Dual control and segregation of duties must be implemented to strengthen control over activities wherever an IT security incident would likely result in financial or other material damage to the organization.
Segregation of duties is a primary internal control: it prevents, or reduces the risk of, errors and irregularities, and helps detect problems. It is achieved when no single individual has control over all phases of a transaction.
The objectives of this Policy are to ensure that:
a. Potential areas of fraud are identified, and activities in those areas are placed under dual control or segregation of duties;
b. Live data and software cannot be amended or modified by Network and Systems staff, whether accidentally or for malicious or fraudulent reasons;
c. Development staff (whether from the Company and Company-owned companies or from a contractor) do not operate with powerful privileges in the operational environment, as this would be high risk and hence unacceptable;
d. Systems administration activities and user activities are separated so that sensitive data is not compromised;
e. Evidence of an information security incident is never altered by any member of staff who has access to an audit trail that recorded their own actions during the incident.
1.1 PROCEDURE OWNER
1.3 APPLICABLE REGULATIONS
1.4 RELATED [COMPANY] NORMS AND PROCEDURES
1.6 AUDIENCE AND SCOPE
1.7 DOCUMENT SUPPORT
2. DEFINITIONS & ABBREVIATIONS
4. ROLES AND RESPONSIBILITIES
4.1 DEPARTMENT MANAGER
4.2 IT SECURITY TEAM
6. FINAL CONSIDERATIONS
6.1 DISCIPLINARY ACTIONS AGAINST PROCEDURE VIOLATION
6.2 DOCUMENT REVISION
This standard documents the security requirements for the Company’s Application Security and Development. It is aligned with the Company’s Systems Management Policy and must be applied to all applications written and developed for the Company.