RBAC mechanisms can be used by a system administrator to enforce a policy of separation of duties. Separation of duties is considered valuable in deterring fraud, since fraud can occur when a single person has the opportunity to combine several job-related capabilities that should be held by different people. Separation of duty requires that for particular sets of transactions, no single individual be allowed to execute all transactions within the set. The most commonly used example is the pair of separate transactions needed to initiate a payment and to authorize a payment: no single individual should be capable of executing both. Separation of duty is an important consideration in real systems. In real situations, only certain transactions need to be restricted under separation of duty requirements. For example, we would expect a transaction "authorize payment" to be restricted, but a transaction "submit suggestion to administrator" would not be.
The separation of duties is a powerful internal control. Its objective is to ensure that duties (roles) are assigned to individuals in such a manner that no one individual has complete control over the system (as the traditional Unix root account does). The question of who should do what becomes extremely important in a web-enabled and/or distributed environment, where on-line system pre-approval does not exist and central control is not apparent to the user.
Separation of duty can be either static or dynamic. Compliance with static separation requirements can be determined simply by the assignment of individuals to roles and allocation of transactions to roles. The more difficult case is dynamic separation of duty where compliance with requirements can only be determined during system operation. The objective behind dynamic separation of duty is to allow more flexibility in operations. Consider the case of initiating and authorizing payments. A static policy could require that no individual who can serve as payment initiator could also serve as payment authorizer. This could be implemented by ensuring that no one who can perform the initiator role could also perform the authorizer role. Such a policy may be too rigid for commercial use, making the cost of security greater than the loss that might be expected without the security. More flexibility could be allowed by a dynamic policy that allows the same individual to take on both initiator and authorizer roles, with the exception that no one could authorize payments that he or she had initiated. The static policy could be implemented by checking only roles of users; for the dynamic case, the system must use both role and user ID in checking access to transactions.
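The static and dynamic policies for the initiate/authorize payment case, as an added example that is not part of the original page. Role names, user ids and payment ids are constructed for illustration; the static check runs at role assignment time and needs only the role graph, while the dynamic check at authorization time must consult both the role and the user id recorded on the specific transaction.

```python
# Constructed example: a minimal RBAC model enforcing static and dynamic
# separation of duty for payment initiation and authorization.

INITIATOR, AUTHORIZER = "payment_initiator", "payment_authorizer"

# Static SoD: sets of roles that no single user may hold together.
STATIC_EXCLUSIONS = {frozenset({INITIATOR, AUTHORIZER})}


class PaymentSystem:
    def __init__(self, static_sod=True):
        self.static_sod = static_sod
        self.user_roles = {}      # user id -> set of roles held
        self.initiated_by = {}    # payment id -> user id that initiated it
        self.authorized = set()   # payment ids that have been authorized

    def assign_role(self, user, role):
        """Static SoD is decided here, from role assignments alone."""
        roles = self.user_roles.setdefault(user, set())
        if self.static_sod:
            for exclusive_set in STATIC_EXCLUSIONS:
                if role in exclusive_set and (exclusive_set - {role}) & roles:
                    raise PermissionError(f"{user}: {role} conflicts with existing roles")
        roles.add(role)

    def initiate(self, user, payment_id):
        if INITIATOR not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} cannot initiate payments")
        self.initiated_by[payment_id] = user

    def authorize(self, user, payment_id):
        """Dynamic SoD: the role check alone is not enough; the user id
        on this particular payment must also differ from the authorizer."""
        if AUTHORIZER not in self.user_roles.get(user, set()):
            raise PermissionError(f"{user} cannot authorize payments")
        if payment_id not in self.initiated_by:
            raise KeyError(f"no such payment {payment_id}")
        if self.initiated_by[payment_id] == user:
            raise PermissionError(f"{user} initiated {payment_id} and may not authorize it")
        self.authorized.add(payment_id)
        return True


def permitted(action, *args):
    """Helper: True if the action succeeds, False if the SoD policy rejects it."""
    try:
        action(*args)
        return True
    except PermissionError:
        return False
```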
Separation of Duties and IT Security - CSO Online - Security and Risk
Separation of duty, as it relates to security, has two primary objectives. The first is the prevention of conflict of interest, the appearance of conflict of interest, wrongful acts, fraud, abuse and errors.
The second is the detection of control failures that include security breaches, information theft, and circumvention of security controls.
... There is an easy test for Separation of Duties. First ask if any one person can alter or destroy your financial data without being detected. For the second test, ask if any one person can steal or exfiltrate sensitive information. The final test asks if any one person has influence over controls design, implementation and reporting of the effectiveness of the controls. If the answer to any of these questions is YES, then you need to take a hard look at the separation of duties.
SEPARATION OF DUTIES
The Financial Integrity and State Manager's Accountability Act of 1983 (Government Code Sections 13400-13407) requires that the head of each State agency establish and maintain an adequate system of internal control within their agencies. A key element in a system of internal control is separation of duties. This section provides the appropriate level of separation of duties for agencies with manual accounting processes. Employees of units other than the accounting unit should be used, when necessary, to provide separation of duties.
Last modified: August 05, 2013