Description
The information system enforces separation of duties through assigned access authorizations.
Supplemental Guidance
The organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals. There is access control software on the information system that prevents users from having all of the necessary authority or information access to perform fraudulent activity without collusion. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, quality assurance/testing, configuration management, and network security); and (iii) security personnel who administer access control functions do not administer audit functions.
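As an added illustration (not text from the control itself), the following Python models the enforcement the guidance describes: a check that flags users holding mutually exclusive duties, and a grant function that refuses an authorization which would create such a conflict. The duty labels, conflict pairs and sample users are constructed for this example, following the guidance's examples (i) to (iii).

```python
"""Static separation-of-duties (SoD) check over assigned access authorizations.

A user must not hold every authorization needed to complete a sensitive
action alone. Duty labels below are constructed for this example.
"""
from itertools import combinations

# Mutually exclusive duties (constructed labels), one pair per conflict of
# interest the guidance says should be split between different people.
SOD_CONFLICTS = {
    frozenset({"access_control_admin", "audit_admin"}),        # example (iii)
    frozenset({"systems_programming", "quality_assurance"}),   # example (ii)
    frozenset({"configuration_management", "systems_programming"}),
    frozenset({"mission_function", "system_support"}),         # example (i)
}


def find_violations(assignments):
    """Return {user: [(duty_a, duty_b), ...]} for users holding conflicting duties.

    `assignments` maps a user id to the set of duties granted to that user.
    Detective control: run it over an existing authorization inventory.
    """
    violations = {}
    for user, duties in assignments.items():
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                violations.setdefault(user, []).append((a, b))
    return violations


def grant(assignments, user, duty):
    """Preventive control: add `duty` to `user` only if no SoD conflict results.

    Returns True when granted, False when refused; refusal leaves the
    assignment unchanged. This is the kind of check an account-management
    or access-enforcement mechanism applies at the moment of authorization.
    """
    for held in assignments.get(user, set()):
        if frozenset({held, duty}) in SOD_CONFLICTS:
            return False
    assignments.setdefault(user, set()).add(duty)
    return True


# Constructed sample data: bob already holds a conflicting pair.
SAMPLE = {
    "alice": {"access_control_admin", "network_security"},
    "bob": {"access_control_admin", "audit_admin"},
    "carol": {"audit_admin"},
}

if __name__ == "__main__":
    print(find_violations(SAMPLE))  # {'bob': [('access_control_admin', 'audit_admin')]}
    print(grant(SAMPLE, "alice", "audit_admin"))      # False: would conflict
    print(grant(SAMPLE, "carol", "network_security"))  # True
```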
Changes from Rev 4
Revises the parameter to identify and document the duties of individuals requiring separation. Adds references to multiple systems and organizations, and states that the separation of duties policy should span systems and application domains. Adds references to AC-2 and AC-3 as enforcement mechanisms.
Enhancements
(0) None.