Compliance controls associated with this Policy definition 'Separate duties of individuals' (60ee1260-97f0-61bb-8155-5d8b75743655):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | AC-5 | FedRAMP_High_R4_AC-5 | FedRAMP High AC-5 | Access Control | Separation Of Duties | Shared | n/a | The organization:<br>a. Separates [Assignment: organization-defined duties of individuals];<br>b. Documents separation of duties of individuals; and<br>c. Defines information system access authorizations to support separation of duties.<br>Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2.<br>Control Enhancements: None.<br>References: None. | link | 4 |
| FedRAMP_Moderate_R4 | AC-5 | FedRAMP_Moderate_R4_AC-5 | FedRAMP Moderate AC-5 | Access Control | Separation Of Duties | Shared | n/a | The organization:<br>a. Separates [Assignment: organization-defined duties of individuals];<br>b. Documents separation of duties of individuals; and<br>c. Defines information system access authorizations to support separation of duties.<br>Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2.<br>Control Enhancements: None.<br>References: None. | link | 4 |
| hipaa | 0859.09m1Organizational.78-09.m | hipaa-0859.09m1Organizational.78-09.m | 0859.09m1Organizational.78-09.m | 08 Network Protection | 0859.09m1Organizational.78-09.m 09.06 Network Security Management | Shared | n/a | The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. | | 13 |
| hipaa | 11219.01b1Organizational.10-01.b | hipaa-11219.01b1Organizational.10-01.b | 11219.01b1Organizational.10-01.b | 11 Access Control | 11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems | Shared | n/a | The organization maintains a current listing of all workforce members (individuals, contractors, vendors, business partners, etc.) with access to sensitive information (e.g., PII). | | 5 |
| hipaa | 1229.09c1Organizational.1-09.c | hipaa-1229.09c1Organizational.1-09.c | 1229.09c1Organizational.1-09.c | 12 Audit Logging & Monitoring | 1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures | Shared | n/a | Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems. | | 4 |
| hipaa | 1230.09c2Organizational.1-09.c | hipaa-1230.09c2Organizational.1-09.c | 1230.09c2Organizational.1-09.c | 12 Audit Logging & Monitoring | 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures | Shared | n/a | No single person is able to access, modify, or use information systems without authorization or detection. | | 13 |
| hipaa | 1231.09c2Organizational.23-09.c | hipaa-1231.09c2Organizational.23-09.c | 1231.09c2Organizational.23-09.c | 12 Audit Logging & Monitoring | 1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures | Shared | n/a | Job descriptions define duties and responsibilities that support the separation of duties across multiple users. | | 3 |
| hipaa | 1232.09c3Organizational.12-09.c | hipaa-1232.09c3Organizational.12-09.c | 1232.09c3Organizational.12-09.c | 12 Audit Logging & Monitoring | 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures | Shared | n/a | Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. | | 21 |
| hipaa | 1233.09c3Organizational.3-09.c | hipaa-1233.09c3Organizational.3-09.c | 1233.09c3Organizational.3-09.c | 12 Audit Logging & Monitoring | 1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures | Shared | n/a | Development, testing, quality assurance and production functions are separated among multiple individuals/groups. | | 3 |
| hipaa | 1271.09ad1System.1-09.ad | hipaa-1271.09ad1System.1-09.ad | 1271.09ad1System.1-09.ad | 12 Audit Logging & Monitoring | 1271.09ad1System.1-09.ad 09.10 Monitoring | Shared | n/a | An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. | | 8 |
| hipaa | 1271.09ad2System.1 | hipaa-1271.09ad2System.1 | 1271.09ad2System.1 | 12 Audit Logging & Monitoring | 1271.09ad2System.1 09.10 Monitoring | Shared | n/a | An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. | | 7 |
| hipaa | 1276.09c2Organizational.2-09.c | hipaa-1276.09c2Organizational.2-09.c | 1276.09c2Organizational.2-09.c | 12 Audit Logging & Monitoring | 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures | Shared | n/a | Security audit activities are independent. | | 18 |
