Why is Separation of Duties difficult to implement
for small businesses?
During a webinar I gave, in partnership with the Veterans In Business Network, on the topic of DFARS / NIST 800-171 Cybersecurity Compliance, we received the following question: For Access Control you mentioned “separating duties” – in a small business with limited “back office” personnel, what do you recommend to meet this control?
This is a such a great question, I’d like to address it with this brief blog. It’s a challenge for small businesses with limited personnel “wearing many hats” to separate duties, but I’ll bet just by utilizing common sense the business already has some separation in place. Here is the exact requirement from NIST 800-171:
Control 3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
And here are the exact assessment objectives—or as we call them, “organizational actions”—from the NIST 800-171 A (DRAFT):
- the duties of individuals requiring separation to reduce the risk of malevolent activity are defined
- organization-defined duties of individuals requiring separation are separated
This control and its objectives are designed to provide the DoD with some level of assurance that it would require conspicuous collusion on the part of multiple employees of the contractor to perform malicious activity with respect to DoD Controlled Unclassified Information (CUI).
"Compelling Evidence" for
NIST 800-171 Security Requirements
To show “compelling evidence” that this control is met, I recommend generating a granular list of all duties performed at your organization with respect to the covered information and systems. Let’s say you are an engineering company; you’d have duties such as “manage IT system”, “approve access to IT systems”, “create engineering drawings”, “send engineering drawings to customer”, “create and send invoices”, etc. Then create a matrix that shows which personnel execute each duty, and use that to help define which duties need to be separated.
Separation of Duties Matrix
Your matrix doesn’t have to be terribly complex, but do your best to get as granular as possible with the duties, and be sure to list all individual roles. Notice the phrase “organization-defined” in the NIST 800-171 A objective—you define the duties and the separation. You’ll probably notice from the matrix that you already have a lot of separation. The matrix will also highlight some duties that you might be able to further separate. For instance, in our example of fictitious engineering company above, it sure looks like the CFO has a lot of duties; the CEO may want to re-evaluate and take some duties off the CFO’s plate, and/or create a more granular duty structure. Also, three roles have the “Approve access to IT systems” duty—only one individual should have this privilege, so the company will want to adjust policy there.
Save the matrix you created as “compelling evidence” of your strategy to separate duties. The matrix is in fact part of your system security plan.
Good Hunting!
–Adam Austin
Cybersecurity Lead