Does your organization regularly review and validate that privileges for critical business functions maintain proper separation of duties?
Explanation
Separation of duties ensures that no single individual has control over an entire critical process, reducing the risk of fraud, errors, and unauthorized activities. Regular reviews help identify when roles have accumulated excessive privileges over time or when organizational changes have created conflicts in duty separation.
Evidence could include documentation of periodic privilege reviews such as audit logs showing review dates, screenshots of privilege matrices for critical systems, meeting minutes from access review sessions, or formal reports identifying and remediating separation of duties conflicts.
Implementation Example
Periodically review the privileges associated with critical business functions to confirm proper separation of duties
ID: PR.AA-05.210
Context
- Function
- PR: PROTECT
- Category
- PR.AA: Identity Management, Authentication, and Access Control
- Sub-Category
- Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties
Related questions
- Does your organization have a formal process to request, track, review, and fulfill access requests that includes appropriate approval from system or data owners?
- Does your organization have a formal process for managing the lifecycle of cryptographic certificates, keys, identity tokens, and other credentials?
- Does your organization use unique device identifiers based on immutable hardware characteristics or secure provisioning methods?
- Does your organization physically label all authorized hardware assets with unique identifiers for inventory tracking and servicing purposes?
- Does your organization verify individuals' identities during enrollment using government-issued credentials?
- Does your organization issue unique credentials to each individual user and prohibit credential sharing?

