iso27diy-corp/Corpus/Literature notes/Segregation of Duties.md

# Segregation of Duties

- [Implementing Segregation of Duties ISACA](Implementing%20Segregation%20of%20Duties%20ISACA.md)
- [Segregation of Duties in Auditing](Segregation%20of%20Duties%20in%20Auditing.md)
- [a-5.3-Segregation-of-duties](../Standards/ISO27x/OST/27002/EN/a-5.3-Segregation-of-duties.md)
- [ISO_27002_2022_5.3_PE Segregation of duties](../../../iso27DIY-gis/reference/Paraphrased/ISO27002-2022-EN/ISO_27002_2022_5.3_PE%20Segregation%20of%20duties.md)
- [Typologie Starreveld](Typologie%20Starreveld.md)
- [Trias Politica](../Sparks/Trias%20Politica.md)

Segregation of Duties ensures no single person has enough authority or access to compromise the system or data on their own.

**From a [dead blog](https://blogs.dnvgl.com/energy/separation-of-duties-and-it-security):**

Two primary objectives:
* prevention of conflict of interest (real or apparent), wrongful acts, fraud, abuse and errors. 
* detection of control failures.

There is an easy test for Separation of duties.
	1. Can any one person exfiltrate classified information without detection?
	2. Can any one person alter or destroy classified information without being detected?
	3. Does any one person have influence over controls design, implementation and reporting of the effectiveness of the controls?

The answers to all these questions should be “no.” 

So:
1. Determine what is sensitive information and label it
2. Log access to sensitive information.
3. Separate access rights (incl. modification and deletion) from the rights to modify controls or logging.
4. Separate design and implementation of security controls from testing, auditing, monitoring and reporting.

Responsibilities for controls (**DIME model**):
* Design
* Implementation
* Monitoring / reporting
* Evaluation
* Auditing

Also:
* The security officer should not report to the CIO, as she is responsible for having no cybersecurity issues.
* Use a third party to monitor security and conduct tests and audits.