Segregation of duties
“[Segregation of duties comprises] the policies, procedures, and organizational structures that help ensure that no single individual can independently control all key aspects of a process or computer-related operation and thereby gain unauthorized access to assets or records.”

“[It] reduces the risk that one individual can independently perform inappropriate actions without detection.”
Often, organizations achieve segregation of duties by dividing responsibilities among two or more individuals or organizational groups. This diminishes the likelihood that errors and wrongful acts will go undetected, because the activities of one individual or group serve as a check on the activities of the other. Effective segregation of duties includes separating incompatible duties and maintaining formal operating procedures, supervision, and review. Inadequate segregation of duties increases the risk that erroneous or fraudulent transactions are processed, improper program changes are implemented, and computer resources are damaged or destroyed. For systems categorized as high or moderate impact, NIST states that incompatible duties should be segregated, for example by not allowing security personnel who administer system access control functions to also administer audit functions.
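The NIST example above (access-control administration kept apart from audit administration) is the kind of rule that can be enforced mechanically over role assignments. The following is an added illustration, not text or code from the page or from NIST: the role names, the second incompatible pair (developer vs. change approver) and the user list are constructed, and it shows both a detective check over existing assignments and a preventive check applied before a new role is granted.

```python
"""Segregation-of-duties conflict check over role assignments.

Added example, not part of the original page. Role names and users are
constructed; the first incompatible pair models the NIST-cited rule that
whoever administers access control must not administer audit functions.
"""

# Duties that no single individual may hold at the same time.
INCOMPATIBLE_DUTIES = {
    frozenset({"access_control_admin", "audit_admin"}),   # page's NIST example
    frozenset({"change_developer", "change_approver"}),   # constructed pair
}

# Constructed sample: the set of roles each user currently holds.
ASSIGNMENTS = {
    "alice": {"access_control_admin", "helpdesk"},
    "bob": {"audit_admin"},
    "carol": {"access_control_admin", "audit_admin"},    # conflict
    "dave": {"change_developer", "change_approver"},     # conflict
}


def find_sod_violations(assignments, incompatible=INCOMPATIBLE_DUTIES):
    """Detective check: return {user: [conflicting pairs]} for every user
    whose combined roles contain an incompatible pair."""
    violations = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in incompatible if pair <= roles]
        if hits:
            violations[user] = sorted(hits)
    return violations


def can_assign(user, new_role, assignments, incompatible=INCOMPATIBLE_DUTIES):
    """Preventive check: True only if granting new_role would not give the
    user an incompatible combination of duties."""
    proposed = assignments.get(user, set()) | {new_role}
    return not any(pair <= proposed for pair in incompatible)


if __name__ == "__main__":
    for user, pairs in find_sod_violations(ASSIGNMENTS).items():
        print(f"{user}: holds incompatible duties {pairs}")
    print("bob -> access_control_admin allowed?",
          can_assign("bob", "access_control_admin", ASSIGNMENTS))
```

Run periodically against an export of the identity store, the detective check surfaces accumulated conflicts; wired into the provisioning workflow, the preventive check stops them from being created.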