Which of the following is used to interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
Job rotations reduce the risk of collusion of activities between individuals.
Companies with individuals working with sensitive information or systems where there might be the opportunity for personal gain through collusion can benefit by integrating job rotation with segregation of duties.
Rotating the position may uncover activities that the individual is performing outside of the normal operating procedures, highlighting errors or fraudulent behavior.
Rotation of duties is a method of reducing the risk associated with a subject performing a (sensitive) task by limiting the amount of time the subject is assigned to perform the task before being moved to a different task.
The following are incorrect answers: Key escrow is related to the protection of keys in storage by splitting the key in pieces that will be controlled by different departments.Key escrow is the process of ensuring a third party maintains a copy of a private key or key needed to decrypt information.
Key escrow also should be considered mandatory for most organizations use of cryptography as encrypted information belongs to the organization and not the individual; however often an individuals key is used to encrypt the information.
Separation of duties is a basic control that prevents or detects errors and irregularities by assigning responsibility for different parts of critical tasks to separate individuals, thus limiting the effect a single person can have on a system.One individual should not have the capability to execute all of the steps of a particular process.
This is especially important in critical business areas, where individuals may have greater access and capability to modify, delete, or add data to the system.
Failure to separate duties could result in individuals embezzling money from the company without the involvement of others.
The need-to-know principle specifies that a person must not only be cleared to access classified or other sensitive information, but have requirement for such information to carry out assigned job duties.Ordinary or limited user accounts are what most users are assigned.
They should be restricted only to those privileges that are strictly required, following the principle of least privilege.
Access should be limited to specific objects following the principle of need-to-know.
The principle of least privilege requires that each subject in a system be granted the most restrictive set of privileges (or lowest clearance) needed for the performance of authorized tasks.Least privilege refers to granting users only the accesses that are required to perform their job functions.
Some employees will require greater access than others based upon their job functions.
For example, an individual performing data entry on a mainframe system may have no need for Internet access or the ability to run reports regarding the information that they are entering into the system.
Conversely, a supervisor may have the need to run reports, but should not be provided the capability to change information in the database.
Reference(s) used for this question: Hernandez CISSP, Steven (2012-12-21)
Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10628-10631)
Auerbach Publications.
Kindle Edition.
and Hernandez CISSP, Steven (2012-12-21)
Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10635-10638)
Auerbach Publications.
Kindle Edition.
and Hernandez CISSP, Steven (2012-12-21)
Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 10693-10697)
Auerbach Publications.
Kindle Edition.
and Hernandez CISSP, Steven (2012-12-21)
Official (ISC)2 Guide to the CISSP CBK, Third Edition ((ISC)2 Press) (Kindle Locations 16338-16341)
Auerbach Publications.
Kindle Edition.
The correct answer is B. Rotation of duties.
Rotation of duties is a technique used to prevent collusion and fraud in organizations. It involves rotating employees through different jobs, responsibilities, and roles within an organization on a regular basis, so that no one person becomes too familiar with a particular task or process. This limits the opportunity for employees to collude with each other to subvert operations for fraudulent purposes.
Key escrow is a mechanism used to store encryption keys for safekeeping in case they are lost or compromised. It is not directly related to preventing collusion or fraud.
The principle of need-to-know is a security principle that limits access to sensitive information to only those who need it to perform their job responsibilities. While this principle can help prevent unauthorized access to sensitive information, it does not directly address collusion or fraud.
The principle of least privilege is a security principle that limits user access rights to only the minimum level necessary to perform their job responsibilities. While this principle can help prevent unauthorized access to sensitive information or systems, it does not directly address collusion or fraud.