Which statement below is the BEST example of separation of duties?


A. Getting users to divulge their passwords.

B. An activity that checks on the system, its users, or the environment.

C. One person initiates a request for a payment and another authorizes that same payment.

D. A data entry clerk may not have access to run database analysis reports.

Explanation:
Separation of duties refers to dividing roles and responsibilities so that a single individual cannot subvert a critical process. In financial systems, no single individual should normally be given the authority to issue checks. Checks and balances need to be designed into both the process and the specific, individual positions of the personnel who will implement the process.

Answer “An activity that checks on the system, its users, or the environment” describes system monitoring.

Answer “Getting users to divulge their passwords” is social engineering, a method of subverting system controls by getting users or administrators to divulge information about systems, including their passwords.

Answer “A data entry clerk may not have access to run database analysis reports” describes least privilege. Least privilege refers to the security objective of granting users only those accesses they need to perform their official duties. Least privilege does not mean that all users will have extremely little functional access; some employees will have significant access if it is required for their position. It is important to make certain that the implementation of least privilege does not interfere with the ability to have personnel substitute for each other without undue delay. Without careful planning, access control can interfere with contingency plans.

Source: National Institute of Standards and Technology, An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12.
