Separation of Duties
Also known as: SoD
The principle that critical security functions should be divided across multiple people so that no single individual can compromise security.
Separation of duties (SoD) is the principle that critical functions — particularly those affecting security — should be divided across multiple individuals so that no single person has the authority to subvert controls without detection. It is required by NIST SP 800-171 AC.L2-3.1.4.
Classic examples: the person who approves purchase orders should not be the same person who approves payments; the system administrator who creates user accounts should not also be the person who reviews access logs.
In small organizations, perfect separation of duties is sometimes impossible. In those cases, contractors document the compensating controls (independent review, audit logging, periodic external review) that reduce the risk of unilateral action.
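The two conflicts named above, expressed as a toxic-combination check over role assignments that also records whether a small-organization exception has documented compensating controls. This is an added example, not code from CMMCDocs or from NIST; the role names and sample users are constructed.

```python
from dataclasses import dataclass

# Toxic role combinations taken from the glossary's two examples; the role
# names themselves are constructed for this example, not a standard vocabulary.
CONFLICTING_ROLE_PAIRS = (
    frozenset({"po_approver", "payment_approver"}),
    frozenset({"account_admin", "log_reviewer"}),
)

@dataclass(frozen=True)
class Finding:
    user: str
    roles: frozenset          # the conflicting pair this user holds
    controls: tuple           # documented compensating controls, if any

    @property
    def mitigated(self) -> bool:
        return bool(self.controls)   # tolerable only if a compensating control is recorded

def find_sod_conflicts(assignments, compensating=None):
    """One Finding per (user, conflicting pair); assignments is {user: roles},
    compensating is {user: [control descriptions]} for small-org exceptions."""
    compensating = compensating or {}
    findings = []
    for user in sorted(assignments):
        held = set(assignments[user])
        for pair in CONFLICTING_ROLE_PAIRS:
            if pair <= held:
                findings.append(Finding(user, pair, tuple(compensating.get(user, ()))))
    return findings

def grant_would_conflict(current_roles, new_role):
    """Pre-check for a provisioning workflow: pairs that adding new_role would complete."""
    held = set(current_roles) | {new_role}
    return [pair for pair in CONFLICTING_ROLE_PAIRS if new_role in pair and pair <= held]

def unmitigated_users(findings):
    """Users whose conflicts have no documented compensating control; these need action."""
    return sorted({f.user for f in findings if not f.mitigated})

# Constructed sample: Alice approves both POs and payments with nothing documented;
# Carol is the small-org case where one admin also reviews logs, with controls recorded.
SAMPLE_ASSIGNMENTS = {
    "alice": {"po_approver", "payment_approver"},
    "bob": {"account_admin"},
    "carol": {"account_admin", "log_reviewer"},
}
SAMPLE_CONTROLS = {"carol": ["quarterly external log review", "immutable audit log of admin actions"]}
```

Running `find_sod_conflicts(SAMPLE_ASSIGNMENTS, SAMPLE_CONTROLS)` flags both Alice and Carol, but only Alice appears in `unmitigated_users`, which is the list an assessor would expect to see closed or documented.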
CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in — with the language, the templates, and the evidence vault you need. Spin up a free demo workspace and click around the way an assessor would.