AC-5 Separation of Duties

Description

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example:

  1. dividing mission functions and information system support functions among different individuals and/or roles;
  2. conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and
  3. ensuring security personnel administering access control functions do not also administer audit functions.

Applicability

The owner of an information resource, or designee, is responsible for identifying the relevant information technology roles for custodians or users of their information resources.

Separation of duties must be implemented such that operational information resource functions are separated into distinct jobs to prevent a single person from harming a development or operational information resource or the services it provides, whether by an accidental act, omission, or intentional act.

Implementation

TAMU-CC shall:

  1. Separation of the development, test and operational environments will be implemented, either logically or physically:
    1. Development and operational software must, where possible, run on different computer processors, or in different domains and directories;
    2. Development and testing activities must be separated; and
    3. Compilers, editors, and other system utilities must not be accessible from operational systems when not required.
  2. Each individual who uses administrator or special access accounts shall use the account or access privilege most appropriate for the requirements of the work being performed (e.g., user account vs. administrator account).
  3. TAMU-CC shall maintain a list(s) of personnel who have administrator or special access accounts for unit information resources. The list(s) shall be reviewed at least annually by the appropriate unit head, information resource owner or their designee.
  4. In the course of their normal duties to assure the availability, integrity, utility, authenticity and confidentiality of information resources, information resources custodians with special access privileges may routinely access descriptive data to investigate various events related to the performance or security of those resources. Personnel from the Division of IT may also routinely investigate events related to the performance and the secure operation of the TAMU-CC network. Information resource owners may at times also access user data in maintaining the operational integrity and security of information resources. Information resource custodians shall, however, maintain the confidentiality of user data to the extent practical and not divulge user data except to authorized university officials (such as described in Section 3).
  5. In situations requiring special access privileges to conduct investigations, the Chief Information Security and Privacy Officer (CISPO), or the Compliance department or Human Resources department (with a copy to the CISPO) shall seek authorization to access the files and email accounts of individuals employed by or attending TAMU-CC, as follows:
    1. Faculty/Staff
      1. For access to accounts involving Faculty & Staff, approval must be obtained from any three (3) of the following:
        1. President
        2. Provost/Vice-President for Academic Affairs
        3. Vice-President for Finance & Administration
        4. Chief Ethics & Compliance Officer
        5. Vice President for Institutional Excellence
        6. Executive Vice President for Research and Innovation
    2. Students
      1. For access to accounts involving Students, approval must be obtained from any three (3) of the following:
        1. President
        2. Vice-President for Student Affairs
        3. Dean of Students
        4. Associate Dean of Students
        5. Senior Student Conduct Officer
        6. Executive Vice President for Research and Innovation
        7. Chief Ethics & Compliance Officer
      2. Investigations conducted beyond the normal routines outlined in Section 4 and involving user data shall ensure that any user data is revealed only to disinterested third parties as outlined in Section 4 and all the requirements of privacy laws are maintained (e.g., Health Insurance Portability and Accountability Act, Family Educational Rights and Privacy Act, the Texas Public Information Act).
      3. In those cases where law enforcement agencies request access in conjunction with an investigation, the request shall be in writing (e.g., subpoena, court order). All such requests shall be reported to the appropriate unit head, director, or their designee upon receipt as well as the Office of General Counsel.
      4. Each individual who uses administrator or special access accounts shall use the account or access privilege most appropriate for the requirements of the work being performed (e.g., user account vs. administrator account).
      5. The password for a shared administrator or special access account shall change under any one of the following conditions:
        1. an individual knowing the password leaves the Texas A&M department;
        2. job duties change such that the individual no longer performs functions requiring administrator or special access; or
        3. a contractor or vendor with such access leaves or completes their work.
      6. In the case where an information resource has only one administrator account, there shall be a password escrow procedure in place such that an appropriate individual other than the person assigned an administrator account can gain access to the account in an emergency situation.
      7. When special access accounts are needed for internal or external audit, software development, software installation or other defined need, the need must be:
        1. authorized such as those situations specified in Section 4;
        2. created with a specific expiration date; and
        3. removed when the work is complete.
      8. TAMU-CC shall ensure adequate controls and separation of duties for tasks that are susceptible to fraudulent or other unauthorized activity.

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019