PrepAway - Latest Free Exam Questions & Answers


Which of the following is used to interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes?


A.
Key escrow

B.
Rotation of duties

C.
Principle of need-to-know

D.
Principle of least privilege

Answer: B

Explanation:
Job rotation reduces the risk of collusion between individuals. Separation of duties forces two or more people to
cooperate before a sensitive task can be completed, but it can be subverted when those people collude. Rotating
staff through the sensitive positions limits how long any pair of individuals works together, so an arrangement to
defraud the organization is harder to build and harder to sustain. Companies with individuals working with sensitive
information or systems, where there is an opportunity for personal gain through collusion, benefit from combining
job rotation with segregation of duties. Rotating a position also brings a new person into it, who may uncover
activities the previous holder performed outside of normal operating procedures, exposing errors or fraudulent
behavior.
Rotation of duties is a method of reducing the risk associated with a subject performing a (sensitive) task by
limiting the amount of time the subject is assigned to perform the task before being moved to a different task.
Separation of duties is a basic control that prevents or detects errors and irregularities by assigning
responsibility for different parts of critical tasks to separate individuals, thus limiting the effect a single person
can have on a system. One individual should not have the capability to execute all of the steps of a particular
process. This is especially important in critical business areas, where individuals may have greater access and
the capability to modify, delete, or add data in the system. Failure to separate duties could allow an individual
to embezzle money from the company without the involvement of others.
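The controls the explanation relies on are easier to reason about when they are enforced in software rather than only in policy. The following Python is an added example, not code from the exam page or from any vendor: it models a payment approval workflow (the classic maker-checker pattern) that enforces separation of duties per transaction, flags a subject who holds both sides of the task, and treats a duty assignment as expired after a fixed tenure so that rotation can be enforced. All user names, roles, amounts, dates and the 90-day rotation interval are constructed for illustration.

```python
"""Separation of duties and rotation of duties as enforceable controls.

Added example (not from the original page). Rules modelled:
  * a payment's maker may never be its approver (separation of duties);
  * only subjects with an active 'approver' assignment may approve
    (least privilege / need-to-know at the role level);
  * an assignment is active only for MAX_TENURE_DAYS, after which the
    subject must be rotated off the duty (rotation of duties);
  * a subject holding both 'maker' and 'approver' at once is reported
    as a separation-of-duties conflict before any transaction happens.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

MAX_TENURE_DAYS = 90  # assumed rotation interval for a sensitive duty


class ControlViolation(Exception):
    """Raised when an action would bypass one of the controls."""


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str    # 'maker' or 'approver'
    since: date  # date the subject was rotated into this duty


@dataclass
class Payment:
    pid: int
    amount: int
    maker: str
    approver: Optional[str] = None


class PaymentWorkflow:
    def __init__(self, assignments: List[Assignment],
                 max_tenure_days: int = MAX_TENURE_DAYS) -> None:
        self.assignments = list(assignments)
        self.max_tenure_days = max_tenure_days
        self.payments: Dict[int, Payment] = {}
        self._next_id = 1

    def active_roles(self, user: str, today: date) -> Set[str]:
        """Roles the user currently holds; expired assignments no longer count."""
        return {a.role for a in self.assignments
                if a.user == user
                and (today - a.since).days < self.max_tenure_days}

    def create(self, user: str, amount: int, today: date) -> int:
        if "maker" not in self.active_roles(user, today):
            raise ControlViolation(f"{user} is not an active maker")
        p = Payment(self._next_id, amount, maker=user)
        self.payments[p.pid] = p
        self._next_id += 1
        return p.pid

    def approve(self, pid: int, user: str, today: date) -> None:
        p = self.payments[pid]
        if p.approver is not None:
            raise ControlViolation(f"payment {pid} already approved")
        if "approver" not in self.active_roles(user, today):
            raise ControlViolation(f"{user} is not an active approver")
        if user == p.maker:  # per-transaction separation of duties
            raise ControlViolation(f"{user} cannot approve their own payment")
        p.approver = user

    def conflicting_roles(self, today: date) -> List[str]:
        """Subjects who could complete the whole task alone (SoD conflict)."""
        users = {a.user for a in self.assignments}
        return sorted(u for u in users
                      if {"maker", "approver"} <= self.active_roles(u, today))

    def rotation_due(self, today: date) -> List[str]:
        """Subjects whose tenure on a duty has reached the rotation limit."""
        return sorted({a.user for a in self.assignments
                       if (today - a.since).days >= self.max_tenure_days})


def demo() -> dict:
    """Run the workflow on constructed data and return what each control decided."""
    today = date(2024, 6, 1)
    wf = PaymentWorkflow([
        Assignment("alice", "maker", today - timedelta(days=10)),
        Assignment("alice", "approver", today - timedelta(days=10)),  # conflict
        Assignment("bob", "approver", today - timedelta(days=30)),
        Assignment("carol", "approver", today - timedelta(days=120)),  # expired
    ])
    pid = wf.create("alice", 5000, today)
    outcomes = {}
    # Order matters: the first successful approval closes the payment.
    for who in ("alice", "carol", "bob"):
        try:
            wf.approve(pid, who, today)
            outcomes[who] = "approved"
        except ControlViolation as exc:
            outcomes[who] = str(exc)
    return {"outcomes": outcomes,
            "conflicts": wf.conflicting_roles(today),
            "rotation_due": wf.rotation_due(today)}


if __name__ == "__main__":
    print(demo())
```

The per-transaction check in `approve` is the separation-of-duties control; `conflicting_roles` catches the weaker case where one subject is merely entitled to both halves of the task. Neither stops two different people from colluding, which is why `rotation_due` exists: once an assignment ages past the limit the subject loses the role automatically, and a different person takes over the position.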
Incorrect Answers:
A: Key escrow is the process of ensuring that a trusted third party maintains a copy of a private key, or of the key
needed to decrypt information, so that the data can be recovered if the original key holder is unavailable. (Splitting
a key into pieces held by different departments is a different control, split knowledge or dual control, not escrow.)
Key escrow should be considered mandatory for most organizations' use of cryptography, because encrypted
information belongs to the organization and not to the individual, even though an individual's key is often used to
encrypt it. Key escrow does not interrupt the opportunity to use or perform collusion to subvert operation for
fraudulent purposes.
C: The need-to-know principle specifies that a person must not only be cleared to access classified or other
sensitive information, but must also have a requirement for that information to carry out assigned job duties.
Ordinary or limited user accounts are what most users are assigned. They should be restricted to only those
privileges that are strictly required, following the principle of least privilege, and access should be limited to
specific objects, following the principle of need-to-know. Need-to-know limits what one person can see; it does
not interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes.
D: The principle of least privilege requires that each subject in a system be granted the most restrictive set of
privileges (or lowest clearance) needed for the performance of authorized tasks. Least privilege refers to
granting users only the access that is required to perform their job functions. Some employees will require
greater access than others based on their job functions. For example, an individual performing data entry on
a mainframe system may have no need for Internet access or the ability to run reports on the information
they are entering into the system. Conversely, a supervisor may need to run reports, but should not be
given the capability to change information in the database. Least privilege limits what one person can do; it
does not interrupt the opportunity to use or perform collusion to subvert operation for fraudulent purposes.
