National Vulnerability Database

NIST Special Publication 800-53 (Rev. 4)

Security Controls and Assessment Procedures for Federal Information Systems and Organizations

AC-5 SEPARATION OF DUTIES

Family: AC - ACCESS CONTROL
Class:
Priority: P1 - Implement P1 security controls first.
Baseline Allocation: Low: N/A; Moderate: AC-5; High: AC-5

Control Description

The organization:

a. Separates [Assignment: organization-defined duties of individuals];

b. Documents separation of duties of individuals; and

c. Defines information system access authorizations to support separation of duties.

Supplemental Guidance

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

Related to: AC-3, AC-6, PE-3, PE-4, PS-2
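
One way to test documented access authorizations (item c) against a set of separated duties, shown as an added example that is not part of SP 800-53 or this page. The duty labels, the pairwise reading of examples (ii) and (iii) as conflict rules, and all role and user data are constructed assumptions.

```python
from itertools import combinations

# Assumed organization-defined duties (AC-5 a.); all names are illustrative.
SUPPORT = ["system_management", "programming", "configuration_management",
           "qa_testing", "network_security"]
# (ii) support functions are held by different individuals;
# (iii) access control administrators do not also administer audit.
CONFLICTS = {frozenset(p) for p in combinations(SUPPORT, 2)}
CONFLICTS.add(frozenset({"access_control_admin", "audit_admin"}))

# Constructed sample authorizations (AC-5 c.): role -> duties, user -> roles.
ROLE_DUTIES = {
    "sysadmin": {"system_management"},
    "developer": {"programming"},
    "release_mgr": {"configuration_management"},
    "iam_admin": {"access_control_admin"},
    "log_admin": {"audit_admin"},
    "secops_lead": {"access_control_admin", "audit_admin"},
}
USER_ROLES = {
    "alice": {"sysadmin"},
    "bob": {"developer", "release_mgr"},  # conflict spread over two roles
    "carol": {"iam_admin"},
    "dave": {"secops_lead"},              # conflict inside a single role
    "erin": {"log_admin", "legacy_ops"},  # role with no documented duties
}

def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Return (duties, undocumented_roles) for one user across all roles."""
    duties, unknown = set(), set()
    for role in user_roles.get(user, ()):
        if role in role_duties:
            duties |= role_duties[role]
        else:
            unknown.add(role)  # cannot be evaluated, so surface it
    return duties, unknown

def find_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                    conflicts=CONFLICTS):
    """Return sorted (user, duty_a, duty_b) for each conflicting pair held."""
    found = []
    for user in user_roles:
        duties, _ = effective_duties(user, user_roles, role_duties)
        found += [(user, a, b) for a, b in combinations(sorted(duties), 2)
                  if frozenset((a, b)) in conflicts]
    return sorted(found)

if __name__ == "__main__":
    for user, a, b in find_violations():
        print(f"{user}: holds both {a} and {b}")
```

Checking effective duties per individual rather than per role catches a conflict that only appears when two individually acceptable roles are combined; roles with no documented duties are returned separately because they cannot be evaluated.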

Control Enhancements

None.

References

None.