3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.

Using Windows Server with Active Directory: Make extensive use of user groups. Do not assign access to anything directly to individual users. Lock directories down to authorized groups and deny access to directories for anyone not in the designated group. Device access is also allowed or blocked by group. Users are assigned to the groups where they need access and removed when access is no longer necessary. This also depends on having the proper people assigned to the proper duties, with those duties properly outlined and adhered to.

Monitoring: Monitoring software is available to track activity in group assignments to ensure compliance. Administrators must also monitor this to ensure that the proper people are doing their respective jobs and that duties are not carrying over to people who should have no involvement.
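
The group-assignment check described above, as an added PowerShell example that is not part of the original page: it flags accounts that hold two conflicting roles and permissions granted to a user instead of a group. The group names, accounts, paths, conflict pairs, and both function names are constructed or hypothetical.

```powershell
# Constructed sample data: group name -> member accounts. On a live domain this
# could be filled from Get-ADGroupMember -Recursive (ActiveDirectory module).
$GroupMembers = @{
    'GG-AccessControl-Admins' = @('asmith', 'bjones')
    'GG-Audit-Admins'         = @('cwu', 'bjones')
    'GG-Developers'           = @('dlee', 'epatel')
    'GG-Release-Approvers'    = @('fkhan', 'dlee')
    'GG-Finance-Share-RW'     = @('gortiz')
}
# Hypothetical policy: no single account may be a member of both A and B.
$ConflictingPairs = @(
    @{ A = 'GG-AccessControl-Admins'; B = 'GG-Audit-Admins' }
    @{ A = 'GG-Developers';           B = 'GG-Release-Approvers' }
)
# Constructed permission entries (simplified; live data would come from (Get-Acl <path>).Access).
$ShareAces = @(
    [pscustomobject]@{ Path = 'D:\Shares\Finance'; Identity = 'GG-Finance-Share-RW'; Rights = 'Modify' }
    [pscustomobject]@{ Path = 'D:\Shares\Finance'; Identity = 'asmith'; Rights = 'FullControl' }
)

function Find-SodConflict {
    param([hashtable]$GroupMembers, [hashtable[]]$ConflictingPairs)
    foreach ($pair in $ConflictingPairs) {
        # A policy that names a missing group is itself a finding, not a pass.
        if (-not ($GroupMembers.ContainsKey($pair.A) -and $GroupMembers.ContainsKey($pair.B))) {
            Write-Warning "Policy references unknown group: $($pair.A) / $($pair.B)"
            continue
        }
        foreach ($account in $GroupMembers[$pair.A]) {
            if ($GroupMembers[$pair.B] -contains $account) {   # case-insensitive match
                [pscustomobject]@{ Account = $account; GroupA = $pair.A; GroupB = $pair.B }
            }
        }
    }
}

function Find-DirectUserAce {
    param([object[]]$Aces, [string[]]$KnownGroups)
    # Any entry whose identity is not a known group was granted to a user directly.
    $Aces | Where-Object { $KnownGroups -notcontains $_.Identity }
}

Find-SodConflict -GroupMembers $GroupMembers -ConflictingPairs $ConflictingPairs | Format-Table
Find-DirectUserAce -Aces $ShareAces -KnownGroups @($GroupMembers.Keys) | Format-Table
```

Run on a schedule and compared against the previous result, the output shows when a membership change has put one person in two roles that the policy keeps apart.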