Segregation of duties (SoD) ensures proper oversight and reduces the risk of fraud or data breaches within your core systems by making sure no single person can both initiate and approve a sensitive transaction. In the US, public companies subject to Sarbanes–Oxley (SOX) must assess and certify their internal controls over financial reporting, and SoD is one of the key controls auditors test. SoD presents a unique compliance challenge because it requires close alignment between business and IT stakeholders to assess, mitigate and monitor the risk of fraud or material misstatement. Enforcing SoD therefore requires software support: manual controls, whether performed in-house or by consultants, are usually too weak and too inconsistent to keep up with role changes across today's hybrid IT estate, where a single user may hold entitlements in several systems and a conflicting combination can go unnoticed for months.
Any organization that is ISO 27001 certified or undergoes SOX reviews will know that segregation of duties comes under close scrutiny during compliance reviews. If any process is found to be poorly segregated, auditors will typically extend their testing to the affected systems, examining transaction histories and access logs to establish whether the conflicting access was actually used.
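To make concrete what the software has to check, here is an added example of an SoD conflict scan over user entitlements. It is not code from the original page or from any vendor's product; the rule names, roles, entitlements, users and the exception record are all constructed for illustration. The point it demonstrates is that conflicts usually arise from the combination of roles a user has accumulated, not from any single role, so the checker resolves each user's effective entitlements across all roles, reports which role grants each side of the conflict (so remediation can target the right role), and honors documented, unexpired exceptions backed by a mitigating control.

```python
"""Added example: minimal segregation-of-duties conflict scan.

All data below is constructed for illustration; rule identifiers, roles,
entitlements and users are hypothetical and not taken from any real product.
"""
from collections import defaultdict
from datetime import date

# Hypothetical SoD rule set: each rule names two entitlements that must never
# be held by the same person (a "toxic combination").
SOD_RULES = {
    "AP-01 create vendor / approve payment": ("AP.CreateVendor", "AP.ApprovePayment"),
    "GL-02 post journal / approve journal": ("GL.PostJournal", "GL.ApproveJournal"),
    "HR-03 change payroll / run payroll": ("HR.ChangePayroll", "HR.RunPayroll"),
}

# Constructed role model: role -> entitlements it grants.
ROLE_ENTITLEMENTS = {
    "AP_Clerk": {"AP.CreateVendor", "AP.EnterInvoice"},
    "AP_Manager": {"AP.ApprovePayment", "AP.ViewInvoice"},
    "GL_Accountant": {"GL.PostJournal", "GL.ViewLedger"},
    "GL_Controller": {"GL.ApproveJournal", "GL.ViewLedger"},
    "Payroll_Admin": {"HR.ChangePayroll", "HR.RunPayroll"},  # conflict inside one role
}

# Constructed assignments: user -> roles. "alice" illustrates permission creep:
# she kept AP_Clerk after being promoted into AP_Manager.
USER_ROLES = {
    "alice": {"AP_Clerk", "AP_Manager"},
    "bob": {"GL_Accountant"},
    "carol": {"GL_Controller"},
    "dave": {"Payroll_Admin"},
}

# Constructed exception register: (user, rule) -> mitigating control and expiry.
# An expired exception no longer counts as mitigation.
EXCEPTIONS = {
    ("dave", "HR-03 change payroll / run payroll"): {
        "control": "monthly payroll register review by finance director",
        "expires": date(2030, 12, 31),
    },
}


def entitlement_sources(user, user_roles, role_entitlements):
    """Resolve a user's effective entitlements across all roles.

    Returns entitlement -> set of roles that grant it, so a finding can say
    which role to remove rather than just that a conflict exists.
    """
    sources = defaultdict(set)
    for role in user_roles.get(user, ()):
        for ent in role_entitlements.get(role, ()):
            sources[ent].add(role)
    return sources


def find_sod_conflicts(user_roles, role_entitlements, rules,
                       exceptions=None, today=date(2025, 1, 1)):
    """Return one finding per (user, rule) whose two entitlements the user holds.

    `today` is fixed for deterministic output; real use would pass date.today().
    """
    exceptions = exceptions or {}
    findings = []
    for user in sorted(user_roles):
        sources = entitlement_sources(user, user_roles, role_entitlements)
        for rule_name, (left, right) in rules.items():
            if left in sources and right in sources:
                exc = exceptions.get((user, rule_name))
                mitigated = exc is not None and exc["expires"] >= today
                findings.append({
                    "user": user,
                    "rule": rule_name,
                    # Which roles grant each side of the toxic combination.
                    "via": {left: sorted(sources[left]), right: sorted(sources[right])},
                    "mitigated": mitigated,
                })
    return findings


def open_conflicts(findings):
    """Conflicts with no valid mitigating control; these need remediation."""
    return [f for f in findings if not f["mitigated"]]


if __name__ == "__main__":
    results = find_sod_conflicts(USER_ROLES, ROLE_ENTITLEMENTS, SOD_RULES, EXCEPTIONS)
    for f in results:
        status = "MITIGATED" if f["mitigated"] else "OPEN"
        print(f"[{status}] {f['user']}: {f['rule']} via {f['via']}")
```

Run against the sample data, the scan flags alice (two individually harmless roles that together violate AP-01) and dave (a single role that violates HR-03, covered by an unexpired exception); bob and carol each hold only one side of GL-02 and are clean. A production tool does the same thing at larger scale: it pulls roles from each ERP, HR and cloud system, normalizes them into a common entitlement vocabulary, and re-runs the rules on every access change rather than once a year.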
Identify the Business Needs
Every business, regardless of size or industry, has some core ERP or financial systems that need Segregation of Duties (SoD) controls. Start by listing the features that matter for your business, then prioritize them and separate the must-haves from the nice-to-haves. Every packaged SoD product involves trade-offs, and in some cases an organization's use cases will need multiple solutions from different vendors to meet all requirements. As a rule of thumb, stack rank the required features using the following tiers:
- Essential — Features that must be included in the proposed product. The product is not acceptable unless these features are available.
- Conditional — Features that are not mission critical but are important for productivity and the business. Products missing conditional features will be ranked lower.
- Nice to have — Features that are not essential or conditional but would be of some use if available.
Shortlist Vendors
Identify a list of software vendors that can provide the services and software required, and send them your requirements. One of the best ways to compare different SoD products is to trace each product's functionality back to your ranked requirements, see a demonstration of the product and get insights from reference customers. Because reference customers have already been through the process, they know where a product's SoD capabilities shine and where they fall short. Use this research to narrow down the list.
Do a Return On Investment (ROI) Analysis
With rising breaches and mounting regulatory pressure around SOX, HIPAA and similar regimes, a security or compliance project becomes a strategic and sensible choice. However, funding for any information security or compliance project must still be justified by a Return On Investment (ROI) case. A typical ROI model evaluates the project across the following four areas:
(1) Increased revenue,
(2) Decreased costs,
(3) Decreased risk, and
(4) Increased speed-to-market.
A typical cybersecurity project builds its ROI case around #2 and/or #3. The total cost of implementation should include both the initial setup and ongoing maintenance. Given that most companies are engaged in digital transformation and cloud adoption, it is best to buy an SoD product that can already cover the cloud and SaaS applications you expect to adopt. Where that is not possible, factor in the extra cost of the updates or integrations needed to cover those systems later.
Do a Proof-Of-Concept (POC)
Before implementing any SoD software, organizations need to understand whether it is the right fit for them. The POC process allows a business to validate the product's base features, usability and performance against its own systems and roles without getting too far into the weeds. Think of a Proof-of-Concept as a small project to determine whether the organization can implement a given SoD product. Most SoD vendors offer a paid POC, typically in the range of $5,000 to $20,000, with a defined scope. The cost of the Proof-of-Concept, in part or in full, may be deducted from the final amount if the deal goes through.
Achieve Segregation of Duties Using SecurEnds
Whether it's an internal or external audit, SecurEnds IGA software allows administrators to generate reports that show the current state of Segregation of Duties within the company, including which users hold conflicting entitlements and through which roles.