Implement segregation of duties in roles and responsibilities.


CONTROL ID
00774
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish and maintain the staff structure in line with the strategic plan., CC ID: 00764

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical., CC ID: 06960


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should select reliable and effective authentication techniques to validate the identity and authority of their e-banking customers. In general, two-factor authentication (2FA) of customers should be implemented for e-banking channels (e.g. self-service terminals, Internet banking, phone banking … (§ 4.2.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should put in place adequate controls related to the strength of the password including a Personal Identification Number (PIN) (e.g. certain password requirements that can increase the difficulty of a successful brute-force attack). Effective measures should be implemented to counter automated b… (§ 4.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Proper segregation of duties within and among various IT functions is crucial for ensuring an effective IT control environment. In the event that an AI finds it difficult to segregate certain IT control responsibilities, it should put in place adequate compensating controls (e.g. peer reviews) to mi… (2.2.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Proper segregation of duties within the security administration function or other compensating controls (e.g. peer reviews) should be in place to mitigate the risk of unauthorized activities being performed by the security administration function. (3.3.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Practice Standard § I.2(3): Organizational duties and responsibilities should be segregated, thereby increasing the prevention of errors and fraud. Practice Standard § I.5(1): Management should ensure that responsibilities of personnel are clearly defined, including segregation of duties. (Practice Standard § I.2(3), Practice Standard § I.5(1), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O4.4: The organization should separate the duties of the system manager from those of the network manager and data manager. O5.4: The organization should separate the duties of the data manager from those of the network manager and system manager. (O4.4, O5.4, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Segregation should be maintained between those initiating static data (including web page content) and those responsible for verifying its integrity. Further, segregation should be maintained between those developing and those administering e-banking systems. (Critical components of information security 5) (x), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Network control functions should be performed by individuals possessing adequate training and experience. Network control functions should be separated, and the duties should be rotated on a regular basis, where possible. Network control software must restrict operator access from performing certain… (Critical components of information security 24) viii. ¶ 1 o., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Segregation of duties principle - Segregation of duties is an essential element of internal controls. The FI should ensure that responsibilities and duties for operating systems function, systems design and development, application maintenance programming, access control administration, data securit… (§ 11.0.1.b, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization should separate the administration roles for the gateway on unclassified systems. (Control: 0616, Australian Government Information Security Manual: Controls)
  • The organization must separate the administration roles for the gateway on classified systems. (Control: 0617, Australian Government Information Security Manual: Controls)
  • The organization should implement segregation of duties by allocating the appropriate roles and responsibilities. (¶ 26(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement role-based access profiles to ensure segregation of duties. (¶ 44(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement deployment and environment controls to ensure segregation of duties is enforced. (¶ 54(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • segregation of duties is enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of a single individual to compromise information security; (Attachment A 1(h)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • deployment and environment controls to ensure that development, test and production environments are appropriately segregated and enforce segregation of duties; (¶ 54(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • segregation of duties, enforced through appropriate allocation of roles and responsibilities. This reduces the potential for the actions of one person to compromise IT assets; and (¶ 26(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and object… (3.3.1 11 ¶ 1, Final Report EBA Guidelines on ICT and security risk management)
  • The ICT project management policy should ensure that information security requirements are analysed and approved by a function that is independent from the development function. (3.6.1 64, Final Report EBA Guidelines on ICT and security risk management)
