G.3.2 Separation of duties
Control Details
Objective
Reduce the potential for abuse of authorized privileges and the chance of collusion when acquiring components, systems, and services.
Definition
Ensure that appropriate separation of duties is established for decisions involving the acquisition and administration of information systems and the acquisition of components entering the supply chain. Separation of duties can be used to deny contracted developers the privilege to promote code they wrote from the development environment to the production environment. Separation of duties can also prevent collusion, for example, by ensuring that personnel who administer access control functions do not also administer acquisition.
Assessment Questions
- How is separation of duties established for decisions that require the acquisition of information systems and supply chain components, such as components entering the enterprise's supply chain or contracted developers promoting code from development to production?
Reference sources
- NIST SP 800-161, AC-5 (Separation of Duties)