Skip to Content

NIST 800-171 - Separation of Duties (3.1.4)

109  Matthew Burdick September 27, 2022  Access Control

Overview:
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.


Action Items:
3.1.4[a]
Determine if: the duties of individuals requiring separation are defined.


3.1.4[b]
Determine if: responsibilities for duties that require separation are assigned to separate individuals.


3.1.4[c]
Determine if: access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1
Examine: Access control policy; procedures addressing divisions of responsibility and separation of duties; system security plan; system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; system access authorizations; system audit logs and records; other relevant documents or records].


2
Interview: Personnel with responsibilities for defining divisions of responsibility and separation of duties; personnel with information security responsibilities; system or network administrators].


3
Test: Mechanisms implementing separation of duties policy]


Related Documents (document name and content will vary by organization):
1) Access control policy
2) procedures addressing divisions of responsibility and separation of duties
3) system security plan
4) system configuration settings and associated documentation
5) list of divisions of responsibility and separation of duties
6) system access authorizations
7) system audit logs and records
8) other relevant documents or records


Additional Guidance:
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
Not Rated
Secure Code