Segregation of duties trivia

---

• From: Faheem SIDDIQUI <fahimdxb@xxxxxxxxx>
• Date: Mon, 13 Nov 2006 07:04:11 +0400

---

Hi All...

I am preparing a "Segregation of Duties' Matrix within my IS function (Is there a better way to hit at the non-compliance point of 'lack of segregation of duties within the organisation', by external auditors?)

I found a very basic chart at ISACA website:
http://www.isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf <http://www.isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf>

According to this chart, some of the things in the Control Matrix are obvious but some aren't so.

For example: The chart suggests that A DB Admin cannot be an Application Programmer neither can he be a Sys Admin or Network Admin..Why?

Or a security administrator can be a Help Desk support personnel but cannot be a Systems Analyst or a Systems/Application programmer.

I was wondering, what's the potential control weakness in these two points??

What's the best way of documenting this 'Segregation of Duties' procedure for satisfying External Auditors?

---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------

---

• Follow-Ups:
  • RE: Segregation of duties trivia
    • From: David Gillett

• References:
  • VPN relied upon for method of encryption
    • From: nospam
  • A question about Access controls
    • From: Faheem SIDDIQUI
  • Re: A question about Access controls
    • From: Kern

• Prev by Date: Problem Disabling "Null Session" on W2K3
• Next by Date: VLANs confusing
• Previous by thread: Re: A question about Access controls
• Next by thread: RE: Segregation of duties trivia
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: What comes first - Analysts and then programmers ... ... > Developer is ... Different shops apply different categories and heirarchies. ... Jr Level Programmer ... although they may have supervisory duties as well. ... (borland.public.delphi.non-technical) Re: Let me introduce John ... Don't suppose you need a developer, ... programmer; and another man whose programming abilities were so limited ... swept the floor, unloaded trucks, did data-entry, and other duties as ... they laid off about half the staff, ... (alt.sysadmin.recovery) Re: New Trigger, Comin Up..... ... Thanks everyone for your posts and encouragement, I focused on my duties, I skipped out ... during the "L's" and saw my programmer on a consulting job, and returned, all without ... (alt.support.stop-smoking) Auditing a progress database ... I need to audit the security and segregation of duties for a ... Progress database; is not much I have found about this topic; can any ... recomendme some spots to look at for information? ... (comp.databases.progress) SQL Server Roles ... between CDBA and DDBA. ... I want to maintain a segregation of duties between ... (microsoft.public.sqlserver.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(11)