  • specifications regarding the required segregation of duties during the different phases of the implemented ICT change processes (e.g. solution design and development, testing and approval of new software and/or changes, migration and implementation in the production environment, and bug fixing), wit… (Title 3 3.3.4(c) 56.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Whether the organisational framework for ICT risk management is robust with clear responsibilities and a clear separation of tasks between risk owners and management and control functions; (Title 3 3.4 61.b(ii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests. (Art. 38.6., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Check the information security process at all levels maintaining awareness of conflicts of interest between the roles of the author and the examiner. (6.1 Bullet 7, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Separation of functions between operative and controlling functions (also referred to as "separation of duties") (Section 5.7 IDM-01 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Granting and change of data access authorisations for internal and external users with administrative or extensive authorisations under the responsibility of the cloud provider comply with the policy or the management of system and data access authorisations (see IDM-01) or a separate policy. The au… (Section 5.7 IDM-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • In terms of organisation and processes, the information security officer function shall be independent to avoid any potential conflicts of interest. (II.4.19, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • (§ 4.2.3.2, OGC ITIL: Security Management)
  • must ensure that the data protection officer does not perform a task or fulfil a duty other than those mentioned in this Part where such task or duty would result in a conflict of interests; (§ 70(3)(b), UK Data Protection Act 2018 Chapter 12)
  • The entity uses a combination of controls to restrict access to its information assets including data classification. The entity enforces logical separations of data structures and the segregation of incompatible duties applies device security hardening and security configuration policies, including… (S7.1 Restricts access to information assets, Privacy Management Framework, Updated March 1, 2020)
  • The organization should verify the separation of duties between departments. (¶ 498, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • A separation of duties should exist to avoid conflicts of interest. (¶ 14, ¶ 33, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions. (PO4.11 Segregation of Duties, CobiT, Version 4.1)
  • Establish and communicate roles and responsibilities for IT personnel and end users that delineate between IT personnel and end-user authority, responsibilities and accountability for meeting the organisation's needs. (PO4.6 Establishment of Roles and Responsibilities, CobiT, Version 4.1)
  • Ensure that source documents are prepared by authorised and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. Errors and omissions can be minimised through good input form design. Detect… (AC1 Source Data Preparation and Authorisation, CobiT, Version 4.1)
  • Examine the policies and procedures to verify that there is a Separation of Duties between personnel assigned to the development and test environments and the production environment. (Testing Procedures § 6.4 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Separation of duties between development/test and production environments (§ 6.4.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • There must be a Separation of Duties for personnel between the development and test environment and the production environment. (PCI DSS Requirements § 6.4.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Separation of duties between development/test and production environments. (6.4.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Separation of duties between development/test and production environments. (6.4.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Separation of duties between development/test and production environments. (6.4.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment? (6.4.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment? (6.4.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment? (6.4.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Is there separation of duties between personnel assigned to the development/test environments and those assigned to the production environment? (6.4.2, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Observe processes and interview personnel assigned to development/test environments and personnel assigned to production environments to verify that separation of duties is in place between development/test environments and the production environment. (6.4.2, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Personnel should not be assigned to both the test/development environment and the production environment to ensure a separation of duties. (§ 5.1.3, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Additional requirement for service providers only: Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures. Reviews are performed by personnel other than those responsible for perf… (12.4.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed. (6.5.4, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine policies and procedures to verify that processes are defined for separating roles and functions to provide accountability such that only reviewed and approved changes are deployed. (6.5.4.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Observe processes and interview personnel to verify implemented controls separate roles and functions and provide accountability such that only reviewed and approved changes are deployed. (6.5.4.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • By personnel other than those responsible for performing the given task. (12.4.2.b Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed. (6.5.4, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Roles and functions are separated between production and pre-production environments to provide accountability such that only reviewed and approved changes are deployed. (6.5.4, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Additional requirement for service providers only: Reviews are performed at least once every three months to confirm that personnel are performing their tasks in accordance with all security policies and operational procedures. Reviews are performed by personnel other than those responsible for perf… (12.4.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Management segregates incompatible duties, and where such segregation is not practical management selects and develops alternative control activities. (§ 3 Principle 10 Points of Focus: Addresses Segregation of Duties, COSO Internal Control - Integrated Framework (2013))
