last sync: 2024-Oct-11 17:51:27 UTC

Separate duties of individuals | Regulatory Compliance - Operational

Azure BuiltIn Policy definition

Source Azure Portal
Display name Separate duties of individuals
Id 60ee1260-97f0-61bb-8155-5d8b75743655
Version 1.1.0
Details on versioning
Versioning Versions supported for Versioning: 1
1.1.0
Built-in Versioning [Preview]
Category Regulatory Compliance
Microsoft Learn
Description CMA_0492 - Separate duties of individuals
Additional metadata Name/Id: CMA_0492 / CMA_0492
Category: Operational
Title: Separate duties of individuals
Ownership: Customer
Description: Microsoft recommends that your organization separate duties of your organizational users as necessary and comply with your organizational policies to prevent malevolent activity without collusion. Microsoft recommends that your Access Control policies and standard operating procedures include details about the separation of duties, how user roles are defined, and how system privileges are assigned. Depending on the size of your organization, you may want to designate several admins who serve different functions. Your organization can enabled automated enforcement of these policies and should regularly review access rights to identify and remediate separation of duties conflicts.
Requirements: The customer is responsible for implementing this recommendation.
Mode All
Type BuiltIn
Preview False
Deprecated False
Effect Default
Manual
Allowed
Manual, Disabled
RBAC role(s) none
Rule aliases none
Rule resource types IF (1)
Microsoft.Resources/subscriptions
Compliance
The following 24 compliance controls are associated with this Policy definition 'Separate duties of individuals' (60ee1260-97f0-61bb-8155-5d8b75743655)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-5 FedRAMP_High_R4_AC-5 FedRAMP High AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
FedRAMP_Moderate_R4 AC-5 FedRAMP_Moderate_R4_AC-5 FedRAMP Moderate AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
hipaa 0859.09m1Organizational.78-09.m hipaa-0859.09m1Organizational.78-09.m 0859.09m1Organizational.78-09.m 08 Network Protection 0859.09m1Organizational.78-09.m 09.06 Network Security Management Shared n/a The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. 13
hipaa 11219.01b1Organizational.10-01.b hipaa-11219.01b1Organizational.10-01.b 11219.01b1Organizational.10-01.b 11 Access Control 11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems Shared n/a The organization maintains a current listing of all workforce members (individuals, contractors, vendors, business partners, etc.) with access to sensitive information (e.g., PII). 5
hipaa 1229.09c1Organizational.1-09.c hipaa-1229.09c1Organizational.1-09.c 1229.09c1Organizational.1-09.c 12 Audit Logging & Monitoring 1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures Shared n/a Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems. 4
hipaa 1230.09c2Organizational.1-09.c hipaa-1230.09c2Organizational.1-09.c 1230.09c2Organizational.1-09.c 12 Audit Logging & Monitoring 1230.09c2Organizational.1-09.c 09.01 Documented Operating Procedures Shared n/a No single person is able to access, modify, or use information systems without authorization or detection. 13
hipaa 1231.09c2Organizational.23-09.c hipaa-1231.09c2Organizational.23-09.c 1231.09c2Organizational.23-09.c 12 Audit Logging & Monitoring 1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures Shared n/a Job descriptions define duties and responsibilities that support the separation of duties across multiple users. 3
hipaa 1232.09c3Organizational.12-09.c hipaa-1232.09c3Organizational.12-09.c 1232.09c3Organizational.12-09.c 12 Audit Logging & Monitoring 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures Shared n/a Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. 21
hipaa 1233.09c3Organizational.3-09.c hipaa-1233.09c3Organizational.3-09.c 1233.09c3Organizational.3-09.c 12 Audit Logging & Monitoring 1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures Shared n/a Development, testing, quality assurance and production functions are separated among multiple individuals/groups. 3
hipaa 1271.09ad1System.1-09.ad hipaa-1271.09ad1System.1-09.ad 1271.09ad1System.1-09.ad 12 Audit Logging & Monitoring 1271.09ad1System.1-09.ad 09.10 Monitoring Shared n/a An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. 8
hipaa 1271.09ad2System.1 hipaa-1271.09ad2System.1 1271.09ad2System.1 12 Audit Logging & Monitoring 1271.09ad2System.1 09.10 Monitoring Shared n/a An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. 7
hipaa 1276.09c2Organizational.2-09.c hipaa-1276.09c2Organizational.2-09.c 1276.09c2Organizational.2-09.c 12 Audit Logging & Monitoring 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures Shared n/a Security audit activities are independent. 18
