CMMC AC.3.017 - Separate Individual Duties

Requirement text: AC.3.017: Separate the duties of individuals to reduce the risk of malevolent activity
without collusion. 

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Separation of duties addresses the potential for abuse of authorized privileges and helps to
reduce the risk of malevolent activity without collusion. Separation of duties includes
dividing mission functions and system support functions among different individuals or
roles; conducting system support functions with different individuals (e.g., configuration
management, quality assurance and testing, system management, programming, and
network security); and ensuring that security personnel administering access control
functions do not also administer audit functions. Because separation of duty violations can
span systems and application domains, organizations consider the entirety of organizational
systems and system components when developing policy on separation of duties.

CMMC CLARIFICATION
A company must avoid situations in which conflicts of interest or even lack of knowledge can
create security problems. This can be accomplished by splitting important duties and tasks
between employees in order to reduce intentional or unintentional execution of malicious
activities, when those involved are not colluding. This allows the organization to minimize
employees' fraud, abuse and errors. Summarizing, no one person should be in charge of an
entire critical task from beginning to end.

Example
You are responsible for designing and implementing security solutions in your organization.
The same person should not test security mechanisms, conduct security audits, and release
software for delivery. Policy is created and implemented so that the development team does
not do testing and the test team does not do development. This eliminates your ability to
intentionally or unintentionally develop a weak security solution that is not identified
through testing or is released prematurely before unit, integration, regression, operational
and security testing are complete.

References
• NIST SP 800-171 Rev 1 3.1.4
• NIST CSF v1.1 PR.AC-4
• NIST SP 800-53 Rev 4 AC-5
