#iso27002/2022/EN
5.3 Segregation of duties
Control
Conflicting duties and conflicting areas of responsibility should be segregated.
Purpose
To reduce the risk of fraud, error and bypassing of information security controls.
Guidance
Segregation of duties and areas of responsibility aims to separate conflicting duties between different individuals in order to prevent one individual from executing potentially conflicting duties on their own.
The organization should determine which duties and areas of responsibility need to be segregated. The following are examples of activities that can require segregation:
a) initiating, approving and executing a change;
b) requesting, approving and implementing access rights;
c) designing, implementing and reviewing code;
d) developing software and administering production systems;
e) using and administering applications;
f) using applications and administering databases;
g) designing, auditing and assuring information security controls.
The possibility of collusion should be considered in designing the segregation controls. Small organizations can find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls should be considered, such as monitoring of activities, audit trails and management supervision.
Care should be taken when using role-based access control systems to ensure that persons are not granted conflicting roles. When there is a large number of roles, the organization should consider using automated tools to identify conflicts and facilitate their removal. Roles should be carefully defined and provisioned to minimize access problems if a role is removed or reassigned.
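The automated conflict check described above, as an added example that is not part of the standard: the Python below derives conflicting duty pairs from items a) to g), then flags both users whose combined roles grant a conflicting pair and roles that bundle conflicting duties on their own. The duty names, role catalogue and user assignments are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict check over RBAC assignments.
Duty names and conflict pairs follow items a)-g) of the control; roles,
users and assignments are constructed sample data, not a real catalogue."""

# Pairs of duties that should not rest with one person (from items a-g).
CONFLICTING_DUTIES = [
    ("initiate_change", "approve_change"),
    ("approve_change", "execute_change"),
    ("request_access", "approve_access"),
    ("approve_access", "implement_access"),
    ("write_code", "review_code"),
    ("develop_software", "administer_production"),
    ("use_application", "administer_application"),
    ("use_application", "administer_database"),
    ("design_controls", "audit_controls"),
]

# Hypothetical role catalogue: role -> duties the role grants.
ROLE_DUTIES = {
    "developer": {"write_code", "develop_software"},
    "code_reviewer": {"review_code"},
    "change_requester": {"initiate_change"},
    "change_approver": {"approve_change"},
    "prod_admin": {"administer_production", "execute_change"},
    "dba": {"administer_database"},
    "app_user": {"use_application"},
    "access_manager": {"request_access", "approve_access"},  # badly designed
}

# Constructed user -> roles assignments to run the check against.
SAMPLE_ASSIGNMENTS = {
    "alice": {"developer", "code_reviewer"},
    "bob": {"developer"},
    "carol": {"developer", "prod_admin"},
    "dave": {"change_requester", "change_approver"},
}


def role_conflicts(role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Roles that bundle a conflicting pair by themselves (a role-design defect)."""
    return {role: [p for p in conflicts if set(p) <= duties]
            for role, duties in role_duties.items()
            if any(set(p) <= duties for p in conflicts)}


def user_conflicts(assignments, role_duties=ROLE_DUTIES, conflicts=CONFLICTING_DUTIES):
    """Users whose combined roles grant a conflicting pair; maps each user to
    a list of (duty_a, duty_b, sorted roles that grant those duties)."""
    report = {}
    for user, roles in assignments.items():
        held = {d: r for r in sorted(roles) for d in role_duties.get(r, ())}
        found = [(a, b, sorted({held[a], held[b]}))
                 for a, b in conflicts if a in held and b in held]
        if found:
            report[user] = found
    return report
```

Run `user_conflicts(SAMPLE_ASSIGNMENTS)` to list users needing a role change or a compensating control (monitoring, audit trail, supervision), and `role_conflicts()` to catch roles that should never be provisioned as defined.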
Other information
No other information.