Personnel Policies – Separation of Duties

If you plan on taking the Security+ exam you should have a good understanding of the various personnel policies that organizations implement including a separation of duties policy. These policies are used to define and clarify issues such as personnel behavior, expectations, and possible consequences. Personnel learn these policies when they are hired and as changes occur.

This blog is an excerpt of acceptable use topics from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.

Some of the other policies directly related to personnel are:

• Acceptable use
• Mandatory vacations
• Job rotation

Separations of Duties Practice Test Question

Here’s a sample separations of duties question for the Security+ exam from the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide.

Q. A group of server administrators maintains several database servers, but they cannot access security logs on these servers. Security administrators can access the security logs, but they cannot access data within the databases. What policy is the company using?

A. Separation of duties policy

B. Policy requiring dual accounts for administrators

C. Job rotation policy

D. Mandatory vacations policy

Ideally, you should not only know what the correct answer is, but also why it is correct and why the incorrect answers are incorrect.

Separation of Duties

Separation of duties is a principle that prevents any single person or entity from being able to complete all the functions of a critical or sensitive process. It’s designed to prevent fraud, theft, and errors.

Accounting provides the classic example. It’s common to divide accounting departments into two divisions: Accounts Receivable and Accounts Payable. Personnel in the Accounts Receivable division review and validate bills. They then send the validated bills to the personnel in the Accounts Payable division, who pay the bills.

If Joe was the only person doing both functions, it would be possible for him to create and approve a bill from Joe’s Most Excellent Retirement Account. After approving the bill, Joe would then pay it. If Joe doesn’t go to jail, he may indeed retire early at the expense of the financial health of the company.

Separation of duties policies also apply to IT personnel. Consider network defense. A firewall is a preventative control that attempts to prevent attacks and a network-based intrusion detection system (NIDS) is a detective control that attempts to detect attacks. If a single administrator managed both systems, it’s possible that issues could be overlooked resulting in errors. However, by separating the tasks between two people, it reduces the possibility of errors.

As another example, a group of IT administrators may be assigned responsibility for maintaining a group of database servers, but do not have access to security logs on these servers. Instead, security administrators regularly review these logs, but these security administrators will not have access to data within the databases.

Consider what should happen if one of the IT administrators is promoted and is now working as a security administrator? Based on separation of duties, this administrator should now have access to security logs, but access to the data within the databases should be revoked. However, if the administrator’s permissions to the data are not revoked, the administrator will have more permissions than needed violating the principle of least privilege. A user rights and permissions review will often discover these types of issues.

Remember this

Separation of duties prevents any single person or entity from being able to complete all the functions of a critical or sensitive process by dividing the tasks between employees. Job rotation policies require employees to change roles on a regular basis. This helps ensure that employees cannot continue with fraudulent activity indefinitely.

Separations of Duties Practice Test Question

Q. A group of server administrators maintains several database servers, but they cannot access security logs on these servers. Security administrators can access the security logs, but they cannot access data within the databases. What policy is the company using?

A. Separation of duties policy

B. Policy requiring dual accounts for administrators

C. Job rotation policy

D. Mandatory vacations policy

Answer. A is correct. A separation of duties policy separates individual tasks of an overall function between different people, and in this case it is separating maintenance of the database servers with security oversight of the servers.

Dual accounts for administrators (one for administrative use and one for regular use) help prevent privilege escalation attacks.

Job rotation policies require employees to change roles on a regular basis.

Mandatory vacation policies require employees to take time away from their job and help detect malicious activities.

Personnel Policy Comparisons

• Separation of duties policies separate individual tasks of an overall function between different entities or different people.
• An acceptable use policy defines proper system usage for users. Users are often required to read and sign an acceptable use policy when hired, and in conjunction with refresher training.
• Mandatory vacations policies require employees to take time away from their job. These policies help to reduce fraud and discover malicious activities by employees.
• Job rotation policies require employees to change roles on a regular basis. These policies help to prevent employees from continuing with fraudulent activities.

Security+ Study Resources

Security+ Full Access Package

Pass the First Time!

Up-to-date Content

New multiple-choice and performance-based questions added regularly

Pass the first time with quality practice test questions, performance-based questions, flashcards, and audio.

Buy The Full Access Study Package Today

60 Days Access

Need more time? You can easily renew for another 60 days at a significantly reduced price.

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Our online Security+ study materials are the perfect complement to the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. They can also be used to help ensure you’re ready no matter what study guide you’re using.

This exam is expensive.

Make sure you’re ready before exam day. 

Here’s what you’ll get:

• All of the multiple-choice questions from the best-selling CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. See a demo here. All questions have full explanations so you’ll know why the correct answers are correct and why the incorrect answers are incorrect.
• Over 40 new multiple-choice questions we’ve added after publishing the study guide.
• Over 30 performance-based questions. See a demo here.
• All of the flashcards from the study guide. View them in any Web browser.
• All of the audio from the study guide. Listen to a sample here.
• Access to a free discount code for 10% off your Security+ voucher.

Buy The Full Access Study Package Today

60 Days Access

All materials are available online shortly after making your payment.

Get the Security+ Full Access Study Package Here

Study Guide Pass the Security+ exam the first time you take it with the CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide. Each of the eleven chapters presents topics in an easy to understand manner and includes real-world examples of security principles in action. The author uses many of the same analogies and explanations he’s honed in the classroom. These analogies an explanations have helped hundreds of students master the Security+ content. You’ll understand the important and relevant security topics for the Security+ exam, without being overloaded with unnecessary details.

You’ll be ready to take and pass the exam the first time you take it. Each chapter includes a comprehensive review section to help you focus on what’s important. Over 440 realistic practice test questions with in-depth explanations will help you test your comprehension and readiness for the exam. Includes a 100 question pre-test, a 100 question post-test, and practice test questions at the end of every chapter. Each practice test question includes a detailed explanation to help you understand the content and the reasoning behind the question.

Audio

Learn by Listening Supplement your studies with Security+ audio files read directly from the CompTIA Security+ Get Certified Get Ahead SY0-401 book. A total of over 4 hours and 40 minutes are now available. Supplement your studies with Security+ audio files you can listen to while on the go. Listen to key topics from all the chapters of the top selling CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide, or focus on just the topics you want to brush up on. Learn while driving or commuting Learn while exercising Learn any time

Practice Test Questions

Check your readiness for the Security+ exam with the CompTIA Security+ SY0-401 Practice Test Questions (Get Certified Get Ahead) book. Available in both paperback and Kindle format. Includes 307 realistic practice test questions with in-depth explanations so that you’ll know why the correct answers are correct, and why the incorrect answers are incorrect. Kindle edition includes dozens of flash cards specifically formatted for the Kindle. You can download free Kindle applications for just about any device from here.

Mobile Apps

Practice test questions for your mobile devices. Learnzapp has apps for a wide assortment of mobile devices including Apple, Android, Amazon, Nook, and Blackberry. In-depth coverage of all six domains in the CompTIA Security+ SY0-401 exam. App includes realistic practice questions to help you assess your exam readiness. Questions include in-depth explanations to help you understand why the correct answers are correct and the incorrect answers are incorrect. Flashcards to help you review important testable concepts. Buy once. Use on any device. Amazing interactive user experience. Internet connection not required.