Personnel Policies – Separation of Duties
If you plan on taking the Security+ exam you should have a good understanding of the various personnel policies that organizations implement including a separation of duties policy. These policies are used to define and clarify issues such as personnel behavior, expectations, and possible consequences. Personnel learn these policies when they are hired and as changes occur.
This blog is an excerpt of acceptable use topics from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.
Some of the other policies directly related to personnel are:
Separation of Duties Practice Test Question
Here’s a sample separation of duties question for the Security+ exam from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.
Q. A group of server administrators maintains several database servers, but they cannot access security logs on these servers. Security administrators can access the security logs, but they cannot access data within the databases. What policy is the company using?
A. Separation of duties policy
B. Policy requiring dual accounts for administrators
C. Job rotation policy
D. Mandatory vacations policy
Ideally, you should not only know what the correct answer is, but also why it is correct and why the incorrect answers are incorrect.
Separation of Duties
Separation of duties is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.
Accounting provides the classic example. It’s common to divide accounting departments into two divisions: Accounts Receivable and Accounts Payable. Personnel in the Accounts Receivable division review and validate bills. They then send the validated bills to the personnel in the Accounts Payable division, who pay the bills.
If Joe was the only person doing both functions, it would be possible for him to create and approve a bill from Joe’s Most Excellent Retirement Account. After approving the bill, Joe would then pay it. If Joe doesn’t go to jail, he may indeed retire early at the expense of the financial health of the company.
Separation of duties policies also apply to IT personnel. Consider network defense. A firewall is a preventive control that attempts to prevent attacks, and a network-based intrusion detection system (NIDS) is a detective control that attempts to detect attacks. If a single administrator managed both systems, it’s possible that issues could be overlooked, resulting in errors. By separating the tasks between two people, the organization reduces the possibility of errors.
As another example, a group of IT administrators may be assigned responsibility for maintaining a group of database servers, but do not have access to security logs on these servers. Instead, security administrators regularly review these logs, but these security administrators will not have access to data within the databases.
Consider what should happen if one of the IT administrators is promoted and is now working as a security administrator. Based on separation of duties, this administrator should now have access to security logs, but access to the data within the databases should be revoked. However, if the administrator’s permissions to the data are not revoked, the administrator will have more permissions than needed, violating the principle of least privilege. A user rights and permissions review will often discover these types of issues.
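As an added example (not from the study guide), here is a small user rights and permissions review in Python that models the scenario above. The role names, permission strings, and users are constructed for illustration; the review flags any permission a user holds beyond what their current role grants (least privilege) and any user who holds both database data access and security-log access (a separation of duties conflict).

```python
# Added example (not from the study guide): a rights-and-permissions review that
# flags least-privilege violations and separation-of-duties (SoD) conflicts.
from dataclasses import dataclass, field

# Permission names for the page's scenario (constructed)
DB_MAINT = "db:server:maintain"   # maintain the database servers
DB_DATA = "db:data:read-write"    # access data within the databases
SEC_LOGS = "security:logs:read"   # read the servers' security logs

# What each role is allowed to hold (constructed role definitions)
ROLE_PERMISSIONS = {
    "server_admin": {DB_MAINT, DB_DATA},
    "security_admin": {SEC_LOGS},
}

# Permission sets that must never be held by one person at the same time
SOD_CONFLICTS = [frozenset({DB_DATA, SEC_LOGS})]


@dataclass
class User:
    name: str
    role: str
    permissions: set = field(default_factory=set)


def review_user(user):
    """Return a list of findings for one user (empty list means clean)."""
    findings = []
    excess = user.permissions - ROLE_PERMISSIONS[user.role]
    for perm in sorted(excess):  # permissions not justified by the current role
        findings.append(f"{user.name}: holds {perm} beyond role {user.role} (least privilege)")
    for conflict in SOD_CONFLICTS:  # toxic combinations held by a single person
        if conflict <= user.permissions:
            findings.append(f"{user.name}: separation-of-duties conflict {sorted(conflict)}")
    return findings


def review(users):
    """Run the review across all users and collect every finding."""
    return [finding for user in users for finding in review_user(user)]


def promote_to_security_admin(user):
    """Correct role change: revoke the old role's permissions before granting the new ones."""
    user.permissions -= ROLE_PERMISSIONS[user.role]
    user.role = "security_admin"
    user.permissions |= ROLE_PERMISSIONS["security_admin"]
    return user


if __name__ == "__main__":
    # Constructed sample: Joe was promoted but his old permissions were never revoked.
    joe = User("joe", "security_admin", {DB_MAINT, DB_DATA, SEC_LOGS})
    for finding in review([joe]):
        print(finding)
```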
Remember this
Separation of duties prevents any single person or entity from being able to complete all the functions of a critical or sensitive process by dividing the tasks between employees. Job rotation policies require employees to change roles on a regular basis. This helps ensure that employees cannot continue with fraudulent activity indefinitely.
Separation of Duties Practice Test Question
Q. A group of server administrators maintains several database servers, but they cannot access security logs on these servers. Security administrators can access the security logs, but they cannot access data within the databases. What policy is the company using?
A. Separation of duties policy
B. Policy requiring dual accounts for administrators
C. Job rotation policy
D. Mandatory vacations policy
Answer. A is correct. A separation of duties policy separates individual tasks of an overall function between different people, and in this case it is separating maintenance of the database servers from security oversight of the servers.
Dual accounts for administrators (one for administrative use and one for regular use) help prevent privilege escalation attacks.
Job rotation policies require employees to change roles on a regular basis.
Mandatory vacation policies require employees to take time away from their job and help detect malicious activities.
Personnel Policy Comparisons
- Separation of duties policies separate individual tasks of an overall function between different entities or different people.
- An acceptable use policy defines proper system usage for users. Users are often required to read and sign an acceptable use policy when hired, and in conjunction with refresher training.
- Mandatory vacations policies require employees to take time away from their job. These policies help to reduce fraud and discover malicious activities by employees.
- Job rotation policies require employees to change roles on a regular basis. These policies help to prevent employees from continuing with fraudulent activities.
Security+ Study Resources
Study Guide
Pass the Security+ exam the first time you take it with the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.
You’ll be ready to take and pass the exam the first time you take it.
Audio
Learn by Listening
Supplement your studies with Security+ audio files read directly from the CompTIA Security+ Get Certified Get Ahead SY0-401 book. A total of over 4 hours and 40 minutes are now available. Listen to key topics from all the chapters of the top selling CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide while on the go, or focus on just the topics you want to brush up on.
Practice Test Questions
Check your readiness for the Security+ exam with the CompTIA Security+ SY0-401 Practice Test Questions (Get Certified Get Ahead) book. Available in both paperback and Kindle format.
You can download free Kindle applications for just about any device from here.
The book is organized in six chapters matched to the six Security+ domains. Each chapter in the Kindle edition includes three sections:
Additionally, the acronym list at the end of the book provides relevant details on many of the acronyms referenced in the Security+ exam.
Mobile Apps
Practice test questions for your mobile devices. Learnzapp has apps for a wide assortment of mobile devices including Apple, Android, Amazon, Nook, and Blackberry.