CompTIA Security Plus Mock Test Q892

Ann works at a small company and she is concerned that there is no oversight in the finance department; specifically, that Joe writes, signs and distributes paycheques, as well as other expenditures. Which of the following controls can she implement to address this concern?

A. Mandatory vacations
B. Time of day restrictions
C. Least privilege
D. Separation of duties

Correct Answer: D
Section: Access Control and Identity Management

Explanation:
Separation of duties divides administrator or privileged tasks into separate groupings, each of which is individually assigned to a unique administrator. This helps with fraud prevention, error reduction, and conflict of interest prevention. For example, those who configure security should not be the same people who test security. In this case, Joe should not be allowed to write and sign paycheques.

Incorrect Answers:
A: Mandatory vacations require each employee to be on vacation for a minimal amount of time each year. During this time a different employee sits at their desk and performs their work tasks. This will not solve the problem; it will determine whether the user is committing fraud, being abusive, or is incompetent.
B: Time of day restrictions limit when a specific user account can log on to the network according to the time of day. This will not help solve the problem.
C: Least privilege states that users should only be granted the minimum necessary access, permissions, and privileges that are required for them to accomplish their work tasks. This is used for normal employees, whereas separation of duties is for administrators.

References:
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 81, 82, 280