A Chief Financial Officer (CFO) has asked the Chief Information Security Officer (CISO) to provide responses to a recent audit report detailing deficiencies in the organization's security controls. The CFO would like to know ways in which the organization can improve its authorization controls. Given the request by the CFO, which of the following controls should the CISO focus on in the report? (Select THREE)
A. Password complexity policies B. Hardware tokens C. Biometric systems D. Role-based permissions E. One-time passwords F. Separation of duties G. Multifactor authentication H. Single sign-on I. Least privilege
An audit has revealed that database administrators are also responsible for auditing database changes and backup logs. Which of the following access control methodologies would BEST mitigate this concern?
A. Time of day restrictions B. Principle of least privilege C. Role-based access control D. Separation of duties
During a third-party audit, it is determined that a member of the firewall team can request, approve, and implement a new rule-set on the firewall. Which of the following will the audit team most likely recommend during the audit out-brief?
A. Discretionary access control for the firewall team B. Separation of duties policy for the firewall team C. Least privilege for the firewall team D. Mandatory access control for the firewall team
While preparing for an audit, a security analyst is reviewing the various controls in place to secure the operation of financial processes within the organization. Based on the pre-assessment report, the department does not effectively maintain a strong financial transaction control environment due to conflicting responsibilities held by key personnel. If implemented, which of the following security concepts will most effectively address the finding?
A. Least privilege B. Separation of duties C. Time-based access control D. Dual control
A recent audit has revealed that several users have retained permissions to systems they should no longer have rights to after being promoted or changed job positions. Which of the following controls would BEST mitigate this issue?
A. Separation of duties B. User account reviews C. Group based privileges D. Acceptable use policies
The software developer is responsible for writing the code and promoting from the development network to the quality network. The network administrator is responsible for promoting code to the application servers. Which of the following practices are they following to ensure application integrity?
A. Job rotation B. Implicit deny C. Least privilege D. Separation of duties
Ann works at a small company and she is concerned that there is no oversight in the finance department; specifically, that Joe writes, signs and distributes paycheques, as well as other expenditures. Which of the following controls can she implement to address this concern?
A. Mandatory vacations B. Time of day restrictions C. Least privilege D. Separation of duties
Correct Answer: D Section: Access Control and Identity Management
Separation of duties divides administrator or privileged tasks into separate groupings, which in turn are individually assigned to unique administrators. This helps in fraud prevention, error reduction, and conflict of interest prevention. For example, those who configure security should not be the same people who test security. In this case, Joe should not be allowed to both write and sign paycheques.
A: Mandatory vacations require each employee to be on vacation for a minimal amount of time each year. During this time a different employee sits at their desk and performs their work tasks. This will not solve the problem; it will only determine whether the user is committing fraud, being abusive, or is incompetent.
B: Time of day restrictions limit when a specific user account can log on to the network according to the time of day. This will not help solve the problem.
C: Least privilege states that users should only be granted the minimum necessary access, permissions, and privileges that are required for them to accomplish their work tasks. This is used for normal employees, whereas separation of duties is for administrators.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 81, 82, 280
Which of the following, if properly implemented, would prevent users from accessing files that are unrelated to their job duties? (Select TWO).
A. Separation of duties B. Job rotation C. Mandatory vacation D. Time of day restrictions E. Least privilege
Correct Answer: A,E Section: Compliance and Operational Security
Separation of duties means that users are granted only the permissions they need to do their work and no more. Moreover, it means that you are employing best practices. The segregation of duties and separation of environments is a way to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization. A least privilege policy should be used when assigning permissions: give users only the permissions that they need to do their work and no more.
B: A job rotation policy defines intervals at which employees must rotate through positions.
C: A mandatory vacation policy requires all users to take time away from work to refresh. Mandatory vacation gives the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills, and it satisfies the need to have replication or duplication at all levels. Mandatory vacations also provide an opportunity to discover fraud. In this case, mandatory vacations can prevent the two members from colluding to steal the information that they have access to.
D: Time of day restrictions are used to configure when an account can have access to the system.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, p. 25
Everyone in the accounting department has the ability to print and sign checks. Internal audit has asked that only one group of employees may print checks while only two other employees may sign the checks. Which of the following concepts would enforce this process?
A. Separation of Duties B. Mandatory Vacations C. Discretionary Access Control D. Job Rotation
Correct Answer: A Section: Compliance and Operational Security
Separation of duties means that users are granted only the permissions they need to do their work and no more.
B: A mandatory vacation policy requires all users to take time away from work to refresh.
C: Discretionary Access Control allows for flexibility in access control within the company, which is to be avoided in this scenario.
D: Rotating jobs would mean that all the employees will, at any one time, still have the authority to sign checks.
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 25, 151, 153