According to the NIST glossary, separation of duty “refers to the principle that no user should be given enough privileges to misuse the system on their own.” Here is an example: members of the IT group are not permitted to create user accounts for personnel unless instructed to do so by human resources. Another example is requiring that IT management provides written approval for proposed changes to firewall rules before they are implemented by a technician. Here is another example, before a server has patches installed by a technician, written approval is required from IT management.

The goal behind the separation of duties is to prevent one individual from being able to commit fraud or cause damage.

NIST SP 800-171 security control 3.1.4 states “Separate the duties of individuals to reduce the risk of malevolent activity without collusion.”

To meet this requirement you need to ensure that:

• The duties of individuals requiring separation are defined.
• Responsibilities for duties that require separation are assigned to separateindividuals.
• Access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.

We have a system access authorizations document template that can be downloaded from the Compliance Accelerator application that you can use to meet NIST SP 800-171 documentation related requirements. Here is a sample of the document.