Home > Midmarket IT Security Tips > > What controls can compensate when segregation of duties isn't economically feasible?
Midmarket IT Security Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 


What controls can compensate when segregation of duties isn't economically feasible?


Mike Rothman
02.05.2009
Rating: --- (out of 5)


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


Effective segregation of security-related duties is sometimes not economically feasible in smaller businesses. What internal controls do you suggest to help compensate for this problem?

If the organization has only one IT person, then it's hard to enforce segregation of duties. But all is not lost; even though true segregation is not feasible, corporations can do a good job "watching the watcher." I suggest having a strong log management capability implemented to keep a record of all transactions.

But it's not enough to just log the actions. It's critical that organizations store the data somewhere that the IT administrator cannot gain access and tamper with it. The first thing a bad guy does is try to cover his or her tracks, which means eliminating log records. So the log device needs to be protected and the IT person can't have access.

A few organizations are now offering log management services in which the logging platform resides "in the cloud" or via a hosted service, which provides the type of segregation necessary to keep things separate. To be clear, this wouldn't necessarily provide true segregation of duties (since the IT person is still doing all the functions), but it will provide an audit trail and the ability to investigate an issue if some malfeasance is suspected.

Rate this Tip
To rate tips, you must be a member of SearchMidmarketSecurity.com.
Register now to start rating these tips. Log in if you are already a member.




Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
Writing and enforcing security policies
Five things to do before your first PCI DSS compliance audit
Acceptable use policy for Internet usage helps data protection efforts
Midmarket security managers must push risk acceptance to the business
Demystifying identity management
Quiz: Building an identity and access management architecture
Handling the politics of network access control policies
Questions to ask when choosing your managed security service provider
From the gateway to the application: Effective access control strategies
Consider a compliance-driven security framework
How should a company's security program define roles and responsibilities?

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary

DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2009, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts