Status: Live
The organization will report on the percentage of user roles, systems, and applications that comply with the separation of duties principle. [UCF ID 01689]
Metric guidance
Calculation: The calculation for this metric is # of systems validated to enforce separation of duties / # of systems that require separation of duties.
Calculation source: The authority document source of information is NIST 800-55, Critical Element 6.1. The following formula was used: the number of systems that have validated the separation of duty requirement divided by the number of systems listed in the CMDB whose security plans require separation of duties to ensure least privilege and individual accountability.
The Common Control IDs associated with this metric are as follows:
• Application and object access and separation enforcement [UCF Control ID 00558]
• Ensure accounts (and stored information) are segregated from operating system access [UCF Control ID 00552]
• Separation of Duties [UCF Control ID 00774]
• Maintain data processing integrity through separation of duties [UCF Control ID 00923]
Supporting and supported controls
This control directly supports:
• Establish and maintain a role-based information access metrics standard [UCF Control ID 01668]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10, 2005, ISPE9.5; Security Metrics Guide for Information Technology Systems, NIST SP 800-55, July 2003, § A.6.1.3; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2
US Federal Security Guidance
The organization must measure and report on the percentage of user roles, systems, and applications that comply with the separation of duties principle. [ISPE9.5, CISWG Information Security Program Elements, January 10, 2005]
NIST Guidance
This metric must be calculated using # of systems validated to enforce separation of duties / # of systems that require separation of duties.
Information Source: Use the number of systems listed in the CMDB whose security plans require separation of duties to ensure least privilege and individual accountability as the base number (the denominator), and the number of those systems that have validated the separation of duties requirement as the numerator. [§ A.6.1.3, Security Metrics Guide for Information Technology Systems, NIST SP 800-55, July 2003]
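The calculation above (and the same formula under "Metric guidance") applied to a CMDB export, as an added example that is not UCF or NIST code; the records and the field names "asset_type", "sod_required" and "sod_validated" are constructed assumptions, not a real CMDB schema. It keeps the numerator a subset of the denominator, reports the metric per asset class (user roles, systems, applications), and avoids a division by zero when nothing is in scope.

```python
from collections import defaultdict

# Constructed CMDB export, one record per asset (assumed field names).
# "asset_type" lets the metric be reported for user roles, systems and
# applications separately, as the metric text requires.
CMDB_RECORDS = [
    {"id": "SYS-001", "asset_type": "system",      "sod_required": True,  "sod_validated": True},
    {"id": "SYS-002", "asset_type": "system",      "sod_required": True,  "sod_validated": False},
    {"id": "SYS-003", "asset_type": "system",      "sod_required": False, "sod_validated": True},
    {"id": "APP-010", "asset_type": "application", "sod_required": True,  "sod_validated": True},
    {"id": "APP-011", "asset_type": "application", "sod_required": True,  "sod_validated": True},
    {"id": "ROLE-AP", "asset_type": "user_role",   "sod_required": True,  "sod_validated": False},
    {"id": "ROLE-RO", "asset_type": "user_role",   "sod_required": False, "sod_validated": False},
]


def sod_metric(records):
    """Return (validated, required, percentage) for the given records.

    Denominator: assets whose security plan requires SoD. Numerator: the subset
    of those that have been validated. An asset validated but never required
    (SYS-003 above) is ignored, so the ratio cannot exceed 100%. Percentage is
    None when nothing requires SoD, instead of dividing by zero.
    """
    required = [r for r in records if r["sod_required"]]
    validated = [r for r in required if r["sod_validated"]]
    pct = None if not required else round(100.0 * len(validated) / len(required), 1)
    return len(validated), len(required), pct


def sod_metric_by_type(records):
    """Same metric broken out per asset type (user_role, system, application)."""
    groups = defaultdict(list)
    for r in records:
        groups[r["asset_type"]].append(r)
    return {t: sod_metric(rs) for t, rs in groups.items()}


def noncompliant(records):
    """IDs that require SoD but are not yet validated: the remediation list."""
    return sorted(r["id"] for r in records if r["sod_required"] and not r["sod_validated"])


if __name__ == "__main__":
    print("overall (validated, required, %):", sod_metric(CMDB_RECORDS))
    print("by type:", sod_metric_by_type(CMDB_RECORDS))
    print("needs remediation:", noncompliant(CMDB_RECORDS))
```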
General Guidance
This measurement reports the percentage of user roles, systems, and applications that comply with the separation-of-duties principle. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
