Page 141 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

The Importance of Job Descriptions


Job descriptions are important to the design and support of a security solution. However, many organizations either have overlooked this or have allowed job descriptions to become stale and out-of-sync with reality. Try to track down your job description. Do you even have one? If so, when was it last updated? Does it accurately reflect your job? Does it describe the type of security access you need to perform the prescribed job responsibilities? Some organizations must craft job descriptions to be in compliance with Service Organization Control (SOC) 2, while others following ISO 27001 require annual reviews of job descriptions.


Important elements in constructing job descriptions that are in line with organizational processes include separation of duties, job responsibilities, and job rotation.

Separation of Duties

Separation of duties is the security concept in which critical, significant, and sensitive work tasks are divided among several individual administrators or high-level operators (Figure 2.1). This prevents any one person from having the ability to undermine or subvert vital security mechanisms. Think of separation of duties as the application of the principle of least privilege to administrators. Separation of duties is also a protection against collusion. Collusion is the occurrence of negative activity undertaken by two or more people, often for the purposes of fraud, theft, or espionage. By limiting the powers of individuals, separation of duties requires employees to work with others to commit larger violations. The act of finding others to assist in a violation and then the actions to perform that violation are more likely to leave behind evidence and be detectable, which directly reduces the occurrence of collusion (via deterrence, the chance that they might get caught). Thus, collusion is difficult and increases risk to the initiator prior to the commission of the act.
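As an added example that is not from the study guide, the following Python code models the separation-of-duties idea above as a two-person change-approval workflow: no role holds both the "initiate" and "approve" duties, self-approval is refused outright, and every step is written to an audit trail (the evidence that makes collusion detectable). The roles, users and change request are constructed sample data, and the functions are hypothetical.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: which duty each role may perform. Separation of
# duties means no single role holds both "initiate" and "approve".
ROLE_DUTIES = {
    "ops_admin": {"initiate"},
    "security_officer": {"approve"},
    "auditor": {"review"},
}
# Constructed sample staff directory mapping user -> role.
USER_ROLES = {"alice": "ops_admin", "bob": "security_officer", "carol": "auditor"}


class SeparationOfDutiesError(PermissionError):
    """Raised when one person would perform duties that must be split."""


def conflicting_roles(role_duties: dict) -> list:
    """Return roles whose duty set would let one person act alone (design check)."""
    return [r for r, d in role_duties.items() if {"initiate", "approve"} <= d]


def has_duty(user: str, duty: str) -> bool:
    return duty in ROLE_DUTIES.get(USER_ROLES.get(user, ""), set())


@dataclass
class ChangeRequest:
    description: str
    initiator: str
    approver: Optional[str] = None
    audit_trail: list = field(default_factory=list)  # evidence of who did what


def initiate(description: str, user: str) -> ChangeRequest:
    if not has_duty(user, "initiate"):
        raise PermissionError(f"{user} may not initiate changes")
    req = ChangeRequest(description, initiator=user)
    req.audit_trail.append(f"initiated by {user}: {description}")
    return req


def approve(req: ChangeRequest, user: str) -> ChangeRequest:
    # Explicit self-approval check, independent of role data that may drift.
    if user == req.initiator:
        raise SeparationOfDutiesError(f"{user} cannot approve their own change")
    if not has_duty(user, "approve"):
        raise PermissionError(f"{user} may not approve changes")
    req.approver = user
    req.audit_trail.append(f"approved by {user}")
    return req
```

Running conflicting_roles against a role table before deploying it catches the common drift case where one convenience role has quietly accumulated both duties.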