If you’re planning to take the SY0-501 version of the Security+ exam, you should have a basic understanding of the importance of policies, plans and procedures related to organizational security. This includes personnel management policies. Personnel learn these policies when they are hired and as changes occur.
For example, can you answer this question?
Q. Martin has worked as a network administrator for several years within your organization. Over time, he has been tasked with performing several jobs, including database administration and application development. Security personnel are concerned that his level of access represents a serious risk. Which of the following is the BEST solution to reduce this risk?
A. Mandatory vacations
B. Exit interview
C. Change management
D. Separation of duties
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Mandatory Vacations
Mandatory vacation policies help detect when employees are involved in malicious activity, such as fraud or embezzlement. As an example, employees in positions of fiscal trust, such as stock traders or bank employees, are often required to take an annual vacation of at least five consecutive workdays.
For embezzlement actions of any substantial size to succeed, an employee would need to be constantly present in order to manipulate records and respond to different inquiries. On the other hand, if an employee is forced to be absent for at least five consecutive workdays, someone else would be required to answer any queries during the employee’s absence. This increases the likelihood of discovering illegal activities by employees. It also acts as an effective deterrent.
Mandatory vacations aren’t limited to only financial institutions, though. Many organizations require similar policies for administrators. For example, an administrator might be the only person required to perform sensitive activities such as reviewing certain logs. A malicious administrator can overlook or cover up certain activities revealed in the logs. However, a mandatory vacation policy would require someone else to perform these activities, which increases the chance of discovery.
Of course, mandatory vacations by themselves won’t prevent fraud. Most companies will implement the principle of defense in depth by using multiple layers of protection. Additional policies may include separation of duties and job rotation to provide as much protection as possible.
Separation of Duties
Separation of duties is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.
Accounting provides a classic example. It’s common to divide Accounting departments into two divisions: Accounts Receivable and Accounts Payable. Personnel in the Accounts Receivable division review and validate bills. They then send the validated bills to the personnel in the Accounts Payable division, who pay the bills. Similarly, this policy would ensure that no single person is authorized to both print and sign checks. Instead, a separation of duties policy assigns these two functions to different people to reduce the possibility of fraud.
If Homer were the only person doing all these functions, it would be possible for him to create and approve a bill from Homer’s Most Excellent Retirement Account. After approving the bill, Homer would then pay it. If Homer doesn’t go to jail, he may indeed retire early at the expense of the financial health of the company.
Separation of duties policies also apply to IT personnel. For example, it’s common to separate application development tasks from application deployment tasks. In other words, developers create and modify applications and then pass the compiled code to administrators. Administrators then deploy the code to live production systems. Without this policy in place, developers might be able to make quick, untested changes to code, resulting in unintended outages. This provides a high level of version control and prevents potential issues created through uncontrolled changes.
As another example, a group of IT administrators may be assigned responsibility for maintaining a group of database servers. However, they would not be granted access to security logs on these servers. Instead, security administrators regularly review these logs, but these security administrators will not have access to data within the databases.
Imagine that Bart has been working as an IT administrator but recently changed jobs and is now working as a security administrator. What should happen? Based on separation of duties, Bart should now have access to the security logs, but his access to the data within the databases should be revoked. If his permissions to the data are not revoked, he will have access to more than he needs, violating the principle of least privilege. A user rights and permissions review often discovers these types of issues.
Job Rotation
Job rotation is a concept that has employees rotate through different jobs to learn the processes and procedures in each job. From a security perspective, job rotation helps to prevent or expose dangerous shortcuts or even fraudulent activity. Employees might rotate through jobs temporarily or permanently.
For example, your company could have an Accounting department. In separation of duties, you would separate accounting into two divisions—Accounts Receivable and Accounts Payable. Additionally, you could rotate personnel in and out of jobs in the two divisions. This would ensure more oversight over past transactions and help ensure that employees are following rules and policies.
In contrast, imagine a single person always performs the same function without any expectation of oversight. This increases the temptation to go outside the bounds of established policies.
Job rotation policies work well together with separation of duties policies. A separation of duties policy helps prevent a single person from controlling too much. However, if an organization only used a separation of duties policy, it is possible for two people to collude in a scheme to defraud the company. If a job rotation policy is also used, these two people will not be able to continue the fraudulent activity indefinitely.
Job rotation policies also apply to IT personnel. For example, the policy can require administrators to swap roles on a regular basis, such as annually or quarterly. This prevents any single administrator from having too much control over a system or network.
Q. Martin has worked as a network administrator for several years within your organization. Over time, he has been tasked with performing several jobs, including database administration and application development. Security personnel are concerned that his level of access represents a serious risk. Which of the following is the BEST solution to reduce this risk?
A. Mandatory vacations
B. Exit interview
C. Change management
D. Separation of duties
Answer is D. A separation of duties policy prevents any single person from performing multiple job functions that might allow the person to commit fraud. In this scenario, the administrator has accumulated privileges across several job functions, which represents the risk.
A mandatory vacation policy is useful to discover fraud committed by an individual, but this scenario clearly indicates this individual controls too many job functions.
An exit interview is performed when an employee leaves the organization.
Change management ensures changes are reviewed before being implemented.
See Chapter 11 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on security policies.