The separation of duties within Kudler Fine Foods is important as it limits the amount of power any one individual holds (Gregg, Nam, Northcutt & Pokladnik, 2013). It also enables the management of conflicts of interest and the appearance of conflicts of interests, as well as prevents fraud. It requires that for certain sets of transaction, no single person will be able to perform all the transactions within the set (Ferraiolo & Kuhn, n.d.). As an example, fraud can be prevented in the handling of money by having one sales person take the order while another sales person marks the order as paid. On the other hand, someone from the fulfillment department would be responsible for shipping the product. By having different employees assume different duties for the handling of money, controls are put in place, which ensure the security and accuracy of the order information being entered into the system. Another example would be that the Department Manager’s duties would be separate and different from those of the HR personnel. While the Department Manager handles product or item requisitions, the HR personnel is responsible for hiring employees and classifying employees’ benefits based on their positions in the organization. By separating the duties of the Department Managers from those of the HR personnel, it can be ensured that only the qualified and authorized people are able to make product requisitions and are able to modify employee benefits, respectively.
In the same regard, using roles to segregate data and system access among members of an organization will help ensure that only the authorized people are able to perform certain tasks. Roles can be likened to the employees’ positions in the organization while their level of data and system access can be likened to their duties. For example, only Department Managers should have access to the Inventory and the list of suppliers while only the HR personnel should have access to employee information. With these restrictions to system and data access, it can be ensured that an HR personnel will not mistakenly – intentionally or unintentionally – place orders for items that do not need replenishing. Similarly, it would ensure that Department Managers are not able to see the salaries of their fellow Department Managers and that they are not able to assign more benefits to their favorite employees.
In this regard, a role-based access control system would be the best way of accomplishing this type of security as a role-based control system has the mechanisms that can be used for the enforcement of a policy of separation of duties (Ferraiolo & Kuhn, n.d.). It provides “a means of naming and describing relationships between individuals and rights” (Ferraiolo & Kuhn, n.d., p. 10), which in turn provides the organization with a secure way of meeting its secure processing needs. Although the design and implementation of a role-based access control system is quite challenging, it can be tailored to the organization’s security risk tolerance and business model (Guerin & Lord, 2003). It is also scalable and requires little maintenance, which makes it a cost-efficient solution. Moreover, this approach leads to increased efficiency and the maximization of strategic business value and operational performance. It can also lead to the automation and streamlining of many business processes and transactions, which in turn enable users to perform their jobs faster, better, and with greater personal responsibility.
On the other hand, various techniques can be implemented in order to address distributed trust management issues for users who go to or from business partner networks. For example, in the distributed recommendation-trust model developed by Stephen Hailes and Alfarez Abdul-Raman, a conditional transitivity of trust is proposed. It hypothesizes that trust is transitive under certain conditions (Li & Singhal, 2007). It assumes asymmetrical trust and has two categories for trust relationships, namely direct trust and recommended trust. It uses different interactions for categorizing a trust relationship between two entities where trust in the various categories are independent of each other. Furthermore, it uses continuous trust values for recommender trust and direct trust (Li & Singhal, 2007).
Another method for managing distributed trust management issues is the use of public-key cryptography (Li &n Singhal, 2007). With this method, a public-key certificate is issued by a trusted third party for the certification of a public key’s ownership. In particular, a certificate contains the identity of an entity, the public key, and other data, such as the digital signature of the trusted third party. It is assumed that service users know the public key of a third party, which enables the verification of the certificate. The third party vouches only for the association between a public key and an entity, not necessarily fort the entity’s trustworthiness.
In conclusion, the separation of duties, which is represented by the rules defined in a role-based access control system, ensure the security of an organization through the restriction of any single user’s power or rights and through the prevention of fraud. Moreover, the implementation of a role-based access control system leads to a more efficient system and to increased user productivity. In addition, although the implementation of a role-based access control system can result in a distributed system, trust in such a system can be managed through the use of various techniques, such as the distributed trust-recommendation model and public-key cryptography.
References
Ferraiolo, D. F. & Kuhn, D. R. (n.d.). Role-based access controls. Retrieved from
http://arxiv.org/ftp/arxiv/papers/0903/0903.2171.pdf.
Gregg, J., Nam, M., Northcutt, S. & Pokladnik, M. (2013). Separation of duties in information
technology. Retrieved from http://www.sans.edu/research/security-laboratory/article/it-
separation-duties.
Guerin, T. & Lord, R. (2003). How role-based access control can provide security and business
benefits. Retrieved from
http://www.computerworld.com/s/article/86699/How_role_based_access_control_can_pr
ovide_security_and_business_benefits
Li, H. & Singhal, M. (2007). Trust management in distributed systems. IEEE.
