3.1.4—Access Control - Derived
>Control Description
>Discussion
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
>Cross-Framework Mappings
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What policies govern separation of duties for critical functions?
- •How do you identify duties that require separation?
- •What process ensures individuals cannot execute conflicting duties?
- •How are separation of duties conflicts detected and resolved?
- •Who reviews and approves role assignments to prevent conflicts?
Technical Implementation:
- •What technical controls enforce separation of duties?
- •How do access control systems prevent conflicting role assignments?
- •What automated checks detect separation of duties violations?
- •How are privileged functions divided among different individuals?
- •What mechanisms prevent a single user from completing critical transactions alone?
Evidence & Documentation:
- •Can you provide a separation of duties matrix?
- •What documentation shows role conflicts are prevented?
- •What evidence demonstrates critical functions require multiple people?
- •Can you show logs of transactions requiring dual authorization?
- •What audit reports verify separation of duties compliance?
Ask AI
Configure your API key to use AI features.