Department of Corrections and Rehabilitation - Operations Manual

Chapter 4 – Information Technology

Article 45 – Information Security


49020.7.1 Segregation of Duties in the Information Security Program

  • There shall be a strict separation of duties among, and within, all organizations responsible for using, operating, and developing computer-based information systems. Separation of duties shall be maintained to ensure a separation of responsibilities for initiating and authorizing transactions, recording of transactions, and custody of assets. Segregation of duties, similar to that required in manual systems, shall be implemented in computerized systems.

  • The following guidelines shall be used regarding such separation of duties:

    • Convert and Conceal – No one person should be able to convert a resource to their personal use and be able to conceal the action.

    • Custody and Control – No one person should have custody of an asset and at the same time be solely responsible for the accounting for that asset.

    • Custody and Access – No one person shall have custody of an asset and, at the same time, have unrestricted access to the records pertaining to that asset.

    • Origination and Authorization – No one person shall both originate and authorize a transaction.

    • Originate and Maintain – No one person shall both enter a transaction and maintain the related master file.

    • Access and Restriction – Access to transactions shall be on a need-to-know basis.

  • EIS (Enterprise Information Services, formerly the Information Services Division) is charged with the responsibility for the development and maintenance of computer-based systems for the CDCR (California Department of Corrections and Rehabilitation). In this capacity, EIS provides a service to actual or potential users of computer-based information systems. In addition, there are several computer “user” groups throughout the Department. Each of these organizations is providing a service to all actual or potential users of computer-based information systems.

  • To ensure that assigned responsibilities are met and that separation of duties is maintained, individuals/programs shall not originate or authorize transactions, have custody or control over online data processing assets, or have the authority to originate master file changes. Source documents shall originate and be controlled by functions independent of such persons/programs.

  • Appropriate procedures shall be developed, subject to approval by the AISO, to ensure that adequate controls exist to ensure the separation of duties and responsibilities.

  • The procedures may include variances to the Change Management Process in order to resolve failures of critical applications. Such variances shall provide for audit trails and retroactive release or approval documentation, and require the prior approval of the AISO.