APPL-05

Does your application provide separation of duties between security administration, system administration, and standard user functions?

Explanation

This question is asking whether your application implements 'separation of duties' (SoD), a fundamental security principle that divides critical functions among different individuals to prevent fraud, errors, and security breaches. Specifically, it's asking if your application separates three key roles:

1. Security administration: Users who manage security policies, access controls, and security configurations
2. System administration: Users who maintain the technical infrastructure, perform updates, and manage system configurations
3. Standard users: Regular users who use the application for its intended business purpose

The question is being asked because combining these roles creates significant security risks. For example, if a single person can both create user accounts (security admin) and access sensitive data (standard user), they could create unauthorized accounts and access data without detection. Similarly, if system administrators also handle security administration, they could potentially bypass security controls they themselves configured.

Separation of duties is a critical control that helps prevent unauthorized activities, reduces the risk of errors, and limits the damage that can be done by a single compromised account. It's also a requirement in many compliance frameworks like SOC 2, ISO 27001, and PCI DSS.

To best answer this question, you should:

1. Clearly explain how your application separates these three roles
2. Describe the specific permissions and capabilities of each role
3. Explain any technical controls that enforce this separation
4. Mention any approval workflows that might exist for sensitive actions

Example Responses

Example Response 1

Yes, our application enforces strict separation of duties between security administration, system administration, and standard user functions. Security administrators can manage user access controls, authentication policies, and security configurations but cannot modify system infrastructure or access business data. System administrators can maintain servers, perform updates, and configure technical settings but cannot modify security policies or access sensitive business data. Standard users can only access application features and data according to their assigned roles and permissions. These separations are enforced through our role-based access control (RBAC) system, and any attempt to perform actions outside one's assigned role is logged and denied. Additionally, any changes to role definitions or security policies require approval through our change management process, which includes review by both security and compliance teams.

Example Response 2

Yes, our cloud-based SaaS application implements separation of duties through a hierarchical permission model. We have dedicated Security Administrator roles that manage identity providers, MFA settings, and access policies; System Administrator roles that handle infrastructure configurations, performance monitoring, and technical maintenance; and various end-user roles with different levels of application access based on business need. Our platform enforces these separations technically through our permission system, and all administrative actions are logged in our immutable audit trail. For enterprise customers, we also support custom role creation with granular permission settings to further refine the separation of duties according to their specific security policies. Administrative actions that could impact security posture require multi-person approval workflows to prevent abuse of privileges.

Example Response 3

No, our current application does not fully separate security administration, system administration, and standard user functions. As a small startup with limited resources, we currently have a combined administrator role that handles both security and system administration functions. This role can manage user accounts, configure security settings, and perform system maintenance tasks. We recognize this as a security limitation and have implemented compensating controls including comprehensive audit logging of all administrative actions, regular security reviews, and a four-eyes principle for critical changes requiring approval from a second administrator. We have included proper separation of duties in our product roadmap and plan to implement it within the next six months as we scale our team and customer base.
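As an added illustration of the technical controls the explanation and the example responses describe (not code from this page or from any particular product), here is a minimal RBAC model in Python: the three roles with disjoint permission sets, a rule that no single identity may hold two of them at once, out-of-role actions that are denied and written to an audit log, and security-policy changes that need a second, distinct security administrator as approver (the four-eyes principle). All role, permission and user names are constructed for the example.

```python
"""Separation of duties enforced in a small RBAC layer (constructed example)."""
from dataclasses import dataclass, field

# Each role gets its own permission set; none overlap (constructed names).
ROLE_PERMISSIONS = {
    "security_admin": {"manage_users", "edit_security_policy", "view_audit_log"},
    "system_admin": {"patch_servers", "edit_system_config", "view_metrics"},
    "standard_user": {"read_business_data", "write_business_data"},
}
# Role pairs that one identity must never hold at the same time.
CONFLICTING_ROLES = {
    frozenset({"security_admin", "system_admin"}),
    frozenset({"security_admin", "standard_user"}),
    frozenset({"system_admin", "standard_user"}),
}
# Sensitive security actions that also need a second approver.
NEEDS_SECOND_APPROVER = {"edit_security_policy", "manage_users"}


@dataclass
class AccessControl:
    assignments: dict              # user -> set of role names
    audit_log: list = field(default_factory=list)

    def assign_role(self, user, role):
        """Grant a role unless it conflicts with one the user already holds."""
        for held in self.assignments.get(user, set()):
            if frozenset({held, role}) in CONFLICTING_ROLES:
                self.audit_log.append(("sod_violation", user, role))
                return False
        self.assignments.setdefault(user, set()).add(role)
        return True

    def authorize(self, user, action, approver=None):
        """Deny and log out-of-role actions; require four-eyes for policy changes."""
        roles = self.assignments.get(user, set())
        allowed = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in roles))
        if action not in allowed:
            self.audit_log.append(("denied", user, action))
            return False
        if action in NEEDS_SECOND_APPROVER:
            approver_roles = self.assignments.get(approver, set())
            # The approver must be a different person who is also a security admin.
            if approver is None or approver == user or "security_admin" not in approver_roles:
                self.audit_log.append(("approval_required", user, action))
                return False
        self.audit_log.append(("allowed", user, action, approver))
        return True
```

A system administrator asking to edit the security policy is refused and logged, and a security administrator approving their own policy change is refused too; the change goes through only with a second security administrator named as approver.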

Context

Tab: Infrastructure
Category: Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub