You work for a business that has just established a new data processing centre. In a conversation with one of the directors over lunch one day, you get onto the topic of controls and the design of controls for the new centre. Proudly, the director boasts, ‘We have the most hi-tech biometric controls in place. No unauthorised access to the centre is possible. The programmers are able to get on with their day-to-day duties of developing programs and managing the organisation’s data resources.’
You are slightly concerned by this statement and immediately think back to appropriate controls for implementation in the information systems environment — one of which is segregation of duties.
(a) What are the faults in the director’s statement?
(b) Can the organisation rely on biometric controls alone?
(c) How can separation of duties be applied in the information systems area?
(d) What are the critical functions that should be separated?
(e) What are the risks if these functions are not separated?