Ensure Separation of Duties for Gateway Admins
Different people handle administrative tasks for gateways to reduce security risks.
Plain language
Separating duties for those who manage the gateways of a network means different people handle different tasks to reduce risks. This is important because if one person controls everything, they could make a mistake or do something harmful, putting the whole network at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Separation of duties is implemented in performing administrative activities for gateways.
Why it matters
Without separation of duties for gateway admins, a single error or malicious act could change gateway rules and expose the network to unauthorised access.
Operational notes
Define distinct gateway admin tasks (e.g., rule changes vs approval), enforce dual approval for changes, and review role assignments regularly to prevent overlap.
Implementation tips
- Managers should assign different tasks to different people within the IT team for managing gateways. Clearly define roles such as monitoring, update management, and access control to separate responsibilities effectively. Make sure each person knows their specific duties and who they need to report to.
- The IT team should establish clear procedures for each gateway management task. Define detailed steps for tasks like updating software, managing user access, and monitoring activity. Document these procedures in a 'Gateway Management Handbook' for consistency and clarity.
- An IT manager should perform a regular review of the assigned roles and tasks. Schedule quarterly check-ins to discuss roles and assess if any changes or updates are required due to shifts in personnel or technology. Document any changes and circulate them to the team.
- Human Resources should ensure that all new IT team members receive training on the importance of separated duties. Include an introductory session on their specific responsibilities when managing gateways, using real-life examples to illustrate the risks of not following procedures.
- The cybersecurity coordinator should implement checks and balances for each gateway task. Design specific oversight processes, like audits and peer reviews, to catch mistakes or malicious activities early. Conduct these checks according to a set schedule and revise them if necessary.
Audit / evidence tips
- Ask: the list of personnel assigned to gateway management tasks. Request documentation that lists who is responsible for each specific task.
  Good: distinct names and clear task delineation per person.
- Good: procedures are comprehensive, regularly updated, and accessible to all relevant team members.
- Ask: records of quarterly role review meetings. Request minutes or notes from these meetings.
  Good: documented discussions and decisions, with date and attendees listed.
- Good: documents include practical examples and outline specific responsibilities for new team members.
- Ask: records of gateway task audits or peer reviews. Request reports from recent reviews.
  Good: detailed review notes with issues identified and corrective actions taken.
Cross-framework mappings
How ISM-0616 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (1)

| Control | Notes |
|---|---|
| Annex A 5.2 | ISM-0616 requires separation of duties in performing administrative activities for gateways |
E8
Supports (2)

| Control | Notes |
|---|---|
| E8-RA-ML1.2 | ISM-0616 requires organisations to implement separation of duties when performing administrative activities for gateways to reduce the ri... |
| E8-RA-ML2.4 | ISM-0616 requires administrative activities for gateways to be performed with separation of duties so that no single person can unilatera... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.