Part 1: Research Separation of Duties Policies (0/1 completed)
Note: In this part of the lab, you will review scholarly research on separation of duties policies in order to form a basis for their purpose and usage. Understanding the reason behind a SoD policy is key to understanding the component policies and procedures. Please take time to review the research thoroughly and think through the concepts of the policy itself.
1. Using your favorite search engine, locate and read the following scholarly, peer-reviewed research article referencing separation of duties policies.
Lu, J., Li, R., Lu, Z., & Jin, Y. (2009, December 31). Dynamic Enforcement of Separation-of-Duty Policies. Paper presented at the International Conference on Multimedia Information Networking and Security. http://dx.doi.org/10.1109/MINES.2009.102
2. Write a brief summary of the article. In your summary, focus on the need for a Separation of Duties policy and its key elements.
Part 2: Create a Separation of Duties Policy (0/6 completed)Note: In Part 1 of this lab, you learned about the motivating factors that inform a separation of duties policy. In this part of the lab, you will create your own separation of duties policy for a given scenario. As you prepare your policy, remember that no one individual or team should have too much authority or power to perform a function in a business or organization and that understanding where responsibilities begin and end is critical to effective separation of duties. However, just because one individual or team has decidedly too much authority or power does not necessarily mean that management should apply separation of duties to mitigate the risk given that truly separated duties often means additional labor and/or costs. Instead, management might decide to accept the risk or address the risk by other means.
1. Review the following scenario for the fictional Bankwise Credit Union:
- The organization is a local credit union that has multiple branches and locations throughout the region.
- Online banking and use of the internet are the bank’s strengths, given its limited human resources.
- The customer service department is the organization’s most critical business function.
- The organization wants to be in compliance with the Gramm-Leach-Bliley Act (GLBA) and IT security best practices regarding its employees.
- The organization wants to monitor and control use of the Internet by implementing content filtering.
- The organization wants to eliminate personal use of organization-owned IT assets and systems.
- The organization wants to monitor and control use of the e-mail system by implementing e-mail security controls.
- The organization wants to implement this policy for all the IT assets it owns and to incorporate this policy review into its annual security awareness training.
- The organization wants to define a policy framework, including a security management policy defining the separation of duties for information systems security.
2. Create a security management policy with defined separation of duties for the Bankwise Credit Union.
Bankwise Credit Union
Separation of Duties Policy
Policy Statement
(Define your policy verbiage.)
Purpose/Objectives
(Define the policy’s purpose as well as its objectives.)
Scope
(Define whom this policy covers and its scope. What elements, IT assets, or organization-owned assets are within this policy’s scope?)
Standards
(Does the policy statement point to any hardware, software, or configuration standards? If so, list them here and explain the relationship of this policy to these standards.)
Procedures
(Explain how you intend to implement this policy for the entire organization.)
Guidelines
(Explain any roadblocks or implementation issues that you must overcome in this section and how you will surmount them per defined guidelines. Any disputes or gaps in the definition and separation of duties responsibility may need to be addressed in this section.)
Challenge Exercise (0/1 completed)Note: The following challenge exercise is provided to allow independent, unguided work – similar to what you will encounter in a real situation.
For this portion of the lab, you will complete additional research of a case study in separation of duties and provide your own overview of the problem and solution.
Locate and read the following research article:
Ballesteros, S., Pan, L., Batten, L., & Li, G. (2015). Segregation-of-Duties Conflicts in the Insider Threat Landscape: An Overview and Case Study. Paper presented at the Second International Conference on Education Reform and Modern Management. https://doi.org/10.2991/ermm-15.2015.96
Discuss how a separation of duties policy would help to resolve the issues at Bankwise Credit Union, as discussed in this case study. Assume your audience is the CEO and Board of Bankwise Credit Union.