Ann works at a small company and she is concerned that there is no oversight in the finance department;
specifically, that Joe writes, signs and distributes paycheques, as well as other expenditures. Which of the
following controls can she implement to address this concern?

A.
Mandatory vacations

B.
Time of day restrictions

C.
Least privilege

D.
Separation of duties

Explanation:
Separation of duties divides administrator or privileged tasks into separate groupings, which in turn, is
individually assigned to unique administrators. This helps in fraud prevention, error reduction, as well as
conflict of interest prevention. For example, those who configure security should not be the same people
who test security. In this case, Joe should not be allowed to write and sign paycheques.
Incorrect Answers:
A: Mandatory vacations require each employee to be on vacation for a minimal amount of time each
year. During this time a different employee sits at their desk and performs their work tasks. This will not
solve the problem, it will determine whether the user is committing fraud, being abusive, or if they are
incompetent.
B: Time of day restrictions limits when a specific user account can log on to the network according to the
time of day. This will not help solve the problem.
C: Least privilege states that users should only be granted the minimum necessary access, permissions,
and privileges that are required for them to accomplish their work tasks. This is used for normal
employees, whereas Separation of duties is for administrators.
Stewart, James Michael, CompTIA Security+ Review Guide, Sybex, Indianapolis, 2014, pp. 81, 82, 280