  • Many controls have separation of duties as a vital element. The organizational structure should not have one individual or department with full responsibility for all aspects of processing data. Initiating, authorizing, inputting, processing, and checking data should be separated. (§ 5.3.3.1 ¶ 1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • IT management should show the separation of roles exist for change stakeholders and that they are effective. The organization should have a policy that states the assignments and separation of roles and responsibilities for the change stakeholders. The policy should ensure production changes are str… (§ 7 ¶ 2, Table 4, Table 5, IIA Global Technology Audit Guide (GTAG) 2: Change and Patch Management Controls: Critical for Organizational Success)
  • Segregation of duties is difficult to effectively and efficiently audit due to the complexity of application level security. A segregation of duties audit should be performed and should include an understanding of how segregation of duties are managed and controlled; determining what job functions a… (App A.6, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Access requests should be evaluated by the approver to determine if a segregation of duty conflict will occur. The IT department also may note potential segregation of duty conflicts when establishing or changing user identities. When this occurs, the IT department should notify the business owner o… (§ 3.3.3 (Conflicts), IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The organization should implement a system to ensure unauthorized employees cannot gain access to information they should not know. (Pg 15-I-18, Pg 15-V-6, Protection of Assets Manual, ASIS International)
  • Hypervisors should be configured to segregate the roles of hypervisor administrators (for multiple virtual servers). (CF.07.03.05e, The Standard of Good Practice for Information Security)
  • Virtual servers should be protected by applying standard security management practices to hypervisors, which include monitoring administrator activities to help ensure actions and privileges that they are allowed to perform are specifically aligned to their duties. (CF.07.03.06b-1, The Standard of Good Practice for Information Security)
  • Hypervisors should be configured to segregate the roles of hypervisor administrators (for multiple virtual servers). (CF.07.03.05e, The Standard of Good Practice for Information Security, 2013)
  • Virtual servers should be protected by applying standard security management practices to hypervisors, which include monitoring administrator activities to help ensure actions and privileges that they are allowed to perform are specifically aligned to their duties. (CF.07.03.06b-1, The Standard of Good Practice for Information Security, 2013)
  • Strong encryption (e.g., AES-256) in open/validated formats and standard algorithms shall be required. Keys shall not be stored in the cloud (i.e. at the cloud provider in question), but maintained by the cloud consumer or trusted key management provider. Key management and key usage shall be separa… (EKM-04, Cloud Controls Matrix, v3.0)
  • Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessa… (¶ 8.1.5(10), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • independence of the compliance function; (§ 4.4 ¶ 1 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensure that the compliance function has authority to act independently and is not compromised by conflicting priorities, particularly where compliance is embedded in the business. (§ 5.3.3 ¶ 1 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Duties should be segregated to reduce opportunities for personnel to misuse or modify assets, whether intentionally or unintentionally. No person should be able to access data without authorization or detection. (§ 10.1.3, ISO 27002 Code of practice for information security management, 2005)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information should, where feasible, segregate duties and areas of responsibility in order to reduce opportunities for unauthorized modification or misuse of personal health information. (§ 6.1.2 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • Conflicting duties and conflicting areas of responsibility should be segregated. (§ 5.3 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties. (PR.AC-4, CRI Profile, v1.2)
  • When required and appropriate, one or more system components (software applications, embedded devices, host devices and network devices) shall provide the capability for the system to enforce the concept of least privilege. Individual system components shall provide the granularity of permissions and… (4.4 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Documents separation of duties of individuals; and (AC-5b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Documents separation of duties of individuals; and (AC-5b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Documents separation of duties of individuals; and (AC-5b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity req… (¶ 2.147, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Some relevant factors in determining whether to use the work of the internal audit function to obtain evidence about the operating effectiveness of controls include the pervasiveness of the control, the potential for management override of the control, and the degree of judgment and subjectivity req… (¶ 3.169, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management segregates incompatible duties, and where such segregation is not practical, management selects and develops alternative control activities. (CC5.1 Addresses Segregation of Duties, Trust Services Criteria)
