Description
Separation of Duties

Overview
Separation of Duties (SOD) is the concept of having more than one person perform activities in order to prevent fraud or errors.

Guidelines
Also known as segregation of duties, SOD is a form of checks and balances that should be incorporated into IT processes to ensure confidentiality, integrity and availability of information resources. Examples of how SOD can be used include:
  • Security and System Administration: roles and individuals responsible for security functions (e.g. security monitoring, incident response, audit) should be separate from those responsible for system administration or normal business functions (e.g. systems and business applications support staff). Security tasks should provide oversight of user activities to ensure that no single user has the power or authority for both security and management of systems and data.
  • System Administration and Sensitive Data: system administrators should generally be given "least privilege" access to systems, sufficient to support the systems or applications they are responsible for while preserving confidentiality, integrity and availability of information. Administrators generally should not have access to sensitive data unless specifically authorized by the data owner on a "need to know" basis to support the business.
  • Access Control: ensure that users (and roles) that can create accounts for access to resources or reset passwords are separate from the users (or roles) requesting access. Typically a group or role should be established (e.g. access or identity management) to perform access control activities.
  • Change Management: the role or individual authorized to approve changes should be separate from the individual requesting or implementing the change. The process should also include a step to review and detect unauthorized changes to production devices.
  • Development and Production: separate development and production roles should be used for privileged system, application and network access entitlements.
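The separations listed above are usually enforced in an identity-management system as a table of mutually exclusive ("toxic") role combinations. The following Python is an added illustration, not part of this page or any specific product: it encodes the page's example separations as hypothetical role names, detects users whose current assignments violate them, blocks a new grant that would create a violation, and checks a single change record for the approver/requester/implementer rule. All role names, user names and tickets are constructed sample data.

```python
from __future__ import annotations

# Hypothetical role names modelled on the guideline's examples. Each inner
# frozenset is a pair of roles that one person must never hold at the same time.
TOXIC_PAIRS: frozenset[frozenset[str]] = frozenset({
    frozenset({"security_monitoring", "system_admin"}),   # security vs. sysadmin
    frozenset({"incident_response", "system_admin"}),
    frozenset({"change_approver", "change_requester"}),   # change management
    frozenset({"change_approver", "change_implementer"}),
    frozenset({"account_provisioner", "access_requester"}),  # access control
    frozenset({"dev_privileged", "prod_privileged"}),     # dev vs. prod
})


def find_sod_conflicts(assignments: dict[str, set[str]],
                       toxic_pairs: frozenset[frozenset[str]] = TOXIC_PAIRS
                       ) -> dict[str, list[tuple[str, str]]]:
    """Detective control: return, per user, every toxic pair fully contained in
    that user's current role set. Users with no conflict are omitted."""
    conflicts: dict[str, list[tuple[str, str]]] = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in toxic_pairs if pair <= roles]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def would_conflict(current_roles: set[str], new_role: str,
                   toxic_pairs: frozenset[frozenset[str]] = TOXIC_PAIRS
                   ) -> list[str]:
    """Preventive control: list the roles already held that clash with new_role.
    An empty list means the grant can proceed."""
    clashing = []
    for pair in toxic_pairs:
        if new_role in pair:
            other = next(iter(pair - {new_role}))
            if other in current_roles:
                clashing.append(other)
    return sorted(clashing)


def check_change_ticket(ticket: dict[str, str]) -> list[str]:
    """Apply the change-management rule to one record: the approver must be a
    different person from both the requester and the implementer."""
    problems = []
    approver = ticket["approver"]
    if approver == ticket["requester"]:
        problems.append(f"approver {approver} is also the requester")
    if approver == ticket["implementer"]:
        problems.append(f"approver {approver} is also the implementer")
    return problems


# Constructed sample data: a role inventory and a change record.
SAMPLE_ASSIGNMENTS: dict[str, set[str]] = {
    "alice": {"system_admin", "security_monitoring"},          # conflict
    "bob":   {"change_requester", "change_implementer"},       # allowed
    "carol": {"change_approver"},                              # allowed
    "dave":  {"dev_privileged", "prod_privileged", "access_requester"},  # conflict
}
SAMPLE_TICKET = {"requester": "bob", "implementer": "bob", "approver": "bob"}

if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: holds conflicting roles {pairs}")
    print("grant change_approver to bob blocked by:",
          would_conflict(SAMPLE_ASSIGNMENTS["bob"], "change_approver"))
    print("ticket problems:", check_change_ticket(SAMPLE_TICKET))
```

Running the detective check periodically over the real role inventory, and the preventive check inside the provisioning workflow, covers both halves of the guideline: existing violations are surfaced for review, and new ones are refused before the entitlement is granted.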

Topic Category
Access Control