Doc:NIST SP 800-53r3 Appendix F/AC-5
AC-5 SEPARATION OF DUTIES
- Control: The organization:
  - a. Separates duties of individuals as necessary, to prevent malevolent activity without collusion;
  - b. Documents separation of duties; and
  - c. Implements separation of duties through assigned information system access authorizations.
- Supplemental Guidance: Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles. Access authorizations defined in this control are implemented by control AC-3. Related controls: AC-3.
- Control Enhancements: None.