Probably many will respond to your posting on-line. I would suggest you
start with a real security policy document. If you want to contact me for
specific comments off-line, you can email 100710 .
Subject: segregation of duties
Date: Thursday, September 28, 1995 8:25AM
When designing, implementing and running a firewall system, not only
technical problems come in to play.
A firewall system can be considered as a single point of entry, which is
designed to provide adequate protection against the "bad boys" populating
the outside world. IT crime statistics however show that over 80% of all IT
fraud is committed by insiders. One should therefore also ensure that the
firewall is protected against insiders with bad intentions. One of a set of
measures to implement such protection is the application of the principle of
"segregation of duties" (also known as the "need to know" principle). The
idea is that it should NOT be possible for one person to completely manage
all parts of a gateway system. If implemented correctly, it takes at least
two persons to break the protection, which reduces the probability of IT
Does anybody on the list have practical experience with the implementation
of this principle in a firewall environment?
Moret Ernst & Young EDP Audit Management Services, Amsterdam
tel. 020 5497 208