We’re going to review the Separation of Duties control (AC-05) in the NIST Access Control (AC) control family.
A major reason for this control is to ensure that no single person is solely responsible for any action that could be used to gain unauthorized access or otherwise harm the organization. Splitting such duties reduces the chance that an internal malicious actor can grant unchecked access to sensitive information.
- An organization should formally assign individual duties for granting access to, supporting, configuring, and auditing systems. For example:
  - The person who has administration duties should not be the same person responsible for system auditing.
  - The person who is responsible for approving wire transfers is not the same person who executes wire transfers.
- Permissions to a system should not be defined by the same person or group that grants access.
  - If IT is responsible for granting access to systems, HR or the Department Manager should be responsible for outlining what level of access is appropriate.
  - This should be done through an Access Form or ticketing system so that there is a record showing the separation of duties process was followed.
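The rules above can be checked mechanically against role assignments and access tickets. The following is an added example, not code from the original page or from NIST: it encodes the page's three examples (administrator vs. auditor, wire-transfer approver vs. executor, and access granter vs. the person defining the access level) as conflicting role pairs, and checks that the requester, approver and granter recorded on each access ticket are distinct people. All user names, role names and ticket records are constructed sample data.

```python
"""Separation-of-duties (SoD) conflict check over role assignments and access tickets.

Added example, not part of the original page. Role names, users and tickets are
constructed; the conflict rules mirror the examples given for AC-05.
"""
from collections import defaultdict

# Role pairs one person must not hold at the same time (constructed, from the page's examples).
CONFLICTING_ROLE_PAIRS = [
    ("sysadmin", "auditor"),               # administration vs. system auditing
    ("wire_approver", "wire_executor"),    # approving vs. executing wire transfers
    ("access_granter", "access_definer"),  # IT grants access; HR/manager defines the level
]

TICKET_STEPS = ("requester", "approver", "granter")


def find_role_conflicts(assignments):
    """assignments: list of (user, role) pairs, e.g. exported from an IAM system.
    Returns a list of (user, role_a, role_b) for every user holding a conflicting pair."""
    roles_by_user = defaultdict(set)
    for user, role in assignments:
        roles_by_user[user].add(role)
    conflicts = []
    for user, roles in sorted(roles_by_user.items()):
        for role_a, role_b in CONFLICTING_ROLE_PAIRS:
            if role_a in roles and role_b in roles:
                conflicts.append((user, role_a, role_b))
    return conflicts


def find_ticket_conflicts(tickets):
    """tickets: list of dicts with keys id, requester, approver, granter.
    Flags tickets where a step was not recorded (no evidence the step happened)
    and tickets where one person performed more than one of the three steps."""
    problems = []
    for ticket in tickets:
        filled = [step for step in TICKET_STEPS if ticket.get(step)]
        for step in TICKET_STEPS:
            if step not in filled:
                problems.append((ticket["id"], f"missing {step}"))
        people = {ticket[step] for step in filled}
        if len(people) < len(filled):
            problems.append((ticket["id"], "same person in more than one step"))
    return problems


def is_sod_compliant(assignments, tickets):
    """True only when neither check reports a finding."""
    return not find_role_conflicts(assignments) and not find_ticket_conflicts(tickets)


# Constructed sample data: alice and dave violate role separation.
SAMPLE_ASSIGNMENTS = [
    ("alice", "sysadmin"), ("alice", "auditor"),
    ("bob", "wire_approver"), ("carol", "wire_executor"),
    ("dave", "access_granter"), ("dave", "access_definer"),
]

# Constructed sample tickets: T-1 is clean, T-2 self-approved, T-3 never approved.
SAMPLE_TICKETS = [
    {"id": "T-1", "requester": "erin", "approver": "frank", "granter": "dave"},
    {"id": "T-2", "requester": "gina", "approver": "gina", "granter": "dave"},
    {"id": "T-3", "requester": "hank", "approver": "", "granter": "dave"},
]

if __name__ == "__main__":
    for finding in find_role_conflicts(SAMPLE_ASSIGNMENTS):
        print("role conflict:", finding)
    for finding in find_ticket_conflicts(SAMPLE_TICKETS):
        print("ticket problem:", finding)
    print("compliant:", is_sod_compliant(SAMPLE_ASSIGNMENTS, SAMPLE_TICKETS))
```

In practice the assignment list would come from an IAM or directory export and the tickets from the access-request system; running this periodically gives the auditor (a role distinct from the administrator, per the control) a repeatable check rather than a manual review.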
HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(4)(ii)(B), 164.310(a)(1), 164.310(b), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e)