How would you enforce least privilege and SoD controls in your system? Please provide an example.
The principle of least privilege ensures that employees will only be given access to the information and resources that are necessary for a legitimate purpose.
The basic concept behind SoD is that no employee or group should be in a position both to perpetrate and to conceal errors or fraud in the normal course of business. The duties which are incompatible and should be segregated are:
SoD may be implemented at different levels, such as:
Individual level: This is the most basic form of SoD, where it is ensured that different duties are performed by different persons.
Organizational unit / Function level: Here SoD is implemented at the unit or sub-unit level. For example, a sales offer may be prepared by the Sales department but signed off by the Operations department.
Legal Entity level: At this level SoD is applied between legal entities. For example, investments made by a subsidiary may require authorization by the holding company.
Implementation in the system:
A risk assessment is performed to properly assess the SoD risk arising from conflicting duties.
Based on the risk assessment, segregated duties are assigned to specific roles so that no single role can perform incompatible duties. For example, in the case of managing changes to a software application:
Duties to be performed are:
In the matrix above, 'X' denotes incompatibility: a Software Engineer cannot approve logic/changes, nor approve system access.
SoD controls are implemented in the system by defining roles and responsibilities within the software, based on the SoD matrix for each key process. Roles and responsibilities are mapped so that a role cannot have access to, and hence cannot perform, duties which are incompatible. A role has access only to the processes/responsibilities it is allowed to perform. Thus, by defining roles and responsibilities, mapping them, and managing access controls, SoD is enforced in the system.
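The role mapping described above, as an added example that is not part of the original answer: the SoD matrix is encoded as a set of incompatible duty pairs, roles are mapped to duties, and the code checks both that no single role holds an 'X' pair and that the roles assigned to one user do not combine into one. Only the two conflicts the answer names (an engineer may not approve logic/changes or system access) come from the text; the other duties, conflicts and role names are constructed for the example.

```python
"""Enforce an SoD matrix as a static check on role design and user assignments."""
from itertools import combinations

# Constructed example: duties in a software change-management process.
# Only the two conflicts named in the answer (an engineer may not approve
# logic/changes or system access) come from the text; the rest is assumed.
DUTIES = {"develop_change", "approve_change", "deploy_change", "approve_system_access"}

# SoD matrix as a set of incompatible duty pairs (the 'X' cells), stored as
# frozensets so that (a, b) and (b, a) are the same conflict.
INCOMPATIBLE = {
    frozenset({"develop_change", "approve_change"}),         # from the answer
    frozenset({"develop_change", "approve_system_access"}),  # from the answer
    frozenset({"develop_change", "deploy_change"}),          # assumed
    frozenset({"approve_change", "deploy_change"}),          # assumed
}

# Roles mapped to the duties they may perform (constructed for the example).
ROLES = {
    "software_engineer": {"develop_change"},
    "change_approver": {"approve_change"},
    "release_manager": {"deploy_change"},
    "access_administrator": {"approve_system_access"},
}

def conflicts_in(duties):
    """Return the incompatible pairs present within one set of duties."""
    return {frozenset(p) for p in combinations(sorted(duties), 2) if frozenset(p) in INCOMPATIBLE}

def validate_roles(roles=ROLES):
    """Check the role design: a single role must never contain an 'X' pair."""
    return {role: conflicts_in(duties) for role, duties in roles.items() if conflicts_in(duties)}

def effective_duties(user_roles, roles=ROLES):
    """Least-privilege view: the union of duties a user's assigned roles grant."""
    return set().union(*(roles[r] for r in user_roles))

def validate_assignment(user, user_roles, roles=ROLES):
    """Check that the roles assigned to one user do not combine into a conflict.
    Role-level checks alone miss this: two clean roles can conflict when held together."""
    return conflicts_in(effective_duties(user_roles, roles))

def can_perform(user_roles, duty, roles=ROLES):
    """Access-control decision: allow a duty only if some assigned role grants it."""
    return duty in effective_duties(user_roles, roles)

if __name__ == "__main__":
    print("role design conflicts:", validate_roles())
    print("alice (engineer + approver):", validate_assignment("alice", ["software_engineer", "change_approver"]))
    print("engineer may approve change:", can_perform(["software_engineer"], "approve_change"))
```

Running the block reports no conflicts in the role design itself, but flags the user holding both the engineer and approver roles, which is the case an access review based only on individual roles would miss.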