Page 1132 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

organization tailors it to fit the roles and responsibilities used within the organization. A matrix such as the one shown in Figure 16.1 provides a guide to help identify potential conflicts.


Ideally, personnel will never be assigned to two roles with a conflict of interest. However, if extenuating circumstances require doing so, it's possible to implement compensating controls to mitigate the risks.


               Two-Person Control

Two-person control (often called the two-man rule) requires the approval of two individuals for critical tasks. For example, safe deposit boxes in banks often require two keys. A bank employee controls one key and the customer holds the second key. Both keys are required to open the box, and bank employees allow a customer access to the box only after verifying the customer's identification.

Using two-person controls within an organization ensures peer review and reduces the likelihood of collusion and fraud. For example, an organization can require two individuals within the company (such as the chief financial officer and the chief executive officer) to approve key business decisions. Additionally, some privileged activities can be configured so that they require two administrators to work together to complete a task.

Split knowledge combines the concepts of separation of duties and two-person control into a single solution. The basic idea is that the information or privilege required to perform an operation is divided among two or more users. This ensures that no single person has sufficient privileges to compromise the security of the environment.
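As an added illustration (not code from the study guide), the following Python sketch models both controls described above: a two-approver gate for a privileged task, and a key split into XOR shares among several custodians so that no single custodian can reconstruct it alone. The custodian names, approver roles, the XOR-sharing scheme and the sample key are all constructed assumptions.

```python
import secrets
from typing import Dict, List, Set

# Constructed sample key for the demonstration (not a real secret).
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def split_secret(secret: bytes, holders: List[str]) -> Dict[str, bytes]:
    """Divide `secret` into one XOR share per holder (split knowledge).

    All shares but the last are uniformly random; the last is chosen so
    that XOR-ing every share together yields the secret.  Any subset
    smaller than the full set therefore learns nothing about the secret.
    """
    if len(holders) < 2:
        raise ValueError("split knowledge needs at least two holders")
    shares = {h: secrets.token_bytes(len(secret)) for h in holders[:-1]}
    last = bytes(secret)
    for share in shares.values():
        last = bytes(a ^ b for a, b in zip(last, share))
    shares[holders[-1]] = last
    return shares


def reconstruct_secret(presented: Dict[str, bytes], required: Set[str]) -> bytes:
    """Recombine shares; every required custodian must present theirs."""
    missing = required - set(presented)
    if missing:
        raise PermissionError(f"missing shares from: {sorted(missing)}")
    length = len(next(iter(presented.values())))
    out = bytes(length)
    for holder in required:
        out = bytes(a ^ b for a, b in zip(out, presented[holder]))
    return out


def two_person_approve(task: str, approvers: Set[str], authorized: Set[str]) -> bool:
    """Two-person control: proceed only with two distinct, authorized approvers."""
    valid = approvers & authorized
    if len(valid) < 2:
        raise PermissionError(
            f"{task}: needs two distinct authorized approvers, got {sorted(valid)}"
        )
    return True


if __name__ == "__main__":
    custodians = ["alice", "bob", "carol"]
    shares = split_secret(MASTER_KEY, custodians)
    assert reconstruct_secret(shares, set(custodians)) == MASTER_KEY
    print("all three custodians together recover the key")
    print("wire approved:", two_person_approve("wire", {"cfo", "ceo"}, {"cfo", "ceo", "cto"}))
```

Because XOR is commutative, the order in which custodians present their shares does not matter, but a single missing share leaves the key unrecoverable.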



               Job Rotation

Further control and restriction of privileged capabilities can be implemented by using job rotation. Job rotation (sometimes called rotation of duties) means simply that employees are rotated through jobs, or at least some of the job responsibilities are rotated to different employees. Using job rotation as a security control provides peer review, reduces fraud, and enables cross-training. Cross-training helps