An Advanced Segregation of Duties Capability for HP OpenView Select Identity
Tackling ID threats
Segregation of Duties (SoD) is a critical control issue for many organizations. This white paper defines SoD, discusses the relationship between SoD and the provisioning process, introduces HP OpenView Select Identity and its current SoD capabilities, and describes an advanced Select Identity SoD prototype created by HP Labs, which is available to partners and select customers by special request. The paper is directed at strategists, developers and consultants interested in SoD, HP OpenView Select Identity, or the enforcement of business rules during provisioning. In addition, this paper provides an example of how Select Identity can be extended to provide additional management and enforcement capabilities.
Segregation of Duties helps prevent fraud and error by distributing sensitive tasks among multiple individuals. For example, an organization may prohibit an individual from creating and approving the same purchase order. SoD can make fraudulent activities more difficult and risky by requiring collusion between potential perpetrators. Also, SoD can reduce the frequency of errors by requiring separate review or approval of individual actions. Organizations have long practiced SoD, but recent legal and regulatory actions have intensified the demand for SoD tools and expertise. For example, the U.S. Sarbanes-Oxley Act of 2002 has increased the priority and visibility of SoD in U.S. publicly traded companies. Section 302 of the act requires CEOs and CFOs to certify their companies’ financial reports, and Section 404 requires management to include in their annual reports an assessment of their corporate internal control structure and financial reporting procedures.
Implementing SoD involves identifying sensitive privileges or capabilities and then combining them into constraints, which are sets of capabilities that should not be assigned concurrently to the same user, at least without some mitigation. A SoD violation or conflict occurs when a user possesses all the capabilities referenced by a single constraint (for instance the ability to create and approve the same purchase order).
In theory, organizations can implement SoD with manual procedures for assigning and executing sensitive tasks. But in practice, large organizations can greatly benefit from automation. For example, a typical corporate general ledger system may contain tens of thousands of different transactions that should be evaluated against each other for potential SoD conflicts. The general ledger transactions should also be evaluated against transactions in other systems, such as accounts receivable, accounts payable, procurement and payroll.
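The constraint model above (a constraint is a set of capabilities; a violation occurs when one user holds all of them) and the automation argument can be illustrated with a small evaluator. This is an added example, not code from Select Identity or the HP Labs prototype; every capability name and user assignment is constructed sample data, and the two modes (auditing existing assignments, and pre-checking a provisioning request before it is granted) are the author's illustration of the provisioning relationship the paper describes.

```python
"""Minimal SoD constraint evaluator (added illustration, not Select Identity code).
Capability names and assignments below are constructed sample data."""
from typing import Dict, FrozenSet, List, Set, Tuple

Constraint = FrozenSet[str]

# Constructed constraints: capability sets that must not be held by one user.
CONSTRAINTS: List[Constraint] = [
    frozenset({"PO.create", "PO.approve"}),           # purchase-order example from the text
    frozenset({"AP.enter_invoice", "AP.pay"}),         # constructed accounts-payable pair
    frozenset({"GL.post", "GL.review", "GL.close"}),   # constructed three-way constraint
]

# Constructed user-to-capability assignments, aggregated across systems
# (general ledger, accounts payable, procurement) as the text recommends.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"PO.create", "AP.enter_invoice"},
    "bob":   {"PO.create", "PO.approve"},
    "carol": {"GL.post", "GL.review"},
}


def violations(caps: Set[str], constraints: List[Constraint]) -> List[Constraint]:
    """Return every constraint whose capabilities are all present in `caps`."""
    return [c for c in constraints if c <= caps]


def audit(assignments: Dict[str, Set[str]],
          constraints: List[Constraint]) -> Dict[str, List[Constraint]]:
    """Detective mode: report users who already hold a complete constraint."""
    report: Dict[str, List[Constraint]] = {}
    for user, caps in assignments.items():
        found = violations(caps, constraints)
        if found:
            report[user] = found
    return report


def check_request(user: str, requested: Set[str], assignments: Dict[str, Set[str]],
                  constraints: List[Constraint]) -> Tuple[bool, List[Constraint]]:
    """Preventive mode: evaluate a provisioning request before it is granted.
    Returns (allowed, constraints that the request would newly complete).
    Pre-existing conflicts are not re-reported; they belong to audit()."""
    current = assignments.get(user, set())
    before = violations(current, constraints)
    after = violations(current | set(requested), constraints)
    newly_completed = [c for c in after if c not in before]
    return (not newly_completed, newly_completed)
```

In a real deployment the capability inventory comes from each connected system, and a flagged request would be routed to an approver or a mitigation step rather than simply refused.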