AC-5 - Separation of Duties

Control requirements

The organization:

AC-5 (a)
Separates [Assignment: organization-defined duties of individuals];
AC-5 (b)
Documents separation of duties of individuals; and
AC-5 (c)
Defines information system access authorizations to support separation of duties.

Additional IBM Cloud for Financial Services specifications

  • Ensure segregation exists such that no one individual has the authority/ability to develop, compile and/or move object code from non-production environments into production environments.

Implementation guidance

See the resources that follow to learn more about how to implement this control.

IBM Cloud for Financial Services profile

The rules related to this control that follow are part of the IBM Cloud for Financial Services v1.2.0 profile in IBM Cloud® Security and Compliance Center.

Rules for AC-5 in IBM Cloud for Financial Services v1.2.0 profile
Requirement ID: AC-5 (c)
Rules:
  • Check whether permissions for API key creation are limited and configured in IAM settings for the account owner
  • Check whether App ID Cloud Directory users aren't able to update their own accounts
  • Check whether IAM roles are used to create IAM policies for IBM resources
  • Check whether IAM users are attached to at least one access group
  • Check whether App ID Cloud Directory users aren't able to self-sign up to applications
  • Check whether App ID user profile updates from client apps are disabled

NIST supplemental guidance

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.
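The following is an added example, not IBM Cloud or Security and Compliance Center code, showing how the two toxic duty combinations stated on this page can be checked mechanically over an account snapshot: the Financial Services specification above (one identity must not be able to both produce object code and move it into production) and NIST guidance item (iii) (staff administering access control must not also administer audit functions). It also applies the AC-5 (c) profile rule that every IAM user belongs to at least one access group. The access group names, the duties each group grants, and the user list are all constructed for illustration and are not real IBM Cloud identifiers.

```python
"""Separation-of-duties check over a constructed access snapshot.

Added example; not IBM Cloud code. It detects users whose combined access
groups grant a toxic pair of duties, and users with no access group at all.
All group names, duties and users below are constructed (assumptions).
"""

# Pairs of duties that one identity must not hold together.
TOXIC_PAIRS = [
    ("develop", "deploy_prod"),                # FS spec: develop + promote to production
    ("compile", "deploy_prod"),                # FS spec: build + promote to production
    ("admin_access_control", "admin_audit"),   # NIST supplemental guidance (iii)
]

# Constructed: the duties each access group grants (assumption, not real groups).
GROUP_DUTIES = {
    "app-developers": {"develop", "compile"},
    "release-managers": {"deploy_prod"},
    "iam-admins": {"admin_access_control"},
    "audit-admins": {"admin_audit"},
}

# Constructed account snapshot: user -> access groups the user belongs to.
ACCOUNT_SNAPSHOT = {
    "alice@example.com": ["app-developers"],
    "bob@example.com": ["release-managers"],
    "carol@example.com": ["app-developers", "release-managers"],  # develops and deploys
    "dave@example.com": ["iam-admins", "audit-admins"],           # NIST (iii) conflict
    "erin@example.com": [],                                       # no access group at all
}


def effective_duties(groups, group_duties=GROUP_DUTIES):
    """Union of the duties granted by every group; an unknown group grants nothing."""
    duties = set()
    for group in groups:
        duties |= group_duties.get(group, set())
    return duties


def find_sod_conflicts(snapshot, group_duties=GROUP_DUTIES, toxic_pairs=TOXIC_PAIRS):
    """Return {user: sorted list of toxic duty pairs the user holds}.

    The check runs on the union of duties across all of a user's groups, so a
    membership set that looks harmless group-by-group but is toxic in
    aggregate (carol above) is still reported.
    """
    conflicts = {}
    for user, groups in snapshot.items():
        held = effective_duties(groups, group_duties)
        hits = sorted(p for p in toxic_pairs if p[0] in held and p[1] in held)
        if hits:
            conflicts[user] = hits
    return conflicts


def users_without_access_group(snapshot):
    """AC-5 (c) profile rule: every IAM user should be attached to at least one
    access group, so that access is granted through groups rather than ad hoc."""
    return sorted(user for user, groups in snapshot.items() if not groups)


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(ACCOUNT_SNAPSHOT).items():
        print(f"SoD conflict: {user} holds {pairs}")
    for user in users_without_access_group(ACCOUNT_SNAPSHOT):
        print(f"No access group: {user}")
```

In practice the snapshot would be built from an export of users, access groups and policies rather than the literals above; the point of evaluating the union of duties per user is that separation-of-duties violations usually arise from accumulated memberships, not from any single group being misconfigured.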