PrepAway - Latest Free Exam Questions & Answers

When two or more separate entities (usually persons) op…

When two or more separate entities (usually persons) operating in concert to protect sensitive functions or
information must combine their knowledge to gain access to an asset, this is known as:


A. Dual Control
B. Need to know
C. Separation of duties
D. Segregation of duties

Explanation:
PCI DSS defines Dual Control as below:
Dual Control: Process of using two or more separate entities (usually persons) operating in concert to
protect sensitive functions or information. Both entities are equally responsible for the physical protection of
materials involved in vulnerable transactions. No single person is permitted to access or use the materials
(for example, the cryptographic key). For manual key generation, conveyance, loading, storage, and
retrieval, dual control requires dividing knowledge of the key among the entities. (See also Split Knowledge).
Split knowledge: Condition in which two or more entities separately have key components that individually
convey no knowledge of the resultant cryptographic key.
Incorrect Answers:
B: The term “need to know”, when used by government and other organizations (particularly those related to the
military), describes the restriction of data which is considered very sensitive. Under need-to-know restrictions,
even if one has all the necessary official approvals (such as a security clearance) to access certain information,
one would not be given access to such information, unless one has a specific need to know; that is, access to
the information must be necessary for the conduct of one’s official duties. As with most security mechanisms,
the aim is to make it difficult for unauthorized access to occur, without inconveniencing legitimate access.
Need-to-know also aims to discourage “browsing” of sensitive material by limiting access to the smallest
possible number of people. This is not what is described in the question.
C: Separation of duties is the practice of dividing steps in a function among different individuals, so as to keep a
single individual from being able to subvert the process. This is not what is described in the question.
D: Segregation of Duties addresses the splitting of various functions within a process among different users so that
no opportunity is created for a single user to perform conflicting tasks. This is not what is described in the
question.
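The dual control and split knowledge definitions above are easiest to see in code. The following is an added illustration, not PCI DSS or PrepAway material: a key is split into XOR components so that every custodian's component is required to rebuild it, and any single component is consistent with every possible key, so it conveys no knowledge on its own. Key length and component count are constructed choices.

```python
import secrets

# Constructed example parameters: a 128-bit key held under dual control by 3 custodians.
KEY_LEN = 16
CUSTODIANS = 3


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("components must be the same length as the key")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n: int) -> list:
    """Split `key` into n components. The first n-1 are uniformly random;
    the last is chosen so that XOR of all n equals the key (all are needed)."""
    if n < 2:
        raise ValueError("split knowledge needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    last = key
    for p in parts:
        last = xor_bytes(last, p)
    parts.append(last)
    return parts


def combine_key(parts: list) -> bytes:
    """Rebuild the key; used only at the dual-control ceremony with every custodian present."""
    key = bytes(len(parts[0]))
    for p in parts:
        key = xor_bytes(key, p)
    return key


def component_consistent_with(part: bytes, candidate_key: bytes) -> bool:
    """True if some complementary component makes `part` combine to `candidate_key`.
    This holds for every candidate, which is why one component reveals nothing."""
    complement = xor_bytes(part, candidate_key)
    return combine_key([part, complement]) == candidate_key


if __name__ == "__main__":
    key = secrets.token_bytes(KEY_LEN)
    parts = split_key(key, CUSTODIANS)
    print("all custodians present, key rebuilt:", combine_key(parts) == key)
    print("one custodian missing, key rebuilt:", combine_key(parts[:-1]) == key)
    print("custodian 1's part is consistent with the all-zero key:",
          component_consistent_with(parts[0], bytes(KEY_LEN)))
```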

https://www.pcisecuritystandards.org/security_standards/glossary.php
