Refrain from assigning roles and responsibilities that breach segregation of duties.


CONTROL ID
12055
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an ethics program., CC ID: 11496

This Control has the following implementation support Control(s):
  • Refrain from assigning security compliance assessment responsibility for the day-to-day production activities an individual performs., CC ID: 12061
  • Refrain from approving previously performed activities when acting on behalf of the Chief Information Security Officer., CC ID: 12060
  • Refrain from performing activities with approval responsibility when acting on behalf of the Chief Information Security Officer., CC ID: 12059
  • Prohibit roles from performing activities that they are assigned the responsibility for approving., CC ID: 12052


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Banks should form a separate information security function/group to focus exclusively on information security management. There should be segregation of the duties of the Security Officer/Group dealing exclusively with information systems security and the Information Technology Division which actual… (Information security team/function ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and object… (3.3.1 11 ¶ 1, Final Report EBA Guidelines on ICT and security risk management)
  • Implement a division of roles and responsibilities that reduces the possibility for a single individual to compromise a critical process. Make sure that personnel are performing only authorised duties relevant to their respective jobs and positions. (PO4.11 Segregation of Duties, CobiT, Version 4.1)