Answer:
Separation of duties is a key element in a well-designed internal control system, and it is fundamental to data security. There are various options for achieving separation of duties in information security, and the options vary depending on department responsibilities. For example, some of the best practices for ensuring separation of duties within the information technology department and between information systems and business unit personnel are as follows:
· Programmers should not have unsupervised access to production programs or have access to production data sets (data files).
· Information systems personnel's access to production data should be limited.
· Application system users should only be granted access to those functions and data required for their job duties.
· Program developers should be separated from program testers.
· System users should not have direct access to program source code.
· Computer operators should not perform computer programming.
· Development staff should not have access to production data.
· Development staff should not access system-level technology or database management systems.
· End users should not have access to production data outside the scope of their normal job duties.
· End users or system operators should not have direct access to program source code.
· Programmers should not be server administrators or database administrators.
· IT departments should be separated from information user departments.
· Functions involving the creation, installation, and administration of software programs should be assigned to different individuals.
· Managers at all levels should review existing and planned processes and systems to ensure proper separation of duties.
· Employees' access to documents should be limited to those that correspond with their related job tasks.
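One way to turn several of the rules above into an enforceable control rather than a policy statement is a set of static separation-of-duties constraints in an RBAC model: pairs of roles that no single user may hold at the same time, checked both over existing assignments (a detective review of the kind managers are asked to perform) and before a new grant is made (a preventive check). The following is an added example and is not code from the original answer; the role names, the role hierarchy, the conflict pairs and the sample assignments are all constructed for illustration.

```python
"""Static separation-of-duties (SoD) check over RBAC role assignments.

Added example, not part of the original answer. Role names, the hierarchy,
the conflict pairs and the sample assignments are constructed for illustration.
"""

# Role hierarchy: a role inherits every role listed as its parent, so a user
# holding the child role is also exposed to the child's SoD constraints.
# (Constructed example hierarchy.)
ROLE_PARENTS = {
    "senior_developer": {"developer"},
    "dba": {"prod_data_access"},
    "server_admin": {"prod_program_access"},
}

# Mutually exclusive role pairs. Each pair encodes one item of the list above;
# a user whose effective roles include both sides violates that item.
MUTUALLY_EXCLUSIVE = {
    frozenset({"developer", "prod_data_access"}),       # development staff vs. production data
    frozenset({"developer", "tester"}),                 # developers vs. testers
    frozenset({"developer", "dba"}),                    # programmers vs. database administrators
    frozenset({"developer", "server_admin"}),           # programmers vs. server administrators
    frozenset({"operator", "developer"}),               # computer operators vs. programming
    frozenset({"software_creator", "software_installer"}),  # creation / installation /
    frozenset({"software_creator", "software_admin"}),      # administration of software
    frozenset({"software_installer", "software_admin"}),    # held by different people
}


def effective_roles(roles):
    """Expand directly assigned roles through the hierarchy (transitive closure)."""
    seen = set()
    stack = list(roles)
    while stack:
        role = stack.pop()
        if role in seen:
            continue
        seen.add(role)
        stack.extend(ROLE_PARENTS.get(role, ()))
    return seen


def conflicts_for(roles):
    """Return the sorted list of violated (role, role) pairs for a role set."""
    eff = effective_roles(roles)
    return sorted(tuple(sorted(pair)) for pair in MUTUALLY_EXCLUSIVE if pair <= eff)


def sod_violations(assignments):
    """Detective check: {user: [conflicting pairs]} for every user in violation."""
    report = {}
    for user, roles in assignments.items():
        found = conflicts_for(roles)
        if found:
            report[user] = found
    return report


def can_grant(assignments, user, new_role):
    """Preventive check: would adding new_role to user create a conflict?

    Returns (ok, conflicts); callers should refuse the grant when ok is False.
    """
    proposed = set(assignments.get(user, set())) | {new_role}
    found = conflicts_for(proposed)
    return (not found, found)


# Constructed sample assignments; only bob, carol and erin violate a constraint.
SAMPLE_ASSIGNMENTS = {
    "alice": {"senior_developer"},             # inherits developer; no conflict
    "bob": {"developer", "tester"},            # develops and tests the same code
    "carol": {"senior_developer", "dba"},      # inherited developer + dba + prod data
    "dave": {"operator"},                      # operator only; no conflict
    "erin": {"software_creator", "software_admin"},
}

if __name__ == "__main__":
    for user, pairs in sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: {pairs}")
    print("grant developer to dave:", can_grant(SAMPLE_ASSIGNMENTS, "dave", "developer"))
```

The hierarchy expansion matters: carol is never assigned the `developer` role directly, yet she is flagged twice, because `senior_developer` inherits `developer` and `dba` inherits `prod_data_access`. A checker that only compared directly assigned role names would miss exactly the indirect accumulation of duties that a periodic management review is meant to catch.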