Separation of Duties (SoD)
What is Separation of Duties (SoD)?
Separation of Duties (SoD): control principle that splits a sensitive task across multiple people or systems so that no single actor can complete the task alone.
Separation of duties limits fraud, error, and abuse by ensuring that a critical function requires at least two independent actors, so completing it alone demands collusion rather than a single compromised account or dishonest insider. Classic pairings are the developer who writes code and the release manager who deploys it, the requester and the approver of a payment, and the privileged-access requester and the security officer who grants the just-in-time elevation. SoD is required or expected by SOX internal-control audits, PCI DSS, ISO/IEC 27001 (the Annex A control on segregation of duties), and NIST SP 800-53 control AC-5 (Separation of Duties). It is enforced through RBAC/ABAC policies, workflow approvals, code review, multi-party authorization, and dual-control cryptographic operations. Because a user's effective permissions are the union of every role they hold, SoD has to be checked across all of a user's role assignments rather than role by role: two individually harmless roles can combine into a toxic pair. Compensating controls (logging, monitoring, periodic review) are used when full SoD is impractical in small teams; to be meaningful they must themselves be independent of the actor being watched, for example logs the actor cannot edit or delete and reviews performed by someone else.
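The multi-party authorization described above, as an added example that is not code from the original page: a change request (here a production schema migration) can only execute once two distinct approvers holding an approver role have signed off, and the requester is never allowed to count as one of them. The user names, roles, and the requirement of two approvals are assumptions made for the illustration.

```python
"""Two-person approval gate enforcing separation of duties.

Added example; role assignments and names below are constructed, not taken
from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Assumed role assignments (constructed for this example).
ROLES: dict[str, set[str]] = {
    "alice": {"developer"},
    "bob": {"developer", "senior-engineer"},
    "carol": {"senior-engineer"},
    "dave": {"senior-engineer"},
}
APPROVER_ROLE = "senior-engineer"
REQUIRED_APPROVALS = 2


class SoDViolation(Exception):
    """A step that would let one actor complete the task alone was attempted."""


@dataclass
class ChangeRequest:
    """A sensitive action gated behind approvals from independent people."""
    action: str
    requester: str
    approvers: list[str] = field(default_factory=list)
    audit: list[str] = field(default_factory=list)

    def approve(self, user: str) -> None:
        # 1. The requester never counts as an approver, whatever roles they hold.
        if user == self.requester:
            raise SoDViolation(f"{user} cannot approve their own request")
        # 2. Only holders of the approver role may sign off.
        if APPROVER_ROLE not in ROLES.get(user, set()):
            raise SoDViolation(f"{user} does not hold the {APPROVER_ROLE!r} role")
        # 3. Approvals must come from distinct people; nobody signs twice.
        if user in self.approvers:
            raise SoDViolation(f"{user} has already approved this request")
        self.approvers.append(user)
        self.audit.append(f"approved-by:{user}")

    def ready(self) -> bool:
        return len(self.approvers) >= REQUIRED_APPROVALS

    def execute(self) -> str:
        # 4. Execution re-checks the gate rather than trusting a flag set earlier.
        if not self.ready():
            raise SoDViolation(
                f"{len(self.approvers)} of {REQUIRED_APPROVALS} required approvals present")
        self.audit.append(f"executed-by:{self.requester}")
        return (f"executed {self.action!r} requested by {self.requester}, "
                f"approved by {', '.join(self.approvers)}")


def try_approve(request: ChangeRequest, user: str) -> bool:
    """Attempt an approval; on a violation record it in the audit trail and return False."""
    try:
        request.approve(user)
        return True
    except SoDViolation as exc:
        request.audit.append(f"rejected:{user}:{exc}")
        return False


if __name__ == "__main__":
    cr = ChangeRequest("alter table users add column mfa_secret", requester="bob")
    for who in ("bob", "alice", "carol", "carol", "dave"):
        print(f"{who:6s} approve -> {try_approve(cr, who)}")
    print(cr.execute())
    print("\n".join(cr.audit))
```

Note that bob holds the approver role yet is rejected as an approver of his own request: the gate keys on the requester's identity, not only on roles, which is what distinguishes separation of duties from plain RBAC.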
● Examples
- Requiring two senior engineers, neither of whom authored the change, to approve a production database schema migration.
- AWS IAM policies that deny a single identity both the ability to configure audit logging and the ability to read, modify, or delete the resulting audit logs.
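The audit-log example above is a static SoD check: no single identity may hold both sides of a conflicting permission pair. The following added example (not code from the original page, and not an AWS API call) generalises it into a small toxic-combination analyser over role assignments. It reports roles that are toxic on their own and, more importantly, users whose combined roles violate a pair even though each role is clean. The permission names, roles and users are constructed for illustration.

```python
"""Toxic-combination check for separation of duties over role assignments.

Added example with constructed data; permission strings are illustrative,
not real IAM actions.
"""
from __future__ import annotations

# Permission pairs that must never be held by one identity. The first two
# pairs mirror the audit-log example: whoever can change what is logged must
# not be able to read or destroy the logs.
SOD_CONFLICTS: list[tuple[str, str]] = [
    ("audit:configure", "audit:read"),
    ("audit:configure", "audit:delete"),
    ("payments:create", "payments:approve"),
    ("code:merge", "deploy:production"),
]

# Role and user tables, constructed for this example.
ROLE_PERMISSIONS: dict[str, set[str]] = {
    "log-admin": {"audit:configure"},
    "sec-analyst": {"audit:read"},
    "treasury-clerk": {"payments:create"},
    "treasury-manager": {"payments:approve"},
    "developer": {"code:merge"},
    "release-manager": {"deploy:production"},
    "platform-superuser": {"audit:configure", "audit:delete", "deploy:production"},
}
USER_ROLES: dict[str, set[str]] = {
    "alice": {"developer"},
    "bob": {"developer", "release-manager"},   # two clean roles, toxic together
    "carol": {"log-admin", "sec-analyst"},     # configures and reads the audit log
    "dave": {"platform-superuser"},            # conflict inside a single role
    "erin": {"treasury-clerk"},
}

# (permission_a, roles granting a, permission_b, roles granting b)
Finding = tuple[str, list[str], str, list[str]]


def effective_permissions(user: str, user_roles: dict[str, set[str]],
                          role_permissions: dict[str, set[str]]) -> set[str]:
    """Union of the permissions of every role the user holds."""
    perms: set[str] = set()
    for role in user_roles.get(user, set()):
        perms |= role_permissions.get(role, set())
    return perms


def roles_granting(user: str, permission: str, user_roles: dict[str, set[str]],
                   role_permissions: dict[str, set[str]]) -> list[str]:
    """Which of the user's roles carry the permission (needed for remediation)."""
    return sorted(r for r in user_roles.get(user, set())
                  if permission in role_permissions.get(r, set()))


def find_role_conflicts(role_permissions: dict[str, set[str]],
                        conflicts: list[tuple[str, str]]) -> list[str]:
    """Roles that violate a conflict pair by themselves."""
    return sorted(role for role, perms in role_permissions.items()
                  if any(a in perms and b in perms for a, b in conflicts))


def find_user_conflicts(user_roles: dict[str, set[str]],
                        role_permissions: dict[str, set[str]],
                        conflicts: list[tuple[str, str]]) -> dict[str, list[Finding]]:
    """Users whose combined roles violate a conflict pair; clean users are omitted."""
    findings: dict[str, list[Finding]] = {}
    for user in sorted(user_roles):
        perms = effective_permissions(user, user_roles, role_permissions)
        hits: list[Finding] = [
            (a, roles_granting(user, a, user_roles, role_permissions),
             b, roles_granting(user, b, user_roles, role_permissions))
            for a, b in conflicts if a in perms and b in perms
        ]
        if hits:
            findings[user] = hits
    return findings


if __name__ == "__main__":
    print("toxic roles:", find_role_conflicts(ROLE_PERMISSIONS, SOD_CONFLICTS))
    for user, hits in find_user_conflicts(USER_ROLES, ROLE_PERMISSIONS, SOD_CONFLICTS).items():
        for a, via_a, b, via_b in hits:
            print(f"{user}: {a} (via {via_a}) + {b} (via {via_b})")
```

Running the check per role would only flag platform-superuser; running it per user also catches bob and carol, whose conflicts exist only because of how roles accumulate on a person. That second pass is the one access reviews tend to miss.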
● Frequently asked questions
What is Separation of Duties (SoD)?
Control principle that splits a sensitive task across multiple people or systems so that no single actor can complete the task alone. It belongs to the Compliance & Frameworks category of cybersecurity.
What does Separation of Duties (SoD) mean?
Control principle that splits a sensitive task across multiple people or systems so that no single actor can complete the task alone.
How does Separation of Duties (SoD) work?
It requires that a critical function involve at least two independent actors (for example a requester and a separate approver) and is enforced through RBAC/ABAC policies, workflow approvals, code review, multi-party authorization, and dual-control cryptographic operations, with logging, monitoring, and periodic review as compensating controls where full separation is impractical. See the full definition above.
How do you implement Separation of Duties (SoD)?
Identify the sensitive functions, split each into steps that different roles must perform (request, approve, execute, review), encode that split in RBAC/ABAC policies and approval workflows so that no single identity holds a conflicting combination of permissions across all of its roles, and add independent logging and periodic access reviews as compensating controls where the organization is too small to separate every step.
What are other names for Separation of Duties (SoD)?
Common alternative names include: SoD, Segregation of Duties.
● Related terms
- Principle of Least Privilege (identity-access)
A security principle that grants every user, process, or service only the minimum privileges strictly required to perform its function, no more.
- Need-to-Know Principle (compliance)
Security principle that grants access to information only to individuals whose duties specifically require it, even if they hold the appropriate clearance.
- Role-Based Access Control (RBAC) (identity-access)
An authorization model that grants permissions to roles rather than directly to users, so users inherit access by virtue of their role assignments.
- Privileged Access Management (PAM) (identity-access)
A set of practices and tools that secure, control, monitor, and audit access to accounts and systems with elevated administrative privileges.
- Sarbanes-Oxley Act (SOX) (compliance)
U.S. federal law from 2002 that imposes governance, internal-control, and reporting requirements on publicly traded companies to protect investors.
- PCI DSS (compliance)
A global information-security standard for organizations that store, process, or transmit payment card data, maintained by the PCI Security Standards Council.