Page 1553 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

vacation policies ensure that employees take an extended time away from their job, requiring someone else to perform their job responsibilities, which increases the likelihood of discovering fraud. Least privilege ensures that users have only the permissions they need to perform their job and no more.

6. B. Mandatory vacation policies help detect fraud. They require employees to take an extended time away from their job, requiring someone else to perform their job responsibilities, and this increases the likelihood of discovering fraud. It does not rotate job responsibilities. While mandatory vacations might help employees reduce their overall stress levels, and in turn increase productivity, these are not the primary reasons for mandatory vacation policies.

7. A, B, C. Job rotation, separation of duties, and mandatory vacation policies will all help reduce fraud. Baselining is used for configuration management and would not help reduce collusion or fraud.

8. B. Special privileges should not be granted equally to administrators and operators. Instead, personnel should be granted only the privileges they need to perform their job. Special privileges are activities that require special access or elevated rights and permissions to perform administrative and sensitive job tasks. Assignment and usage of these privileges should be monitored, and access should be granted only to trusted employees.

9. A. A service-level agreement identifies responsibilities of a third party such as a vendor and can include monetary penalties if the vendor doesn't meet the stated responsibilities. A MOU is an informal agreement and does not include monetary penalties. An ISA defines requirements for establishing, maintaining, and disconnecting a connection. SaaS is one of the cloud-based service models and does not specify vendor responsibilities.

10. C. Systems should be sanitized when they reach the end of their lifecycle to ensure that they do not include any sensitive data. Removing CDs and DVDs is part of the sanitation process, but other elements of the system, such as disk drives, should also be checked to ensure that they don't include sensitive information.