AM-01 Access Management

IT Organisation & Segregation

IT responsibilities are appropriately divided.

Domain: Access Management
Control type: Preventive
Automated / manual: Manual
Frequency: Annual
Framework reference: COBIT APO01

What good looks like

IT roles defined with appropriate segregation (security vs ops vs dev).

Risk if it fails

Concentrated/conflicting responsibilities.

How Tess tests it

2 tests — each concludes only on cited evidence.

Roles & org segregation defined

Design

Procedure: Inspect org/role docs.
Expected: Defined.
Sample: 1 (design inspection)
Evidence: Org chart, job descriptions.

Incompatible functions segregated in org

Operating

Procedure: Inspect the structure.
Expected: Security/ops/dev appropriately separated.
Sample: 1
Evidence: Org chart, job descriptions.

Evidence Tess looks for

Org chart, job descriptions.

More in Access Management

AM-02 Password / Authentication Policy AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO AM-05 Session Management / Timeout

Want Tess to test AM-01 against your evidence?