AC-05-727 Separation of Duties

Family: Access Control
Function: Protect
Category: Account Management
Baseline: MOD, HIGH
Priority: P1
Yes
August 17, 2016

All source code developed within the Agency shall be committed to an Agency-approved code repository service, and be reviewed and approved by an authorized individual designated by the information resource owner prior to release into a production environment. A developer may not release their own code for mission-critical information resources or those resources with a high risk of fraud. Financial systems developed by the Agency shall ensure that a person who enters a financial transaction is not the same person who authorized payment to be made from that transaction.

Without segregation of duties, a single user can make unauthorized or unintentional modifications to, or misuse, the organization's information assets, and no second person is positioned to notice.

The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.

a. Programmers are not the same individuals as the approvers when a change is made to an application system.
b. Programming controls ensure that the person who enters a financial transaction is not the same person who authorizes a payment to be made from that transaction.
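The two controls above (a developer may not release their own code; the person who enters a financial transaction may not authorize its payment) share one enforcement pattern: the system records who performed the first step and refuses the second step from that same identity, regardless of what roles that identity holds. The following is an added illustration, not the Agency's code or any cited system; the role names, user IDs and transaction fields are assumptions made for the example. It also includes an access-review check for the access-authorization half of the control (item c. of the NIST text): it reports any user whose provisioned roles already combine both halves of a separated duty.

```python
"""Separation-of-duties enforcement for a two-step workflow (added example).

Roles, user names and the Transaction shape are assumptions for illustration;
this is not the Agency's code. The same pattern applies to a code-release
workflow by treating 'enter' as authoring a change and 'approve' as releasing it.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    ENTRY = "entry"        # may enter a financial transaction (or author a change)
    APPROVER = "approver"  # may authorize payment (or approve a release)


# Role combinations that one individual must not hold at the same time.
CONFLICTING_ROLES = {frozenset({Role.ENTRY, Role.APPROVER})}


class SoDViolation(PermissionError):
    """Raised when one person would perform both halves of a separated duty."""


@dataclass
class Transaction:
    tx_id: str
    amount: int
    entered_by: str
    approved_by: Optional[str] = None
    audit: list = field(default_factory=list)  # append-only record for review


class Ledger:
    """Two-person workflow: one user enters a transaction, a different user authorizes it."""

    def __init__(self, roles: dict):
        self._roles = roles          # user -> set[Role] (assumed access authorizations)
        self._txs: dict = {}

    def _require(self, user: str, role: Role) -> None:
        if role not in self._roles.get(user, set()):
            raise PermissionError(f"{user} lacks role {role.value}")

    def enter(self, user: str, tx_id: str, amount: int) -> Transaction:
        self._require(user, Role.ENTRY)
        if tx_id in self._txs:
            raise ValueError(f"{tx_id} already exists")
        tx = Transaction(tx_id, amount, entered_by=user)
        tx.audit.append(f"entered by {user}")
        self._txs[tx_id] = tx
        return tx

    def approve(self, user: str, tx_id: str) -> Transaction:
        self._require(user, Role.APPROVER)
        tx = self._txs[tx_id]
        if tx.approved_by is not None:
            raise ValueError(f"{tx_id} already approved by {tx.approved_by}")
        # The check is per transaction, not per role: a user who was (wrongly)
        # granted both roles still cannot approve what they entered themselves.
        if user == tx.entered_by:
            tx.audit.append(f"approval by {user} refused: same person entered it")
            raise SoDViolation(f"{user} entered {tx_id} and may not approve it")
        tx.approved_by = user
        tx.audit.append(f"approved by {user}")
        return tx


def conflicting_assignments(roles: dict) -> dict:
    """Access-review check: users whose authorizations combine conflicting roles."""
    return {user: held for user, held in roles.items()
            if any(pair <= held for pair in CONFLICTING_ROLES)}


def demo() -> dict:
    """Run the workflow on constructed users; returns the outcomes for checking."""
    roles = {
        "alice": {Role.ENTRY},
        "bob": {Role.APPROVER},
        "carol": {Role.ENTRY, Role.APPROVER},  # provisioning error to be caught
    }
    ledger = Ledger(roles)
    ledger.enter("alice", "T-1", 5000)
    t1 = ledger.approve("bob", "T-1")          # different person: allowed
    ledger.enter("carol", "T-2", 700)
    try:
        ledger.approve("carol", "T-2")         # same person: must be refused
        self_approved = True
    except SoDViolation:
        self_approved = False
    return {
        "t1_approved_by": t1.approved_by,
        "self_approval_blocked": not self_approved,
        "review_flags": sorted(conflicting_assignments(roles)),
    }


if __name__ == "__main__":
    print(demo())
```

The per-transaction comparison is what makes the control hold even when role provisioning is wrong; the access review catches the provisioning defect itself so it can be corrected before it is exploited rather than only refused at approval time.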
State organizations shall ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.
Obtain the access control policy; procedures addressing divisions of responsibility and separation of duties; information system configuration settings and associated documentation; the list of divisions of responsibility and separation of duties; information system audit records; and other relevant documents or records, and ascertain whether (i) the organization establishes appropriate divisions of responsibility and separates duties as needed to eliminate conflicts of interest in the responsibilities and duties of individuals; and (ii) the information system enforces separation of duties through assigned access authorizations.