https://cmmcwiki.org/index.php?action=history&feed=atom&title=LLMResponse_AC.L2-3.1.4.aLLMResponse AC.L2-3.1.4.a - Revision history2026-05-31T11:46:23ZRevision history for this page on the wikiMediaWiki 1.43.8https://cmmcwiki.org/index.php?title=LLMResponse_AC.L2-3.1.4.a&diff=1568&oldid=prevDavid: Created page with "Ranking Evidence Types for Assessment Objective [a] For the assessment objective "[a] the duties of individuals requiring separation are defined," I'll rank the evidence types supported by assessment objects from most to least valuable: == Evidence Type Ranking == 1. **Documents (highest value)** - Access control policy documents - Written procedures addressing divisions of responsibility and separation of duties - System security plan with defined separation..."2025-04-30T02:29:31Z<p>Created page with "Ranking Evidence Types for Assessment Objective [a] For the assessment objective "[a] the duties of individuals requiring separation are defined," I'll rank the evidence types supported by assessment objects from most to least valuable: == Evidence Type Ranking == 1. **Documents (highest value)** - Access control policy documents - Written procedures addressing divisions of responsibility and separation of duties - System security plan with defined separation..."</p>
<p><b>New page</b></p><div>Ranking Evidence Types for Assessment Objective [a]<br />
<br />
For the assessment objective "[a] the duties of individuals requiring separation are defined," I'll rank the evidence types supported by assessment objects from most to least valuable:<br />
<br />
== Evidence Type Ranking ==<br />
<br />
1. **Documents (highest value)**<br />
- Access control policy documents<br />
- Written procedures addressing divisions of responsibility and separation of duties<br />
- System security plan with defined separation requirements<br />
- List of divisions of responsibility and separation of duties<br />
- Job descriptions that specify segregated duties<br />
<br />
2. **Artifacts**<br />
- System configuration settings showing role separations<br />
- Role matrices showing incompatible functions<br />
- Access control lists demonstrating separation implementation<br />
- Organizational charts showing functional separation<br />
<br />
3. **Physical Review**<br />
- On-site verification of physical access controls supporting separation<br />
- Observation of work areas arranged to support separation<br />
<br />
4. **Screen Share (lowest value)**<br />
- Demonstration of access control systems showing separation enforcement<br />
- Viewing system configurations that implement separation<br />
<br />
== Assessment Approach Prioritization ==<br />
<br />
I recommend prioritizing the three assessment approaches as follows:<br />
<br />
1. **Examine (highest priority)**<br />
- Start by examining documentation that explicitly defines which duties require separation<br />
- This provides the foundation for understanding how separation of duties is conceptualized in your organization<br />
- Focus on formal policies, procedures, and system security plans<br />
<br />
2. **Interview**<br />
- After examining documents, interview personnel with responsibilities for defining divisions of responsibility<br />
- Interview security personnel and system administrators to verify understanding<br />
- These interviews validate that the documented definitions are understood and followed<br />
<br />
3. **Test (supplementary)**<br />
- Finally, test mechanisms implementing separation of duties<br />
- This confirms that technical controls enforce the defined separations<br />
- Testing serves as verification of actual implementation rather than primary evidence<br />
<br />
This prioritization follows a logical progression: first understand what's defined, then verify understanding through interviews, and finally confirm implementation through testing.</div>David