AC.L2-3.1.4 Separation of Duties
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Source: NIST SP 800-171 Rev 2 3.1.4
Discussion: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
Assessment Objectives:
Determine if:
- [a] the duties of individuals requiring separation are defined;
- [b] responsibilities for duties that require separation are assigned to separate individuals; and
- [c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
Examine: [SELECT FROM: Access control policy; procedures addressing divisions of responsibility and separation of duties; security plan; system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; system access authorizations; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for defining divisions of responsibility and separation of duties; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Mechanisms implementing separation of duties policy].
SPRS Score: 1
POA&M Allowed: Yes