Construction principles for information professionals: (4) Responsibility allocation and segregation of duties
In this series of blogs, I will focus on the enduring construction principles for information systems that ensure better "information structures." These principles have sometimes been forgotten in the rush of advancing technology, resulting in unstable or poorly maintainable and expandable "information structures." This time, I'll discuss the importance of clear responsibility allocation and segregation of duties within an organization. A recent incident at the municipality of The Hague, where an employee was able to forge passports for criminals due to inadequate segregation of duties in the work processes, serves as a reminder of the consequences that can arise when things go wrong.
The administrative organization (AO) is a crucial aspect of a reliable and controlled information management system. Segregation of duties and proper task allocation are fundamental requirements for effective governance and control of an organization. Nowadays, we often refer to this as "governance." While it is commonly associated with financial risks and fraud, it is more than that. It is closely tied to data registration and usage. Given that data is increasingly critical as a business asset and that misuse can have significant consequences, it is worthwhile for information professionals to pay attention to this aspect when designing the overall information provision and establishing checks and balances to prevent conflicts of interest. This should be a deliberate part of the design.
Responsibility Allocation
In many organizations, determining "who is responsible" for information as a business asset is not a straightforward question. The (ultimate) responsibility or ownership of processes, concepts, data, and systems is often undocumented. This also relates to the perpetual division between line responsibility and domain responsibility (or portfolio holders in matrix organizations). The CIO or CDO, in their role of setting guidelines, will demand certain standards for information management, but the substantive accountability for a process or data should lie with an individual within the line management.
Organizing and documenting ownership (or accountability) and management (or responsibility) using a RACI matrix is a means to make this explicit. Because with every change, someone must evaluate and approve the new process, product, concept, data, or application component.
An information professional needs to be familiar with responsibility allocation to ensure that designs are approved by the appropriate decision-making authority.
Segregation of Duties
Segregation of duties is based on creating conflicting interests and prevents an individual from being responsible for multiple consecutive critical actions within a business process, which may lead to irregularities that go undetected in the normal course of operations. It is a preventive control measure (similar to automated system controls and antivirus software) that helps avoid two things in daily record-keeping tasks:
- Discouraging intentional fraud because it requires the collaboration of two or more individuals.
- Reducing the likelihood of unintended errors resulting from the actions of a single employee.
According to the BIO (Baseline Informatiebeveiliging Overheid, or Government Baseline for Information Security), adequate segregation of duties exists when:
- The organization has a clear understanding of vulnerable actions and roles.
- Different vulnerable sub-actions are performed by different employees.
- Vulnerable actions that cannot be divided into sub-actions and cannot be performed separately are conducted in a team setting (principle of dual control).
Consider critical processes and identity management and authorization registration within this context. System authorizations are the means to implement strict segregation of duties. Of course, segregation of duties also exists outside the system, but configuring authorizations provides the opportunity to enforce segregation and is an efficient control mechanism. However, achieving a proper setup where there is complete separation between actions, viewing rights/reports, and between different departments of the organization can be challenging. This is a typical design issue that needs to be carefully considered at the beginning of the business process!
Keep in mind that responsibility allocation and segregation of duties require specific role assignments (decision-making function, recording function, custodial function, executing function, controlling function) to be performed by individuals. A department cannot have such a function!
During the digital transformation of the organization and the adjustment of processes and information provision, responsibility allocation and segregation of duties are crucial areas of focus. While the CISO (Chief Information Security Officer) and DPO (Data Protection Officer) serve as quality guardians, the information professional must conceptualize and design the proposed setup and submit it for review!
Read the other information science principles here:
- Meaningless identity designation, read here.
- Decoupling points for complexity reduction and flexibility, maximizing independence of components, read here.
- Language consistency, read here.
- Clear distribution of responsibilities and functional separation for administration, read here.
- Delegating decision-making authority as low as possible, read here.
- Detaching authorization from identification/authentication, read here.
- Single registration of master data, read here.
- Separating data and metadata in storage and processing, read here.
- Applying standard patterns without deviations, read here.
- Separating application function from data storage, read here.