Page 1129 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

difficult for individuals to engage in malicious, fraudulent, or unauthorized activities and broadens the scope of detection and reporting. In contrast, individuals may be more tempted to perform unauthorized acts if they think they can get away with them. With two or more people involved, the risk of detection increases and acts as an effective deterrent.

Here’s a simple example. Movie theaters use separation of duties to prevent fraud. One person sells tickets. Another person collects the tickets and doesn’t allow entry to anyone who doesn’t have a ticket. If the same person collects the money and grants entry, this person can allow people in without a ticket or pocket the collected money without issuing a ticket. Of course, it is possible for the ticket seller and the ticket collector to get together and concoct a plan to steal from the movie theater. This is collusion because it is an agreement between two or more persons to perform some unauthorized activity. However, collusion takes more effort and increases the risk to each of them.

Separation of duties policies help reduce fraud by requiring collusion between two or more people to perform the unauthorized activity.

Similarly, organizations often break down processes into multiple tasks or duties and assign these duties to different individuals to prevent fraud. For example, one person approves payment for a valid invoice, but someone else makes the payment. If one person controlled the entire process of approval and payment, it would be easy to approve bogus invoices and defraud the company.

Another way separation of duties is enforced is by dividing the security or administrative capabilities and functions among multiple trusted individuals. When the organization divides administration and security responsibilities among several users, no single person has sufficient access to circumvent or disable security mechanisms.


Separation of Privilege

Separation of privilege is similar in concept to separation of duties and responsibilities. It builds on the principle of least privilege and applies it to applications and processes. A separation-of-privilege policy requires the use of granular rights and permissions.
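The invoice example above (one person approves, another pays) and the granular rights this section calls for can be combined in one enforcement routine. The following is an added illustration, not code from the study guide: roles, users, and invoice fields are constructed, and the user "dana" is given two roles on purpose to show that holding both permissions still does not let one identity perform both steps on the same invoice.

```python
from dataclasses import dataclass, field
from typing import List, Optional


class SeparationOfDutiesError(Exception):
    """Raised when one identity tries to perform two steps that must be split."""


# Constructed example: granular rights per role (separation of privilege).
# No single role carries the whole submit -> approve -> pay process.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:submit"},
    "manager": {"invoice:approve"},
    "treasury": {"invoice:pay"},
}

# Constructed users; "dana" deliberately holds two roles.
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"manager"},
    "carol": {"treasury"},
    "dana": {"manager", "treasury"},
}


@dataclass
class Invoice:
    invoice_id: str
    amount: float
    submitted_by: Optional[str] = None
    approved_by: Optional[str] = None
    paid_by: Optional[str] = None
    audit_log: list = field(default_factory=list)  # (permission, user) per step


def _check(user: str, permission: str, invoice: Invoice, prior_actors: List[str]) -> None:
    """Least privilege: user must hold the granular permission.
    Separation of duties: user must not have acted on this invoice already."""
    granted = set().union(*(ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, set())))
    if permission not in granted:
        raise PermissionError(f"{user} lacks {permission}")
    if user in prior_actors:
        raise SeparationOfDutiesError(f"{user} already acted on {invoice.invoice_id}")
    invoice.audit_log.append((permission, user))


def submit(invoice: Invoice, user: str) -> Invoice:
    _check(user, "invoice:submit", invoice, [])
    invoice.submitted_by = user
    return invoice


def approve(invoice: Invoice, user: str) -> Invoice:
    if invoice.submitted_by is None:
        raise ValueError("invoice not submitted")
    _check(user, "invoice:approve", invoice, [invoice.submitted_by])
    invoice.approved_by = user
    return invoice


def pay(invoice: Invoice, user: str) -> Invoice:
    if invoice.approved_by is None:
        raise ValueError("invoice not approved")
    _check(user, "invoice:pay", invoice, [invoice.submitted_by, invoice.approved_by])
    invoice.paid_by = user
    return invoice
```

The audit log is what turns the control into the "broadened detection" the section describes: every step records who performed it, so a reviewer can see at a glance whether two distinct people were involved.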