What controls can compensate when segregation of duties isn't economically feasible?
Having a strong log management capability is a good way to start when security segregation isn't possible. Mike Rothman explains.
Effective segregation of security-related duties is sometimes not economically feasible in smaller businesses. What internal controls do you suggest to help compensate for this problem?
If the organization has only one IT person, then it's hard to enforce segregation of duties. But all is not lost; even though true segregation is not feasible, corporations can do a good job "watching the watcher." I suggest having a strong log management capability implemented to keep a record of all transactions.
But it's not enough to just log the actions. It's critical that organizations store the data somewhere that the IT administrator cannot gain access and tamper with it. The first thing a bad guy does is try to cover his or her tracks, which means eliminating log records. So the log device needs to be protected and the IT person can't have access.
A few organizations are now offering log management services in which the logging platform resides "in the cloud" or via a hosted service, which provides the type of segregation necessary to keep things separate. To be clear, this wouldn't necessarily provide true segregation of duties (since the IT person is still doing all the functions), but it will provide an audit trail and the ability to investigate an issue if some malfeasance is suspected.