Which of the following administrative policy controls is usually associated with government
classifications of materials and the clearances of individuals to access those materials?
A. Separation of Duties
B. Due Care
C. Acceptable Use
D. Need to Know
Explanation:
The correct answer is D. Need to know is the concept generally associated with government classifications of
materials and the clearances of individuals to access those materials. It is closely related to the least
privilege principle.
Answer option C is incorrect. An acceptable use policy (also called an appropriate use policy) details the conditions that a
user must agree to in order to use an account on an information system.
Answer option B is incorrect. A Due Care policy identifies the level of confidentiality of information on
a computer and specifies how that information is to be handled. The objective of this policy is to
protect confidential records, the unauthorized disclosure of which creates a strong potential for
liability.
Answer option A is incorrect. Separation of duties (SoD) is the concept of requiring more than one
person to complete a task. It is alternatively called segregation of duties or, in the political
realm, separation of powers. Segregation of duties helps reduce the potential damage from the
actions of any one person. The IS or end-user department should be organized in a way that achieves adequate
separation of duties.
According to ISACA’s Segregation of Duties Control matrix, some duties should not be combined into
one position. This matrix is not an industry standard, just a general guideline suggesting which
positions should be separated and which require compensating controls when combined.
CISM Review Manual 2010, Contents: “Information security governance”