S 2.5 Division of responsibilities and separation of functions

Initiation responsibility: Agency/company management

Implementation responsibility: Head of IT Section; Head of Organisational Section; IT Security Management

The functions to be performed by the agency/company as regards IT uses must be laid down. Here, a distinction must be made between two levels:

• The first level comprises those functions which provide for, or support, IT system uses for data processing purposes, such as work preparation, data post-processing, operating, programming, network administration, administration of permissions, auditing.

• The second level comprises those functions which apply to the IT procedures available for task performance. Examples of such functions are: person responsible for specialised tasks, IT application supervisor, data acquisition operator, desk officer, payment in-charge.

The next step is to lay down and justify separation of functions, i.e. functions which are not compatible with each other and thus must not be performed by one person at the same time. The relevant requirements may be implied by the tasks themselves or by legal provisions. Examples include:

• administration of permissions and auditing;

• network administration and auditing.

• programming and test of self-developed software;

• data acquisition and authority to sign orders to pay;

• auditing and authority to sign orders to pay;

This shows, in particular, that in most cases operational functions are not compatible with controlling functions.

After the separation of functions to be observed has been laid down, the functions can be assigned to persons.

The provisions laid down in this context must be documented and up-dated in case of changes being made to IT uses. If such assignment do result in incompatible functions having to be performed by one person, this fact must be explicitly mentioned in the relevant documentation on the separation of functions.

Additional controls:

• Has an exhaustive list of the relevant functions been established?

• Is completeness of the defined separation of functions ensured?

• Is separation of functions being maintained in staffing terms?

• Is the allocation of persons/functions updated?