Which of the following are types of policy considerations designed to affect the way privileges are
assigned to users?
A. Principle of Alternating Privilege
B. Separation of Duties
C. Defense in Depth
D. Vacation, Job Rotation, and Transfer
E. Principle of Least Privilege
Explanation:
B: Separation of duties is a classic security principle that restricts the amount of
power held by any one individual in order to prevent conflict of interest, the appearance of conflict
of interest, fraud, and errors. Separation of duties is one of the fundamental principles of many
regulatory mandates such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA),
and as a result IT organizations are placing greater emphasis on separation of duties across all IT
functions, especially database administration.
D: Vacation, Job Rotation, and Transfer are policy considerations. One way to detect and deter
misuse of systems is to have a new person perform the duties of an existing worker. The new
person might notice irregularities or questionable circumstances and be able to report it. The
new worker might be there temporarily, i.e. filling in for someone on vacation, or might be a
replacement as a result of periodic job rotations and transfers. In addition, workers that expect
periodic rotations are less likely to misuse systems as they know others following behind them
will eventually discover it and report them.
E: Each user should have only those privileges appropriate to the tasks she needs to do, an idea
termed the principle of least privilege. Least privilege mitigates risk by limiting privileges, so that it
remains easy to do what is needed while concurrently reducing the ability to do inappropriate
things, either inadvertently or maliciously.
Note: Under the principle of least privilege, users are given the least amount of privileges
necessary in order to carry out their job functions. This applies to interactions
between systems as well as user interactions. This reduces the opportunity for
unauthorized access to sensitive information.
Reference: Oracle Reference Architecture, Security, Release 3.1