Separation of Duties

Purpose

Separation of duties (“SOD”) is fundamental to reducing the risk of loss of confidentiality, integrity, and availability of information. Under SOD, duties are divided among different individuals so that no single person can complete a sensitive process alone, which reduces the risk of error or inappropriate action. In general, responsibility for related transactions should be divided among employees so that one employee’s work serves as a check on the work of others. When duties are separated, employees must collude for assets (e.g., Organizational Data, Information Systems) to be misused without detection. Departments must ensure that their organizational structure, job duties, business processes, and access procedures include an adequate system of SOD.

Related Policies

Data Governance and Management Policy

Related Guidelines, Procedures and Resources

Definitions

Capitalized terms not otherwise defined herein shall have the same meaning as set forth in the Data Governance and Management Policy.

Audience

Responsible   Data Steward; Technical Manager
Accountable   Associate Data Trustee; System Owner
Support       Associate Data Steward; Data Administrator
Consulted     Data Governance team
Informed      Data Domain & Technology Sub-Committees; Data User

Procedures

Documenting Separation of Duties (“SOD”)
A Data Steward and a Technical Manager must document:
  • Identified job-functions requiring the implementation of SOD
  • Processes and procedures that support compliance with SOD
  • Access procedures and other controls that prevent an individual or an office from having the authority (or the technical ability) to perform conflicting functions, both within an Information System and outside it

Resources

What are some examples of Separation of Duties (“SOD”)?
  • One department should not have the ability to both admit a new student and confer a degree. These functions are split between an Admissions Office and the Registrar’s Office, both in business processes and in access rights within the student information system.
  • One employee should not have the ability to both purchase items on a purchase card (p-card) and pay the monthly credit card bill. These functions are split between an employee approved to purchase and an employee approved to review financial transactions.
  • One department should not have the ability to grant employee pay raises without proper oversight from the Budget Office and the Human Resources Office.

Revision Date Author Description
2021-07-27 Zachary Hayes, Data Governance New