Report on the percentage of user roles, systems, and application that comply with the separation of duties principle

Status: Live

The organization will report on the percentage of user roles, systems, and application that comply with the separation of duties principle. [UCF ID 01689]

Metric guidance

Calculation: The calculation for this metric is # of systems validated to enforce separation of duties / # of systems that require separation of duties.

Calculation source: The authority document source of information is NIST 800-55, Critical Element 6.1. The following formula was used: the number of systems that have validated the separation of duty requirement divided by the number of systems listed in the CMDB whose security plans require separation of duties to ensure least privilege and individual accountability.

The Common Control IDs associated with this metric are as follows:

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

CISWG Information Security Program Elements, January 10,2005, ISPE9.5; Security Metrics Guide for Information Technology Systems, NIST SP 800-55, July 2003, § A.6.1.3; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 18.2

US Federal Security Guidance

The organization must measure and report on the percentage of user roles, systems, and applications that comply with the separation of duties principle. [ISPE9.5, CISWG Information Security Program Elements, January 10,2005]

NIST Guidance

This metric must be calculated using # of systems validated to enforce separation of duties / # of systems that require separation of duties.
Information Source: Use the number of systems listed in the CMDB whose security plans require separation of duties to ensure least privilege and individual accountability as the base number divided by the number of systems that have validated the separation of duty requirement.
[§ A.6.1.3, Security Metrics Guide for Information Technology Systems, NIST SP 800-55, July 2003]

General Guidance

The purpose of this measurement is the percentage of user roles, systems, and applications that comply with the separation-of-duties principle. [§ 18.2, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.