Search Rocket site

Separation of Duties is a Critical Part of your Modern Mainframe Security Strategy

Heidi Losee

January 8, 2020

Recently, we talked about why the mainframe security architect plays such an important role in implementing and modernizing mainframe security strategy. They help fill security gaps, making sure security is front and center throughout the modernization process.

Unfortunately, research shows that 61% of companies think it’s difficult to find the right personnel to manage mainframe security. But even once an organization hires and trains the right people, the work doesn’t stop there. There needs to be a solid framework delineating the roles and responsibilities of each team member in order to maintain security and reporting duties.

For example, while the mainframe security architect should oversee the security of the mainframe, it’s crucial that they’re not responsible for data ownership. Creating separation between roles, so the mainframe security architect doesn’t end up reporting on themselves, is an important part of modern mainframe security strategy.

This concept, often referred to as separation of duties, helps organizations maintain security. And, in fact, new regulations like GDPR actually require organizations to pay more attention to the roles and duties of various team members. Here’s how separation of duties can help.

What’s the goal of separation of duties?

At its core, one of the main goals of separation of duties is to avoid scenarios where people are reporting on themselves or their managers. In reality, the person or people designing mainframe security shouldn’t be the same people responsible for implementing, testing, conducting audits, or monitoring and reporting on mainframe security. With that in mind, it’s time to reevaluate reporting relationships. The reporting relationship should no longer be to the CIO, as has traditionally been the case.

There are two primary objectives of this. The first is to prevent conflicts of interest – whether real or apparent – as well as wrongful acts, fraud, abuse and errors. But, separation of duties also helps organizations detect control failures. These can include, but aren’t limited to, security breaches, information theft and circumvention of security controls.

Possible solutions

Here are a couple of ways to achieve separation of duties, in keeping with the standards GDPR requires. One option is to designate someone who’s responsible for all of Information Security. That person should then report to the chairman of the audit committee.

Another option is to use a third party to monitor security and conduct surprise security audits and security testing. These reports should be sent either to the Board of Directors or the chairman of the audit committee.

Blurred responsibilities within IT operations have created unwanted risk, complexity and conflicts of interest. Separation of duties helps solve this challenge, by empowering organizations to define roles more clearly and minimize risk.