AC-5: Separation of Duties

NIST Baseline:  Moderate 

DIR Required By:  07/20/2023 

Review Date:  04/17/2024 

The principle of separation of duties reduces risk by preventing errors and/or abuse. Separation of duties is required for High Impact Information Resources.  

  • Information resource owners or their designees are responsible for ensuring that controls are implemented to support the principle of separation of duties for information resources under their control.  
  • Information resource owners or their designees must maintain a list of individuals who have administrative or special access accounts for resources they control. The list must be reviewed by the information resource owner or their designee on a regular basis.  
  • Requirements for High Impact Information Resources:  
    • Separation of development, test, and production environments shall be implemented when possible.  
    • Where feasible, development and test systems should have appropriate forms of isolation from production systems. For example, development, test, and production systems may each use separate virtual servers that are isolated from each other.  
    • Source code must be reviewed and approved by an authorized individual or group designated by the information resource owner before release into a production environment.  
    • There must be appropriate separation between members of the development team and those who are allowed to deploy code to the production environment.    
  • Financial systems developed by Tarleton must ensure that the person who enters a financial transaction is not the same person who authorized payment to be made from that transaction.  
  • Source code developed within Tarleton for High and Moderate Impact Information Resources must be committed to a code repository approved by the information resource owner or their designee.  
  • Individuals who use administrative or special access accounts must use the account most appropriate for the work being performed (i.e., user account vs. administrator account). See Control AC-6, Least Privilege, for additional information.  
  • The password for a shared administrator or special access account must be changed if:   
    • An individual knowing the password leaves employment; and 
    • Job duties change and the individual no longer performs functions requiring such access. 
  • Development and testing tools must be removed or disabled on production systems when they are not required. 

References/Additional Resources

None.  See any applicable internal procedures.