← Controls / AC

AC-05 Separation Of Duties

Access Control

Low Moderate High

Description

The information system enforces separation of duties through assigned access authorizations.

Supplemental Guidance

The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. There is access control software on the information system that prevents users from having all of the necessary authority or information access to perform fraudulent activity without collusion. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security); and (iii) security personnel who administer access control functions do not administer audit functions.

Changes from Rev 4

Revises parameter to identify and document duties of individuals requiring separation Adds reference to multiple systems and organizations, and that separation of duties policy should span systems and application domains. Adds reference to AC-02 and AC-03 as enforcement mechanisms.

Enhancements

(0) None.

MITRE ATT&CK Techniques (167)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Initial Access 6 Execution 17 Persistence 58 Privilege Escalation 51 Defense Evasion 68 Credential Access 32 Discovery 4 Lateral Movement 15 Collection 8 Exfiltration 1 Impact 3
Show all 167 techniques grouped by tactic

Persistence

T1053 T1078 T1098 T1136 T1197 T1505 T1525 T1542 T1543 T1556 T1574 T1053.002 T1053.003 T1053.005 T1053.006 T1053.007 T1078.001 T1078.002 T1078.003 T1078.004 T1098.001 T1098.002 T1098.003 T1098.004 T1098.005 T1098.007 T1136.001 T1136.002 T1136.003 T1505.002 T1505.003 T1505.005 T1542.001 T1542.003 T1542.005 T1543.001 T1543.002 T1543.003 T1543.004 T1543.005 T1546.003 T1547.004 T1547.006 T1547.009 T1547.012 T1547.013 T1556.001 T1556.003 T1556.004 T1556.005 T1556.009 T1574.004 T1574.005 T1574.007 T1574.008 T1574.009 T1574.010 T1574.012

Privilege Escalation

T1053 T1055 T1078 T1098 T1134 T1484 T1543 T1548 T1574 T1611 T1053.002 T1053.003 T1053.005 T1053.006 T1053.007 T1055.008 T1078.001 T1078.002 T1078.003 T1078.004 T1098.001 T1098.002 T1098.003 T1098.004 T1098.005 T1098.007 T1134.001 T1134.002 T1134.003 T1134.005 T1543.001 T1543.002 T1543.003 T1543.004 T1543.005 T1546.003 T1547.004 T1547.006 T1547.009 T1547.012 T1547.013 T1548.002 T1548.003 T1548.006 T1574.004 T1574.005 T1574.007 T1574.008 T1574.009 T1574.010 T1574.012

Defense Evasion

T1055 T1070 T1078 T1134 T1197 T1218 T1222 T1484 T1542 T1548 T1550 T1556 T1562 T1574 T1578 T1599 T1601 T1055.008 T1070.001 T1070.002 T1070.003 T1070.007 T1070.008 T1070.009 T1078.001 T1078.002 T1078.003 T1078.004 T1134.001 T1134.002 T1134.003 T1134.005 T1218.007 T1222.001 T1222.002 T1542.001 T1542.003 T1542.005 T1548.002 T1548.003 T1548.006 T1550.002 T1550.003 T1556.001 T1556.003 T1556.004 T1556.005 T1556.009 T1562.001 T1562.002 T1562.004 T1562.006 T1562.007 T1562.008 T1562.009 T1574.004 T1574.005 T1574.007 T1574.008 T1574.009 T1574.010 T1574.012 T1578.001 T1578.002 T1578.003 T1599.001 T1601.001 T1601.002

Credential Access

T1003 T1110 T1528 T1552 T1556 T1558 T1606 T1003.001 T1003.002 T1003.003 T1003.004 T1003.005 T1003.006 T1003.007 T1003.008 T1056.003 T1110.001 T1110.002 T1110.003 T1110.004 T1552.001 T1552.002 T1552.006 T1552.007 T1556.001 T1556.003 T1556.004 T1556.005 T1556.009 T1558.001 T1558.002 T1558.003