hipaa 1277.09c2Organizational.4-09.c hipaa-1277.09c2Organizational.4-09.c 1277.09c2Organizational.4-09.c 12 Audit Logging & Monitoring 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures Shared n/a The initiation of an event is separated from its authorization to reduce the possibility of collusion. 4
hipaa 1278.09c2Organizational.56-09.c hipaa-1278.09c2Organizational.56-09.c 1278.09c2Organizational.56-09.c 12 Audit Logging & Monitoring 1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures Shared n/a The organization identifies duties that require separation and defines information system access authorizations to support separation of duties; and incompatible duties are segregated across multiple users to minimize the opportunity for misuse or fraud. 3
hipaa 1279.09c3Organizational.4-09.c hipaa-1279.09c3Organizational.4-09.c 1279.09c3Organizational.4-09.c 12 Audit Logging & Monitoring 1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures Shared n/a The organization ensures that mission critical functions and information system support functions are divided among separate individuals. 3
hipaa 1451.05iCSPOrganizational.2-05.i hipaa-1451.05iCSPOrganizational.2-05.i 1451.05iCSPOrganizational.2-05.i 14 Third Party Assurance 1451.05iCSPOrganizational.2-05.i 05.02 External Parties Shared n/a Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. 21
hipaa 1808.08b2Organizational.7-08.b hipaa-1808.08b2Organizational.7-08.b 1808.08b2Organizational.7-08.b 18 Physical & Environmental Security 1808.08b2Organizational.7-08.b 08.01 Secure Areas Shared n/a Physical access rights are reviewed every 90 days and updated accordingly. 7
ISO27001-2013 A.6.1.2 ISO27001-2013_A.6.1.2 ISO 27001:2013 A.6.1.2 Organization of Information Security Segregation of Duties Shared n/a Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. link 5
NIST_SP_800-171_R2_3 .1.4 NIST_SP_800-171_R2_3.1.4 NIST SP 800-171 R2 3.1.4 Access Control Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Shared Microsoft and the customer share responsibilities for implementing this requirement. Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. link 6
NIST_SP_800-53_R4 AC-5 NIST_SP_800-53_R4_AC-5 NIST SP 800-53 Rev. 4 AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
NIST_SP_800-53_R5 AC-5 NIST_SP_800-53_R5_AC-5 NIST SP 800-53 Rev. 5 AC-5 Access Control Separation of Duties Shared n/a a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. link 4
op.acc.3 Segregation of functions and tasks op.acc.3 Segregation of functions and tasks 404 not found n/a n/a 43
PCI_DSS_v4.0 6.2.3.1 PCI_DSS_v4.0_6.2.3.1 PCI DSS v4.0 6.2.3.1 Requirement 06: Develop and Maintain Secure Systems and Software Bespoke and custom software are developed securely Shared n/a If manual code reviews are performed for bespoke and custom software prior to release to production, code changes are: • Reviewed by individuals other than the originating code author, and who are knowledgeable about code-review techniques and secure coding practices. • Reviewed and approved by management prior to release. link 1
SWIFT_CSCF_v2022 5.1 SWIFT_CSCF_v2022_5.1 SWIFT CSCF v2022 5.1 5. Manage Identities and Segregate Privileges Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. Shared n/a Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. link 35
Initiatives usage
Initiative DisplayName Initiative Id Initiative Category State Type
FedRAMP High d5264498-16f4-418a-b659-fa7ef418175f Regulatory Compliance GA BuiltIn
FedRAMP Moderate e95f5a9f-57ad-4d03-bb0b-b1d16db93693 Regulatory Compliance GA BuiltIn
HITRUST/HIPAA a169a624-5599-4385-a696-c8d643089fab Regulatory Compliance GA BuiltIn
ISO 27001:2013 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 Regulatory Compliance GA BuiltIn
NIST SP 800-171 Rev. 2 03055927-78bd-4236-86c0-f36125a10dc9 Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 4 cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f Regulatory Compliance GA BuiltIn
NIST SP 800-53 Rev. 5 179d1daa-458f-4e47-8086-2a68d0d6c38f Regulatory Compliance GA BuiltIn
PCI DSS v4 c676748e-3af9-4e22-bc28-50feed564afb Regulatory Compliance GA BuiltIn
Spain ENS 175daf90-21e1-4fec-b745-7b4c909aa94c Regulatory Compliance GA BuiltIn
SWIFT CSP-CSCF v2022 7bc7cd6c-4114-ff31-3cac-59be3157596d Regulatory Compliance GA BuiltIn
History
Date/Time (UTC ymd) (i) Change type Change detail
2022-09-27 16:35:32 change Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 add 60ee1260-97f0-61bb-8155-5d8b75743655
JSON compare
compare mode: version left: version right:
JSON
api-version=2021-06-01
EPAC