Do you have the right model in place for Segregation of Duties?

However, RiskIQ’s 2018 CISO Survey reveals that 89.1% of Chief Information Security Officers are concerned about cyber security risks. However, the risk is not always externally induced. Research from IBM has found that 60% of all cyber-attacks are carried out by insiders, and with the average remediation cost of $3.6 million (2017), according to the Ponemon Institute, insider risk provides a serious issue that cannot be ignored.

What is SoD?

SoD is an internal control designed to prevent error, conflict of interest, malicious acts and fraud. It ensures that separation of duties exists across tasks, for multiple individuals, to avoid conflicting responsibilities. Examples of this include; a user being able to process and authorise a payment, or perhaps open and close a fraud investigation case.  By having robust controls in place, the issues posed by insider risk are greatly reduced.

Risks from inadequate usage of SoD?

In large organizations “Toxic Combinations” can happen much more frequently than one would expect. With employees going through promotions, changing roles, changes of departments, or even company-wide restructures, they can sometimes gain unnecessary access rights, or a “Toxic Combination”. Thus, SoD ensures that colleagues have the correct access at the correct time.

A Detective SOD Model

Currently, the prevailing model in UK businesses is a Detective SoD Model. This can involve the security function of the business collating and analysing user access logs to check if the access activity aligns with the access rights created for that individual’s role. Subsequently, these measures identify issues of “Toxic Combinations” and flag these as a security risk. This process is often followed by risk acceptance or remediation actions.

However, the Detective SoD Model is a reactive model and should only really be deployed as an interim control. Principally, the key shortcoming of this model is that organizations will be addressing the issue too late, leaving them open to risk. Additionally, often the Detective Model is time consuming, involving a lengthy process, and is costly due to the remediation/damage and resourcing costs involved.

An organization should have a preventative solution if they are under threat of insider risk, so that they can mitigate unacceptable levels of risk.

A Preventative SOD Model (PTC)

A Preventative Model is as it implies – it prevents “Toxic Combinations” before access is granted to any colleagues.

It is important to note that for PTC to be implemented successfully in any organization, it should focus on operational, as well as user experience elements.

Factors to consider when implementing preventative “Toxic Combinations” (PTC)

When implementing a PTC model, there are five keys facets to look at:

a. User experience

When creating this preventative system, organizations must make the system accessible and unobtrusive. With a poor colleague experience, uptake and engagement will be low from colleagues which makes efforts in this space counter-intuitive, thereby leading to a weak internal controls environment.

b. Toxicity rules

By using advanced analytical capabilities to ensure rulesets do not become unwieldy, organizations can remove the uncertainty and unpredictability of manual checking and can allow for a nimbler, more accurate approach.

c. Risk scoring

Risk scoring of entitlements can help prioritize requests that can be moved to auto-approval workflows versus requests that require escalated approvals. This helps minimize the workload for the approvers and avoid impediments along the workflow.

d. Multi step checks

By creating multiple points of access approval, this strengthens an already robust control.

e. Role based PTC

Creating role-based access, roles can be created with SoD already in mind, which can allow for appropriate access across a role. This means that access can be granted and removed quickly and allow for fast mobilization and movement across an organization.

Once PTC has been launched, DTC becomes a secondary check that solidifies the SoD process.

The future of SODs

Leveraging nascent technologies can allow for a more proactive and efficient systems, mitigating potential risks. Having access to real-time data is essential as this is the catalyst to a variety of these new technologies, but without a set of stringent Key Performance Indicators, any new technology that is implemented will not be used to its full potential.

Machine learning capabilities can be used to recommend new ‘rules’ and to assess approval actions and rationales. For instance, scripts can be developed to do transaction analysis and identify types of transactions that can be in scope for PTC.

User behaviour analytics could also be applied to identify unusual user activities that breach toxic rules. This could then be investigated further, and remedial action can be taken.

In conclusion, an effective SoD model includes detective and preventative processes that are user centric. These are best supported by real time data and continuous improvement of underlying capabilities to reach maturity, and the support of a business to ensure agility in the SoD system.

Our Authors

Richard Wilson
richard.b.wilson@capgemini.com

Jonathan Youngman
jonathan.youngman@capgemini.com

Ryan Abraham
ryan.abraham@capgemini.com