Compliance Mappings

ISO 27001:2022

A.5.3

ISO 27002:2022

5.38.2

COBIT 2019

DSS05DSS06

CIS Controls v8

CIS 5

NIST CSF 2.0

PR.AA-05

SOC 2 TSC

CC5.1CC6.6CC6.6-POF2

PCI DSS v4.0.1

7.2

CSA CCM v4

IAM-04IAM-09

CSA AICM v1

IAM-04IAM-09IAM-19

ISO 42001:2023

A.3.2

IEC 62443

3-3 SR 1.3

NIS2 Directive

Art. 21(2)(i)

MAS TRM

9

BSI IT-Grundschutz

OPS.1.1.2ORP.1ORP.4

ANSSI

Hygiene.15Hygiene.17SecNumCloud.10.4

FINMA Circular 2023/1

IV.B.d(59)IV.B.d(60)

OSFI B-13

B-13.1.1B-13.3.2

EU GDPR

Art.24(1)Art.32(1)(b)Art.5(1)(f)

EU DORA

Art.9(4)(c)Art.9(4)(d)

BIO2

5.38.2

RBI CSF

Annex1.8ITGRCA.19

FISC Security Guidelines

FISC.T2

LGPD + BCB 4893

BCB.Art.3LGPD.Art.46

HKMA TM-E-1

TME1.8.1TME1.8.2

MLPS 2.0

8.1.10.48.1.4.2

DNB Good Practice

DNB.17.2DNB.7.1

SWIFT CSCF

SWIFT.1.2SWIFT.5.1

SAMA CSF

1.53.1

NCA ECC

2-2

UAE IA

T9

CBB TM

TM-6

Qatar NIA

AC

CBUAE

CR-4

CBE CSF

CD-1CTO-1

SA JS2

JS2-7.1

CBN CSF

Part3.2Part9

BoG CISD

CISD-VIII

POPIA

s19

BoM CTRM

3.3

IOSCO Cyber Resilience

PROT-1

BCBS 239

Principle 1

CPMI-IOSCO PFMI

CG.PR

FFIEC IS

II.C.7II.C.7(b)II.C.7(c)

NYDFS 500

500.7

HIPAA Security Rule

§164.308(a)(3)(i)§164.308(a)(3)(ii)(A)§164.308(a)(4)(ii)(C)

ECB CROE

CROE.2.3.1

EBA ICT Guidelines

3.4.2

SEBI CSCRF

PR.AA

BOT Cyber Resilience

Ch2.2

CMMC 2.0

AC

10 CFR 73.54

RG5.71-A-AC

TSA Pipeline SD

SD-2 Sec B

IEEE 1686-2022

5.1

DOE C2M2 v2.1

ACCESS

API 1164

Sec 6

IAEA NSS 17-T

Sec 5.3

FIPS 140-3

FIPS 140-3 §7.4

PCI HSM

156

Common Criteria

CC Part 2 — FDPCC Part 2 — FMT

ISAE 3402

Clause 4

Solvency II

EIOPA-ICT-4.4

Lloyd's Minimum Standards

MS2.1MS5.1MS8.3

NAIC Insurance Data Security

4-access4B

PRA SS1/23

P-IT.1P2.2P2.4P4.1

FCA SYSC 13

SYSC 13.6.2SYSC 13.7.3

HITRUST CSF v11

01.a

FDA 21 CFR Part 11

§11.10(d)§11.10(g)

ISO 27799

9.3

NHS DSPT

NDG-4.1NDG-4.4

CCSS v9.0

1.02.21.04.31.05.3

MiCA

Art.36(1)Art.63(2)Art.65(1)Art.86(1)Art.92(1)

Basel SCO60

SCO60.55SCO60.60SCO60.61SCO60.62SCO60.63SCO60.66

BSSC Standards

KMS-04KMS-06GSP-11

SEC Custody (Digital Assets)

SEC-CD-02SEC-CD-03SEC-CD-04SEC-CD-05SEC-CD-16SEC-CD-19

ISO 17799 (legacy)

10.1.310.6.110.10.1

COBIT 4.1 (legacy)

PO4.11