When to use this
Practical use
Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.
Use this to identify incompatible duties and document whether they are segregated or covered by compensating controls.
| Process / System | Conflicting duty 1 | Conflicting duty 2 | Risk | Segregated? | Compensating control | Owner | Review frequency |
|---|---|---|---|---|---|---|---|
| Access management | Request access | Approve access | Unauthorized access | Yes/No | Access review, approval workflow | System Owner | Quarterly |
| Production deployment | Develop code | Deploy to production | Unauthorized or untested changes | Yes/No | Peer review, CI/CD approval | Engineering Manager | Per release |
| Security logging | Perform admin activity | Modify/delete logs | Evidence tampering | Yes/No | Immutable logging, SIEM review | Security Lead | Weekly |
| Supplier payments | Create vendor | Approve payment | Fraud | Yes/No | Finance review, dual approval | Finance Manager | Monthly |
| Backup administration | Manage backups | Delete backup sets | Loss of recovery capability | Yes/No | Deletion approval, backup reports | IT Manager | Monthly |
| Vulnerability remediation | Own remediation | Validate closure | False closure of findings | Yes/No | Security validation | CISO | Monthly |
- Template
- Sod
- A5 3
Note Metadata
Aliases: Segregation of Duties Matrix
Source: 90 Templates/Segregation of Duties Matrix.md