PR.AA-05.210

Does your organization regularly review and validate that privileges for critical business functions maintain proper separation of duties?

Explanation

Separation of duties ensures that no single individual has control over an entire critical process, reducing the risk of fraud, errors, and unauthorized activities. Regular reviews help identify when roles have accumulated excessive privileges over time or when organizational changes have created conflicts in duty separation. Evidence could include documentation of periodic privilege reviews such as audit logs showing review dates, screenshots of privilege matrices for critical systems, meeting minutes from access review sessions, or formal reports identifying and remediating separation of duties conflicts.

Implementation Example

Periodically review the privileges associated with critical business functions to confirm proper separation of duties

ID: PR.AA-05.210

Context

Function: PR: PROTECT
Category: PR.AA: Identity Management, Authentication, and Access Control
Sub-Category: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron

Founder, ResponseHub