Setting security for each employee based on their specific role provides the tightest and most personalized security. The trade-off is the increased amount of administration effort when setting up the specific roles to use and the access permitted for each role. Keeping these details up to date can also be time consuming.
You have been brought in as a consultant from Smith Systems Consulting to advise Riordan Manufacturing on what it will take to establish adequate enterprise security policies. You need to prepare a paper that highlights why they should establish separation of duties via role assignment and how this will provide safeguards to protect the data in their information systems.
This paper is about why Riordan should use role assignment to establish separation of duties, so the paper should focus on that, not any of the other elements of the background information. You do not need to give background on Riordan, Smith Systems Consulting or anyone else. Focus on why separation of duties using role assignment is a good thing. Everything else is outside the scope of the paper.
Separation of Duties Using Role Assignment
Separation of duties is a common strategy many companies employ to mainly protect the security of their organization. It basically refers to the concept that no single individual can compromise the security of the entire organization. It also extends to the premise that at a particular point of collapse, no one individual can benefit from the crime they have committed trying to illegally compromise the security controls of the entire organization. This principle is achieved by delegating the responsibilities and related privileges for a specific security process among many individuals within the organization - known as 'role assignment'.
Definition: "This principle prevents any part of the computer system from being under the control of a single person. Every duty or transaction therefore requires multiple people to be involved, with tasks being split among them. In banking, this idea has long been part of the security features of the financial community as a means to control fraud and theft. Now the same concept is applied to computer systems and information security practitioners" (Yourdictionary.com, 2010).
The use of separation of duties through role assignment can help safeguard a company against:
* Compromising company records
* Misuse of related privileges
* PCI-DSS compliant ("The PCI DSS, is a set of comprehensive requirements for enhancing payment account data security, which was developed by the founding payment brands of the PCI Security Standards Council, including American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., to help facilitate the broad adoption of consistent data security measures on a global basis" (PCI, 2011))
* Implication of business partners
* Sharing root passwords
* Having orphaned accounts which are basically old accounts of employees who no longer work for the organization. "Orphaned accounts are a huge, huge issue, ...
The solution deals with seperation of duties using role assignment common strategy many companies employ to mainly protect the security of their organization. It outlines what role assignment is and how it can be used for security purposes. it also lists the main objectives and the principles involved along with risks if an organization is not secure.