In order to implement a true separation of duties approach the bank could:

A bank requires tellers to get manager approval when a customer wants to open a new account. A
recent audit shows that there have been four cases in the previous year where tellers opened
accounts without management approval. The bank president thought separation of duties would
prevent this from happening. In order to implement a true separation of duties approach the bank
could:

A. Require the use of two different passwords held by two different individuals to open an account

B. Administer account creation on a role based access control approach

C. Require all new accounts to be handled by someone else other than a teller since they have different duties

D. Administer account creation on a rule based access control approach




juanfra77

I would go for B, since the bank doesn’t want anyone else to create accounts, but the manager. Therefore, I would go for B. Only employees with the role of manager should be able to create accounts.

B.

Paul S

Not sure I agree with you on this one. Manager approval is not the same as the manager doing the job. I think that hiring someone whose sole job is new accounts and answerable to the manager is preferable.

vxg

Ok, you are both right. Here is why. Role based access control is the correct answer, and Paul, without knowing it, you chose the same answer in essence because by having someone else create the accounts and this be his sole job... that is role based. So, both those answers are right, but B is the direct answer.

tester

Separation of duties means 1 person should not have complete control: the 1st employee does 1 part of the job and the 2nd employee does the 2nd part of the same job, thus performing complementary roles. B doesn’t serve it. It would give full control to managers or tellers based on role. Option A is the true separation of duties: 2 employees having 2 different passwords required to open an account.