Identity and access management - Life Sciences Lens

Identity and access management

LSSEC01: How do you accommodate separation of duties as part of your identity and access management design?

Separation of duties, as it relates to security, has two primary objectives.

The first objective is the avoidance of conflict of interest, abuse, and errors.

The second objective is the detection of control failures that include security breaches, information theft, and circumvention of security controls.

Separation of duties is also essential for demonstrating that data integrity has been maintained. The FDA, for example, clearly states in its guidance that the system administrator role should only be assigned to personnel who are not responsible for the record content. This separation stops an individual whose role has a direct interest in the results of the decision from having the ability to modify or delete critical data. This protects the integrity of the data and avoids the risk of allegations of tampering.
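As an added example (not from the Life Sciences Lens itself), the check below detects the control failure the text describes: a principal who both administers the system and is responsible for record content. The role names, the conflicting-pair table and the assignment export are constructed for illustration; in practice the assignments would come from an export of group memberships or IAM role bindings.

```python
"""Separation-of-duties conflict check for an IAM design.

Added example, not part of the Life Sciences Lens. Role names and the
assignment table are constructed for illustration.
"""
from collections import defaultdict

# Pairs of roles one principal must not hold at the same time.
# The first two pairs encode the FDA point in the text: whoever
# administers the system must not also be responsible for record content.
# The third pair (author vs. approver) is an assumed, common extra rule.
CONFLICTING_ROLE_PAIRS = [
    ("system_administrator", "record_author"),
    ("system_administrator", "record_approver"),
    ("record_author", "record_approver"),
]


def find_sod_conflicts(assignments):
    """Return {principal: [(role_a, role_b), ...]} for every principal that
    holds both roles of a conflicting pair.

    `assignments` is an iterable of (principal, role) tuples.
    """
    roles_by_principal = defaultdict(set)
    for principal, role in assignments:
        roles_by_principal[principal].add(role)

    conflicts = {}
    for principal, roles in sorted(roles_by_principal.items()):
        hits = [pair for pair in CONFLICTING_ROLE_PAIRS
                if pair[0] in roles and pair[1] in roles]
        if hits:
            conflicts[principal] = hits
    return conflicts


# Constructed sample export of (principal, role) bindings.
SAMPLE_ASSIGNMENTS = [
    ("alice", "record_author"),
    ("alice", "system_administrator"),   # conflict: admin + content owner
    ("bob", "system_administrator"),
    ("carol", "record_approver"),
    ("dave", "record_author"),
    ("dave", "record_approver"),          # conflict: authors and approves
]

if __name__ == "__main__":
    for principal, hits in find_sod_conflicts(SAMPLE_ASSIGNMENTS).items():
        for role_a, role_b in hits:
            print(f"{principal}: holds both {role_a} and {role_b}")
```

Running the check periodically against the live assignment export, and on every role change, turns the separation-of-duties requirement into a detective control rather than a one-time design review.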