Separation of Duties

Overview

The Health IT security office manages access to information systems to ensure that all Medical Center employees adhere to the principle of separation of duties. Adherence to this principle prevents any one individual from completing a high-risk task independently. Thus, no single person has total control of a system's security mechanisms, which protects the system from compromise.

Purpose

This standard provides an outline for how separation of duties and the security principle of 'least privilege' are accomplished within the Medical Center.

Scope

This standard applies to all UVa Medical Center employees and customers who have access to Medical Center information systems.

Description

The National Institute of Standards and Technology (NIST) Special Publication 800-53 defines separation of duties as follows: “Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion.” On least privilege, it states: “Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege.”

  • All access to information systems should be limited to prevent any one individual from having sole ownership of a system. See Medical Center Policy 0163: Access to Electronic Medical Records and Institutional Systems.
  • Health IT security owns and maintains the Online Access Request (OAR) application, which is used to request access to information systems.
  • Managers, supervisors, and employees/customers must adhere to the security principle of least privilege and should only request access that is needed to perform their job duties.
  • Managers and supervisors will only approve access that has been deemed necessary for the employee/customer to perform their job duties.
  • Managers and supervisors will review all employee access at least annually to ensure each employee/customer has the appropriate level of access (see Supervisor Review Form).
  • System owners will maintain and update the information system guidelines they are responsible for. These guidelines will be used when approving or denying access to an information system.
  • Before access is granted, the customer/employee must read and sign the Electronic User Attestation (see Account Agreement Form).
  • Supervisors, system owners, and information security have the right to deny access at any time if the access requested is deemed inappropriate for the user’s job role.

Document Supporting Resources