Separation of Duties (AC-5)

Created August 12, 2016
Revised September 1, 2016

Description

This control addresses how information resource owners and custodians shall ensure that the principle of Separation of Duties is implemented to prevent errors and/or fraud. It also provides procedures for appropriately managing the creation, use, monitoring, control and removal of accounts with special access privileges based on the duties of staff.

Separation of Duties is achieved by disseminating the tasks and associated privileges for a specific security process among multiple users and chains of command. This ensures that no single individual or organization is in a position to both perpetrate and conceal irregularities resulting in unauthorized or unintentional modification or misuse of the university's information resources.

Technical support staff may have special access account privilege requirements in comparison with typical users.

Applicability

The owner of an information resource, or designee, is responsible for identifying the relevant information technology roles for custodians or users of their information resources.

Separation of duties must be implemented such that operational information resource functions are separated into distinct jobs to prevent a single person from harming a development or operational information resource or the services it provides, whether by an accidental act, omission, or intentional act.

Implementation

1. Separation of the development, test and operational environments will be implemented, either logically or physically:

   1.1 Development and operational software must, where possible, run on different computer processors, or in different domains and directories;

   1.2 Development and testing activities must be separated;

   1.3 Compilers, editors, and other system utilities must not be accessible from operational systems when not required; and

   1.4 Different logon procedures must be used for operational, test, and development systems, to reduce the risk of error. Users should use different passwords for these systems.

2. Each individual who uses administrator or special access accounts shall use the account or access privilege most appropriate for the requirements of the work being performed (e.g., user account vs. administrator account).

3. Texas A&M University (Texas A&M) units shall maintain a list(s) of personnel who have administrator or special access accounts for unit information resources. The list(s) shall be reviewed at least annually by the appropriate unit head, information resource owner or their designee.

4. In the course of their normal duties to assure the availability, integrity, utility, authenticity and confidentiality of information resources, information resources custodians with special access privileges may routinely access descriptive data to investigate various events related to the performance or security of those resources. Personnel from the Texas A&M IT security team may also routinely investigate events related to the performance and the secure operation of the Texas A&M network. Information resource owners may at times also access user data in maintaining the operational integrity and security of information resources. Information resource custodians shall, however, maintain the confidentiality of user data to the extent practical and not divulge user data except to authorized university officials (such as described in Section 3).

5. Use of special access privileges to conduct investigations related to user data shall be directed by:

   5.1 appropriate university management personnel (e.g., Unit Head, Dean, Director, Vice President) (see University rule 32.01.99.M1 Complaint Procedures for Electronic Information Resources);

   OR

   5.2 university officials conducting investigations, such as:

       5.2.1 System Internal Audit;

       5.2.2 Office of the General Counsel;

       5.2.3 a designated officer conducting inquiries or investigating possible misconduct in research or scholarship;

       5.2.4 an authority investigating allegations of discrimination, sexual harassment or related retaliation;

       5.2.5 an investigation of Student Rules violations; or,

       5.2.6 the Office of the Chief Information Security Officer.

   Prior to conducting such investigations, the individual with administrator or special access will consult with the university Chief Information Security Office at ciso@tamu.edu.

6. Investigations conducted beyond the normal routines outlined in Section 4 and involving user data shall ensure that any user data is revealed only to disinterested third parties as outlined in Section 4 and that all the requirements of privacy laws are maintained (e.g., Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy Act, the Texas Public Information Act).

7. In those cases where law enforcement agencies request access in conjunction with an investigation, the request shall be in writing (e.g., subpoena, court order). All such requests shall be reported to the appropriate unit head, director, or their designee upon receipt as well as the Office of General Counsel.

8. Each individual who uses administrator or special access accounts shall use the account or access privilege most appropriate for the requirements of the work being performed (e.g., user account vs. administrator account).

9. The password for a shared administrator or special access account shall change under any one of the following conditions:

   9.1 an individual knowing the password leaves the Texas A&M department;

   9.2 job duties change such that the individual no longer performs functions requiring administrator or special access; or

   9.3 a contractor or vendor with such access leaves or completes their work.

10. In the case where an information resource has only one administrator account, there shall be a password escrow procedure in place such that an appropriate individual other than the person assigned the administrator account can gain access to the account in an emergency situation.

11. When special access accounts are needed for internal or external audit, software development, software installation or other defined need, the need must be:

   11.1 authorized, such as in those situations specified in Section 4;

   11.2 created with a specific expiration date; and

   11.3 removed when the work is complete.
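The account-lifecycle requirements in Sections 3, 9 and 11 can be checked mechanically against a unit's inventory of special-access accounts. The Python audit below is an added example, not part of this control or of any Texas A&M tooling; its record fields, the sample accounts and the use of the control's revision date as the audit date are assumptions.

```python
# Added example (not from the control text); field names and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

REVIEW_INTERVAL = timedelta(days=365)  # Section 3: list reviewed at least annually


@dataclass
class SpecialAccount:
    name: str
    holders: List[str]          # individuals who know the credential
    shared: bool                # shared administrator/special access account (Section 9)
    temporary: bool             # created for an audit, development or install need (Section 11)
    expires: Optional[date]     # Section 11.2: specific expiration date, if any
    last_review: date           # Section 3: date of the unit head / owner review
    password_changed: date      # last credential rotation
    departures: Dict[str, date] = field(default_factory=dict)  # holder -> date they left


def audit(accounts: List[SpecialAccount], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs; an empty list means the inventory is compliant."""
    findings = []
    for a in accounts:
        if today - a.last_review > REVIEW_INTERVAL:
            findings.append((a.name, "Section 3: annual review overdue"))
        if a.temporary:  # permanent administrator accounts carry no expiry requirement
            if a.expires is None:
                findings.append((a.name, "Section 11.2: no expiration date"))
            elif a.expires < today:
                findings.append((a.name, "Section 11.3: expired, remove account"))
        if a.shared:
            for holder, left in a.departures.items():
                if a.password_changed < left:  # credential outlived the departure
                    findings.append((a.name, f"Section 9.1: {holder} left, rotate password"))
    return findings


AS_OF = date(2016, 9, 1)  # constructed: the control's revision date stands in for "today"
SAMPLE = [  # constructed inventory covering one compliant and three non-compliant accounts
    SpecialAccount("db-admin", ["alice", "bob"], True, False, None,
                   date(2016, 3, 1), date(2016, 1, 15), {"bob": date(2016, 6, 30)}),
    SpecialAccount("auditor-tmp", ["carol"], False, True, date(2016, 7, 31),
                   date(2016, 5, 1), date(2016, 5, 1)),
    SpecialAccount("build-svc", ["dave"], False, True, None,
                   date(2015, 6, 1), date(2016, 1, 1)),
    SpecialAccount("web-admin", ["erin"], False, False, None,
                   date(2016, 8, 1), date(2016, 8, 1)),
]

if __name__ == "__main__":
    print(*audit(SAMPLE, AS_OF), sep="\n")
```

Run as a script it prints four findings: the shared db-admin credential that outlived a departing holder, the expired auditor account, and the build account that is both unreviewed for over a year and missing an expiration date.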