Separation of Duties (SoD) divides critical tasks among multiple people so that no single individual can complete a high-risk process alone. The person who requests a purchase order cannot also approve it. The developer who writes code cannot deploy it to production without review. The accountant who cuts checks cannot also reconcile bank statements.
SoD prevents fraud, reduces errors, and limits insider threats. Even if one person becomes malicious or makes mistakes, the involvement of others provides checks. The principle is foundational to internal controls and compliance frameworks.
CISSP Relevance
SoD appears in Domain 1 (Security and Risk Management) under governance and Domain 5 (Identity and Access Management) for implementation. Exam questions test understanding of which duties must be separated and how access controls enforce separation. Know the difference between SoD (one process split into steps that different people perform in sequence) and dual control (two people must act together at the same time to complete a single step).
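To show how the three examples above and the SoD-versus-dual-control distinction translate into an enforceable check, here is an added example written for this page (it is not ISACA's or any CISSP material). It runs two kinds of SoD check, a preventive one over role assignments and a detective one over an action log, plus a dual-control check; the role and user names, duty labels, timestamps and the 300-second window are all constructed.

```python
# Added example: a toy Separation-of-Duties checker in two modes,
# preventive (do any user's roles combine conflicting duties?) and
# detective (did one person perform conflicting duties in one process?),
# plus a dual-control check. All names and data below are constructed.
from dataclasses import dataclass

# Duty pairs that must not be held or performed by one person
# (constructed, mirroring the page's three examples).
CONFLICTING_DUTIES = {
    frozenset({"request_po", "approve_po"}),
    frozenset({"write_code", "deploy_code"}),
    frozenset({"issue_check", "reconcile_bank"}),
}

@dataclass(frozen=True)
class Action:
    process_id: str   # one purchase order, one release, one vault opening
    actor: str
    duty: str
    ts: int           # seconds since epoch (constructed values)

def role_conflicts(role_duties, user_roles):
    """Preventive SoD: flag users whose combined roles grant both halves of a
    conflicting pair, whether or not they have used them yet."""
    findings = []
    for user, roles in sorted(user_roles.items()):
        duties = set()
        for r in roles:
            duties |= role_duties.get(r, set())
        for pair in CONFLICTING_DUTIES:
            if pair <= duties:
                findings.append((user, tuple(sorted(pair))))
    return sorted(findings)

def action_conflicts(actions):
    """Detective SoD: flag process instances in which one actor performed
    both halves of a conflicting pair."""
    seen = {}  # (process_id, actor) -> set of duties performed
    for a in actions:
        seen.setdefault((a.process_id, a.actor), set()).add(a.duty)
    findings = []
    for (pid, actor), duties in seen.items():
        for pair in CONFLICTING_DUTIES:
            if pair <= duties:
                findings.append((pid, actor, tuple(sorted(pair))))
    return sorted(findings)

def dual_control_met(actions, process_id, duty, window_s=300):
    """Dual control differs from SoD: the *same* duty must be exercised by at
    least two distinct people together (here: within window_s seconds)."""
    stamps = [a for a in actions if a.process_id == process_id and a.duty == duty]
    if len({a.actor for a in stamps}) < 2:
        return False
    times = [a.ts for a in stamps]
    return max(times) - min(times) <= window_s

# Constructed role model and user assignments.
ROLE_DUTIES = {
    "buyer": {"request_po"},
    "po_approver": {"approve_po"},
    "developer": {"write_code"},
    "release_mgr": {"deploy_code"},
    "ap_clerk": {"issue_check"},
    "controller": {"reconcile_bank"},
    "vault_officer": {"open_vault"},
}
USER_ROLES = {
    "alice": {"buyer"},
    "bob": {"po_approver"},
    "carol": {"developer", "release_mgr"},   # toxic combination of roles
    "dave": {"ap_clerk"},
    "erin": {"controller", "vault_officer"},
    "frank": {"vault_officer"},
}

# Constructed action log.
ACTIONS = [
    Action("PO-1001", "alice", "request_po", 1000),
    Action("PO-1001", "bob", "approve_po", 1600),
    Action("PO-1002", "alice", "request_po", 2000),
    Action("PO-1002", "alice", "approve_po", 2300),   # self-approval
    Action("REL-7", "carol", "write_code", 3000),
    Action("REL-7", "carol", "deploy_code", 3100),    # wrote and deployed
    Action("VAULT-1", "erin", "open_vault", 4000),
    Action("VAULT-1", "frank", "open_vault", 4060),   # two people together
    Action("VAULT-2", "erin", "open_vault", 5000),
    Action("VAULT-2", "erin", "open_vault", 5010),    # one person twice
]

def run_checks():
    """Run all three checks over the constructed data and return the findings."""
    return {
        "role_conflicts": role_conflicts(ROLE_DUTIES, USER_ROLES),
        "action_conflicts": action_conflicts(ACTIONS),
        "vault1_dual": dual_control_met(ACTIONS, "VAULT-1", "open_vault"),
        "vault2_dual": dual_control_met(ACTIONS, "VAULT-2", "open_vault"),
    }

if __name__ == "__main__":
    for name, result in run_checks().items():
        print(name, result)
```

The preventive check is what an access-control system enforces at assignment time (carol's two roles would be refused or sent for exception approval); the detective check is what an audit review runs over logs afterwards (alice approving her own purchase order). The vault check shows why dual control is a different control: the conflict is not between two duties but in one duty being carried out by a single person alone.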
ISACA provides guidance on SoD in its journal resources.
Related terms: Least Privilege, Governance