Security Disciplines for
Objective 1: Support
1-4. Separation of Duties
Description
Separation of duties is a critical element of a robust security policy. It requires that distinct information system duties, such as database administration, security administration, user functions, and source code access, be allocated to separate job functions performed by different individuals. Separation of duties should be incorporated into change management procedures (see Section 2-5: Change Management), so that no change to a production system is both requested and approved, or both built and deployed, by the same person.
Purpose
Separation of duties segregates critical, operational IT functions into distinct jobs to prevent a single person from harming a development or operational system or the services it provides, whether by an accidental act, omission, or intentional act.
Principles
The approach to separation of duties should be defined in an organization’s security policy.
Separation-of-duties procedures should be developed by the information system management team.
Policies
A separation-of-duties policy should be established and documented that assigns programming, database administration, security administration, user functions, and source code access to separate job functions performed by different individuals. A training program should be established for affected personnel, and an audit plan should be established and executed periodically to verify that actual access rights (including rights inherited through group membership) still comply with the separation-of-duties policy.
Best Practices
An individual should not have access to more than one critical task as identified by management. Personnel should perform only those duties specified in their job descriptions; in particular, programming and operations functions should be performed by different individuals.
Programmers should not be able to execute any jobs in a production mode, perform database administration functions, perform application security functions, or have access to production databases.
Operators should not have the ability to make changes to production applications or system software libraries, and database changes should be administered by database administration personnel only.
Security responsibilities should be clearly separated from processing operations functions. Security functions (e.g., granting authority, controlling access to data, and restricting functions) should be performed by security personnel, not by the operators or programmers whose access those functions govern.
Reference
- ISO/IEC 17799, Information Technology—Code of Practice for Information Security Management, International Standard (renumbered ISO/IEC 27002 in 2007).