Ask The Security Expert: Questions & Answers

What controls can compensate when segregation of duties isn't economically feasible?

Expert response from: Mike Rothman



QUESTION POSED ON: 12 February 2008
Effective segregation of security-related duties is sometimes not economically feasible in smaller businesses. What internal controls do you suggest to help compensate for this problem?

EXPERT RESPONSE
If the organization has only one IT person, then it's hard to enforce segregation of duties. But all is not lost; even though true segregation is not feasible, corporations can do a good job "watching the watcher." I suggest having a strong log management capability implemented to keep a record of all transactions.

But it's not enough to just log the actions. It's critical that organizations store the data somewhere that the IT administrator cannot gain access to and tamper with. The first thing a bad guy does is try to cover his or her tracks, which means eliminating log records. So the log device needs to be protected, and the IT person can't have access.

A few organizations are now offering log management services in which the logging platform resides "in the cloud" or via a hosted service, which provides the type of segregation necessary to keep things separate. To be clear, this wouldn't necessarily provide true segregation of duties (since the IT person is still doing all the functions), but it will provide an audit trail and the ability to investigate an issue if some malfeasance is suspected.
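The control the answer describes, a log the lone administrator cannot silently alter, can be illustrated in code. The example below is an added illustration, not code from the expert or from any product mentioned on the page. It assumes a simple hash-chained log: each entry commits to the hash of the entry before it, and the current head hash is handed after every write to a custodian outside the administrator's reach (the hosted or cloud log service in the answer, or an auditor). The sample records are constructed. With the head held off-box, an auditor can detect a deleted entry, an edited entry, an edited entry whose own hash was recomputed, and truncation of the tail, which is the "watching the watcher" capability the answer asks for.

```python
"""Hash-chained audit log with off-box head: detects deletion, edits and truncation.
Added example; the log format, function names and sample records are assumptions."""
import hashlib
import json
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64  # chain anchor; no real entry produces this value


def record_hash(prev_hash: str, record: Dict) -> str:
    """Hash of a record bound to the hash of the record that precedes it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode()).hexdigest()


class ChainedLog:
    """Append-only log; every entry commits to the previous entry's hash."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = record_hash(prev, record)
        self.entries.append({"prev": prev, "record": record, "hash": h})
        return h

    def head(self) -> str:
        """The value to hand to the off-box custodian after each append."""
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: List[Dict], expected_head: str) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if intact, else (False, index of the first bad entry).

    An index equal to len(entries) means entries were removed from the tail:
    the chain is internally consistent but does not reach the custodian's head.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or record_hash(prev, e["record"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if prev != expected_head:
        return False, len(entries)
    return True, None


# Constructed sample records (not taken from any real system).
SAMPLE_RECORDS = [
    {"ts": "2008-02-12T09:00:00Z", "user": "admin", "action": "create_user", "target": "jsmith"},
    {"ts": "2008-02-12T09:05:00Z", "user": "admin", "action": "grant_role",
     "target": "jsmith", "role": "payroll_approver"},
    {"ts": "2008-02-12T09:06:00Z", "user": "jsmith", "action": "approve_payment", "amount": 4200},
]


def build_sample_log() -> Tuple[List[Dict], str]:
    """Write the sample records and return (entries, head) as the custodian would hold them."""
    log = ChainedLog()
    for r in SAMPLE_RECORDS:
        log.append(r)
    return log.entries, log.head()


def tamper_scenarios(entries: List[Dict], head: str) -> Dict[str, Tuple[bool, Optional[int]]]:
    """Re-verify the log after each kind of after-the-fact alteration an auditor must catch."""
    edited = dict(entries[1], record=dict(entries[1]["record"], target="nobody"))
    # Same edit, but with the entry's own hash recomputed to look self-consistent.
    rehashed = dict(edited, hash=record_hash(edited["prev"], edited["record"]))
    return {
        "intact": verify_chain(entries, head),
        "delete_middle": verify_chain(entries[:1] + entries[2:], head),
        "delete_last": verify_chain(entries[:-1], head),
        "edit_middle": verify_chain(entries[:1] + [edited] + entries[2:], head),
        "edit_and_rehash": verify_chain(entries[:1] + [rehashed] + entries[2:], head),
    }


if __name__ == "__main__":
    sample_entries, sample_head = build_sample_log()
    for name, (ok, bad_index) in tamper_scenarios(sample_entries, sample_head).items():
        print(f"{name:16s} intact={ok} first_bad_index={bad_index}")
```

The chain by itself only proves that the log is internally consistent; the detection comes from comparing it against a head hash the administrator cannot overwrite. That is why the answer insists the log store live somewhere the IT person has no access: with the head (or the full copy) held by a hosted service or a separate auditor, the administrator can still perform every function, but cannot remove the evidence of having done so.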



All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy