Report on the percentage of user roles, systems, and applications that comply with the separation of duties principle.

UCF ID: 01689

Control Type: Actionable Reports or measurements

Status: Live

Metric guidance

Calculation: The calculation for this metric is # of systems validated to enforce separation of duties / # of systems that require separation of duties.

Calculation source: The authority document source of information is NIST 800-55, Critical Element 6.1. The following formula was used: the number of systems that have validated the separation of duty requirement divided by the number of systems listed in the CMDB whose security plans require separation of duties to ensure least privilege and individual accountability.

The Common Control IDs associated with this metric are as follows:

Enforce assigned authorizations for system access and separate user functionality from system management functionality. [UCF Control ID 00558]

Ensure accounts and stored information are segregated from operating system access. [UCF Control ID 00552]

Ensure that roles and responsibilities provide for separation of duties. [UCF Control ID 00774]

Establish and maintain data processing integrity through the use of separation of duties. [UCF Control ID 00923]

Supporting and supported controls

This control directly supports:

Establish and maintain a role-based information access metrics standard. [UCF Control ID 01668]

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10,2005, ISPE9.5; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2

US Federal Security Guidance

The organization must measure and report on the percentage of user roles, systems, and applications that comply with the separation of duties principle. [ISPE9.5, CISWG Information Security Program Elements, January 10,2005]

General Guidance

The purpose of this measurement is the percentage of user roles, systems, and applications that comply with the separation-of-duties principle. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]