CMMC Update by Glenda R. Snodgrass for The Net Effect

May 19, 2026

Separation of Duties

3.1.4: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Ah, yes, yet another control that is often misunderstood or simply taken too lightly.

Dictionary.com tells us that "collusion" is defined as "a secret agreement, especially for fraudulent or treacherous purposes; conspiracy."

So, the intent of this control is to ensure that it would be difficult for one person to conduct malevolent activity on their own; it would require the cooperation of a second person acting in tandem. Separation of Duties, when done correctly, serves this purpose quite well. Unfortunately, most orgs don't implement this correctly.

The Discussion for this control includes "ensuring that security personnel administering access control functions do not also administer audit functions." The classic example is a system administrator who can create user accounts and also has access to the system log files. Acting alone, this sysadmin could create a rogue account for a threat actor and then delete the account-creation entry from the logs. That is malevolent activity without collusion. If, however, the system log files are only accessible to a different sysadmin who has no account-creation privileges (in this example), it would take both of them, working together, to create an account and delete the record of its creation.

We often speak with orgs that have 2 or 3 IT people and all of them have full privileges on every system. You cannot meet this control simply by assigning different responsibilities to different individuals and hoping they don't collude.

I like to think in terms of three basic functions: authorization, implementation and monitoring/auditing. So, a new user account is authorized by someone in HR who has no system privileges. The new user account is created (implementation) by a sysadmin with no privileges in the logging/monitoring system. The person with monitoring/auditing privileges will see the account creation and can verify that it's legitimate (contacting HR, pulling the account-creation ticket; there are many ways for this to happen).

Remember also that the monitoring/auditing function doesn't necessarily have to be done by an IT person. Many individuals in other roles (HR, finance, operations) are capable of performing these duties. Often, this role is outsourced for a nominal fee.
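A small checker for the three-function model above, added here as an example and not part of the newsletter: it maps privilege names to the authorization, implementation and audit functions and flags any one person who holds two of them. The privilege names and the two sample orgs (the "everyone has full privileges" shop and the separated one) are constructed for illustration.

```python
from itertools import combinations

# The three basic functions, each mapped to the privileges that let someone
# perform it. Privilege names are constructed for this example.
FUNCTIONS = {
    "authorize": {"approve_account_request"},
    "implement": {"create_account", "delete_account"},
    "audit": {"read_audit_log", "delete_audit_log"},
}

# Any single person holding two of the three functions can act without collusion.
CONFLICTS = list(combinations(sorted(FUNCTIONS), 2))


def functions_held(privileges):
    """Return the set of duty functions that a privilege set grants."""
    return {fn for fn, privs in FUNCTIONS.items() if privileges & privs}


def sod_violations(users):
    """users: {name: set(privileges)} -> {name: [(fn_a, fn_b), ...]} for offenders."""
    findings = {}
    for name, privs in users.items():
        held = functions_held(privs)
        clashes = [pair for pair in CONFLICTS if set(pair) <= held]
        if clashes:
            findings[name] = clashes
    return findings


# Constructed org 1: two IT people, both with full privileges on every system.
FLAT_ORG = {
    "alice": {"create_account", "delete_account", "read_audit_log", "delete_audit_log"},
    "bob": {"create_account", "delete_account", "read_audit_log", "delete_audit_log"},
}

# Constructed org 2: HR authorizes, a sysadmin implements, a separate person audits.
SEPARATED_ORG = {
    "hr_pat": {"approve_account_request"},
    "sysadmin_alice": {"create_account", "delete_account"},
    "auditor_bob": {"read_audit_log"},
}

if __name__ == "__main__":
    for label, org in (("flat", FLAT_ORG), ("separated", SEPARATED_ORG)):
        print(label, sod_violations(org) or "no violations")
```

Run against your own account and group exports, the same check turns "we hope they don't collude" into a list of named people who could act alone.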

So, have I changed the way you think about this control? Let me know! Reach out.



Sincerely,

Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107

Copyright 1996-2026 The Net Effect, L.L.C. All rights reserved.