Control 5.3 : Segregation of Duties
Summary
This control ensures that conflicting duties and areas of responsibility are separated to reduce the risk of unauthorized or unintentional modification or misuse of the organization's assets. No single person should be able to complete a sensitive process without oversight.
Applicability
In-Scope: Required for all financial, technical, and data-processing tasks where one person acting alone could commit fraud, bypass a control, or cause significant data loss. It is a core requirement for maintaining internal controls and meeting regulatory standards.
Out-of-Scope: Very small teams may be unable to separate every duty; the control still applies, but the auditor will expect documented compensating controls such as increased logging and management review of all privileged actions, carried out by someone other than the person who performed them.
Implementation Guidance
Microsoft 365 / Entra ID
- Access Control: Configure Entra ID Administrative Units so that administrative roles are scoped to specific departments or regions rather than granted tenant-wide; a role assigned within an Administrative Unit applies only to the users, groups, and devices in that unit.
- Approval Workflows: Use Entra ID Privileged Identity Management (PIM) approval workflows, or a Microsoft Power Automate approval flow, so that sensitive actions (such as activating or assigning the Global Administrator role) require a second person to approve the request before it takes effect.
- Auditing: Enable the Unified Audit Log in Microsoft Purview so that actions taken by privileged accounts are recorded and can be reviewed independently by someone who did not perform them.
Evidence Checklist
- Duty Matrix: A list of conflicting roles (e.g., the person requesting a payment cannot be the person approving it; the person creating an account cannot be the person granting it privileged roles).
- Process Documentation: Flowcharts or SOPs showing where four-eyes approval is required.
- Audit Logs: Evidence of dual authorization occurring in practice within the Microsoft tenant, such as approved PIM activation requests showing both the requester and the approver.
Practical Audit Advice
Here are some questions the auditor might ask:
- How did the organization identify which tasks carry the highest risk of fraud or error and therefore require segregation?
- Where segregation of duties is not possible because of team size, what monitoring controls are in place to review the actions of privileged users?
- Can you provide an example of a recent sensitive change that required a formal second-person approval?
- How are access rights reviewed to ensure that a user has not accumulated conflicting roles over time (role creep)?
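The last question above, and the Entra ID guidance earlier on this page, both come down to the same check: compare each principal's current role assignments against the duty matrix. The script below is an added example written for this page (it is not Microsoft code and not part of the original control text); it reads the JSON that Microsoft Graph returns for role definitions and role assignments and reports every principal holding a conflicting pair. The duty matrix, the tenant name (contoso.example), the principal and role IDs, and the Administrative Unit IDs are all hypothetical sample data constructed to match the shape of the Graph responses.

```python
"""Role-creep check: flag principals holding conflicting Entra ID directory roles.

Input is the JSON returned by the Microsoft Graph endpoints
  GET /v1.0/roleManagement/directory/roleDefinitions
  GET /v1.0/roleManagement/directory/roleAssignments?$expand=principal
saved to disk. The two samples below are constructed to match that shape;
nothing here is real tenant data.
"""
import json
from collections import defaultdict

# Hypothetical duty matrix: role pairs one person must not hold at the same time.
# Replace with the organization's own conflicting-role list.
CONFLICTING_ROLES = (
    frozenset({"User Administrator", "Privileged Role Administrator"}),  # creates accounts + grants privileged roles
    frozenset({"User Administrator", "Authentication Administrator"}),   # creates accounts + resets their credentials
)

# Constructed sample of the roleDefinitions response (ids are placeholders).
ROLE_DEFINITIONS_JSON = """{"value": [
  {"id": "r-0001", "displayName": "User Administrator"},
  {"id": "r-0002", "displayName": "Privileged Role Administrator"},
  {"id": "r-0003", "displayName": "Authentication Administrator"},
  {"id": "r-0004", "displayName": "Security Reader"}
]}"""

# Constructed sample of the roleAssignments response with $expand=principal.
ROLE_ASSIGNMENTS_JSON = """{"value": [
  {"principalId": "u-alice", "roleDefinitionId": "r-0001", "directoryScopeId": "/",
   "principal": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@contoso.example"}},
  {"principalId": "u-alice", "roleDefinitionId": "r-0002", "directoryScopeId": "/",
   "principal": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@contoso.example"}},
  {"principalId": "u-bob", "roleDefinitionId": "r-0001", "directoryScopeId": "/administrativeUnits/au-finance",
   "principal": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@contoso.example"}},
  {"principalId": "u-bob", "roleDefinitionId": "r-0003", "directoryScopeId": "/administrativeUnits/au-sales",
   "principal": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@contoso.example"}},
  {"principalId": "u-carol", "roleDefinitionId": "r-0004", "directoryScopeId": "/",
   "principal": {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "carol@contoso.example"}},
  {"principalId": "g-finops", "roleDefinitionId": "r-0002", "directoryScopeId": "/",
   "principal": {"@odata.type": "#microsoft.graph.group", "displayName": "FinOps Admins"}}
]}"""


def load_role_names(definitions_json):
    """Map roleDefinitionId -> display name so findings are readable."""
    return {d["id"]: d["displayName"] for d in json.loads(definitions_json)["value"]}


def scopes_overlap(a, b):
    """'/' is the whole tenant and overlaps everything; two Administrative Unit
    scopes overlap only when they are the same unit."""
    return a == "/" or b == "/" or a == b


def roles_by_principal(assignments_json, role_names):
    """Collapse assignments into {principalId: {name, type, roles: {role: set(scopes)}}}."""
    principals = {}
    for a in json.loads(assignments_json)["value"]:
        p = a["principal"]
        entry = principals.setdefault(a["principalId"], {
            "name": p.get("userPrincipalName") or p.get("displayName"),
            "type": p["@odata.type"].rsplit(".", 1)[-1],   # "user", "group", "servicePrincipal"
            "roles": defaultdict(set),
        })
        role = role_names.get(a["roleDefinitionId"], a["roleDefinitionId"])
        entry["roles"][role].add(a["directoryScopeId"])
    return principals


def find_conflicts(principals, matrix=CONFLICTING_ROLES):
    """One finding per (principal, conflicting pair). scope_overlap is False when
    the two roles are confined to different Administrative Units, which is the
    case the guidance above uses AUs to create; review those rather than closing them."""
    findings = []
    for entry in principals.values():
        for pair in matrix:
            if not pair.issubset(entry["roles"]):
                continue
            role_a, role_b = sorted(pair)
            overlap = any(scopes_overlap(x, y)
                          for x in entry["roles"][role_a] for y in entry["roles"][role_b])
            findings.append({"principal": entry["name"], "type": entry["type"],
                             "roles": (role_a, role_b), "scope_overlap": overlap})
    return findings


def unresolved_groups(principals, matrix=CONFLICTING_ROLES):
    """Groups holding a matrix role: members inherit it, so expand membership
    (GET /groups/{id}/members) and re-run the check before signing off."""
    watched = set().union(*matrix)
    return sorted(e["name"] for e in principals.values()
                  if e["type"] == "group" and watched.intersection(e["roles"]))


if __name__ == "__main__":
    names = load_role_names(ROLE_DEFINITIONS_JSON)
    principals = roles_by_principal(ROLE_ASSIGNMENTS_JSON, names)
    for f in find_conflicts(principals):
        flag = "CONFLICT" if f["scope_overlap"] else "scoped, review"
        print(f"{flag}: {f['principal']} ({f['type']}) holds {f['roles'][0]} and {f['roles'][1]}")
    for g in unresolved_groups(principals):
        print(f"expand membership: group '{g}' holds a duty-matrix role")
```

Against the constructed sample this flags alice (both roles tenant-wide) as a conflict, lists bob as scoped for review because his two roles sit in different Administrative Units, and asks for the FinOps Admins group to be expanded. Two caveats when running it on a real export: the roleAssignments endpoint returns only active assignments, so a user who is merely PIM-eligible for both roles will not appear, and the same check should be run over the eligibility data (roleEligibilityScheduleInstances) as well; and a principal that is a group or service principal must have its membership or owners expanded before the result is used as evidence for the duty matrix.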