IAM-04: Separation of Duties

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:

Previous Version:

Control Statement

Employ the separation of duties principle when implementing information system access.

Implementation Guidance

Access control policy should provide instruction on separation of environment and separation of duties, and cover the following:

  1. Maintain separation of duties between the production, testing, and development environments while limiting read/write access to all environments (such as production, development, and testing).
  2. Maintain separation of duties should and require multiple layers of approval (e.g., business approval, system owner approval) to ensure the integrity of access to different systems.

Auditing Guidance

  1. Determine if divisions of responsibility and separation of duties are defined and documented.
  2. Determine if information system access authorizations are established to support separation of duties.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.