CISSP Question

Information Assurance, Governance, Risk and Compliance


This topic contains 7 replies, has 6 voices, and was last updated by Santosh Kaimal 3 years, 9 months ago.

  • #76524

    ankurj.hazarika
    Participant

    The ability of one person in the finance department to add vendors to the vendor database and subsequently pay the vendor violates which concept?
    A. A well-formed transaction
    B. Separation of duties
    C. Least privilege
    D. Sensitivity level

    Which one and why?

    #76528

    Anonymous
    Participant

    B. Sep. of duties

    That person can add and pay anyone
    Don’t know what A. is
    C. refers to having only enough rights to do one’s job
    D. just doesn’t apply, this is not a sensitive issue

    #76530

    ankurj.hazarika
    Participant

    I am of the same opinion, man, but the site says “c”. How the hell can it be “c”? The site didn’t provide any explanation.

    #76543

    cisatrainee1
    Participant

    There is a distinct difference between what a duty is versus what a privilege is.

    Oracle gives a good example:

    Oracle

    #76567

    Chin_Diesel
    Moderator

    Think about it. If someone has the rights to change/add vendors to a database, then they should not have the ability to also pay that vendor. That would mean that person has too many rights/privileges.

    That person is either in payroll, or is a DBA, which are separate duties, but that alone obviously isn’t stopping him from being able to do the mentioned tasks. Only by giving a user/role the minimum amount of privileges to do their job, and THEN combining that with properly separated duties, can an organization be protected from a situation like the example question.

    #76644

    ankurj.hazarika
    Participant

    Creno13- You have a point there, buddy.

    #79455

    kj2015
    Participant

    Nice explanation creno13

    #79710

    Santosh Kaimal
    Participant

    The explanation sounds good after you know the answer.
