HECVAT Full v3.0.6
Application/Service Security
APPL-09

Question APPL-09

Does your application provide separation of duties between security administration, system administration, and standard user functions?

Weight: 40
High Risk: Yes
Required: Yes
Compliant Answer: Yes

Standard Guidance

EDUCAUSE provides no guidance here

Answering "NO"

State your plans to implement functionality that provides separation of duties between security administration, system administration, and standard user functions, including the expected timeline.

Answering "YES"

Describe, or provide a reference to, the facilities available in the system that provide separation of duties between security administration, system administration, and standard user functions (for example, distinct roles with non-overlapping privileges and controls that prevent one account from holding both administrative roles).

Reason for Question

Operating a software product or service usually involves more than one team administering the system; this question concerns two of them, security operations and systems administration. It asks how system administration is implemented in the vendor's organization and how duties are segregated, so that the people who administer systems do not also hold security responsibilities for those same systems (e.g., monitoring, mitigating, reporting). Without that separation, an administrator who misconfigures or compromises a system is also the person expected to detect and report it.

Follow-Up Inquiries

If the vendor does not use role-based access control (RBAC), ask them to summarize how they secure administration of their system(s) without it, and how the separation between security administration, system administration, and standard user functions is enforced rather than merely documented. Make sure you understand the administrative requirements and overhead this introduces in the vendor's environment, since separation that is costly to maintain tends to erode over time.
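The kind of facility the "Answering YES" guidance and the follow-up inquiry above are probing for can be shown concretely as a static separation-of-duties check over an RBAC role model. The following is an added illustrative example, not code from HECVAT, EDUCAUSE, or any vendor product; the role names, permission strings, conflict rules, and the sample user assignments are all constructed for illustration. It enforces the separation two ways: at role-definition time (no single role may straddle operating the platform and policing it) and at assignment time (no principal may hold both administrative roles), and it also offers a preventive check to run before a grant is made.

```python
"""Static separation-of-duties (SoD) checks over a simple RBAC model.

Added illustrative example. Roles, permissions, conflict rules and the
sample assignments below are constructed and are not from any real product.
"""
from itertools import combinations

# Role -> permissions. Standard users, system administrators and security
# administrators each get a disjoint set of capabilities.
ROLES = {
    "standard_user": {"ticket:read", "ticket:create", "profile:edit"},
    "system_admin": {"host:deploy", "host:restart", "db:migrate", "config:write"},
    "security_admin": {"audit_log:read", "audit_log:export", "alert:triage",
                       "user:lock", "policy:write"},
}

# Static SoD rule 1: these role pairs may never be held by one principal.
MUTUALLY_EXCLUSIVE_ROLES = {frozenset({"system_admin", "security_admin"})}

# Static SoD rule 2: permission groups that may never coexist in one role
# definition. Whoever can change the platform must not also be able to
# police it (export/alter the audit trail, triage alerts, lock users).
CONFLICTING_PERMISSION_GROUPS = [
    ({"host:deploy", "host:restart", "db:migrate", "config:write"},
     {"audit_log:export", "alert:triage", "user:lock", "policy:write"}),
]


def effective_permissions(assigned_roles, roles=ROLES):
    """Union of permissions over a principal's roles; unknown roles are an error."""
    perms = set()
    for role in assigned_roles:
        if role not in roles:
            raise KeyError(f"unknown role: {role}")
        perms |= roles[role]
    return perms


def role_definition_violations(roles=ROLES, groups=CONFLICTING_PERMISSION_GROUPS):
    """Names of roles whose own permission set straddles a conflicting pair of groups."""
    bad = []
    for name, perms in roles.items():
        if any(perms & left and perms & right for left, right in groups):
            bad.append(name)
    return sorted(bad)


def assignment_violations(assignments, exclusive=MUTUALLY_EXCLUSIVE_ROLES):
    """(user, role_a, role_b) triples where one principal holds an excluded pair."""
    found = []
    for user, assigned in assignments.items():
        for a, b in combinations(sorted(set(assigned)), 2):
            if frozenset({a, b}) in exclusive:
                found.append((user, a, b))
    return sorted(found)


def can_grant(user, new_role, assignments, exclusive=MUTUALLY_EXCLUSIVE_ROLES):
    """Preventive check: refuse a grant that would create an excluded role pair."""
    held = set(assignments.get(user, ()))
    return all(frozenset({new_role, r}) not in exclusive for r in held)


# Constructed sample assignments. "dave" holds both administrative roles,
# which is exactly the situation the question is meant to rule out.
SAMPLE_ASSIGNMENTS = {
    "alice": ["standard_user"],
    "bob": ["system_admin"],
    "carol": ["security_admin"],
    "dave": ["system_admin", "security_admin"],
    "erin": ["standard_user", "security_admin"],
}

if __name__ == "__main__":
    print("role definitions:", role_definition_violations() or "ok")
    print("assignments:", assignment_violations(SAMPLE_ASSIGNMENTS) or "ok")
    print("grant security_admin to bob?",
          can_grant("bob", "security_admin", SAMPLE_ASSIGNMENTS))
```

Running the detective checks periodically (against an export of the real role store) catches drift that accumulates through ad hoc grants; running `can_grant` in the provisioning path stops the conflict from being created in the first place. A standard user who is also a security administrator (erin) is allowed by this model, since the conflict the question targets is between the two administrative functions, not between administration and ordinary use.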
