richardk/iso27diy-corp
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Vault restructure

Browse source
This commit is contained in:
Richard Kranendonk 2026-04-23 11:51:51 +02:00
parent d45797d121
commit ff77508bd1
1433 changed files with 415450 additions and 1201 deletions
Download patch file Download diff file Expand all files Collapse all files

40
Corpus/📚️ Literature notes/Segregation of Duties.md Normal file
View file

@ -0,0 +1,40 @@
# Segregation of Duties
- [Implementing Segregation of Duties ISACA](Implementing%20Segregation%20of%20Duties%20ISACA.md)
- [Segregation of Duties in Auditing](Segregation%20of%20Duties%20in%20Auditing.md)
- [a-5.3-Segregation-of-duties](../Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md)
- [ISO_27002_2022_5.3_PE Segregation of duties](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.3_PE%20Segregation%20of%20duties.md)
- [Typologie Starreveld](Typologie%20Starreveld.md)
- [Trias Politica](../🎇%20Sparks/Trias%20Politica.md)
Segregation of Duties ensures no single person has enough authority or access to compromise the system or data on their own.
**From a [dead blog](https://blogs.dnvgl.com/energy/separation-of-duties-and-it-security):**
Two primary objectives:
* prevention of conflict of interest (real or apparent), wrongful acts, fraud, abuse and errors.
* detection of control failures.
There is an easy test for Separation of duties.
1. Can any one person exfiltrate classified information without detection?
2. Can any one person alter or destroy classified information without being detected?
3. Does any one person have influence over controls design, implementation and reporting of the effectiveness of the controls?
The answers to all these questions should be “no.”
So:
1. Determine what is sensitive information and label it
2. Log access to sensitive information.
3. Separate access rights (incl. modification and deletion) from the rights to modify controls or logging.
4. Separate design and implementation of security controls from testing, auditing, monitoring and reporting.
Responsibilities for controls (**DIME model**):
* Design
* Implementation
* Monitoring / reporting
* Evaluation
* Auditing
Also:
* The security officer should not report to the CIO, as she is responsible for having no cybersecurity issues.
* Use a third party to monitor security and conduct tests and audits.