last sync: 2024-Mar-01 17:50:27 UTC

Document separation of duties | Regulatory Compliance - Documentation

Azure BuiltIn Policy definition

Source: Azure Portal
Display name: Document separation of duties
Id: e6f7b584-877a-0d69-77d4-ab8b923a9650
Version: 1.1.0
Category: Regulatory Compliance
Description: CMA_0204 - Document separation of duties
Additional metadata:
  Name/Id: CMA_0204 / CMA_0204
  Category: Documentation
  Title: Document separation of duties
  Ownership: Customer
  Description: Microsoft recommends that your organization document the separation of duties of individuals. Your organization may prohibit users from being the administrator of their own workstation, unless required for software installation and/or removal. It is recommended that the documentation from the software provider explicitly states that administrator rights are required. Your organization should consider creating and maintaining Access Control policies and standard operating procedures that document the separation of duties, defined user roles, and assignment of privileges within your organization.
  Requirements: The customer is responsible for implementing this recommendation.
Mode: All
Type: BuiltIn
Preview: False
Deprecated: False
Effect: Default: Manual; Allowed: Manual, Disabled
RBAC role(s): none
Rule aliases: none
Rule resource types: IF (1) Microsoft.Resources/subscriptions
Compliance
The following 20 compliance controls are associated with this Policy definition 'Document separation of duties' (e6f7b584-877a-0d69-77d4-ab8b923a9650)
Control Domain Control Name MetadataId Category Title Owner Requirements Description Info Policy#
FedRAMP_High_R4 AC-5 FedRAMP_High_R4_AC-5 FedRAMP High AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
FedRAMP_Moderate_R4 AC-5 FedRAMP_Moderate_R4_AC-5 FedRAMP Moderate AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
hipaa 0859.09m1Organizational.78-09.m hipaa-0859.09m1Organizational.78-09.m 0859.09m1Organizational.78-09.m 08 Network Protection 0859.09m1Organizational.78-09.m 09.06 Network Security Management Shared n/a The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. 14
hipaa 11219.01b1Organizational.10-01.b hipaa-11219.01b1Organizational.10-01.b 11219.01b1Organizational.10-01.b 11 Access Control 11219.01b1Organizational.10-01.b 01.02 Authorized Access to Information Systems Shared n/a The organization maintains a current listing of all workforce members (individuals, contractors, vendors, business partners, etc.) with access to sensitive information (e.g., PII). 5
hipaa 1229.09c1Organizational.1-09.c hipaa-1229.09c1Organizational.1-09.c 1229.09c1Organizational.1-09.c 12 Audit Logging & Monitoring 1229.09c1Organizational.1-09.c 09.01 Documented Operating Procedures Shared n/a Separation of duties is used to limit the risk of unauthorized or unintentional modification of information and systems. 4
hipaa 1231.09c2Organizational.23-09.c hipaa-1231.09c2Organizational.23-09.c 1231.09c2Organizational.23-09.c 12 Audit Logging & Monitoring 1231.09c2Organizational.23-09.c 09.01 Documented Operating Procedures Shared n/a Job descriptions define duties and responsibilities that support the separation of duties across multiple users. 3
hipaa 1232.09c3Organizational.12-09.c hipaa-1232.09c3Organizational.12-09.c 1232.09c3Organizational.12-09.c 12 Audit Logging & Monitoring 1232.09c3Organizational.12-09.c 09.01 Documented Operating Procedures Shared n/a Access for individuals responsible for administering access controls is limited to the minimum necessary based upon each user's role and responsibilities and these individuals cannot access audit functions related to these controls. 21
hipaa 1233.09c3Organizational.3-09.c hipaa-1233.09c3Organizational.3-09.c 1233.09c3Organizational.3-09.c 12 Audit Logging & Monitoring 1233.09c3Organizational.3-09.c 09.01 Documented Operating Procedures Shared n/a Development, testing, quality assurance and production functions are separated among multiple individuals/groups. 3
hipaa 1271.09ad1System.1-09.ad hipaa-1271.09ad1System.1-09.ad 1271.09ad1System.1-09.ad 12 Audit Logging & Monitoring 1271.09ad1System.1-09.ad 09.10 Monitoring Shared n/a An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. 8
hipaa 1271.09ad2System.1 hipaa-1271.09ad2System.1 1271.09ad2System.1 12 Audit Logging & Monitoring 1271.09ad2System.1 09.10 Monitoring Shared n/a An intrusion detection system managed outside of the control of system and network administrators is used to monitor system and network administration activities for compliance. 7
