IT Segregation of Duties - Matrix 475



  • Hi.
    I’m working on SOX Compliance Preparation and I came up with Segregation of Duties within IT Area.
    I was just wondering if anyone out there can share a template for a Segregation of Duties Matrix or something like that.
    I really don’t know how to encourage this issue since we do not have any documentation for this activity control and we have to start from zero.
    Thanks in advance
    M.



  • I am not aware of a ‘template’ but may I suggest starting out by getting a copy of the job duties for each of the members of the IT staff. Then speak to each member of the staff or the VP of IT and determine what function each of them has and if it matches up with their job descriptions. Once you have all that documented and know who does what, then find out the access each of them has to the infrastructure. At first you're going to be looking for major conflicts like a helpdesk admin having administrator access to the network. The big things should jump out at you. Then once you determine the big issues you will have to start doing a little digging on other security areas within the systems.
    Anyone else have any suggestions?



  • Hi,
    Try checking the following to see whether it satisfies your request.
    isaca.org/Content/ContentGroups/Certification3/CRM_Segregation_of_Duties.pdf
    regards



  • Thanks all for your answers.
    I finally came up with a specific business model for my client.
    The matrix is a table with two input rows and columns:
    IT Area-Roles / IT Services-Functions
    I had already seen the CISA matrix you mentioned and I think it is a good start if you need to define the combination of roles that can create a potential control weakness. But in order to have these segregated in a ‘chart’ you need to define all the functions and services that the ‘role’ applies for.
    I’ll be translating my matrix and posting it here later.
    Thanks again for your help.
    M.
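
An added example, not part of the thread and not the poster's matrix: a minimal Python sketch of the approach discussed above, a role-by-function matrix plus a list of function combinations one person should not hold, checked against each person's actual access. All role, function and staff names and the conflict pairs are constructed for illustration; the helpdesk / network administrator case is the one mentioned earlier in the thread.

```python
# Constructed sample matrix: rows are IT roles, columns are IT functions.
ROLE_FUNCTIONS = {
    "helpdesk": {"reset_passwords", "log_tickets"},
    "network_admin": {"administer_network", "change_firewall_rules"},
    "developer": {"write_code"},
    "release_manager": {"deploy_to_production"},
}

# Constructed conflict rules: pairs of functions one person should not hold.
CONFLICTS = {
    frozenset({"reset_passwords", "administer_network"}),
    frozenset({"write_code", "deploy_to_production"}),
}

# Constructed inputs: documented job roles and access actually found per person.
JOB_ROLES = {"alice": {"helpdesk"}, "bob": {"developer"}, "carol": {"network_admin"}}
ACTUAL_ACCESS = {
    "alice": {"reset_passwords", "log_tickets", "administer_network"},
    "bob": {"write_code"},
    "carol": {"administer_network", "change_firewall_rules"},
}


def functions_for(roles):
    """Union of the functions granted by a set of roles (matrix lookup)."""
    funcs = set()
    for role in roles:
        funcs |= ROLE_FUNCTIONS.get(role, set())
    return funcs


def find_conflicts(functions):
    """Conflicting function pairs fully contained in one person's access."""
    return sorted(tuple(sorted(pair)) for pair in CONFLICTS if pair <= functions)


def review(actual_access, job_roles):
    """Report access beyond the documented roles and any SoD conflicts."""
    report = {}
    for person, actual in actual_access.items():
        expected = functions_for(job_roles.get(person, set()))
        excess = sorted(actual - expected)
        conflicts = find_conflicts(actual)
        if excess or conflicts:
            report[person] = {"excess": excess, "conflicts": conflicts}
    return report


if __name__ == "__main__":
    for person, findings in review(ACTUAL_ACCESS, JOB_ROLES).items():
        print(person, findings)
```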



  • Hi,
    I’m working on SOX Compliance and I’ll have to prepare a Segregation of Duties Matrix within the IT Area.
    I was just wondering if you came up with an IT activity control list (that you called IT Services-Functions); maybe you could help me by sending it by email. (erica.gallucci_at_gmail.com)
    I’m in your next-door country (Brazil), so I can read Spanish.
    Regards,
    Érica



  • Hi,
    I’m working on segregation of duties within the IT organization.
    I was just wondering if you can share the matrix that you developed for your client.
    Could you help me by sending it by email (simona.gangi_at_it.pwc.com)?
    Thanks a lot.
    Best Regards,
    Simona



  • Hi - Some of the links found in this general search look promising (although you might have to skip some of the vendor-related links).
    General search
    Please add www and paste into browser
    google.com/search?hl=en-and-q=SOX Segregation of Duties
    Example of Word based template found
    Please add www and paste into browser
    auditnet.org/docs/User AccessControls WP.doc

