S 2.5 Division of responsibilities and separation of functions
Initiation responsibility: Top Management
Implementation responsibility: IT Security Officer, Head of IT, Head of Organisation
The functions to be performed by the government agency and/or company in connection with the use of IT must be defined. There are two levels of functions in this case:
- The first level consists of the functions enabling or supporting the use of the IT, for example work preparation, post-processing data, operations, programming, network administration, rights administration, audits.
- The second level consists of the functions which apply the IT procedures available for performing their tasks. Examples of such functions include: Specialist Responsible, IT application support, data acquisition, data processing, and authorised payment requester.
In the next step, the separation of functions is defined and reasons are given for these separations (i.e. which functions are incompatible and therefore must not be performed by the same person at the same time). Rules for defining this separation may result from the tasks themselves or from statutory provisions. Examples include:
- rights administration and auditing,
- network administration and auditing,
- programming and testing software developed in-house,
- data acquisition and authorised payment requesting,
- auditing and authorised payment requesting.
These examples illustrate that most operative functions are not compatible with controlling functions.
After specifying the separation of functions to be applied, the functions can be assigned to specific people. Substitution arrangements must also be taken into account and documented (see also S 3.3 Arrangements for substitution).
The related specifications must be documented and updated if the IT usage changes. If two mutually incompatible functions need to be assigned to a single person, then special emphasis should be placed on this fact in the corresponding documentation on the separation of functions.
Review questions:
- Are all relevant functions that use or support the use of IT defined within the organisation?
- Is the separation of functions completely defined and documented for incompatible functions?
- Is the separation of functions maintained on the level of personnel?