PrepAway - Latest Free Exam Questions & Answers

In order to implement a true separation of duties approach the bank could:

A bank requires tellers to get manager approval when a customer wants to open a new account. A
recent audit shows that there have been four cases in the previous year where tellers opened
accounts without management approval. The bank president thought separation of duties would
prevent this from happening. In order to implement a true separation of duties approach the bank
could:

A. Require the use of two different passwords held by two different individuals to open an account

B. Administer account creation on a role based access control approach

C. Require all new accounts to be handled by someone else other than a teller since they have different duties

D. Administer account creation on a rule based access control approach

7 Comments on “In order to implement a true separation of duties approach the bank could:”

  1. juanfra77 says:

    I would go for B, since the bank doesn’t want anyone else to create accounts, but the manager. Therefore, I would go for B. Only employees with the role of manager should be able to create accounts.

    B.
  2. Paul S says:

    Not sure I agree with you on this one. Manager approval is not the same as the manager doing the job. I think that hiring someone whose sole job is new accounts and answerable to the manager is preferable.
  3. vxg says:

    Ok, you are both right. Here is why. Role based access control is the correct answer, and Paul, without knowing it, you chose the same answer in essence, because having someone else create the accounts as his sole job... that is role based. So, both those answers are right, but B is the direct answer.
  4. tester says:

    Separation of duties means 1 person should not have complete control: the 1st employee does 1 part of the job and the 2nd employee does the 2nd part of the same job, thus performing complementary roles. B doesn’t serve it; it would give full control to managers or tellers based on role. Option A is the true separation of duties: 2 employees having 2 different passwords required to open an account.
  5. ezspader says:

    I might be crazy but…
    Rule based access control should be able to force managers to approve new accounts. You would be forced to assign each teller and each manager to the rule. This would most likely be verified by username/passwords from a person in each group.

    Role based access control might be able to set such a rule. Group A can make accounts, but group B has to approve it before it is active. This could be managed by group policy.

    Both of these ways would require credentials from 2 different people, making A correct either way. That said, you cannot “require passwords” without B or D.

    To me, C will do nothing without either B or D to enforce the policy. If the previous rule had been systematically enforced, 4 people would not have slipped through the cracks in a year. Verbally assigning the job to another department would not stop a teller from creating an account.

    So…if 2 people should be involved in the process, and that is the point of separation of duties, A is correct, and B or D is required to force it to happen. B is more efficient.

    C stops tellers from making accounts with the help of roles or rules, but does not fit the meaning behind separation of duties without still requiring a second party to be involved.

    I think B scored more points.
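As an added illustration of the point the thread keeps circling (a role check alone versus a genuine two-person rule), the following constructed Python model is not part of the original post or any commenter's words: a teller can only create an account in a pending state, and it becomes active only when a manager who is a different person approves it. The staff names, roles and customer ids are made up.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample directory: who holds which role (hypothetical staff).
ROLES = {"alice": "teller", "bob": "teller", "carol": "manager", "dave": "manager"}

class PolicyViolation(Exception):
    pass

@dataclass
class AccountRequest:
    customer: str
    initiated_by: str
    approved_by: Optional[str] = None
    audit: List[str] = field(default_factory=list)

    @property
    def active(self) -> bool:
        # An account exists only once a second person has approved it.
        return self.approved_by is not None

def open_account(user: str, customer: str) -> AccountRequest:
    """Step 1 (role check): tellers and managers may initiate, but only into a pending state."""
    if ROLES.get(user) not in ("teller", "manager"):
        raise PolicyViolation(f"{user} may not open accounts")
    req = AccountRequest(customer=customer, initiated_by=user)
    req.audit.append(f"initiated by {user} ({ROLES[user]})")
    return req

def approval_violation(req: AccountRequest, user: str) -> Optional[str]:
    """Return why `user` may not approve `req`, or None if approval is allowed.
    The role check alone (option B) would let any manager approve; the
    different-person check is what makes it separation of duties."""
    if ROLES.get(user) != "manager":
        return f"{user} lacks the manager role"
    if user == req.initiated_by:
        return "approver must be a different person from the initiator"
    if req.active:
        return "request already approved"
    return None

def approve_account(req: AccountRequest, user: str) -> AccountRequest:
    """Step 2 (dual control): a distinct manager approves; only then is the account active."""
    reason = approval_violation(req, user)
    if reason:
        req.audit.append(f"REJECTED approval by {user}: {reason}")
        raise PolicyViolation(reason)
    req.approved_by = user
    req.audit.append(f"approved by {user}")
    return req
```

The rejected attempts stay in the audit trail, which is what lets an audit like the one in the question find the four cases instead of relying on the president's expectation.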
