If you think that it sounds like line of business managers should take the lead
here, you’re correct. They need consultation and communication with IT so
that these two groups can develop a common language. But business process
experts, not IT managers, should be ultimately responsible for defining roles
in a way that achieves clean access control and avoids SoD violations.
By standardizing and centralizing role design, testing, and maintenance, technical
experts and business process owners can speak a common language.
Taking these steps increases consistency and lowers IT costs.
When you can’t segregate duties
If only one person handles accounting in a small branch office, you can’t
segregate those duties. In these cases, SoD is not the ultimate answer.
Sometimes duties can’t be segregated properly because of a small or
remote staff. Such cases require management oversight to ensure that
SoD violations are not occurring. Instead of segregation of duties through
access control, a compensating control needs to be put in place so that a
manager reviews the transactions entered by such employees. Chapter 7
describes these types of controls in more detail.
Staying Clean
After the roles are tidy, a method to detect violations, prevent further violations,
and fix violations that have occurred — across systems, across
instances, and across applications — must be put into place.
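As an added illustration (example code, not from this book), the following Python pools a user's role assignments across systems, checks them against a constructed SoD conflict list, records a manager-review compensating control for the one-person branch office case described above, and reuses the same check preventively when a new role is requested. All system, role, function and user names are constructed for the example.

```python
# Added example (not from the book): detect SoD violations from role
# assignments pooled across systems, note compensating controls, and
# run the same check preventively when a new role is requested.

# Constructed sample data: roles grant business functions; the conflict
# list pairs functions one person must never hold together.
ROLE_FUNCTIONS = {
    ("erp", "AP_CLERK"): {"create_vendor", "enter_invoice"},
    ("erp", "AP_MANAGER"): {"approve_payment"},
    ("bank_portal", "PAYMENT_RELEASE"): {"release_payment"},
}
SOD_CONFLICTS = [
    ("create_vendor", "approve_payment"),
    ("enter_invoice", "release_payment"),
]
# Accepted compensating control where duties cannot be segregated
# (one-person branch office): user -> reviewing manager.
COMPENSATING_CONTROLS = {"carol": "dave"}
SAMPLE_ASSIGNMENTS = {  # constructed: user -> list of (system, role)
    "alice": [("erp", "AP_CLERK"), ("bank_portal", "PAYMENT_RELEASE")],
    "bob": [("erp", "AP_MANAGER")],
    "carol": [("erp", "AP_CLERK"), ("erp", "AP_MANAGER")],
}

def find_sod_violations(assignments, role_functions=ROLE_FUNCTIONS,
                        conflicts=SOD_CONFLICTS,
                        compensating=COMPENSATING_CONTROLS):
    """Return (user, func_a, func_b, status) for each conflicting pair.
    Functions are pooled across all systems, so a conflict split between
    the ERP and the bank portal is still caught."""
    findings = []
    for user, roles in assignments.items():
        held = set()
        for system, role in roles:
            held |= role_functions.get((system, role), set())
        for a, b in conflicts:
            if a in held and b in held:
                status = ("mitigated: review by " + compensating[user]
                          if user in compensating else "violation")
                findings.append((user, a, b, status))
    return findings

def check_provisioning_request(user, new_role, assignments, **kw):
    """Preventive check: simulate granting new_role and return only the
    conflicts it would introduce, so the request can be refused up front."""
    current = assignments.get(user, [])
    before = {f[:3] for f in find_sod_violations({user: current}, **kw)}
    after = find_sod_violations({user: list(current) + [new_role]}, **kw)
    return [f for f in after if f[:3] not in before]
```

Running `find_sod_violations(SAMPLE_ASSIGNMENTS)` flags alice (invoice entry in the ERP plus payment release in the bank portal) as a violation and carol as mitigated by dave's review.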
Change is constant, and as employees are promoted, go on vacation, are
transferred, or move to another company, the nice clean roles may get
messed up again. Staying clean requires continued vigilance and review as
these events take place to ensure that roles remain clean. Two things can
help companies stay clean: identity management that makes it clear who did
what (nice for auditing) and compliant user provisioning, which makes it
easy to set up users the right way the first time.
In the online world, we have all grown used to needing different usernames
and passwords for different Web sites. We all know the pain of forgetting
a password. In the corporate world, it is much the same — employees
need access to servers and applications, all with many different passwords
and different schedules for changing them. However, the pain of forgetting
a password in the corporate world is greater, and the cost of resetting a user
password is high — estimated at between $50 and $500 per password.
Identity management solutions allow employees to sign on once and have
their identities tracked throughout the system. This helps with auditability;
all transactions are associated with that person’s identity, no matter where
Chapter 6: Access Control and the Role of Roles 123