Level 2


Description:

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.  


Priority: High 


Domain: ACCESS CONTROL (AC) 


Services Associated with AWS: 

  • AWS Identity and Access Management (IAM)
  • AWS Organizations
  • AWS CloudTrail


Services Associated with Azure:

  • Azure Active Directory (Azure AD)
  • Azure RBAC (Role-Based Access Control)
  • Azure Policy
  • Azure Sentinel
  • Azure Security Center
  • Azure Monitor
  • Azure Logic Apps
  • Azure Functions
  • Azure Key Vault
  • Azure Privileged Identity Management (PIM)
  • Azure Audit Logs
  • Azure Information Protection
  • Azure Data Lake Storage
  • Azure Virtual Machines
  • Azure SQL Database
  • Azure DevOps
  • Azure Kubernetes Service (AKS)
  • Azure Firewall
  • Azure ExpressRoute
  • Azure Virtual Network (VNet)


Objective Evidence: 

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how Separation of Duties (SoD) is performed
  • Technical: if applicable, screen shot of supporting technology that implements SoD


Possible Technology Considerations:

  • Role Based Access Control (RBAC)
  • Discretionary Access Control (DAC)
  • Identity & Access Management (IAM)
  • Privileged Access Management (PAM)


What needs to be answered:

Do system administrators have separate accounts for accessing CUI? Do multiple individuals handle responsibilities for critical information and systems? 


Checks for AWS

  • Verify Separation of Mission and System Support Functions
    Description: This check ensures that mission functions and system support functions are divided among different individuals or roles, reducing the risk of malevolent activity.
  • Confirm Separation of System Support Functions
    Description: This check confirms that system support functions such as configuration management, quality assurance and testing, system management, programming, and network security are conducted by different individuals.
  • Validate Separation of Access Control and Audit Functions
    Description: This check verifies that security personnel administering access control functions do not also administer audit functions, helping to maintain the integrity of both functions.
  • Ensure Compliance with Policy on Separation of Duties
    Description: This check ensures that the organization's policy on separation of duties, which includes considerations of all organizational systems and system components, is being properly followed.
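As an added illustration of the "Validate Separation of Access Control and Audit Functions" check above (example code written for this page, not from AWS or any tool the page names): a small Python evaluator that flags principals whose combined IAM policy documents grant both access-control administration (iam:) and audit administration (cloudtrail:) actions. The action families, the simplified policy evaluation and the sample principals are assumptions constructed here.

```python
import fnmatch

# Assumed action families for the two duties the control keeps apart.
ACCESS_CONTROL_ADMIN = ["iam:CreateUser", "iam:AttachUserPolicy",
                        "iam:PutUserPolicy", "iam:CreateRole", "iam:AttachRolePolicy"]
AUDIT_ADMIN = ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
               "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors"]

def effective_actions(actions, policies):
    """Subset of `actions` a principal can perform given its policy documents.
    Simplified IAM evaluation (assumption): an explicit Deny in any policy
    beats any Allow; Condition blocks and Resource scoping are ignored.
    """
    allowed, denied = set(), set()
    for policy in policies:
        for stmt in policy.get("Statement", []):
            patterns = stmt.get("Action", [])
            if isinstance(patterns, str):
                patterns = [patterns]
            hit = {a for a in actions
                   if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}
            (allowed if stmt.get("Effect") == "Allow" else denied).update(hit)
    return allowed - denied

def sod_violations(principals):
    """Principals whose effective permissions span both duties."""
    findings = []
    for name, policies in principals.items():
        ac = effective_actions(ACCESS_CONTROL_ADMIN, policies)
        audit = effective_actions(AUDIT_ADMIN, policies)
        if ac and audit:
            findings.append((name, sorted(ac), sorted(audit)))
    return findings

# Constructed sample principals; not taken from any real account.
PRINCIPALS = {
    "iam-admin": [{"Statement": [{"Effect": "Allow", "Action": "iam:*"}]}],
    "audit-admin": [{"Statement": [{"Effect": "Allow", "Action": "cloudtrail:*"}]}],
    "ops-superuser": [{"Statement": [{"Effect": "Allow", "Action": "*"}]}],
    # Broad Allow, but a Deny on the audit actions restores the separation.
    "iam-admin-guarded": [
        {"Statement": [{"Effect": "Allow", "Action": ["iam:*", "cloudtrail:*"]}]},
        {"Statement": [{"Effect": "Deny", "Action": AUDIT_ADMIN}]},
    ],
}

if __name__ == "__main__":
    for name, ac, audit in sod_violations(PRINCIPALS):
        print(f"SoD violation: {name} holds {ac} and {audit}")
```

Only "ops-superuser" is reported; the guarded principal passes because the explicit Deny removes its audit-administration rights, which is the pattern an evidence screenshot for this check would typically show.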


Checks for Azure

  • Ensure Separation of Mission and System Support Functions
    Description: This policy check verifies that mission functions and system support functions within Azure are divided among different individuals or roles. It ensures that responsibilities for critical information and systems are assigned to multiple individuals, reducing the risk of unauthorized or malevolent activities.
  • Confirm Separation of System Support Functions
    Description: This policy check confirms that system support functions such as configuration management, quality assurance and testing, system management, programming, and network security are conducted by different individuals or teams. It ensures that there is a clear separation of responsibilities to prevent conflicts of interest and increase accountability.
  • Validate Separation of Access Control and Audit Functions
    Description: This policy check ensures that individuals responsible for administering access control functions within Azure, such as Azure Active Directory (Azure AD) and Azure RBAC (Role-Based Access Control), do not also administer audit functions. It verifies the separation of duties to maintain the integrity and independence of access control and audit activities.
  • Ensure Compliance with Policy on Separation of Duties
    Description: This policy check ensures that the organization's policy on separation of duties, including considerations for all Azure systems and components, is being followed. It validates that the defined roles and responsibilities align with the policy requirements, reducing the risk of unauthorized actions and potential abuses of privileges.


More Details: Multiple administrators within the development team split monitoring duties and management of CUI-containing systems.