UnixTime

Research Note

Template - Segregation of Duties Matrix

Use this to identify incompatible duties and document whether they are segregated or covered by compensating controls.

On this page

When to use this

Practical use

Use this as a working artifact. Fill it with real owners, dates, decisions, evidence locations, and review status.

Use this to identify incompatible duties and document whether they are segregated or covered by compensating controls.

Process / System Conflicting duty 1 Conflicting duty 2 Risk Segregated? Compensating control Owner Review frequency
Access management Request access Approve access Unauthorized access Yes/No Access review, approval workflow System Owner Quarterly
Production deployment Develop code Deploy to production Unauthorized or untested changes Yes/No Peer review, CI/CD approval Engineering Manager Per release
Security logging Perform admin activity Modify/delete logs Evidence tampering Yes/No Immutable logging, SIEM review Security Lead Weekly
Supplier payments Create vendor Approve payment Fraud Yes/No Finance review, dual approval Finance Manager Monthly
Backup administration Manage backups Delete backup sets Loss of recovery capability Yes/No Deletion approval, backup reports IT Manager Monthly
Vulnerability remediation Own remediation Validate closure False closure of findings Yes/No Security validation CISO Monthly