
HOW TO ACHIEVE SEPARATION

From the document Data Center Operations Management (pages 134-137)


There are various ways to achieve separation of duties, some of which have been discussed: through organizational structure, technical means, physical measures, and administrative practices. None of these approaches can work alone; they should be combined to achieve proper segregation of functions.

Organizational Separation

The most obvious and most widely used technique for achieving separation of duties is placing incompatible functions in different organizational areas (e.g., programming and computer operations can be organizationally separated). For organizational separation to work, every employee must understand how the functions are separated. This understanding can be achieved by using job descriptions, perhaps supplemented by organizational charts. One of the major considerations when using organizational separation is that two organizational units should not be responsible for the same function. Besides complicating the separation of duties, dual responsibility makes it more difficult to establish accountability.

Some guidelines for organizational separation are:

• Control functions (listed earlier) should not be split (e.g., between data entry and control).

• Since control monitors the activities of computer operations and data entry, it should be organizationally separated from them.

• The operations supervisor should not have responsibility for systems and programming, nor should the systems and programming supervisor have operations responsibilities.

• The systems and programming supervisor should not have responsibility for or control over data entry.

• The systems programmer should not report to the systems and programming supervisor.

• The data base administrator should report to the head of DP.

• The security administrator should report to the head of DP or to the head of data base administration.

• The EDP auditor should not be part of DP.

Technological Separation

Technology can assist in separating functions through various software packages. Three useful types of packages are tape management systems, program management systems, and security packages.

Tape Management Systems. Tape management systems allow tape libraries to be run using only a number for the external tape label. With such systems, the content of a file cannot be discovered without a library listing. This limits access to assets. For example, it would be next to impossible for someone without a library listing to make an unauthorized copy of a personnel file. Even after gaining access to the library, it would be impossible to discover which of the hundreds of tape reels held the personnel file.

Program Management Systems. Program management systems (PMSs) discourage irregular alterations to programs by providing an audit trail of program changes. Another function performed by many PMS packages is preventing changes to live production programs, which is another limitation on access to assets.

Security Packages. Security packages are another technological method for separating functions and limiting access. Through proper password procedures, for example, programmers can be denied access to live data files, and users can be denied access to programs. Thus, programmers cannot enter data, and users cannot change programs. Separation can also be carried one step further: user access can be limited to specific files, and programmers can be given access only to programs for which they have responsibility.

Security packages perform other functions in addition to password control. They can keep a record of log-on violations and can disconnect a terminal after a predetermined number of successive log-on errors. This prevents an unauthorized person from gaining access to files and/or programs through trial and error. Security packages can also record illegal requests and alert the security administrator so that an immediate investigation can be made. In addition, the packages can log all file accesses (or only accesses to restricted files) in order to facilitate investigation of unauthorized changes to these files.
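The behaviour this section attributes to security packages can be sketched in a few lines. This is an added example, not code from the book: the user names, program and file names, terminal ID and the threshold of three errors are constructed, and the password check itself is assumed to happen elsewhere.

```python
from dataclasses import dataclass, field

MAX_LOGON_ERRORS = 3  # assumed value; the text says only "a predetermined number"

# Constructed grants: a programmer reaches only the programs they are
# responsible for, a user only specific data files.
GRANTS = {
    "prog_ann": {("program", "PAYROLL01")},
    "user_bob": {("file", "PERSONNEL")},
}

@dataclass
class SecurityPackage:
    errors: dict = field(default_factory=dict)      # terminal -> successive log-on errors
    disconnected: set = field(default_factory=set)
    audit: list = field(default_factory=list)       # records for the security administrator

    def log_on(self, terminal, user, password_ok):
        """password_ok is the result of a password check done elsewhere."""
        if terminal in self.disconnected:
            self.audit.append(("logon_refused", terminal, user))
            return False
        if password_ok:
            self.errors[terminal] = 0               # only successive errors count
            return True
        self.errors[terminal] = self.errors.get(terminal, 0) + 1
        self.audit.append(("logon_error", terminal, user))
        if self.errors[terminal] >= MAX_LOGON_ERRORS:
            self.disconnected.add(terminal)
            self.audit.append(("terminal_disconnected", terminal, user))
        return False

    def request(self, user, kind, name):
        """Allow access only to explicitly granted programs or files; log every request."""
        allowed = (kind, name) in GRANTS.get(user, set())
        self.audit.append(("access" if allowed else "illegal_request", user, f"{kind}:{name}"))
        return allowed

def demo():
    """Run constructed events through the package and return the outcomes."""
    pkg = SecurityPackage()
    results = [
        pkg.request("prog_ann", "program", "PAYROLL01"),   # own program: allowed
        pkg.request("prog_ann", "file", "PERSONNEL"),      # live data file: denied
        pkg.request("user_bob", "program", "PAYROLL01"),   # program: denied
    ]
    for _ in range(MAX_LOGON_ERRORS):
        pkg.log_on("T07", "user_bob", password_ok=False)
    results.append(pkg.log_on("T07", "user_bob", password_ok=True))  # terminal already cut off
    return results, pkg
```

The audit list is what the security administrator would review: it holds the denied requests, each log-on error, and the disconnect event for terminal T07.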

Physical Separation

Separation of duties can be implemented and enforced by physical means; for example, physical access to the computer should be limited to computer operators, operations management, and field engineers (field engineers should be accompanied and closely observed by operations supervision).

Physical separation can be enforced by placing the computer in a room with locked entrances or by using guards and badges. People who need access to the computer room, but not to the computer, can be issued badges that authorize access at particular times or under certain conditions. In this category are the tape librarian, janitorial staff, EDP auditors, and possibly control clerks.

Tape Library. If a tape management system is not used, access to the tape library must be limited in some other way. Only the tape librarians and their supervisors who do not operate the computer should have access. This limitation can be enforced by locating the tape library in a separate room adjacent to the computer room. The door between the computer room and the tape library should be locked.

Terminals. With the advent of RJE and online terminals, physical access to the computer is no longer needed to use its programs, files, and computing power. Thus, RJE and online terminals should also be protected from unauthorized access. RJE terminals should be placed in locked rooms. This may be impractical for online terminals; in such cases, terminals equipped with locks should be used. In addition, the communications systems that control online terminals can limit the hours of use (e.g., from 8:00 A.M. to 12:00 P.M. and from 1:00 P.M. to 5:00 P.M.). Passwords and/or machine-readable badges can also be used to limit access to terminals.

Program Documentation. Just as programmers should not have access to the computer, operators should not have access to program documentation that would enable them to understand, and thus modify, a program's functions. Furthermore, programmers should not have access to the documentation of programs for which they are not responsible. To ensure this type of separation, program documentation should be physically controlled. It should be kept in a central location where it can be locked up when not in use, and checkout procedures should be used. These physical controls are important for both programs in production and programs under development.

Employee Seating. Finally, persons performing similar functions should sit in the same area. Conversely, the seating arrangement should not intermix people performing incompatible functions. This physical separation simplifies the security aspects of the supervisor's task.

Administrative Separation

Many administrative rules or actions can be used to achieve separation of duties, including the following:

• All tests should be run by computer operators.

• Live data files should never be used for test purposes.


• Users must participate in the development of test data.

• Check stock and other negotiable paper should be stored, controlled, and accounted for by someone not in the DP department.

• All negotiable paper should be numbered, and its use should be logged.

• All runs involving negotiable paper should take place on weekday shifts. Two people should be present during the runs.

• Computer operators should not have access to control totals.

• DP personnel must not originate entries for processing.

• Runs of specific applications should be rotated among operators on a basis unknown to the operators.

• The keying of input to a given application should be rotated among data entry operators.

• All DP personnel should be required to take annual vacations, at least five days of which should be consecutive.

• All errors, except keypunch errors, should be corrected by users. If a user corrects his or her own errors, the errors and the corrected values should be reviewed by a supervisor.

• Data entry operators should not verify their own work.

• Control personnel should ensure that all errors are corrected by users, either by keeping a copy of all error, exception, and batch balance reports or by logging errors.

• All systems designs should be approved by users and EDP auditors.

• All documentation should be reviewed by supervisors to ensure adherence to standards.

• Console logs or reports should be reviewed by supervisors to detect unauthorized actions and interventions.

• Security reports produced by the security package or other software should be reviewed by the security administrator to detect unauthorized accesses and actions.

• Reports produced by the program management system should be reviewed by program supervision to detect unauthorized program changes.
