SID-ORG-02 — Roles, Responsibilities, and Segregation of Duties
| Property | Value |
|---|---|
| Owner | operator |
| Category | policy |
| CSF Function | govern |
| Group | Governance and Policy Controls |
Description
Define and assign information security roles and responsibilities. Segregate conflicting duties to prevent a single person from controlling security-sensitive end-to-end processes.
Implementation requirements:
(1) Role taxonomy: document at minimum — Platform Administrator,
Wallet Operator, Credential Issuer Authority, Auditor, and
End-User Support. Each role MUST have a written description of
responsibilities and permitted actions.
(2) Conflicting duty pairs that MUST be separated:
- Development vs. production deployment (no self-deploy)
- Key management vs. audit/oversight
- Credential issuance authority vs. platform administration
- Code author vs. merge approver (no self-merge to main/prod)
(3) GitHub branch protection: require ≥1 reviewer, CODEOWNERS review
for sensitive paths (/internal/, /pkg/pki/, config files),
disallow self-approval. Enforce via repository ruleset.
(4) Admin access: admin API tokens MUST be per-role, not shared.
Token lifecycle and rotation policy MUST be documented.
(5) Organizational chart: document and maintain showing security
governance reporting lines; review annually.
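An added audit check for item (3), not part of this control text or the platform's code: it reads a GitHub ruleset export (shaped like GitHub's REST ruleset object) and a CODEOWNERS file and reports which branch-protection requirements are met. The sample ruleset, the @org/... team names, and the reading of "config files" as *.yaml are constructed assumptions.

```python
import json

# Constructed sample shaped like a GitHub REST ruleset object; all values are assumptions.
SAMPLE_RULESET = json.dumps({
    "name": "main-protection", "target": "branch", "enforcement": "active",
    "conditions": {"ref_name": {"include": ["refs/heads/main"], "exclude": []}},
    "rules": [{"type": "pull_request", "parameters": {
        "required_approving_review_count": 1,
        "require_code_owner_review": True,
        "require_last_push_approval": True}}],
})

# Constructed CODEOWNERS; the @org/... team names are placeholders.
SAMPLE_CODEOWNERS = """# pattern        owners
/internal/       @org/platform-admins
/pkg/pki/        @org/pki-owners
*.yaml           @org/platform-admins
"""

SENSITIVE_PATTERNS = ("/internal/", "/pkg/pki/", "*.yaml")  # "config files" taken as *.yaml (assumption)

def parse_codeowners(text):
    """Return [(pattern, [owners])] for each non-comment CODEOWNERS line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            pattern, *owners = line.split()
            entries.append((pattern, owners))
    return entries

def codeowners_cover(entries, required):
    """True if every required pattern appears verbatim with at least one owner."""
    owned = {pattern for pattern, owners in entries if owners}
    return all(req in owned for req in required)

def check_branch_protection(ruleset_json, codeowners_text, required=SENSITIVE_PATTERNS):
    """Map each requirement of item (3) to True/False for the given ruleset export."""
    rs = json.loads(ruleset_json)
    pr = next((r.get("parameters", {}) for r in rs.get("rules", []) if r.get("type") == "pull_request"), {})
    protected = rs.get("conditions", {}).get("ref_name", {}).get("include", [])
    return {
        "active_on_main": rs.get("enforcement") == "active" and "refs/heads/main" in protected,
        "min_one_reviewer": pr.get("required_approving_review_count", 0) >= 1,
        "codeowner_review": bool(pr.get("require_code_owner_review")),
        # GitHub already blocks a PR author approving their own PR; this also blocks the last pusher.
        "no_self_approval": bool(pr.get("require_last_push_approval")),
        "codeowners_cover_sensitive": codeowners_cover(parse_codeowners(codeowners_text), required),
    }
```

Any False in the returned map is a finding to record against the review criteria below.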
Note: The platform enforces multi-tenant isolation and SPOCP policy-based authorization (SID-ACCESS-01, SID-ACCESS-04) as technical controls underpinning this policy.
Review criteria: documented role taxonomy, branch protection rules verified, conflicting-duty pairs documented with separation evidence, admin token inventory reviewed.
Source References
Framework Requirements
EUDI Security Requirements: GEN-7.1.1-01
ISO 27001 Annex A: A.5.2, A.5.3
GDPR Checklist: Designate someone responsible for ensuring GDPR