
INFORMATION TECHNOLOGY POLICY:

ROLE-BASED USER MANAGEMENT

1 Source: www.knowledgeleader.com
Table of Contents
INFORMATION TECHNOLOGY POLICY: ROLE-BASED USER MANAGEMENT
ROLE-BASED USER MANAGEMENT

INFORMATION TECHNOLOGY POLICY: ROLE-BASED USER MANAGEMENT

Prepared By:

Approved By:

Revision Date:

Effective Date:

POLICY

For system access control:


• All IT users will be assigned a standard set of system privileges based on a template defined by IT technical
support.
• Any additional privileges a user needs must be requested by the user’s manager and approved by IT technical
support.

For application and data control:


• Any IT process resulting in transferred payments or goods must involve at least two users: one to initiate the
transaction and a different one to validate or approve it before the process may be completed.
• The application or data owner must approve access to an application or data requiring specific authorizations.

PURPOSE

The purpose of this policy is to ensure that there are additional controls in place, specifically to:
• Detect errors and limit opportunities for employee fraud or theft by using multistep processes, which also
increase the probability of detection when fraud or misappropriation of assets is attempted.
• Safeguard company computers and networks against inadvertent exposure to external threats.

SCOPE

This policy applies to:


• All application and process designers
• All managers who assign process responsibilities
• All system operators with privileges extending beyond those of a restricted user

RESPONSIBILITY

IT technical support is responsible for assessing any user’s request for additional privileges beyond the basic
defined template.

Application and process designers are responsible for:


• Ensuring multiuser involvement during the execution of any process that results in a funds or goods transfer
• Ensuring that applications do not need special privileges to be active during execution unless the task at hand
needs those privileges

Each department manager is responsible for ensuring that:


• No employee in the department has all the privileges required to execute a controlled process to completion.
• All special privileges are removed when an employee changes responsibilities within the department or if an
employee is transferred out of the department.

All users who need additional privileges for specific tasks are responsible for ensuring that those privileges are
active only during the execution of those specific tasks.

DEFINITIONS

• Separation of Duties: A security principle that ensures that no single individual can complete a controlled
process, and therefore breach security, alone.
• Least Privilege: A security principle that ensures that a user has only those privileges required for the task at
hand and no more.

REFERENCES AND RELATED STATEMENTS

• SPP IT 8.02: Systems Security
• SPP IT 8.03: User Identification and Passwords
• SPP IT 8.04: Confidentiality and Privacy
• SPP IT 9.03: Data Access Controls
• SPP IT 9.04: Application Security Controls

PROCEDURES

A department manager who requests special system, application or data access privileges for an employee must
include detailed justifications specifying why the special privileges are required based on the roles and
responsibilities assigned to the employee.

IT technical support will review all requests for additional privileges and:
• Approve those requests that have sufficient justification.
• Reject requests that do not have sufficient justification and include the reason for the rejection. Suggestions for
workarounds will be returned if enough information is supplied with the request.

A user who needs special system privileges for specific responsibilities will be assigned a secondary user
identifier with those privileges. This user identifier must be used only for the tasks needing special privileges.
When these tasks no longer need to be performed, the user must revert to the privileges associated with their
regular user identifier.

All application and process design checklists must include a requirement that applications and processes
involving funds or the transfer of goods must have the involvement of multiple users for the completion of the
transfer.

Applications that do not need special privileges during execution must not depend on special privileges being
active.

ROLE-BASED USER MANAGEMENT

THE NEED

Separation of duties is a powerful internal control. It requires that a transaction be initiated and concluded by
different individuals. It is strengthened by having clear policies setting out what users may and may not do and
requiring that more than one user be involved in certain activities.

CONTROL OBJECTIVES

This policy addresses the following control objectives:

COBIT control objective:

• DS5: Ensure systems security, maintain information and processing infrastructure integrity, and minimize
the impact of security vulnerabilities and incidents.

ITCG control objectives:

• R: Ensure that appropriate controls are established over data management activities.
• T: Ensure the integrity, confidentiality and availability of information technology throughout the enterprise.
• U: Ensure that access to the enterprise’s systems and information is reliably controlled.

CONSIDERATIONS

The principles of “separation of duties” and “least privilege” are important general business controls. They are
used to ensure that any process used to transfer currency or goods, or to create or modify important records of
transactions or balances, cannot be executed from start to finish by one individual. Separation of duties protects
against inadvertent errors by requiring at least two individuals to be involved. It also may prevent theft or fraud,
since these would require the collusion of two or more employees.

Enforcement is accomplished by identifying the roles assigned to different users and specifying restrictions by role
or by the user as to the applications and operations that different users may execute, what data they can access,
and the form of their data access, such as read-only, write-only, read and write, read and update, or update-only.

Separation of duties provides two benefits:


• It creates a proactive opportunity for someone to discover an error before completing the process.
• It reduces the possibility that a team member can commit fraud undetected. Employees will also be less likely
to attempt fraud when it is known that there is a high probability of getting caught.

In the most commonly used example, two separate transactions are needed to complete a payment process: first,
initiate the payment transaction, and second, authorize the payment. No single employee should be capable of
acting in both roles. This example can be extended to require a second authorization for a payment exceeding a
specified threshold such as $10,000, with additional authorizations at higher thresholds. Each extension adds
another person who would have to collude, lowering the probability of successful fraud further.

It is also important to maintain separation of duties when one or more of the employees involved in a process is ill,
on vacation, on leave of absence or away on business for an extended period. One or more backup people must
be assigned for each role. These backups must not be currently assigned to the process in another role. The
objective is to preserve control without unduly interfering with business operations.
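The enforcement model described above (restrictions assigned by role, a payment that must be initiated and approved by different people, extra approvals above an amount threshold, and backups that must not already act in the process in another role) can be checked mechanically. The following is an added example written for this page, not code from the policy or from KnowledgeLeader. The user names, the "payments" process, and the $100,000 tier are constructed; only the $10,000 second-authorization threshold comes from the text.

```python
"""Separation-of-duties checks for a two-step payment process (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Roles that must be held by different people for a process to complete.
PROCESS_ROLES: Dict[str, Set[str]] = {"payments": {"initiator", "approver"}}

# Distinct approvals needed at or above each amount. The $10,000 tier is the
# one the policy text gives; the $100,000 tier is an assumed extension.
APPROVAL_THRESHOLDS = [(0, 1), (10_000, 2), (100_000, 3)]


def approvals_required(amount: float) -> int:
    """Number of distinct approvers a payment of this amount needs."""
    required = 1
    for threshold, count in APPROVAL_THRESHOLDS:
        if amount >= threshold:
            required = count
    return required


def sod_violations(assignments: Dict[str, Set[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Users holding every role of a controlled process, i.e. able to run it alone."""
    found = []
    for user, held in assignments.items():
        for process, roles in PROCESS_ROLES.items():
            held_here = {role for proc, role in held if proc == process}
            if roles <= held_here:
                found.append((user, process))
    return found


def backup_conflicts(assignments, backups: Dict[Tuple[str, str], List[str]]):
    """Backups who are already assigned to the same process in another role."""
    conflicts = []
    for (process, role), users in backups.items():
        for user in users:
            others = {r for p, r in assignments.get(user, set()) if p == process and r != role}
            if others:
                conflicts.append((user, process, role))
    return conflicts


class SeparationError(Exception):
    """Raised when an action would let one person complete a controlled process."""


@dataclass
class Payment:
    amount: float
    initiated_by: Optional[str] = None
    approvers: List[str] = field(default_factory=list)

    def initiate(self, user: str, assignments) -> None:
        if ("payments", "initiator") not in assignments.get(user, set()):
            raise SeparationError(f"{user} is not a payment initiator")
        if self.initiated_by is not None:
            raise SeparationError("payment already initiated")
        self.initiated_by = user

    def approve(self, user: str, assignments) -> None:
        if self.initiated_by is None:
            raise SeparationError("nothing to approve yet")
        if ("payments", "approver") not in assignments.get(user, set()):
            raise SeparationError(f"{user} is not a payment approver")
        if user == self.initiated_by:  # the core separation-of-duties rule
            raise SeparationError(f"{user} initiated this payment and cannot approve it")
        if user in self.approvers:  # each approval must come from a distinct person
            raise SeparationError(f"{user} already approved this payment")
        self.approvers.append(user)

    @property
    def complete(self) -> bool:
        return (self.initiated_by is not None
                and len(self.approvers) >= approvals_required(self.amount))


# Constructed role assignments; "dave" holds both roles and is the violation.
ASSIGNMENTS = {
    "alice": {("payments", "initiator")},
    "bob": {("payments", "approver")},
    "carol": {("payments", "approver")},
    "dave": {("payments", "initiator"), ("payments", "approver")},
}
# Constructed backup list; "alice" cannot back up approvers because she initiates.
BACKUPS = {("payments", "approver"): ["erin", "alice"]}


def run_payment(amount: float) -> Payment:
    """Walk a payment through initiation and the approvals its amount needs."""
    payment = Payment(amount)
    payment.initiate("alice", ASSIGNMENTS)
    for approver in ("bob", "carol"):
        if payment.complete:
            break
        payment.approve(approver, ASSIGNMENTS)
    return payment


if __name__ == "__main__":
    print("SoD violations:", sod_violations(ASSIGNMENTS))
    print("Backup conflicts:", backup_conflicts(ASSIGNMENTS, BACKUPS))
    print("$25,000 payment complete:", run_payment(25_000).complete)
```

The two static checks are what a department manager or auditor would run over a role export before anyone transacts; the `Payment` class is the runtime half, where an initiator's own approval and a repeated approval are rejected rather than silently counted.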

The principle of least privilege is another necessary security control. It requires that an employee be given no
more privilege than necessary to execute their responsibilities. Additionally, the employee must only activate
those privileges needed to perform any specific task. For example, a system administrator should not be
operating with administrator privileges when surfing the internet or opening an email. Accidentally accessing a
rogue website with administrator privileges could seriously compromise the system administrator’s computer and
the attached network.

To ensure that an employee has the least privilege necessary, you must identify the employee’s responsibilities,
determine the minimum set of privileges needed to execute those responsibilities, and restrict the user so only
those privileges assigned may be invoked. When additional privileges beyond those needed to do a job are
denied to an employee, the denied privileges cannot be used to bypass the organization’s security policies.

