SB.9.016 Authorization Matrix

High / High / High
Identity & Access Management
Process Owner
Version: v2.0 (Q1 2024)

Process owners are responsible for an authorization matrix listing who has what access to data and functionality in relevant systems, in what capacity.

The authorization matrix includes roles, the authorizations contained in each role, individuals, and the roles each individual is allowed to hold.

Optionally, job functions can be used to identify which roles belong to those functions. If there are conflicts between certain authorizations that cannot be granted simultaneously, the authorization matrix identifies which combinations of authorizations are not allowed.

Specification

The authorization matrix is updated immediately after changes are requested and approved, so that it remains up to date. An IST/SOLL control (a comparison of the actual situation with the intended situation) is performed and approved by the process owner.

Sensitive tasks and responsibilities are separated and require at least two individuals to complete the process. Roles may not be combined where the combination could give rise to damage, such as the possibility of committing fraud. Process owners are responsible for identifying the roles within the process where segregation of duties is necessary. Conflicting roles are marked as such in the authorization matrix.
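The matrix structure described above (roles, the authorizations in each role, individuals and their allowed roles, forbidden authorization combinations) and the two checks in the specification (marking conflicting roles, and the IST/SOLL comparison against what a system actually grants) can be expressed as a small script. The following is an added example, not part of the SURF control text or any SURF tooling; every role, authorization, person and system grant in it is constructed sample data, and the function names are the example's own.

```python
"""Added example (not from the SURF control text): a minimal authorization
matrix with segregation-of-duties checks and an IST/SOLL comparison.
All roles, authorizations, people and system grants are constructed samples."""
from itertools import combinations

# SOLL side of the matrix: each role and the authorizations it contains.
ROLES = {
    "invoice_clerk": {"invoice.create", "invoice.edit"},
    "invoice_approver": {"invoice.approve"},
    "payment_operator": {"payment.release"},
    "auditor": {"invoice.read", "payment.read"},
}

# Authorization pairs that one person may never hold together, because the
# combination could enable fraud (the "not allowed" combinations of the matrix).
CONFLICTS = {
    frozenset({"invoice.create", "invoice.approve"}),
    frozenset({"invoice.approve", "payment.release"}),
}

# The people side of the matrix: which roles each individual may hold.
# carol's assignment deliberately violates segregation of duties.
ASSIGNMENTS = {
    "alice": {"invoice_clerk"},
    "bob": {"invoice_approver"},
    "carol": {"invoice_clerk", "invoice_approver"},
    "dave": {"auditor"},
}


def effective_authorizations(person, assignments=ASSIGNMENTS, roles=ROLES):
    """Union of the authorizations in every role the person is allowed to hold."""
    auths = set()
    for role in assignments.get(person, ()):
        if role not in roles:
            raise KeyError(f"unknown role {role!r} assigned to {person}")
        auths |= roles[role]
    return auths


def find_sod_violations(assignments=ASSIGNMENTS, roles=ROLES, conflicts=CONFLICTS):
    """Map each person whose combined roles contain a forbidden authorization
    combination to the sorted list of conflicting pairs they hold."""
    violations = {}
    for person in assignments:
        held = effective_authorizations(person, assignments, roles)
        hits = sorted(tuple(sorted(pair)) for pair in conflicts if pair <= held)
        if hits:
            violations[person] = hits
    return violations


def conflicting_roles(roles=ROLES, conflicts=CONFLICTS):
    """Role pairs whose combined authorizations contain a forbidden pair.
    These are the roles to mark as conflicting in the matrix."""
    marked = set()
    for r1, r2 in combinations(sorted(roles), 2):
        combined = roles[r1] | roles[r2]
        if any(pair <= combined for pair in conflicts):
            marked.add((r1, r2))
    return marked


def reconcile(ist, assignments=ASSIGNMENTS, roles=ROLES):
    """IST/SOLL control: compare what a system actually grants (IST) with what
    the matrix allows (SOLL). Returns, per person with a deviation, the excess
    and missing authorizations; an empty dict means the system matches."""
    findings = {}
    for person in set(ist) | set(assignments):
        soll = effective_authorizations(person, assignments, roles)
        actual = set(ist.get(person, ()))
        excess, missing = actual - soll, soll - actual
        if excess or missing:
            findings[person] = {"excess": sorted(excess), "missing": sorted(missing)}
    return findings


# Constructed export of the grants actually present in the target system.
IST_EXPORT = {
    "alice": {"invoice.create", "invoice.edit", "payment.release"},  # excess grant
    "bob": {"invoice.approve"},
    "carol": {"invoice.create", "invoice.edit", "invoice.approve"},
    "dave": {"invoice.read"},  # payment.read missing
    "erin": {"invoice.read"},  # account not in the matrix at all
}

if __name__ == "__main__":
    print("conflicting role pairs:", sorted(conflicting_roles()))
    print("SoD violations:", find_sod_violations())
    print("IST/SOLL findings:", reconcile(IST_EXPORT))
```

Two design points matter for a real matrix. Conflicts are defined on authorizations rather than on role names, so a new role that happens to bundle a forbidden pair is caught without updating the conflict list; and the IST/SOLL comparison iterates over the union of both sides, so an account that exists in the system but not in the matrix (erin above) is reported as excess rather than silently ignored.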

ISO 27001 & 27002:2022

A5.2,
A5.3,
A5.15,
A5.16,
A5.17,
A5.18,
A8.2

SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)

ID.01 Access rules