Segregation of Duties

From The Secure Arc Wiki

Jump to: navigation, search

Contents

Assertion

No single individual should have the power to effect change of a critical control process, system or transaction.

Rationale

This year (2007) marks the first time “employees” beat out “hackers” as the most likely source of a security incident. [1]

This security principle helps to address the issue of "rogue" or "disgruntled" employees abusing their legitimately granted privileges. A solution adhering to the Segregation of Duties principle will require these types of users to collude with other similarly privileged users, significantly increasing the difficulty of executing such fraudulent activity.

Further detailed information is available on Wikipedia.

Related References

Policies & Standards

ISO 17799:2002

  • Section 8.1.4
    • Whether duties and areas of responsibility are separated in order to reduce opportunities for unauthorised modification or misuse of information or services.

NIST - sp800-55 - Security Metrics Guide for Information Technology Systems

  • Section 15.2
    • Are access controls enforcing segregation of duties?

COBIT Security Baseline - Control Objectives

  • Section 4.10
    • Senior management should implement a division of roles and responsibilities which should exclude the possibility for a single individual to subvert a critical process. Management should also make sure that personnel are performing those duties stipulated for their respective jobs and positions. In particular, a segregation of duties should be maintained between the following functions: Information Systems use, Data entry, computer operation, network management, system administration, systems development and maintenance, change management, security administration, and security audit.

Design Patterns

Navigation

Personal tools