
SEPARATION OF DUTIES

Policy Version: 1.0
Effective Date:
Review Cycle: Annually or as required

1. Purpose
This Separation of Duties Policy is established to define clear roles and
responsibilities within SecureTech’s cybersecurity team. The policy aims to prevent conflicts of
interest, mitigate the risk of insider threats, and enhance the overall security posture by ensuring
that critical tasks and access rights are distributed among multiple individuals.

2. Scope
The policy applies to all SecureTech employees, contractors, and any
third-party vendors who are involved in the cybersecurity operations, development,
administration, and monitoring of SecureTech’s information systems and networks.

3. Definitions
(a) Separation of Duties (SoD): A security principle under which no single
individual has the ability to execute two or more conflicting sensitive transactions
without detection; for example, the person who requests a system change or access right is
not the person who approves it.
(b) Role-Based Access Control (RBAC): An approach to restricting system access
to authorized users based on their roles within the organization.

4. Policy
4.1 Distribution of Responsibilities
(a) Duties shall be divided among different individuals to reduce the
risk of error, fraud, and abuse, and to increase the ability to detect
anomalies promptly.
(b) No single individual shall control all key aspects of a critical
process or sensitive task.
4.2 Implementation of Role-Based Access Control
(a) Access to information systems and data will be governed by
RBAC, ensuring that employees are granted access only to the
resources necessary for their job functions.
(b) The principle of least privilege must be enforced, granting
employees the minimal level of access or permissions needed to
perform their job functions.
4.3 Critical Processes and Dual Control
(a) Processes that are critical to the security of information systems
must require at least two individuals to complete a task or series of
tasks. This includes, but is not limited to, system changes, financial
approval, and access rights review.
(b) Dual control mechanisms must be implemented to ensure that
critical actions are performed jointly and not in isolation.
4.4 Periodic Review and Auditing
(a) The cybersecurity team will conduct regular reviews and audits of
roles, responsibilities, and access rights to ensure compliance with
this policy.
(b) Any deviations from this policy must be reported immediately,
investigated, and rectified.
4.5 Training and Awareness
(a) All relevant personnel must receive training on this policy to
understand the importance of SoD and their responsibilities in
maintaining it.
(b) Continuous awareness programs shall be conducted to reinforce
the significance of separation of duties in preventing security
incidents.
5. Enforcement
Violations of this policy will be handled according to SecureTech’s
disciplinary process and may result in disciplinary action, up to and including termination of
employment or contracts.

6. Policy Review and Modification
This policy is to be reviewed annually or following significant changes to
the organization or technology environment. Any amendments must be approved by the Chief
Information Security Officer and communicated to all affected parties.

Activity/Function                          | Cybersecurity Analyst | Cybersecurity Manager | Chief Information Security Officer (CISO) | IT Administrator
-------------------------------------------|-----------------------|-----------------------|-------------------------------------------|-----------------
Initiate cybersecurity measures            | ✔                     |                       |                                           |
Approve cybersecurity policies             |                       | ✔                     |                                           |
Implement security software/tools          | ✔                     | ✔                     |                                           | ✔
Monitor and analyze security alerts        | ✔                     |                       |                                           |
Conduct cybersecurity risk assessments     | ✔                     | ✔                     |                                           |
Approve access to sensitive information    |                       |                       | ✔                                         |
Review and approve cybersecurity budgets   |                       |                       | ✔                                         |
Audit security measures and compliance     |                       | ✔                     | ✔                                         |
Manage user access controls                |                       |                       |                                           | ✔
Handle cybersecurity incidents             | ✔                     | ✔                     |                                           |
Review cybersecurity reports               |                       | ✔                     | ✔                                         |
Notes:

● Cybersecurity Analyst: Primarily responsible for the execution of security measures,
including monitoring, risk assessments, and handling incidents. Analysts initiate the
implementation of security tools but do not have the authority to approve policies or to
approve access to sensitive information.
● Cybersecurity Manager: Oversees the operational side of cybersecurity, including the
approval of policies drafted by analysts, conducting audits, and managing the review of
cybersecurity reports. Managers play a pivotal role in incident management alongside
analysts.
● Chief Information Security Officer (CISO): Has ultimate responsibility for the
cybersecurity posture, including the approval of access to sensitive information,
reviewing and approving budgets, and overseeing overall compliance with
cybersecurity policies.
● IT Administrator: Focused on the technical implementation of security measures,
including the management of user access controls and the deployment of security
software/tools, under the approval and guidance of cybersecurity analysts and managers.

This chart ensures a clear division of responsibilities within SecureTech's cybersecurity
team, mitigating the risks associated with concentrated control over cybersecurity operations and
enhancing the overall security framework of the organization.

Approved by:

____________________________________
Name

____________________________________
Title

____________________________________
Date