hipaa 1276.09c2Organizational.2-09.c hipaa-1276.09c2Organizational.2-09.c 1276.09c2Organizational.2-09.c 12 Audit Logging & Monitoring 1276.09c2Organizational.2-09.c 09.01 Documented Operating Procedures Shared n/a Security audit activities are independent. 18
hipaa 1277.09c2Organizational.4-09.c hipaa-1277.09c2Organizational.4-09.c 1277.09c2Organizational.4-09.c 12 Audit Logging & Monitoring 1277.09c2Organizational.4-09.c 09.01 Documented Operating Procedures Shared n/a The initiation of an event is separated from its authorization to reduce the possibility of collusion. 4
hipaa 1278.09c2Organizational.56-09.c hipaa-1278.09c2Organizational.56-09.c 1278.09c2Organizational.56-09.c 12 Audit Logging & Monitoring 1278.09c2Organizational.56-09.c 09.01 Documented Operating Procedures Shared n/a The organization identifies duties that require separation and defines information system access authorizations to support separation of duties; and incompatible duties are segregated across multiple users to minimize the opportunity for misuse or fraud. 3
hipaa 1279.09c3Organizational.4-09.c hipaa-1279.09c3Organizational.4-09.c 1279.09c3Organizational.4-09.c 12 Audit Logging & Monitoring 1279.09c3Organizational.4-09.c 09.01 Documented Operating Procedures Shared n/a The organization ensures that mission critical functions and information system support functions are divided among separate individuals. 3
hipaa 1451.05iCSPOrganizational.2-05.i hipaa-1451.05iCSPOrganizational.2-05.i 1451.05iCSPOrganizational.2-05.i 14 Third Party Assurance 1451.05iCSPOrganizational.2-05.i 05.02 External Parties Shared n/a Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. 21
ISO27001-2013 A.6.1.2 ISO27001-2013_A.6.1.2 ISO 27001:2013 A.6.1.2 Organization of Information Security Segregation of Duties Shared n/a Conflicting duties and areas of responsibility shall be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets. link 5
NIST_SP_800-171_R2 3.1.4 NIST_SP_800-171_R2_3.1.4 NIST SP 800-171 R2 3.1.4 Access Control Separate the duties of individuals to reduce the risk of malevolent activity without collusion. Shared Microsoft and the customer share responsibilities for implementing this requirement. Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties. link 6
NIST_SP_800-53_R4 AC-5 NIST_SP_800-53_R4_AC-5 NIST SP 800-53 Rev. 4 AC-5 Access Control Separation Of Duties Shared n/a The organization: a. Separates [Assignment: organization-defined duties of individuals]; b. Documents separation of duties of individuals; and c. Defines information system access authorizations to support separation of duties. Supplemental Guidance: Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2. Control Enhancements: None. References: None. link 4
NIST_SP_800-53_R5 AC-5 NIST_SP_800-53_R5_AC-5 NIST SP 800-53 Rev. 5 AC-5 Access Control Separation of Duties Shared n/a a. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and b. Define system access authorizations to support separation of duties. link 4
SWIFT_CSCF_v2022 5.1 SWIFT_CSCF_v2022_5.1 SWIFT CSCF v2022 5.1 5. Manage Identities and Segregate Privileges Enforce the security principles of need-to-know access, least privilege, and separation of duties for operator accounts. Shared n/a Accounts are defined according to the security principles of need-to-know access, least privilege, and separation of duties. link 35
Initiatives usage
Initiative DisplayName | Initiative Id | Initiative Category | State | Type
FedRAMP High | d5264498-16f4-418a-b659-fa7ef418175f | Regulatory Compliance | GA | BuiltIn
FedRAMP Moderate | e95f5a9f-57ad-4d03-bb0b-b1d16db93693 | Regulatory Compliance | GA | BuiltIn
HITRUST/HIPAA | a169a624-5599-4385-a696-c8d643089fab | Regulatory Compliance | GA | BuiltIn
ISO 27001:2013 | 89c6cddc-1c73-4ac1-b19c-54d1a15a42f2 | Regulatory Compliance | GA | BuiltIn
NIST SP 800-171 Rev. 2 | 03055927-78bd-4236-86c0-f36125a10dc9 | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 4 | cf25b9c1-bd23-4eb6-bd2c-f4f3ac644a5f | Regulatory Compliance | GA | BuiltIn
NIST SP 800-53 Rev. 5 | 179d1daa-458f-4e47-8086-2a68d0d6c38f | Regulatory Compliance | GA | BuiltIn
SWIFT CSP-CSCF v2022 | 7bc7cd6c-4114-ff31-3cac-59be3157596d | Regulatory Compliance | GA | BuiltIn
History
Date/Time (UTC ymd) | Change type | Change detail
2022-09-27 16:35:32 | change | Minor (1.0.0 > 1.1.0)
2022-09-13 16:35:29 | add | e6f7b584-877a-0d69-77d4-ab8b923a9650