Glossary · Compliance concepts
What is Segregation of Duties?
Also known as: SoD, Separation of Duties, Division of Responsibilities
Segregation of duties (SoD) is the practice of splitting a critical task across multiple people so that no single individual can complete a sensitive action alone. By requiring more than one person, it reduces the chance of fraud and error and creates a natural check on powerful actions. SoD is a foundational control in both security and financial compliance.
Key takeaways
- Segregation of duties stops one person from controlling an entire sensitive process.
- It guards against both fraud and honest mistakes by requiring a second party.
- Classic examples include splitting who requests, approves, and executes a change.
- SoD is enforced and verified through access reviews and approval workflows.
- Small teams often need compensating controls where full separation is impractical.
What problem does segregation of duties solve?
When one person can initiate, approve, and execute a sensitive action with no oversight, there is nothing standing between a single mistake or a single bad actor and real damage. Segregation of duties breaks that chain by distributing the steps across different people.
The principle is old and intuitive: the person who requests a payment should not also approve it, and the developer who writes a change should not be the only one who pushes it to production. Each handoff is an opportunity to catch an error or block misuse.
Where segregation of duties applies
SoD shows up wherever a process is powerful enough that unilateral control is dangerous. Common patterns include separating the following responsibilities.
- Requesting versus approving access or privileges.
- Writing code versus approving and deploying it to production.
- Initiating a payment versus authorizing and reconciling it.
- Administering a system versus reviewing its logs.
- Creating user accounts versus auditing them.
SoD is tightly linked to least privilege: both aim to ensure no individual holds more combined power than their role legitimately needs, limiting the damage from a mistake or a compromised account.
Enforcing and verifying SoD
Segregation of duties is enforced through technical and procedural means, such as role design, approval workflows, and system permissions that prevent toxic combinations of access. It is verified through review.
Periodic access reviews are a primary way to confirm SoD holds in practice, by surfacing any user who has accumulated a conflicting combination of rights. Ongoing continuous control monitoring can flag such conflicts as they arise.
In small organizations, full separation is sometimes impossible because too few people are available. In those cases, a documented compensating control such as independent after-the-fact review of one person's actions is the accepted alternative.
Frequently asked questions
- What is a toxic combination of access?
- It is a set of permissions that, held by one person, lets them complete a sensitive process unchecked, such as both creating and approving payments. Identifying and breaking up these combinations is the core of enforcing SoD.
- How do small teams handle segregation of duties?
- When there are not enough people to fully separate duties, organizations use compensating controls, such as independent review of a single person's actions or additional logging and oversight, and document the constraint.
- How is segregation of duties different from least privilege?
- Least privilege limits how much access one person has, while segregation of duties splits a single process across people. They reinforce each other but address different angles of the same goal.
- How do auditors test segregation of duties?
- Auditors look for role and access designs that prevent conflicting permissions, plus evidence from access reviews and approval workflows showing that sensitive actions genuinely require more than one person.