Description:
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.
Priority: High
Category: Personnel Security
Services Associated with AWS:
- AWS Identity and Access Management (IAM)
- AWS Identity and Access Management (IAM), AWS Organizations
- AWS Identity and Access Management (IAM), AWS CloudTrail
- AWS Identity and Access Management (IAM)
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate how Separation of Duties (SoD) is performed
- Technical: if applicable, screen shot of supporting technology that implements SoD
Possible Technology Considerations:
- Role Based Access Control (RBAC)
- Discretionary Access Control (DAC)
- Identity & Access Management (IAM)
- Privileged Access Management (PAM)
What needs to be answered:
Do system administrators have separate accounts for accessing CUI? Do multiple individuals handle responsibilities for critical information and systems?
- Verify Separation of Mission and System Support Functions
  Description: This check ensures that mission functions and system support functions are divided among different individuals or roles, reducing the risk of malevolent activity.
- Confirm Separation of System Support Functions
  Description: This check confirms that system support functions such as configuration management, quality assurance and testing, system management, programming, and network security are conducted by different individuals.
- Validate Separation of Access Control and Audit Functions
  Description: This check verifies that security personnel administering access control functions do not also administer audit functions, helping to maintain the integrity of both functions.
- Ensure Compliance with Policy on Separation of Duties
  Description: This check ensures that the organization's policy on separation of duties, which includes considerations of all organizational systems and system components, is being properly followed.
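The access-control / audit separation check above maps directly onto the AWS services listed for it (IAM and CloudTrail): a role that can both grant permissions and stop or reconfigure the audit trail holds both duties. The following is an added example, not part of this control text or any AWS tooling, showing how a reviewer could triage exported IAM policy documents for that conflict. The sample role policies are constructed for illustration; the grouping of actions into an "access control" duty and an "audit" duty is an assumption you would adjust to your own policy, and the resolver ignores `NotAction`, `Resource` and `Condition` on purpose, so it is a first-pass filter rather than a full policy simulator.

```python
import fnmatch
from typing import Iterable

# The two duties the control says must not sit with the same person or role.
# Action names are real IAM/CloudTrail actions; the grouping into duties is ours.
ACCESS_CONTROL_ADMIN = {
    "iam:CreateUser", "iam:AttachUserPolicy", "iam:PutUserPolicy",
    "iam:AttachRolePolicy", "iam:PutRolePolicy", "iam:CreateAccessKey",
}
AUDIT_ADMIN = {
    "cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
    "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
}
WATCHED = ACCESS_CONTROL_ADMIN | AUDIT_ADMIN


def _as_list(value):
    """IAM allows Action/Statement fields to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def effective_actions(policies: Iterable[dict]) -> set[str]:
    """Resolve which watched actions a principal can perform across all its policies.

    Wildcards ("*", "iam:*", "cloudtrail:Put*") are expanded against the watched
    set, and an explicit Deny in any policy overrides an Allow in any other,
    mirroring IAM's evaluation order. NotAction, Resource and Condition are
    deliberately ignored (assumption: this is a triage filter, not a simulator).
    """
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
            matched = {a for a in WATCHED
                       if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
            if stmt.get("Effect") == "Allow":
                allowed |= matched
            elif stmt.get("Effect") == "Deny":
                denied |= matched
    return allowed - denied


def sod_conflicts(roles: dict[str, list[dict]]) -> dict[str, dict[str, list[str]]]:
    """Return, for each role holding BOTH duties, the actions it holds from each."""
    findings = {}
    for role, policies in roles.items():
        actions = effective_actions(policies)
        access = sorted(actions & ACCESS_CONTROL_ADMIN)
        audit = sorted(actions & AUDIT_ADMIN)
        if access and audit:
            findings[role] = {"access_control": access, "audit": audit}
    return findings


# Constructed sample roles and policies (not taken from any real account).
SAMPLE_ROLES = {
    # Administers users and permissions only: compliant.
    "IamAdmin": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]}],
    # Administers the audit trail only: compliant.
    "AuditAdmin": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["cloudtrail:*"], "Resource": "*"}]}],
    # A blanket "*" grant covers both duties: SoD conflict.
    "PlatformAdmin": [{"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}],
    # Blanket grant, but a second policy explicitly denies audit administration: compliant.
    "BreakGlass": [
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        {"Version": "2012-10-17", "Statement": [
            {"Effect": "Deny", "Action": "cloudtrail:*", "Resource": "*"}]},
    ],
}

if __name__ == "__main__":
    for role, detail in sod_conflicts(SAMPLE_ROLES).items():
        print(f"SoD conflict: {role} holds {len(detail['access_control'])} access-control "
              f"and {len(detail['audit'])} audit-administration actions")
```

Run against `SAMPLE_ROLES`, only `PlatformAdmin` is reported; `BreakGlass` is cleared because its Deny statement removes the audit duty even though its Allow is a wildcard. A screenshot or saved output of a check like this, alongside the role inventory it was run on, is the kind of technical evidence the "Objective Evidence" section asks for.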
More details: Multiple administrators within the development team split monitoring duties and management of CUI-containing systems.