Wednesday, February 10, 2010

Separation of Duties

When studying for the CompTIA Security+ (SY0-201) exam, you'll come across this objective.
  • 3.1 Identify and apply industry best practices for access control methods.
One of the practices you should understand is Separation of Duties.

The Separation of Duties principle ensures that no single person or entity controls all of the functions for a critical process. Instead of a single person or entity having all of the responsibility, the responsibilities are divided between two or more people or entities.

Consider an accounting department. It is responsible for accepting bills, identifying which bills will be paid, and then paying them. Separation of Duties is commonly applied by splitting these functions between two separate groups.

  • Invoice approval. This group receives the bills and approves the ones that should be paid.
  • Accounts payable. This group pays only the bills that the approval group has approved.
If a single person performed both functions, the potential for fraud would increase. That person could submit a bogus bill, approve it, and pay it. The books look valid, since an approved bill was paid, but it is still fraud.
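The approve/pay split above, expressed as an access-control check. This is an added example, not code from the original post or the study guide. It enforces the principle in two ways: statically (a user may never hold two conflicting roles at the same time) and dynamically (no single identity may perform more than one step on the same invoice, which catches the case the static check misses when a user's roles change over time). The role names, user names, invoice fields and the scenario in `run_demo` are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


class SoDViolation(Exception):
    """Raised when an action would let one identity control two duties."""


# Static SoD: role pairs no single user may hold at once.
# Role names are assumptions for this example, not from the original post.
CONFLICTING_ROLES: Set[FrozenSet[str]] = {
    frozenset({"submitter", "approver"}),
    frozenset({"approver", "payer"}),
    frozenset({"submitter", "payer"}),
}


class RoleStore:
    """Tracks role grants and refuses any grant that creates a conflict."""

    def __init__(self) -> None:
        self._roles: Dict[str, Set[str]] = {}

    def grant(self, user: str, role: str) -> None:
        held = self._roles.setdefault(user, set())
        for existing in held:
            if frozenset({existing, role}) in CONFLICTING_ROLES:
                raise SoDViolation(f"{user} holds {existing!r}, cannot also hold {role!r}")
        held.add(role)

    def revoke(self, user: str, role: str) -> None:
        self._roles.get(user, set()).discard(role)

    def has_role(self, user: str, role: str) -> bool:
        return role in self._roles.get(user, set())


@dataclass
class Invoice:
    invoice_id: str
    amount: float
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None
    paid_by: Optional[str] = None

    def actors(self) -> Set[str]:
        # Every identity that has already acted on this invoice.
        return {u for u in (self.submitted_by, self.approved_by, self.paid_by) if u}


class InvoiceWorkflow:
    """submit -> approve -> pay, each step performed by a different identity."""

    def __init__(self, roles: RoleStore) -> None:
        self.roles = roles

    def _authorize(self, invoice: Invoice, user: str, role: str) -> None:
        if not self.roles.has_role(user, role):
            raise PermissionError(f"{user} lacks the {role!r} role")
        # Dynamic SoD: a user whose current roles allow this step is still
        # refused if they already performed another step on the same invoice.
        if user in invoice.actors():
            raise SoDViolation(f"{user} already acted on {invoice.invoice_id}")

    def submit(self, invoice: Invoice, user: str) -> None:
        if invoice.submitted_by is not None:
            raise ValueError(f"{invoice.invoice_id} already submitted")
        self._authorize(invoice, user, "submitter")
        invoice.submitted_by = user

    def approve(self, invoice: Invoice, user: str) -> None:
        if invoice.submitted_by is None or invoice.approved_by is not None:
            raise ValueError(f"{invoice.invoice_id} is not awaiting approval")
        self._authorize(invoice, user, "approver")
        invoice.approved_by = user

    def pay(self, invoice: Invoice, user: str) -> None:
        if invoice.approved_by is None or invoice.paid_by is not None:
            raise ValueError(f"{invoice.invoice_id} not approved, or already paid")
        self._authorize(invoice, user, "payer")
        invoice.paid_by = user


def run_demo() -> Dict[str, str]:
    """Constructed scenario: an honest three-person flow, then the bogus-bill
    attempt from the post, blocked first statically and then dynamically."""
    roles = RoleStore()
    for user, role in (("alice", "submitter"), ("bob", "approver"), ("carol", "payer")):
        roles.grant(user, role)
    wf, results = InvoiceWorkflow(roles), {}

    good = Invoice("INV-1001", 250.00)
    wf.submit(good, "alice"); wf.approve(good, "bob"); wf.pay(good, "carol")
    results["honest"] = f"paid by {good.paid_by}"

    try:  # static SoD: alice may not also become an approver
        roles.grant("alice", "approver")
        results["static"] = "granted"
    except SoDViolation as e:
        results["static"] = f"blocked: {e}"

    # dynamic SoD: alice submits a bill, later swaps 'submitter' for 'payer'
    # (so the static check passes), then tries to pay her own bill
    bogus = Invoice("INV-1002", 9999.00)
    wf.submit(bogus, "alice"); wf.approve(bogus, "bob")
    roles.revoke("alice", "submitter"); roles.grant("alice", "payer")
    try:
        wf.pay(bogus, "alice")
        results["dynamic"] = "paid"
    except SoDViolation as e:
        results["dynamic"] = f"blocked: {e}"
    return results
```

Calling `run_demo()` walks through both cases. The dynamic check is the one most systems forget: role membership is reviewed at grant time, but a single identity can still accumulate all the steps of one transaction if roles are rotated or if an administrator grants them one at a time, so the workflow itself has to remember who has already touched each record.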

The principle of separation of duties is designed to reduce the risk of fraud, theft, and errors: abusing a critical process then requires collusion between two or more people rather than the decision of one.

Good luck in your studies.

Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide