Page 144 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

Job rotation requires that security privileges and accesses be reviewed to maintain the principle of least privilege. One concern with job rotation, cross-training, and long-tenure employees is their continued collection of privileges and accesses, many of which they no longer need. The assignment of privileges, permissions, rights, access, and so on, should be periodically reviewed to check for privilege creep or misalignment with job responsibilities. Privilege creep occurs when workers accumulate privileges over time as their job responsibilities change. The end result is that a worker has more privileges than the principle of least privilege would dictate based on that individual’s current job responsibilities.



Cross-training

Cross-training is often discussed as an alternative to job rotation. In both cases, workers learn the responsibilities and tasks of multiple job positions. However, in cross-training the workers are just prepared to perform the other job positions; they are not rotated through them on a regular basis. Cross-training enables existing personnel to fill the work gap when the proper employee is unavailable as a type of emergency response procedure.



When several people work together to perpetrate a crime, it’s called collusion. Employing the principles of separation of duties, restricted job responsibilities, and job rotation reduces the likelihood that a coworker will be willing to collaborate on an illegal or abusive scheme because of the higher risk of detection. Collusion and other privilege abuses can be reduced through strict monitoring of special privileges, such as those of an administrator, backup operator, user manager, and others.
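The periodic privilege review described above (comparing what a worker currently holds against what the current job position should require, and checking that no one person holds a separation-of-duties conflict) can be expressed as a small access-review script. The following is an added example, not material from the study guide; the role baselines, entitlement names, conflict pairs and sample workers are constructed for illustration.

```python
"""Access review: flag privilege creep and separation-of-duties conflicts.

Added example. ROLE_BASELINE, SOD_CONFLICTS and SAMPLE_WORKERS are
constructed sample data, not taken from any real organization.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical role baselines: the entitlements each job position should
# need under least privilege. In practice these come from job descriptions
# or a role catalog maintained by management.
ROLE_BASELINE: dict[str, set[str]] = {
    "accounts_payable_clerk": {"erp:invoice:create", "erp:invoice:read"},
    "accounts_payable_approver": {"erp:invoice:read", "erp:invoice:approve"},
    "backup_operator": {"infra:backup:run", "infra:backup:restore"},
    "helpdesk": {"idm:password:reset", "idm:user:read"},
}

# Entitlement pairs that a single person should never hold at the same time
# (separation of duties). Holding both would let one worker act alone where
# the control expects two people to collude.
SOD_CONFLICTS: list[tuple[str, str]] = [
    ("erp:invoice:create", "erp:invoice:approve"),
    ("idm:user:create", "idm:user:approve"),
]


@dataclass
class Worker:
    name: str
    current_role: str          # the job position the worker holds today
    entitlements: set[str]     # what the IAM system actually grants them


@dataclass
class ReviewFinding:
    worker: str
    excess: set[str]                       # privilege creep: held but not in baseline
    sod_violations: list[tuple[str, str]]  # conflicting pairs held together


def review_worker(worker: Worker,
                  baseline: dict[str, set[str]] = ROLE_BASELINE,
                  sod: list[tuple[str, str]] = SOD_CONFLICTS) -> ReviewFinding:
    """Compare one worker's actual entitlements against the role baseline."""
    expected = baseline.get(worker.current_role, set())
    # Anything held beyond the current role's baseline is privilege creep.
    excess = worker.entitlements - expected
    # Any conflicting pair fully present in the worker's entitlements is an
    # SoD violation, regardless of whether the baseline allowed either half.
    violations = [pair for pair in sod
                  if pair[0] in worker.entitlements and pair[1] in worker.entitlements]
    return ReviewFinding(worker.name, excess, violations)


def run_access_review(workers: list[Worker]) -> list[ReviewFinding]:
    """Return only the findings that need action, in input order."""
    return [f for f in map(review_worker, workers) if f.excess or f.sod_violations]


# Constructed sample: alice rotated from clerk to approver but kept the
# clerk's create right; bob is clean; carol kept a helpdesk right after
# moving to backup operations.
SAMPLE_WORKERS = [
    Worker("alice", "accounts_payable_approver",
           {"erp:invoice:read", "erp:invoice:approve", "erp:invoice:create"}),
    Worker("bob", "helpdesk", {"idm:password:reset", "idm:user:read"}),
    Worker("carol", "backup_operator",
           {"infra:backup:run", "infra:backup:restore", "idm:password:reset"}),
]

if __name__ == "__main__":
    for finding in run_access_review(SAMPLE_WORKERS):
        print(f"{finding.worker}: excess={sorted(finding.excess)} "
              f"sod_violations={finding.sod_violations}")
```

Running the script reports alice for both privilege creep and a separation-of-duties conflict (she can create and approve the same invoice) and carol for privilege creep only; bob produces no finding. The baseline is keyed on the worker's current role, which is why keeping job descriptions current matters: a stale role catalog makes the review compare against the wrong expectation.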

Job descriptions are not used exclusively for the hiring process; they should be maintained throughout the life of the organization. Only through detailed job descriptions can a comparison be made between what a person should be responsible for and what they actually are responsible for. It is a managerial task to ensure that job descriptions overlap as little as possible and that one worker’s responsibilities do