T3.2.4 - SEGREGATION OF DUTIES Implementation Guidance
The entity shall segregate duties and areas of responsibility.
Segregation of duties is a method for reducing the risk of accidental or deliberate system misuse. Care should be taken that no single person can access, modify or use assets without authorization or detection. The initiation of an event should be separated from its authorization. The possibility of collusion should be considered in designing the controls.
Small entities may find segregation of duties difficult to achieve, but the principle should be applied as far as is possible and practicable. Whenever it is difficult to segregate, other controls such as monitoring of activities, audit trails and management supervision should be considered. It is important that security audit remains independent.