  • Management segregates incompatible duties and, where such segregation is not practical, management selects and develops alternative control activities. (CC5.1 ¶ 2 Bullet 6 Addresses Segregation of Duties, Trust Services Criteria, (includes March 2020 updates))
  • When desktop computers are used to transmit scoped systems and data, is there segregation of duties for approving and implementing access requests? (§ G.22.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, is there segregation of duties for approving and implementing access requests? (§ G.22.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, is there segregation of duties for approving and implementing access requests? (§ G.22.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to transmit scoped systems and data, is there segregation of duties to prevent the user of a system from modifying or deleting its security audit logs? (§ G.22.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, is there segregation of duties to prevent the user of a system from modifying or deleting its security audit logs? (§ G.22.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, is there segregation of duties to prevent the user of a system from modifying or deleting its security audit logs? (§ G.22.5, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When Windows Internet Information Services is used for web services, is membership to the Internet Information Services administrators group restricted to those with web administration roles and responsibilities? (§ G.21.2.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there a segregation of duties between those requesting a change? (§ G.2.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there a segregation of duties between those approving a change? (§ G.2.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there a segregation of duties between those implementing a change? (§ G.2.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When encryption tools are managed and maintained for scoped data, is there segregation of duties between key management duties and normal operational duties? (§ I.6.6, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Key duties should be separated to reduce the risk of one individual affecting the entire system. (§ 2-14.c(1), Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization shall separate duties so no one employee can defraud the company unaided. All duties, including all stages of computer programming and operations, shall be analyzed for the purpose of defeating single-handed fraud. The organization shall use multiple employees to review programmer c… (App B § 2.C, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 1.5.3: The organization must verify the system security officer (SSO) is independent from the IS operations. If the organization has other SSOs at various levels, all security actions must be cleared through the primary SSO for Medicare records and operations. CSR 4.1.2: The organization must di… (CSR 1.5.3, CSR 4.1.2, CSR 4.4.1, CSR 4.7.1, CSR 4.7.2, CSR 4.7.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Separation of Duties should be implemented for the administrative function of the biometric system, to include different individuals as the enrollment administrator, Security Administrator, and audit administrator. (§ 4.2 ¶ 2, DISA Access Control STIG, Version 2, Release 3)
  • The audit system should have Separation of Duties, that is, the Security Administrator should be able to read the logs, but should not be allowed to delete or change entries; only the audit administrator should have that right. (§ 4.7 ¶ 2, DISA Access Control STIG, Version 2, Release 3)
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (AC.3.017, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (AC.3.017, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (AC.3.017, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (AC.L2-3.1.4 Separation of Duties, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Check the presence of two person control in system design/enclave architecture. (DCBP-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • If the system is at Protection Level 3, the System Manager and the Information Systems Security Officer cannot be the same person. (§ 8-611, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • If necessary, the group health plan must be corrected to incorporate the following: protected health information will be disclosed to the plan sponsor upon certification that the plan documents include and the plan sponsor agrees to adequate separation. (§ 164.504(f)(2)(ii)(J), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Ensure that the adequate separation required by §164.504(f)(2)(iii) is supported by reasonable and appropriate security measures. (§ 164.314(b)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • (§ III.A.1.b(i)(2), The National Strategy to Secure Cyberspace, February 2003)
  • The administrative duties for the host should be segregated in a virtual environment. (§ 5.10.3.2 ¶ 2(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Employee access to systems and confidential data provides for separation of duties. (Domain 3: Assessment Factor: Preventative Controls, ACCESS AND DATA MANAGEMENT Baseline 1 ¶ 2, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Determine whether management assigned responsibilities for the AIO functions based on the complexity of the architecture needs and assess the effectiveness of the entity's separation of duties across the functions, particularly in situations where architecture responsibilities are combined with othe… (App A Objective 2:9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Incorporation of appropriate segregation of duties and monitoring throughout the change management process. (App A Objective 6:3g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implementation of dual control and segregation of duties. (App A Objective 14:4c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Establishment of appropriate segregation of duties. (App A Objective 2.5.