We’re continuing our discussion from the previous blog post, “The Importance of Separation of Duties”, and getting into more details surrounding documenting and tracking your processes.
- Document the separation of duties:
  - It should be formally documented who in your organization is responsible for each information system, and those responsibilities should be spread across different individuals.
  - Specifically, who is responsible for configuring, auditing, and granting access to systems?
  - You can define this by job title or by specific person. We suggest job title, to avoid having to change your policy and procedure documents every time there is a staff change.
- Documentation and tracking of requests:
  - Using a ticketing system to track access requests, auditing of systems, or support incidents will show that the separation of duties is being executed properly.
  - Audit logs can be used to identify who is doing what and to corroborate compliance with separation-of-duties standards.
  - It's important to make sure the records are kept for an appropriate amount of time and are reviewed on a defined cadence.
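As an added example (not from the original post), here is a small check that reads constructed audit log lines against a duty matrix documented by job title, as suggested above, and flags two things: an action performed by someone whose title is not the documented one, and one person performing more than one of the configure/audit/grant-access duties on the same system. The system name, titles, roster and log format are all assumptions.

```python
from collections import defaultdict

# Constructed: documented duties per information system, keyed by job title
# rather than by person, so staff changes do not alter the policy document.
DUTY_MATRIX = {
    "ehr-prod": {"configure": "systems engineer",
                 "audit": "compliance analyst",
                 "grant_access": "identity admin"},
}
# Constructed staff roster: person -> current job title.
ROSTER = {"alice": "systems engineer", "bob": "compliance analyst",
          "carol": "identity admin", "dave": "systems engineer"}
# Constructed audit log (assumed format): timestamp actor action system
SAMPLE_LOG = """\
2024-03-01T09:00:00Z alice configure ehr-prod
2024-03-01T09:05:00Z carol grant_access ehr-prod
2024-03-01T10:00:00Z bob audit ehr-prod
2024-03-02T11:00:00Z dave configure ehr-prod
2024-03-02T11:30:00Z dave audit ehr-prod
"""

def parse_log(text):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, actor, action, system = line.split()
            events.append({"ts": ts, "actor": actor, "action": action, "system": system})
    return events

def check_separation(events, duty_matrix, roster):
    """Return findings: an actor whose job title is not the one documented for
    that duty on that system, and any one person who performed two or more of
    the duties on the same system (which defeats the separation itself)."""
    findings = []
    duties_by_actor = defaultdict(set)
    for e in events:
        expected = duty_matrix.get(e["system"], {}).get(e["action"])
        title = roster.get(e["actor"], "unknown")
        if expected is None:
            findings.append(f"{e['ts']} undocumented duty {e['action']!r} on {e['system']} by {e['actor']}")
        elif title != expected:
            findings.append(f"{e['ts']} {e['actor']} ({title}) did {e['action']!r} on "
                            f"{e['system']}; documented title is {expected!r}")
        duties_by_actor[(e["actor"], e["system"])].add(e["action"])
    for (actor, system), duties in sorted(duties_by_actor.items()):
        if len(duties) > 1:
            findings.append(f"{actor} performed conflicting duties {sorted(duties)} on {system}")
    return findings
```

Running `check_separation(parse_log(SAMPLE_LOG), DUTY_MATRIX, ROSTER)` on the sample yields two findings, both about dave: his audit action does not match the documented title, and he has now both configured and audited the same system.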
https://nvd.nist.gov/800-53/Rev4/control/AC-5
HIPAA Security Rule 45 C.F.R. §§ 164.308(a)(4)(ii)(B), 164.310(a)(1), 164.310(b), 164.312(a)(1), 164.312(b), 164.312(c), 164.312(e)