Organizational Control: Separation Of Duties

Control ID: AC-5 Separation Of Duties Family: Access Control Source: NIST 800-53r4
Control: The organization:
  1. Separates [Assignment: organization-defined duties of individuals];
  2. Documents separation of duties of individuals; and
  3. Defines information system access authorizations to support separation of duties.
Supplemental Guidance:
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

Related Controls: AC-3, AC-6, PE-3, PE-4, PS-2
Control Enhancements: N/A
References: N/A
Mechanisms:
Protocol Implementation Conformance Statements: N/A