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Employs appropriate segregation of duties. (App A Objective 6.8.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should mitigate the risks posed by users by doing the following: - Establishing and administering security screening in IT hiring practices. - Establishing and administering a user access program for physical and logical access. - Employing segregation of duties. - Obtaining agreements… (II.C.7 User Security Controls, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The IT department's responsibilities are appropriately segregated from business processing activities. (App A Objective 2:10 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the roles and responsibilities of all levels of management, including executive management, CIO or CTO, CISO, IT line management, and IT business unit management, to ensure that there is a clear delineation between management and oversight functions and operational duties. (App A Objective 2:9, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Reconcilements and proofs are performed daily by persons with no conflicting duties; (TIER II OBJECTIVES AND PROCEDURES E.2. Bullet 6, FFIEC IT Examination Handbook - Audit, April 2012)
  • Separation of duties is sufficient to prevent any one person from initiating, verifying, and executing a transfer of funds; (TIER II OBJECTIVES AND PROCEDURES E.1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Auditors responsible for operating a system of internal controls or actually performing operational duties or activities. Note that it is recommended that the internal audit manager report directly to the audit committee functionally on audit issues and may also report to senior management for admin… (TIER I OBJECTIVES AND PROCEDURES Objective 5:2. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Exam Tier II Obj E.1 Determine whether audit procedures for payment systems risk adequately consider the risks in wholesale electronic funds transfer (EFT). Evaluate whether ▪ Adequate operating policies and procedures govern all activities, both in the wire transfer department and in the originat… (Exam Tier II Obj E.1, Exam Tier II Obj E.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • All projects should include separation of duties. (Pg 5, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization should ensure that one employee cannot complete a transaction from start to finish. (Pg 35, Obj 5.1, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The organization should separate information security management from the daily security duties for IT operations, if possible. Internal controls should be implemented to ensure there is a separation of duties. (Pg 9, Pg 26, Exam Obj 2.1, Exam Obj 3.7, FFIEC IT Examination Handbook - Management)
  • The organization should implement a separation of duties policy, such as having independent personnel monitoring the system and security administrator logs for unauthorized activity. The functional duties should be designed so one person does not perform a process from the beginning to the end to de… (Pg 22, Pg 25, Pg C-7, Exam Tier I Obj 5.3, Exam Tier I Obj 9.6, FFIEC IT Examination Handbook - Operations, July 2004)
  • Determine whether the financial institution requires separation of duties at the RDC customer location and how it monitors for compliance. If separation of duties is not mandatory or possible, describe any required compensating controls required at the RDC customer location. (App A Tier 2 Objectives and Procedures N.8 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess staff access to PIN data. Ensure there is separation of duties between staff responsible for card operations and staff responsible for preparing or issuing bankcards. (App A Tier 2 Objectives and Procedures B.1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Describe how financial institution management has established appropriate separation of duties for the system administration and security monitoring functions. For example, does one person assign users or rights and another review the activity reports? (App A Tier 2 Objectives and Procedures N.8 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Describe how the financial institution and its RDC customers have implemented appropriate separation of duties controls over the remote capture and transmission process. (App A Tier 2 Objectives and Procedures N.8 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • There should be a separation of duties for personnel involved in originating, approving, and processing transactions. The organization should use separation of duties to minimize the potential of staff members tampering with check images and information during the processing process. (Pg 33, Pg 38, Exam Tier I Obj 2.1, Exam Tier I Obj 3.3, Exam Tier I Obj 4.2, Exam Tier II Obj 2.1, Exam Tier II Obj 2.2, Exam Tier II Obj 3.2, Exam Tier II Obj 4.2, Exam Tier II Obj 6.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.15, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should establish a separation of duties for funds transfer systems, accounting tasks, and critical payment processing tasks. The results of the risk assessment should be used to develop standards for separation of duties. (Pg 16, Pg 20, Pg 31 thru Pg 33, Exam Tier I Obj 2.1, Exam Tier II Obj 1.5, Exam Tier II Obj 7.1, Exam Tier II Obj 9.3, Exam Tier II Obj 12.1, Exam Tier II Obj 14.4, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (SC-1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • (§ 295F.02, GAO/PCIE Financial Audit Manual (FAM))
