Dual Control or Segregation of Duties?

Many information security professionals, even in senior-level roles, still get internal control mechanisms such as Dual Control and Segregation of Duties wrong. I often see the two concepts confused with each other. Both controls are applied to prevent or reduce fraud, but they differ slightly in their objectives.

FFIEC guidance on application access: Effective application access control can enforce both segregation of duties and dual control. (pg. 48)

ISO 27002 10.1.3 Segregation of Duties: Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.

Segregation of Duties

Segregation of Duties addresses the splitting of the various functions within a process among different users, so that no single user has the opportunity to perform conflicting tasks. The participation of two or more persons in a transaction creates a system of checks and balances and considerably reduces the possibility of fraud. It is therefore important for an organization to ensure that all tasks within a process have adequate separation.

Let us look at some use cases of segregation of duties:

  • A person handling cash should not post to the accounting records
  • A loan officer should not disburse loan proceeds for loans they approved
  • Those who have authority to sign cheques should not reconcile the bank accounts
  • The credit card printing personnel should not print the credit card PINs
  • Customer address changes must be verified by a second employee before the change
    can be activated.

In situations where separation of duties is not possible because of a lack of staff, senior management should set up additional measures to offset the lack of adequate controls.

To summarise, Segregation of Duties is about separating conflicting duties to reduce fraud in an end-to-end function.

Dual Control or Split Knowledge

Dual control enforces the concept of keeping a duo responsible for an activity. It requires more than one employee to be available to perform a task. It utilizes two or more separate entities (usually persons), operating together, to protect sensitive functions or information. Whenever the dual control feature is limited to "something you know", it is often called split knowledge (such as part of a password, cryptographic keys, etc.). This is typically used in high-value transactions and activities (as per the organization's risk appetite) such as:

  • Approving a high-value transaction using a special user account, where the password of this user account is split into two and managed by two different staff. Both staff should be present to enter the password for a high-value transaction. This is often combined with the separation of duties principle. In this case, the posting of the transaction would have been performed by another staff member. This leads to a situation where the collusion of at least 3 people is required to make a fraudulent high-value transaction.
  • Payment card and PIN printing is separated by SoD principles. The organization can further enhance the control mechanism by implementing dual control / split knowledge. The card printing activity can be modified to require two staff to key in the passwords for initiating the printing process. Similarly, PIN printing authentication can also be implemented with dual control. Many Host Security Modules (HSMs) come with built-in support for dual control, where physical keys are required to initiate the PIN printing process.
  • Managing encryption keys is another key area where dual control / split knowledge is to be implemented.

PCI DSS defines Dual Control as below. The definition is written more from a cryptographic perspective, but it is still useful:

Dual Control: Process of using two or more separate entities (usually persons) operating in concert to protect sensitive functions or information. Both entities are equally responsible for the physical protection of materials involved in vulnerable transactions. No single person is permitted to access or use the materials (for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge).

Split knowledge: Condition in which two or more entities separately have key components that individually convey no knowledge of the resultant cryptographic key.
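One scheme that satisfies the split knowledge condition quoted above is XOR key components, shown here as an added example that is not part of the original article or of PCI DSS. The function names, custodian names and sample key are constructed for illustration.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("components must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, custodians: list[str]) -> dict[str, bytes]:
    """Split knowledge: one XOR component per custodian; all are needed."""
    if len(custodians) < 2 or len(set(custodians)) != len(custodians):
        raise ValueError("need at least two distinct custodians")
    components, remainder = {}, key
    for name in custodians[:-1]:
        components[name] = secrets.token_bytes(len(key))  # uniformly random
        remainder = xor_bytes(remainder, components[name])
    components[custodians[-1]] = remainder  # key XOR all random components
    return components


def combine(presented: dict[str, bytes], required: set[str]) -> bytes:
    """Dual control: refuse unless every required custodian presented a part."""
    if len(required) < 2:
        raise ValueError("dual control needs at least two custodians")
    missing = required - set(presented)
    if missing:
        raise PermissionError(f"missing custodians: {sorted(missing)}")
    key = bytes(len(presented[next(iter(required))]))  # all-zero start value
    for name in required:
        key = xor_bytes(key, presented[name])
    return key


def complement_for(known_component: bytes, guessed_key: bytes) -> bytes:
    """The other component that would make guessed_key the real key.

    One exists for every guess, so a single component rules out no key."""
    return xor_bytes(known_component, guessed_key)


if __name__ == "__main__":
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample
    parts = split_key(key, ["custodian_a", "custodian_b"])
    assert combine(parts, set(parts)) == key
    try:
        combine({"custodian_a": parts["custodian_a"]}, set(parts))
    except PermissionError as exc:
        print("refused:", exc)
```

Each component is as long as the key itself, which is what distinguishes this from handing each custodian one half of the key.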

It is key for information security professionals to understand the differences between Dual Control and Separation of Duties. Both complement each other, but are not the same.