---+ OIS-04 Segregation of Duties

---++ 1. Overview

| *Designation* | *Standard* |
| OIS-04.01B | Conflicting tasks and responsibilities are segregated based on a risk assessment in accordance with OIS-07 to reduce the risk of unauthorised or unintended changes to or misuse of cloud service customer data, cloud service derived data and cloud service provider data. The risk assessment covers the following areas, insofar as these are applicable to the provision of the cloud service and fall within the area of responsibility of the cloud service provider: %BR% 1. Administration of a role, rights and authorisation framework based on role-based access control and the business and security requirements of the cloud service provider (cf. IAM-01); %BR% 2. Development, testing and release of changes (cf. DEV-01); %BR% 3. Risk management (cf. OIS-07); and %BR% 4. Operation of the system components. %BR% Identified events that may constitute unauthorised or unintentional changes to or misuse of cloud service customer data, cloud service derived data and cloud service provider data may, for example, be treated as a security incident (cf. SIM-01). %BR% In the context of segregation of duties, the area of risk management refers to the so-called lines of defence: roles that review risks (second line of defence) are distinct from roles that own risks (first line of defence). |
| OIS-04.02B | Mitigating measures are outlined in the risk treatment plan (cf. OIS-09) and implemented by the cloud service provider in a way that prioritises the segregation of duties. |
| OIS-04.03B | If segregation of duties cannot be implemented due to organisational or technical constraints, the cloud service provider establishes and operates compensating controls to monitor the relevant activities. These controls are designed to detect unauthorised or unintended changes, misuse of data, or violations of operational policies, and to enable timely and appropriate response actions. |
| OIS-04.04B | An inventory of conflicting tasks, responsibilities and resolving measures is established and maintained by the cloud service provider. For the assignment, change or revocation of roles, rights and authorities, the cloud service provider enforces the segregation of duties. |
| OIS-04.01AC | To resolve conflicting roles, the measures associated with the segregation of duties are monitored and enforced by the cloud service provider. |
| OIS-04.02AC | Timely and appropriate remediation measures address any deviations identified during monitoring. |
---++ 2. Identified Requirements

| *Source* | *Requirement* |

---++ 3. Related Regulations

| *Source* | *Regulation* |