AM-12 Access Management

Segregation of Duties (SoD)

Conflicting duties are separated.

What good looks like

A SoD matrix defines incompatible duties; roles enforce it with compensating controls where needed.

Fraud, error concealment, unauthorised transactions.

4 tests — each concludes only on cited evidence.

Design

Procedure: Inspect the SoD matrix.
Expected: Documented and approved.
Sample: 1 (design inspection)
Evidence: SoD matrix, role mapping, conflict analysis, comp-control evidence.

Design

Procedure: Inspect role design.
Expected: Roles do not combine conflicting functions.
Sample: 1 (design inspection)
Evidence: SoD matrix, role mapping, conflict analysis, comp-control evidence.

Operating

Procedure: Run/inspect a conflict analysis over entitlements.
Expected: Zero unmitigated conflicts.
Sample: 25 (or full config inspection)
Evidence: SoD matrix, role mapping, conflict analysis, comp-control evidence.

Operating

Procedure: Inspect compensating-control evidence.
Expected: Documented and operating effectively.
Sample: 25 (or full config inspection)
Evidence: SoD matrix, role mapping, conflict analysis, comp-control evidence.

SoD matrix, role mapping, conflict analysis, comp-control evidence.

Want Tess to test AM-12 against your evidence?