Information
Separation of duties is a prevalent Information Technology control implemented at different layers of the information system including the operating system and in applications. It serves to eliminate or reduce the possibility that a single user may carry out a prohibited action. Separation of duties requires that the person accountable for approving an action is not the same person who is tasked with implementing or carrying out the action.
Additionally, the person or entity accountable for monitoring the activity must be separate as well. To meet this requirement, applications, when applicable, shall be divided where functionality is based on roles and duties. Examples of separation of duties include: (i) mission functions and distinct information system support functions are divided among different individuals/roles; (ii) different individuals perform information system support functions (e.g., system management, systems programming, configuration management, quality assurance and testing, network security); (iii) security personnel who administer access control functions do not administer audit functions; and (iv) different administrator accounts for different roles.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Create and/or confirm the three required permission levels exist and have permissions in accordance with organizationally defined permissions.
1. On a site home page, click Site Actions, and then click Site Permissions.
2. In the Manage section of the ribbon, click Permission Levels.
3. Create missing permission levels by clicking Add a Permission Level.
4. On the Add a Permission Level page, in the Name field, type a name for the new permission level (Web Site Admin, Web Site Audit, or Web Site Manager).
5. In the Description field, type a description of the new permission level.
6. In the list of permissions, select the check boxes to add permissions to the permission level according to the organizationally defined permissions from the IAO.
7. Click Create.