Segregation of Duties

Segregation of duties is the practice of limiting conflicts of interest and the opportunity to perform inappropriate activities. This is achieved by the design of roles and responsibilities and system access privileges.

The Consumer Data Right gives Australian’s control of their data. That enables innovation in new products and services to those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.

Approval processes are the most common segregation of duties practice. Whatever the approval relates to, having this approval ensures that a second person is involved. This is usually at a higher level of seniority that is accountable for the matter being approved. Another key method of segregating duties is through access control, separating system functions that can be performed by role; for example, developers work in the code base but can’t migrate those changes into production.

As it relates to the Consumer Data Right (CDR), change control segregation of duties is the key area of focus. This segregation provides the foundation of the Change Control practices, supporting the Change Control Policy and environment. You may have a well-defined process for raising change tickets, defining requirements, testing, and approving changes prior to implementation. But without segregation of duties, that may be bypassed by a developer has the ability to. That’s why segregation of duties is important to ensure high-quality changes, that are authorised, appropriate and secure.

The common method of implementing this is in your version control software like Github, Bitbucket or Gitlab. These each have a setting in the configurations to "enforce a minimum number of approving reviewers".

The CDR Perspective

Segregation of duties supports two areas of the 24 information security requirements:

• Secure coding: changes to the accredited data recipient’s systems (including its CDR data environment) are designed and developed consistent with industry accepted secure coding practices, and are appropriately tested prior to release into the production environment.
• Role based access: involves assigning specific access rights to a role and providing a user with access to that role as opposed to assigning rights directly to an account. This allows simplifes the user access management process. Further, RBAC should be used to minimise the access rights provided to each user to only that necessary for the user to perform their assigned duties.

About AssuranceLab

AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.