| hipaa | 1277.09c2Organizational.4-09.c | hipaa-1277.09c2Organizational.4-09.c | 1277.09c2Organizational.4-09.c | 12 Audit Logging & Monitoring | 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures | Shared | n/a | The initiation of an event is separated from its authorization to reduce the possibility of collusion. | | 4 |
| hipaa | 1278.09c2Organizational.56-09.c | hipaa-1278.09c2Organizational.56-09.c | 1278.09c2Organizational.56-09.c | 12 Audit Logging & Monitoring | 1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures | Shared | n/a | The organization identifies duties that require separation and defines information system access authorizations to support separation of duties; and incompatible duties are segregated across multiple users to minimize the opportunity for misuse or fraud. | | 3 |
| hipaa | 1279.09c3Organizational.4-09.c | hipaa-1279.09c3Organizational.4-09.c | 1279.09c3Organizational.4-09.c | 12 Audit Logging & Monitoring | 1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures | Shared | n/a | The organization ensures that mission critical functions and information system support functions are divided among separate individuals. | | 3 |
| hipaa | 1451.05iCSPOrganizational.2-05.i | hipaa-1451.05iCSPOrganizational.2-05.i | 1451.05iCSPOrganizational.2-05.i | 14 Third Party Assurance | 1451.05iCSPOrganizational.2-05.i 05.02 External Parties | Shared | n/a | Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. | | 21 |
| hipaa | 1808.08b2Organizational.7-08.b | hipaa-1808.08b2Organizational.7-08.b | 1808.08b2Organizational.7-08.b | 18 Physical & Environmental Security | 1808.08b2Organizational.7-08.b 08.01 Secure Areas | Shared | n/a | Physical access rights are reviewed every 90 days and updated accordingly. | | 7 |
| ISO27001-2013 | A.6.1.2 | ISO27001-2013_A.6.1.2 | ISO 27001:2013 A.6.1.2 | Organization of Information Security | Segregation of Duties | Shared | n/a | Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. | link | 5 |
| NIST_SP_800-171_R2 | 3.1.4 | NIST_SP_800-171_R2_3.1.4 | NIST SP 800-171 R2 3.1.4 | Access Control | Separate the duties of individuals to reduce the risk of malevolent activity without collusion. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. | link | 6 |
| NIST_SP_800-53_R4 | AC-5 | NIST_SP_800-53_R4_AC-5 | NIST SP 800-53 Rev. 4 AC-5 | Access Control | Separation Of Duties | Shared | n/a | The organization:<br>a. Separates [Assignment: organization-defined duties of individuals];<br>b. Documents separation of duties of individuals; and<br>c. Defines information system access authorizations to support separation of duties.<br>Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2.<br>Control Enhancements: None.<br>References: None. | link | 4 |
| NIST_SP_800-53_R5 | AC-5 | NIST_SP_800-53_R5_AC-5 | NIST SP 800-53 Rev. 5 AC-5 | Access Control | Separation of Duties | Shared | n/a | a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and<br>b. Define system access authorizations to support separation of duties. | link | 4 |
| | op.acc.3 Segregation of functions and tasks | op.acc.3 Segregation of functions and tasks | 404 not found | | | | n/a | n/a | | 43 |
| PCI_DSS_v4.0 | 6.2.3.1 | PCI_DSS_v4.0_6.2.3.1 | PCI DSS v4.0 6.2.3.1 | Requirement 06: Develop and Maintain Secure Systems and Software | Bespoke and custom software are developed securely | Shared | n/a | If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are:<br>• Reviewed by individuals other than the originating code author, and who are knowledgeable about code-review techniques and secure coding practices.<br>• Reviewed and approved by management prior to release. | link | 1 |
| SWIFT_CSCF_v2022 | 5.1 | SWIFT_CSCF_v2022_5.1 | SWIFT CSCF v2022 5.1 | 5. Manage Identities and Segregate Privileges | Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. | Shared | n/a | Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. | link | 35 |