Evidence – AC.L2-3.1.4
Separate the Duties of Individuals
What This Evidence Shows
This evidence shows that administrative, security, and operational duties are not all performed by the same individual, or that compensating controls are in place when full separation is not possible.
This supports AC.L2-3.1.4 (Separation of Duties) in the System Security Plan (SSP).
How Separation of Duties Is Demonstrated
1. Duties Are Clearly Defined
The organization defines different responsibilities for:
- System administration
- Security or compliance oversight
- Normal system use and operations
Examples of how this is shown:
- Job descriptions or role descriptions show who is responsible for administration versus day-to-day use
- Policies or internal documentation describe who can make system changes and who approves or reviews those changes
This shows that responsibilities are intentionally separated and understood.
2. Administrative and User Responsibilities Are Not Combined
Individuals who perform routine operational work do not also hold unrestricted administrative privileges, and any administrative access they do hold is subject to oversight.
Examples of how this is shown:
- Only designated individuals perform system administration tasks
- Regular users do not perform administrative or security management duties
- Where a person necessarily holds multiple responsibilities, those duties and the compensating controls that apply to them are documented
This reduces the risk that a single person can make an unreviewed change or misuse the system without detection.
3. Oversight Exists for Privileged Activities
Administrative and security-related activities are subject to oversight.
Examples of how this is shown:
- Management or leadership reviews administrative actions
- Another individual reviews changes made by administrators
- Security or compliance responsibilities include review or approval duties
This oversight helps detect mistakes or malicious actions.
4. Compensating Controls Are Used When Duties Cannot Be Fully Separated
In small organizations where one person must perform multiple roles, additional controls are used to reduce risk.
Examples of how this is shown:
- Increased management review of administrative actions
- Documentation of decisions and approvals
- Independent review by a manager, owner, or external party
This ensures that limited staffing does not eliminate accountability for privileged actions.
Where This Evidence Exists
This evidence exists in organizational policies, role descriptions, management procedures, and oversight practices and is retained according to organizational policy and contractual requirements.