Now we’ll cover some of the administrative aspects of Operations Control.

  1. Separation of Duties is a preventative measure that prevents one person from performing a full function from beginning to an end. This policy reduces the possibility of any one person committing an act against policy unless there is collusion amongst two or more people. Since collusion involves the actions of more than one party, an unwanted action is less likely to occur.
  2. Job Rotation refers to the policy of constantly changing each person’s role within the business process. This method helps to identify recurring mistakes or fraudulent activities, since such activities can be identified and/or corrected by the new person assigned to the same task. You could consider this policy as a type of “detective control.” A strategy that complements the job rotation tactic is mandatory vacation. This policy allows the administrator to detect potential activities of abuse by forcing staff to leave their current post or capacity on a temporary basis. Again, the worker newly assigned to the task is in a position to identify traces or clues leading to the discovery of abuse by the prior worker assigned to the task.
  3. Least Privilege is a policy that requires each individual to be granted the least amount of permission and rights necessary to perform only their assigned duties. In this method, the administrator prevents individuals from performing tasks outside of their assigned duties, which could lead to actions that jeopardize the security of the company’s system. According to Saltzer and Schroeder [Saltzer 75], every program and every user of the system should operate using the least set of privileges necessary to complete the job. Primarily, this principle limits the damage that can result from an accident or error. Sometimes, this policy is called “need-to-know.” In this scenario, a person is not given access to information unless he or she has a specific need to know it. In other words, access to the information must be necessary to conduct that person’s official duties.
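The following is an added example, not part of the original article, showing how the first and third controls above translate into an authorization check in an application: each role carries only the permissions its duties require (least privilege), and the person who creates a payment can never approve it (separation of duties), so completing the function end to end takes two people. The role names, permission strings and payment workflow are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Hypothetical role-to-permission map (constructed for this example).
# Least privilege: each role gets only the permissions its duties require.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "clerk": {"payment:create"},
    "approver": {"payment:approve"},
    "auditor": {"payment:read"},
}

class AuthorizationError(PermissionError):
    """Raised when a user lacks a permission or violates separation of duties."""

@dataclass
class Payment:
    payment_id: str
    created_by: str
    approved_by: Optional[str] = None

class PaymentWorkflow:
    def __init__(self, user_roles: Dict[str, Set[str]]):
        self.user_roles = user_roles          # user -> roles assigned to that user
        self.payments: Dict[str, Payment] = {}

    def permissions(self, user: str) -> Set[str]:
        """Union of the permissions granted by the user's roles, nothing more."""
        perms: Set[str] = set()
        for role in self.user_roles.get(user, set()):
            perms |= ROLE_PERMISSIONS.get(role, set())
        return perms

    def require(self, user: str, perm: str) -> None:
        if perm not in self.permissions(user):
            raise AuthorizationError(f"{user} lacks permission {perm}")

    def create(self, user: str, payment_id: str) -> Payment:
        self.require(user, "payment:create")
        self.payments[payment_id] = Payment(payment_id, created_by=user)
        return self.payments[payment_id]

    def approve(self, user: str, payment_id: str) -> Payment:
        self.require(user, "payment:approve")
        payment = self.payments[payment_id]
        # Separation of duties: even a user who holds both roles may not
        # approve a payment they created, so a single person cannot
        # complete the function alone without collusion.
        if payment.created_by == user:
            raise AuthorizationError(f"{user} cannot approve own payment {payment_id}")
        payment.approved_by = user
        return payment
```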

There are several other controls that should be addressed as well. However, the three fundamental methods we cover here are important administrative controls generally overlooked by many organizations.

Reference:
Saltzer, Jerome H. & Schroeder, Michael D. “The Protection of Information in Computer Systems.” Proceedings of the IEEE 63, 9 (September 1975): 1278-1308.

Tags: Operations Control Techniques, Operations Security