Purpose
Separation of duties (“SOD”) is fundamental to reducing the risk of loss of confidentiality, integrity, and availability of information. To accomplish SOD, duties are divided among different individuals to reduce the risk of error or inappropriate action. In general, responsibility for related transactions should be divided among employees so that one employee’s work serves as a check on the work of other employees. When duties are separated, employees must collude for assets (e.g., Organizational Data, Information Systems) to be used inappropriately without detection. Departments must ensure that their organizational structure, job duties, business processes, and access procedures include an adequate system of SOD.
Related Policies
Data Governance and Management Policy
Related Guidelines, Procedures and Resources
Definitions
Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy.
Audience
Role | Audience |
---|---|
Responsible | Data Steward, Technical Manager |
Accountable | Associate Data Trustee, System Owner |
Support | Associate Data Steward, Data Administrator |
Consulted | Data Governance team |
Informed | Data Domain & Technology Sub-Committees, Data User |
Procedures
- Documenting Separation of Duties (“SOD”)
  - A Data Steward and a Technical Manager must document:
    - Identified job functions requiring the implementation of SOD
    - Processes and procedures that support compliance with SOD
    - Access procedures and other controls to deter an individual or an office from having the authority (or the ability) to perform conflicting functions, both outside and within an Information System
Resources
- What are some examples of Separation of Duties (“SOD”)?
  - One department should not have the ability to both admit a new student and confer a degree. These functions are split between an Admissions Office and the Registrar’s Office, both in business processes and in access within the student information system.
  - One employee should not have the ability to both purchase items on a purchase card (p-card) and pay the monthly credit card bill. These functions are split between an employee approved to purchase and an employee approved to review financial transactions.
  - One department should not have the ability to grant employee pay raises without proper oversight from the Budget Office and the Human Resources Office.
Revision Date | Author | Description |
---|---|---|
2021-07-27 | Zachary Hayes, Data Governance | New |