Segregation of Duties (SODs)

Segregation of Duties (also known as “Toxic Combinations”) describes a situation where a user holds a combination of entitlements or access rights on one system (or across several systems) that lets them perform tasks that should never be controlled by a single person.

A simple example can be found in most mortgage application systems. The system has two types of access: “create” [a mortgage] and “approve”. The first is the ability to create a mortgage for a customer (e.g. £300k), which is normally done by a customer-facing employee. Once they have created the mortgage application, it is “held” for approval by a different employee, normally a senior team leader, who checks that the mortgage is suitable and not in breach of any policies (e.g. you are not giving someone with a salary of £30k per annum a £1 million mortgage!). Once they have confirmed this, they can “release” the mortgage so it goes through. This is a very simple security process and stops all kinds of fraud from happening. An SOD violation would occur if someone had the ability to both “create” and “approve” a mortgage.

I have worked on projects where this was a large issue, and it normally goes unnoticed for long periods of time. My experience has helped me build processes to control and eliminate all possible SODs. The main process involves working closely with the business and technical teams to understand the system, all of its entitlements, and the combinations of those entitlements that could create a possible SOD. Once this has been established, you can analyse the access on the system, establish who is in violation of an SOD, and work out how to change their access with as little business impact as possible. Once the initial clean-up is complete, processes are put in place to monitor for SODs in the future, and also within the admin teams, so they know not to create them going forward.
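The analysis step described above, as an added example that is not part of the original post: a small Python check that expands users' roles into effective entitlements, flags anyone holding both halves of the “create” / “approve” toxic pair (with the roles that granted each half as evidence), and suggests the single role removal that clears the violation while dropping the fewest entitlements. The rule names, roles and users are constructed for illustration.

```python
from collections import defaultdict

# SOD rules ("toxic combinations"): entitlements no single user may hold together.
# Entitlements are written "system:action" so a rule can span more than one system.
SOD_RULES = {
    "mortgage-create-approve": frozenset({"mortgage:create", "mortgage:approve"}),
}

# Constructed sample role model: users receive roles and roles bundle entitlements,
# which is how a toxic pair typically slips in unnoticed.
ROLES = {
    "branch_advisor": {"mortgage:create", "crm:read"},
    "team_leader": {"mortgage:approve", "crm:read", "reports:view"},
}
USERS = {  # constructed user -> roles assignments
    "alice": {"branch_advisor"},
    "bob": {"team_leader"},
    "carol": {"branch_advisor", "team_leader"},  # holds both halves of the pair
}

def effective_entitlements(user_roles, roles=ROLES):
    """Flatten roles to entitlements, keeping the role(s) that granted each one as evidence."""
    granted = defaultdict(set)
    for role in user_roles:
        for ent in roles.get(role, ()):
            granted[ent].add(role)
    return granted

def find_sod_violations(users=USERS, roles=ROLES, rules=SOD_RULES):
    """Return {user: [(rule, {entitlement: [granting roles]})]} for every toxic pair actually held."""
    violations = {}
    for user, user_roles in sorted(users.items()):
        granted = effective_entitlements(user_roles, roles)
        hits = [(name, {e: sorted(granted[e]) for e in sorted(combo)})
                for name, combo in sorted(rules.items()) if combo.issubset(granted)]
        if hits:
            violations[user] = hits
    return violations

def least_impact_fix(user_roles, combo, roles=ROLES):
    """Name the single role whose removal clears the pair while losing the fewest entitlements (None if none does)."""
    if not combo.issubset(effective_entitlements(user_roles, roles)):
        return None  # nothing to fix for this user
    options = []
    for role in sorted(user_roles):
        remaining = effective_entitlements(user_roles - {role}, roles)
        if not combo.issubset(remaining):
            options.append((len(roles[role] - set(remaining)), role))
    return min(options)[1] if options else None
```

Run `find_sod_violations()` over a real export of user-to-role and role-to-entitlement mappings to get the violation list, then `least_impact_fix` per hit to draft the access change with minimal business impact.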