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents separation of duties of individuals; and (AC-5b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Documents separation of duties of individuals; and (AC-5b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Has the Credit Union implemented segregation of duties for employees with access to or responsibilities for member information? (IT - 748 Compliance Q 6e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and (AC-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Define system access authorizations to support separation of duties. (AC-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and (AC-5a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Define system access authorizations to support separation of duties. (AC-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Define system access authorizations to support separation of duties. (AC-5b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and (AC-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Define system access authorizations to support separation of duties. (AC-5b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and (AC-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Define system access authorizations to support separation of duties. (AC-5b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and (AC-5a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • A single operator may assume multiple roles. If the cryptographic module supports concurrent operators, it shall separate roles. (§ 4.3 ¶ 1, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise. (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • App A.1.1.1: The organization shall ensure that no individual holds more than one of the following roles in the identity proofing and registration process: the personal identity verification (PIV) applicant, sponsor, registrar, and issuer. One individual or entity may assume the roles of PIV issuer … (App A.1.1.1, App A.2.2 ¶ 3, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • The PIV identity proofing, registration, issuance, and reissuance processes SHALL adhere to the principle of separation of duties to ensure that no single individual has the capability to issue a PIV Card without the cooperation of another authorized person. (2.7 ¶ 10, FIPS Pub 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors)
  • Access permissions are managed, incorporating the principles of least privilege and separation of duties. (PR.AC-4, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure individuals are not assigned responsibilities that conflict with the separation of duties policy, separation of duties are enforced continuously, and that specific responsibilities and actions are defined for the implementation of the… (AC-5, AC-5.5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents separation of duties of individuals; and (AC-5b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Documents separation of duties of individuals; and (AC-5b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must segregate functions and responsibilities to eliminate Conflicts of Interest and to ensure independence of individuals and roles. (SG.AC-6 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should assign separate personnel to the functions of system administration and auditors. (SG.AU-12 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (3.1.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (3.1.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Separate the duties of individuals to reduce the risk of malevolent activity without collusion. (3.1.4, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must establish and maintain Separation of Duties policies and procedures to control the duties of individuals to prevent malevolent activity absent collusion. (App F § AC-5.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must document the Separation of Duties. (App F § AC-5.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot support the differentiation of roles. (App I § AC-5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must consider if it is appropriate for a single individual to be performing multiple critical roles on an Industrial Control System. (App I § AC-5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization separates {organizationally documented duties of individuals}. (AC-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents separation of duties of individuals. (AC-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization separates {organizationally documented duties of individuals}. (AC-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents separation of duties of individuals. (AC-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization separates {organizationally documented duties of individuals}. (AC-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents separation of duties of individuals. (AC-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Documents separation of duties of individuals; and (AC-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Documents separation of duties of individuals; and (AC-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Documents separation of duties of individuals; and (AC-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Define system access authorizations to support separation of duties. (AC-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and (AC-5a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Documents separation of duties of individuals; and (AC-5b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Separation of duty controls should be incorporated into the application and the application rules. (§ A.3.b.2.c, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Separation of duties should exist for the sanitization and verification procedures. (§ 4.4, State of Arizona Standard P800-S880, Revision 2.0: Media Sanitation/Disposal, Revision 2.0)
  • Separates [Assignment: organization-defined duties of individuals]; (AC-5a., TX-RAMP Security Controls Baseline Level 2)
  • Documents separation of duties of individuals; and (AC-5b., TX-RAMP Security Controls Baseline Level 2)