Page 1130 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Administrators assign different rights and permissions for each type of privileged operation. They grant specific processes only the privileges necessary to perform certain functions, instead of granting them unrestricted access to the system.

Just as the principle of least privilege can apply to both user and service accounts, separation-of-privilege concepts can also apply to both user and service accounts.

Many server applications have underlying services that support the applications, and as described earlier, these services must run in the context of an account, commonly called a service account. It is common today for server applications to have multiple service accounts. Administrators should grant each service account only the privileges needed to perform its functions within the application. This supports a segregation of privilege policy.


Segregation of Duties

Segregation of duties is similar to a separation of duties and responsibilities policy, but it also combines the principle of least privilege. The goal is to ensure that individuals do not have excessive system access that may result in a conflict of interest. When duties are properly segregated, no single employee will have the ability to commit fraud or make a mistake and have the ability to cover it up. It's similar to separation of duties in that duties are separated, and it's also similar to a principle of least privilege in that privileges are limited.

A segregation of duties policy is highly relevant for any company that must abide by the Sarbanes-Oxley Act (SOX) of 2002 because SOX specifically requires it. However, it is also possible to apply segregation of duties policies in any IT environment.
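The two controls described above, least privilege for service accounts and segregation of duties for people, can both be audited from the same account-to-privilege inventory. The following is an added example, not code from the study guide; the account names, privilege names, conflict pairs and "required" map are all constructed for illustration.

```python
# Added example: audit an account/privilege inventory for two policy gaps.
# 1. Segregation-of-duties conflicts: one account holds both halves of a
#    privilege pair that should always be split between two people.
# 2. Least-privilege excess: a service account holds privileges beyond what
#    its function requires.
# All data below is constructed for the example.

# Constructed conflict matrix: no single account may hold both privileges of a pair,
# because doing so lets one party commit an error or fraud and conceal it.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"submit_expense", "approve_expense"}),
    frozenset({"deploy_code", "approve_change"}),
}

# Constructed inventory: human users and service accounts with their privileges.
ASSIGNMENTS = {
    "alice": ["create_vendor", "approve_payment"],              # SoD conflict
    "bob": ["submit_expense"],
    "svc_web": ["read_config", "bind_port_443"],
    "svc_db_backup": ["read_db", "write_backup", "drop_table"],  # excess privilege
}

# Constructed statement of what each service account actually needs to function.
REQUIRED = {
    "svc_web": ["read_config", "bind_port_443"],
    "svc_db_backup": ["read_db", "write_backup"],
}


def sod_violations(assignments, conflicts=SOD_CONFLICTS):
    """Return {account: [sorted conflicting pair, ...]} for every account that
    holds both privileges of at least one conflicting pair."""
    violations = {}
    for account, privs in assignments.items():
        held = set(privs)
        found = [tuple(sorted(pair)) for pair in conflicts if pair <= held]
        if found:
            violations[account] = sorted(found)
    return violations


def least_privilege_excess(assignments, required):
    """Return {account: [privileges held but not required]} for each account
    listed in `required`; accounts with no excess are omitted."""
    excess = {}
    for account, needed in required.items():
        extra = set(assignments.get(account, ())) - set(needed)
        if extra:
            excess[account] = sorted(extra)
    return excess


if __name__ == "__main__":
    print("SoD conflicts:", sod_violations(ASSIGNMENTS))
    print("Excess service-account privileges:", least_privilege_excess(ASSIGNMENTS, REQUIRED))
```

In a real environment the inventory would be exported from the directory or IAM system and the conflict matrix maintained with the business owners of each process.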




SOX applies to all public companies that have registered equity or debt securities with the Securities and Exchange Commission (SEC). The United States (U.S.) government passed it in response to several high-profile financial scandals that resulted in the loss of billions of shareholder dollars.