Separation of Duties

Status: Live

The organization will ensure that there is a segregation of duties between those that develop systems and applications, those that test systems and applications, and those that manage systems and applications. [UCF ID 00774]

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

AICPA Suitable Trust Services Principles and Criteria, ¶ .17 § 3.11, ¶ .20 § 3.14, ¶ .24 § 3.15, ¶ .29 § 3.14; AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls, ¶ 41.4; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App B § III.C.1.e; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 498; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj E.1, Exam Tier II Obj E.2; FFIEC IT Examination Handbook – Development and Acquisition, Pg 5; FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 35, Obj 5.1; FFIEC IT Examination Handbook – Information Security, Pg 6, Exam Tier II Obj A.1 (Access Rights Administration), Exam Tier II Obj B.6; FFIEC IT Examination Handbook – Management, Pg 9, Pg 26, Exam Obj 2.1, Exam Obj 3.7; FFIEC IT Examination Handbook – Operations, July 2004, Pg 22, Pg 25, Pg C-7, Exam Tier I Obj 5.3, Exam Tier I Obj 9.6; FFIEC IT Examination Handbook – Retail Payment Systems, March 2004, Pg 33, Pg 38, Exam Tier I Obj 2.1, Exam Tier I Obj 3.3, Exam Tier I Obj 4.2, Exam Tier II Obj 2.1, Exam Tier II Obj 2.2, Exam Tier II Obj 3.2, Exam Tier II Obj 4.2, Exam Tier II Obj 6.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.15; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 16, Pg 20, Pg 31 thru Pg 33, Exam Tier I Obj 2.1, Exam Tier II Obj 1.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.3, Exam Tier II Obj 12.1, Exam Tier II Obj 14.4; Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2, § 6.3.3; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 2-14.c(1); Protection of Assets Manual, ASIS International, Pg 15-I-18, Pg 15-V-6; NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006, § 8-611; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; Federal Information System Controls Audit Manual (FISCAM), February 2009, SC-1.1; GAO/PCIE Financial Audit Manual (FAM), § 295F.02; The National Strategy to Secure Cyberspace, February 2003, § III.A.1.b(i)(2); Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2, AC-5; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, AC-5, AC-5.5; CobiT 4.1, PO4.11; The Standard of Good Practice for Information Security, CB2.1.5(b), CI1.1.3(a), CI4.1.2(b), NW1.1.3(a), UE1.1.5(b), UE1.2.7(b); ISO 17799:2005 Code of Practice for Information Security Management, § 10.1.3; ISO 27001:2005, Information Security Management Systems - Requirements, Annex A.10.1.3; ISO/IEC 27002-2005 Code of practice for information security management, § 10.1.3; OGC ITIL: Security Management, § 4.2.3.2; BIS Sound Practices for the Management and Supervision of Operational Risk, ¶ 14, ¶ 33; Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2, § 6.3.3; State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Rev. 2.0, § 4.4; Archer Control Table, ATCS-058, ATCS-059, ATCS-327; Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT, § 4.3 (AC-5); Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 5.1.3

Sarbanes Oxley Guidance

The organization should implement roles and responsibilities that provide for separation of duties. [¶ .17 § 3.11, ¶ .20 § 3.14, ¶ .24 § 3.15, ¶ .29 § 3.14, AICPA Suitable Trust Services Principles and Criteria]

[¶ 41.4, AICPA SAS No. 94, The Effect of Information Technology on the Auditor's Consideration of Internal Controls]

Banking and Finance Guidance

The organization should ensure that separation of duties is applied to personnel who have access to customer information. [App B § III.C.1.e, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

The organization should verify the separation of duties between departments. [¶ 498, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

[Exam Tier II Obj E.1, Exam Tier II Obj E.2, FFIEC IT Examination Handbook – Audit, August 2003]

All projects should include separation of duties. [Pg 5, FFIEC IT Examination Handbook – Development and Acquisition]

The organization should ensure that one employee cannot complete a transaction from start to finish. [Pg 35, Obj 5.1, FFIEC IT Examination Handbook – E-Banking, August 2003]

The security officer should report directly to senior management and have independence to complete their tasks in order to maintain a separation of duties. [Pg 6, Exam Tier II Obj A.1 (Access Rights Administration), Exam Tier II Obj B.6, FFIEC IT Examination Handbook – Information Security]

The organization should separate information security management from the daily security duties for IT operations, if possible. Internal controls should be implemented to ensure there is a separation of duties. [Pg 9, Pg 26, Exam Obj 2.1, Exam Obj 3.7, FFIEC IT Examination Handbook – Management]

The organization should implement a separation of duties policy, such as having independent personnel monitoring the system and security administrator logs for unauthorized activity. The functional duties should be designed so one person does not perform a process from the beginning to the end to deter dishonesty or fraud. [Pg 22, Pg 25, Pg C-7, Exam Tier I Obj 5.3, Exam Tier I Obj 9.6, FFIEC IT Examination Handbook – Operations, July 2004]

There should be a separation of duties for personnel involved in originating, approving, and processing transactions. The organization should use separation of duties to minimize the potential for staff members to tamper with check images and information during processing. [Pg 33, Pg 38, Exam Tier I Obj 2.1, Exam Tier I Obj 3.3, Exam Tier I Obj 4.2, Exam Tier II Obj 2.1, Exam Tier II Obj 2.2, Exam Tier II Obj 3.2, Exam Tier II Obj 4.2, Exam Tier II Obj 6.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.15, FFIEC IT Examination Handbook – Retail Payment Systems, March 2004]

The organization should establish a separation of duties for funds transfer systems, accounting tasks, and critical payment processing tasks. The results of the risk assessment should be used to develop standards for separation of duties. [Pg 16, Pg 20, Pg 31 thru Pg 33, Exam Tier I Obj 2.1, Exam Tier II Obj 1.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.3, Exam Tier II Obj 12.1, Exam Tier II Obj 14.4, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]

A separation of duties should exist to avoid conflicts of interest. [¶ 14, ¶ 33, BIS Sound Practices for the Management and Supervision of Operational Risk]

Payment Card Guidance

The organization must ensure the production environment is separated from the test/development environment.
Verify personnel working in the development environment do not use the same account to access the production environment.
Interview software developers to ensure that they use separate accounts for accessing the development environment and the production environment.
[§ 6.3.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 1.2]

The organization must ensure the production environment is separated from the test/development environment. [§ 6.3.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 1.2]

Personnel should not be assigned to both the test/development environment and the production environment to ensure a separation of duties. [§ 5.1.3, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]

US Federal Security Guidance

Key duties should be separated to reduce the risk of one individual affecting the entire system. [§ 2-14.c(1), Army Regulation 380-19: Information Systems Security, February 27, 1998]

The organization should implement a system to ensure unauthorized employees cannot gain access to information they should not know. [Pg 15-I-18, Pg 15-V-6, Protection of Assets Manual, ASIS International]

If the system is at Protection Level 3, the System Manager and the Information Systems Security Officer cannot be the same person. [§ 8-611, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006]

Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]

[SC-1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]

[§ 295F.02, GAO/PCIE Financial Audit Manual (FAM)]

[§ III.A.1.b(i)(2), The National Strategy to Secure Cyberspace, February 2003]

NIST Guidance

The organization needs to establish appropriate divisions of responsibility and separate duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals.
There must be access control software on the information system that prevents users from having all of the necessary authority or information access to perform fraudulent activity without collusion. Examples of separation of duties include: 1) mission functions and distinct information system support functions are divided among different individuals/roles; 2) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security); and 3) security personnel who administer access control functions do not administer audit functions.
[AC-5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 2]

Organizational records and documents should be examined to ensure individuals are not assigned responsibilities that conflict with the separation of duties policy, separation of duties are enforced continuously, and that specific responsibilities and actions are defined for the implementation of the separation of duties control. Any problems discovered during the implementation of the separation of duties control should be documented and used to improve the controls. System account privileges should be checked and tested to ensure users do not have multiple privileges that allow them to perform more than one role, such as systems programming and network security.
Test the system to ensure users cannot hold multiple privileges that allow them to perform more than one conflicting role, by attempting to assign an individual multiple conflicting roles and confirming that the assignment is refused.
Interviews should be conducted with personnel involved in the process of assigning user accounts and privileges to individuals.
[AC-5, AC-5.5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
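The NIST AC-5 guidance above (and the AC-5.5 assessment step of checking account privileges for conflicting roles) comes down to a conflict matrix applied to role assignments, and the PCI DSS 6.3.3 guidance earlier on this page is a special case of it: developer and production-administrator access must not land on the same individual or the same account. The following is an added example, not UCF tooling or text from any of the cited authority documents. The role names and the user-to-role data are constructed for illustration; the conflict pairs are taken from the examples quoted on this page, and a real organization would derive its own from its risk assessment, as the FFIEC Wholesale Payment Systems guidance says.

```python
"""Separation-of-duties (SoD) checks over role assignments.

Added example: not UCF tooling. The conflict pairs are constructed from the
examples quoted on the page (NIST SP 800-53 AC-5, SP 800-53A AC-5.5,
PCI DSS 6.3.3, FFIEC Retail Payment Systems); role names and users are invented.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Pairs of roles that one individual must never hold at the same time.
CONFLICTING_ROLE_PAIRS: Set[FrozenSet[str]] = {
    frozenset({"developer", "production_admin"}),             # PCI DSS 6.3.3
    frozenset({"systems_programming", "network_security"}),   # SP 800-53A AC-5.5
    frozenset({"access_control_admin", "audit_admin"}),       # SP 800-53 AC-5, example 3
    frozenset({"transaction_originator", "transaction_approver"}),  # FFIEC retail payments
}

# Constructed sample data: current user -> roles held.
SAMPLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "alice": {"developer", "qa_tester"},
    "bob": {"developer", "production_admin"},
    "carol": {"systems_programming", "network_security", "helpdesk"},
    "dave": {"audit_admin"},
}


def find_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Detective check (AC-5.5): list every conflicting role pair each user holds.

    Returns {user: [(role_a, role_b), ...]} for users with at least one conflict.
    """
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in CONFLICTING_ROLE_PAIRS if pair <= roles]
        if hits:
            findings[user] = sorted(hits)
    return findings


def would_conflict(assignments: Dict[str, Set[str]], user: str, role: str) -> bool:
    """True if granting `role` to `user` would complete a conflicting pair."""
    current = assignments.get(user, set())
    return any(role in pair and (pair - {role}) <= current for pair in CONFLICTING_ROLE_PAIRS)


class SoDViolation(Exception):
    """Raised when an assignment would violate separation of duties."""


def assign_role(assignments: Dict[str, Set[str]], user: str, role: str) -> Set[str]:
    """Preventive control (AC-5): refuse an assignment that creates a conflict.

    This is the behaviour the AC-5.5 test exercises by attempting to assign an
    individual multiple conflicting roles and confirming the refusal.
    """
    if would_conflict(assignments, user, role):
        raise SoDViolation(f"{user}: role {role!r} conflicts with existing roles")
    assignments.setdefault(user, set()).add(role)
    return assignments[user]


def shared_dev_prod_accounts(dev_accounts: Iterable[str], prod_accounts: Iterable[str]) -> List[str]:
    """Detective check for PCI DSS 6.3.3: account ids valid in both environments."""
    return sorted(set(dev_accounts) & set(prod_accounts))


if __name__ == "__main__":
    for user, pairs in find_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"SoD conflict: {user} holds {pairs}")
    # Constructed account lists: 'bob' exists in both environments.
    print("shared dev/prod accounts:", shared_dev_prod_accounts(
        ["alice", "bob", "svc-build"], ["bob", "ops-carol"]))
```

The detective check is what an assessor runs over an export of the identity store; the preventive check belongs in the provisioning path so that a conflicting grant fails at request time rather than being found at the next review.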

The organization should ensure that there is a separation of duties for jobs that involve the use of Personally Identifiable Information (PII). [§ 4.3 (AC-5), Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), NIST SP 800-122, DRAFT]

US State Laws and Protectorates Guidance

Separation of duties should exist for the sanitization and verification procedures. [§ 4.4, State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Rev. 2.0]

ISO Guidance

Duties should be segregated to reduce opportunities for personnel to misuse or modify assets, whether intentionally or unintentionally. No person should be able to access data without authorization or detection. [§ 10.1.3, ISO 17799:2005 Code of Practice for Information Security Management]

Duties assigned to personnel should be segregated to prevent the potential of unauthorized use or unintentional modification of data. [Annex A.10.1.3, ISO 27001:2005, Information Security Management Systems - Requirements]

Duties should be segregated to reduce opportunities for personnel to misuse or modify assets, whether intentionally or unintentionally. No person should be able to access data without authorization or detection. [§ 10.1.3, ISO/IEC 27002-2005 Code of practice for information security management]

ITIL Guidance

[§ 4.2.3.2, OGC ITIL: Security Management]

General Guidance

The organization should implement a division of roles and responsibilities that reduces the possibility for a single individual to subvert a critical process. Management also makes sure that personnel are performing only authorized duties relevant to their respective jobs and positions. [PO4.11, CobiT 4.1]

Persons involved in the administration of applications, installations, systems, networks, and end user environments should be kept to a minimum to prevent the risk of theft, unauthorized data changes, and fraud. Access control settings should be used to provide for the segregation of duties. [CB2.1.5(b), CI1.1.3(a), CI4.1.2(b), NW1.1.3(a), UE1.1.5(b), UE1.2.7(b), The Standard of Good Practice for Information Security]

Metrics

The metrics associated with this control are as follows:

    Report on the percentage of user roles, systems, and applications that comply with the separation of duties principle [UCF Control ID 01689]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.