IT Organization Structure and Responsibilities

Time
7 hours 15 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
>> Hi there and welcome back to our next lesson, IT organization structure and responsibilities. We'll be covering today what IT organization structures and responsibilities are, some of the general functions, segregation of duties, which is a fairly critical sub-takeaway from this particular lesson, and some of the compensating controls that can be put in place. Let's begin.

The IT organization structure and responsibilities will be implemented in a number of different ways across different organizations. But typically you'll see them headed by an IT manager, a director, or a Chief Information Officer, particularly in large organizations.

Now, an important little tip for the exam. Specific job responsibilities won't be tested, essentially due to the variation. They'll vary from large to small organizations and across the world. Common functions though, such as the business owner and information custodian, may be tested. It's important that you know those, and a key focus of this area will be the implication of separation of duties on the organization and structure of IT.

In terms of an IT organization, these are a couple of the standard functions that you may see: systems development manager, project management, help desk, end user and end user support manager, somebody responsible for data management, quality assurance, and obviously information security management. Now, depending on the organization, there can be a range of other functions that you may come across. I won't go through all of those, but you can certainly see that they're a little bit more industry-specific and may not exist in all organizations.

Now, segregation of duties, as I said, this is a key aspect to understand. Again, it will vary between organizations. But generally there are three areas that you look at for segregation of duties. One is the custody of assets: ensuring that critical assets or sensitive assets are held by two different people. Then authorization of transactions or any processing, and recording of transactions. Those are the three key aspects of the segregation of duties issues that you need to be mindful of.

Why do we segregate? Ultimately, there's a number of reasons. Misappropriation of assets: having two people responsible will lower that level of risk. Financial statement irregularities or inaccurate financial documentation, undetected improper use of funds, and also modification of data and changes to data or programs. The key idea behind segregation is that having two separate individuals share a sensitive responsibility will lessen the chance of any malfeasance or any errors or misuse creeping in.

Now, some of the controls with segregation of duties. Transaction authorization: an authorization of transactions is conducted by two individual people. Often you'll see this in accounts payable and accounts receivable being split across two individuals within an organization. Custody of assets: in other words, two areas or two people being responsible for sensitive assets and access to data, which is a fairly critical thing within organizations. Authorizations for particular access to sensitive data within the organization are separated across different roles and functions.

Now, some compensating controls. In other words, controls which can be put in place to help manage these segregation of duties requirements: audit trails, for example, reconciliation processes, exception reporting, transaction logs, supervisory reviews, and obviously, as an auditor, an independent review potentially.

We've reached the end of our lesson. We've talked a little bit about the organizational structure and responsibilities within IT and how they vary across organizations, but will have some commonalities that you can certainly look for; some of the general functions that are performed within the IT organization; segregation of duties, which is a key thing to remember for your exam; and some compensating controls that exist for segregation of duties. I hope you enjoyed this lesson and I will see you at the next one.