The IT Law Wiki

Segregation of duties


Definition

Segregation of duties

[are] the policies, procedures, and organizational structures that help ensure that no single individual can independently control all key aspects of a process or computer-related operation and thereby gain unauthorized access to assets or records.[1]

[Segregation of duties] reduces the risk that one individual can independently perform inappropriate actions without detection.[2]

Overview

Often, organizations achieve segregation of duties by dividing responsibilities among two or more individuals or organizational groups. This diminishes the likelihood that errors and wrongful acts will go undetected, because the activities of one individual or group serve as a check on the activities of the other. Effective segregation of duties includes segregating incompatible duties and maintaining formal operating procedures, supervision, and review. Inadequate segregation of duties increases the risk that erroneous or fraudulent transactions could be processed, improper program changes implemented, and computer resources damaged or destroyed. For systems categorized as high or moderate impact, NIST states that incompatible duties should be segregated, for example by not allowing security personnel who administer system access control functions to also administer audit functions.[3]
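The incompatible-duty check described above, written out as an added example (not from the wiki page or the GAO reports it cites): it flags any individual who holds a pair of duties defined as incompatible, and any individual who holds every step of a process and so has no second person acting as a check. The duty names, the conflict pairs and the user data are constructed; the first conflict pair mirrors the NIST example of access-control administration versus audit administration.

```python
# Added example: minimal segregation-of-duties (SoD) checks over role assignments.
# Duty names, incompatible pairs and sample users are constructed for illustration.
from itertools import combinations

# Pairs of duties that must not be held by the same individual (constructed;
# the first pair reflects the NIST example quoted in the overview).
INCOMPATIBLE_DUTIES = {
    frozenset({"access_control_admin", "audit_admin"}),
    frozenset({"change_requester", "change_approver"}),
    frozenset({"payment_initiator", "payment_approver"}),
}


def find_sod_violations(assignments):
    """Return {user: sorted list of conflicting duty pairs} for users who hold
    incompatible duties. `assignments` maps a user id to that user's set of duties."""
    violations = {}
    for user, duties in assignments.items():
        conflicts = [
            tuple(sorted(pair))
            for pair in (frozenset(p) for p in combinations(sorted(duties), 2))
            if pair in INCOMPATIBLE_DUTIES
        ]
        if conflicts:
            violations[user] = sorted(conflicts)
    return violations


def find_single_point_of_control(assignments, process_steps):
    """Return users holding every step of a process, i.e. nobody else acts as a check."""
    required = set(process_steps)
    return sorted(user for user, duties in assignments.items() if required <= set(duties))


# Constructed sample data: bob and carol each violate SoD in a different way.
SAMPLE_ASSIGNMENTS = {
    "alice": {"access_control_admin", "helpdesk"},
    "bob": {"access_control_admin", "audit_admin"},
    "carol": {"change_requester", "change_approver", "change_deployer"},
    "dave": {"audit_admin"},
}
CHANGE_PROCESS = ["change_requester", "change_approver", "change_deployer"]

if __name__ == "__main__":
    for user, pairs in find_sod_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"{user}: holds incompatible duties {pairs}")
    print("sole control over change process:",
          find_single_point_of_control(SAMPLE_ASSIGNMENTS, CHANGE_PROCESS))
```

In practice the assignments would be exported from the identity or access-management system and the check run on every access change, so that a newly granted role that completes an incompatible pair is detected before it is used.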

References

  1. Information Security: Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data, at 13.
  2. Information Security: Concerted Response Needed to Resolve Persistent Weaknesses, at 6.
  3. Id.
