Submitted by Osunkoya on Tue, 2008-04-29 17:17.
The principles of security operation design express the common-sense application of simplicity and restriction to system administration. These principles are fundamental to proper security operation and support best practices in security governance. Some of the major ones are clear roles, separation of duties, need to know, rotation of duties and least privilege.
The principle of clear roles states that every position should have a well-defined responsibility. Individuals are assigned to a role, and the procedures for operating in that role are attached to the job responsibility rather than to the individuals (Panko, 2004). This removes the responsibility from individuals and places it on the job position, so that no one is in doubt as to which role is responsible for a particular operation.
In order to adequately ensure the security and integrity of an organization's resources, the organization must implement adequate internal controls by dividing functions so that no one person has control over all parts of a transaction (Kizza & Kizza, 2008). This means that the different functions of a transaction are assigned to different individuals, so that there is a "second set of eyes" for quality control, if you will. The principle of separation of duties is based on these observations. It breaks the process of authorization down into basic steps and requires that, for every request for authorization from a subject to a system resource, each step be given different privileges. It also requires that each key step in a process be assigned different privileges for different individual subjects. This division of labor, both within the authorization of one request and between individual subjects, stipulates not only that one subject should never be given blanket authorization to perform all the requested functions, but also that no single request should be granted blanket access rights to an object. This hierarchical or granular authorization distributes responsibilities and creates accountability, because no one subject is responsible for large processes where responsibility and accountability may be lax. For example, authorization to administer a Web server or an e-mail server can be granted to one person without granting him or her administrative rights to other parts of the organization's system.
The principle of least privilege requires that a subject be granted authorizations based on need. The least privilege principle is itself based on two other principles: fewer rights and less risk (Peltier, 2004). The basic idea behind these principles is that security is improved if subjects using system resources are given no more privileges than the minimum they require to perform their tasks, and only for the minimum amount of time required to perform them. The least privilege principle, if followed, reduces the risk of unauthorized access to the system. When designing a security policy, one must invoke the principle of least privilege by identifying, for every request, what the user's role is, determining the minimum set of privileges required to perform that role, and restricting the user to a domain with those privileges and nothing more. The principle of least privilege ensures the security and integrity of resources by denying privileges that could be used to circumvent the organizational security policy.
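The separation-of-duties and least-privilege checks described in the two paragraphs above, as an added example that is not part of the original post. The roles, subjects and the two-step payment transaction are constructed for illustration; the only point is that a subject must hold the exact privilege a step needs, and that no single subject may perform two steps of the same transaction even when over-provisioned with both privileges.

```python
from dataclasses import dataclass, field

# Constructed example: each role carries only the minimum privilege
# set its job needs (least privilege). Privilege names are assumed.
ROLE_PRIVILEGES = {
    "web_admin": {"webserver:admin"},
    "mail_admin": {"mailserver:admin"},
    "clerk": {"payment:request"},
    "approver": {"payment:approve"},
}

# Constructed subjects. "dave" is deliberately over-provisioned with
# both halves of the payment process to show the separation check.
SUBJECT_ROLES = {
    "alice": {"clerk"},
    "bob": {"approver"},
    "carol": {"web_admin"},
    "dave": {"clerk", "approver"},
}


def privileges_for(subject):
    """Union of the privileges granted by every role the subject holds."""
    privs = set()
    for role in SUBJECT_ROLES.get(subject, ()):
        privs |= ROLE_PRIVILEGES.get(role, set())
    return privs


def excess_privileges(subject, needed):
    """Privileges a subject holds beyond what its task needs: a
    least-privilege review flags any non-empty result."""
    return privileges_for(subject) - set(needed)


@dataclass
class Transaction:
    steps: list                                   # each step is a privilege name
    performed: dict = field(default_factory=dict)  # step -> subject that did it

    def perform(self, subject, step):
        if step not in self.steps or step in self.performed:
            return "rejected: invalid or repeated step"
        if step not in privileges_for(subject):
            return "denied: least privilege"          # lacks the exact privilege
        if subject in self.performed.values():
            return "denied: separation of duties"     # already did another step
        self.performed[step] = subject
        return "ok"

    def complete(self):
        return all(step in self.performed for step in self.steps)
```

Running `excess_privileges("dave", ["payment:request"])` returns `{"payment:approve"}`, the kind of over-provisioning a least-privilege review is meant to catch.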
Rotation of duties is a similar control that is intended to detect abuse of privileges or fraud, and it is a practice that helps an organization avoid becoming overly dependent on a single member of staff (Chirillio & Danelyan, 2005). By rotating staff, the organization has more chances of discovering violations or fraud. It also ensures that individuals cannot hold the firm to ransom because they are the only ones who can operate in a particular function.
The need-to-know principle requires that, even if an individual has all the necessary and required official security clearances and approvals, his or her request to access specific resources and information should not be granted unless such access is necessary for the conduct of that individual's official duties (Bishop, 2004). The principle ensures the security and integrity of resources by preventing users from browsing resources they have no need to access.
Ola Osunkoya, Ph.D