so the definition of thes terms thes air. All administrative controls, like I've mentioned
and administrative controls come from management policies, procedure standards and guidelines. And just like other types of controls, they could be preventive. They can be deterrents. They can be corrective or detective or so on.
So when we talk about segregation of duties or separation of duties or separation of roles,
don't get married to the terms, get married to the ideas, right? So however, they're gonna refer to this idea of separation of duties, What we're trying to do is preventing
a single person from having too much power,
too much knowledge on the network.
We don't want a network administrator. We want a network administrator group each one with Sefer, separate rights and privileges.
Otherwise, we had somebody that has ultimate control over the network.
Um, segregation of duties means we don't have the person that prints the paycheque, signed the paycheck.
Otherwise, you know somebody could commit fraud.
All right, Job rotation Job rotation is a detective control. Segregation of duties we just talked about was a preventive control.
So the idea is we're gonna prevent anyone from being too powerful
with job rotation. Well, this so it's a detective control. It can also have the purpose of cross training and providing redundancy for employees. So that's a good thing, too,
but we'll probably see it on the exam is more of a detective mechanism.
So if your database administrator one after six months, you go and you administer database, too,
and then I step in behind you. In that way, we have a means of determining, if anything, fraudulence going on. So job rotation,
mandatory vacations associate that with the banking industry, and they're probably a couple of others. But that's where I've seen it.
So the bank is coming up a couple 100 bucks short every week, week after week after week. So one Monday morning, the bank manager comes to me and says, Kelly, you look tired.
Why don't you have a 14 day vacation where you get out of the office?
You don't check your email. You don't contact anyone at the bank, you know, access any files. You don't show up on physical premises. You are totally banned from anything having to do with this bank for 14 days. You go have a good time.
Well, of course, What they're doing is they're looking at how things operate without my presence versus how they operate with my present.
And I know many of us see mandatory vacations and they think I wish that was me. I feel that way sometimes, too. But it's in the financial industry, usually banking,
all right, dual control and then em of in control.
Sometimes we have actions so significant on the network
that we don't trust a single entity to do those,
you know, even in a trusted admin.
You know, think about recovery of private keys. If your private, he gets corrupted, that's okay, cause their archives.
But if any single individual is able to recover your private key will, then your private key is compromised, really?
Right. And the possibility of someone you know framing you for an activity or whatever that may be exists. And remember forever trying to get a conviction in criminal court.
We want beyond a reasonable doubt.
So rather than having a single administrator be able to recover keys, maybe we have two administrators and dual control, and we both have to enter our password in order for a key to be recovered.
It's much less likely that two of us are colluding to frame an individual.
And that starts to build up,
you know, getting beyond that reasonable doubt.
Now the problem with dual control, technically, is that you and I, whoever's named, would both have to be there.
Well, what if I'm sick that you're you're sick that day? You're often vacation.
So instead, MFN gives us a little bit more flexibility m and n or just variables.
And ultimately, what we're looking at, there is,
um, maybe out of seven network admin cz three have to be present
four out of eight. Whatever that may be, the variables don't matter. But the benefit there's we have many total at Mons.
Any three or any six or whatever it is would have to be there, so it's less bound to an individual
Secure state means things should fail in such a way. Specifically, this applies to systems. A system should fail in such a way, no further compromise can happen.
Have you seen the beloved blue screen of death?
Blue screen of death means there's been a failure,
and it fails in such a way that you can't do anything else And that's defending
principle and lead of Lise privilege and need to know Lise Privileges about action. Need to knows about Gabby.
I won't let users install applications. That's principle of Lise privy.
If you're not in the sales team, you don't get access. The sales folder
are acceptable use policies where senior management lays out the expectations for how company resource is will be used.
Can you browse the Internet on company time on company system?
Maybe, Maybe not sin the acceptable use policy.
Can I make personal phone calls on the telephones? Can I print a personal material to the printer
so all of those things should be spelled out?
And the data ownership and system ownership
And that's not always clear.
And if we don't have a clear data owner,
then how in the world are we gonna have a data owner that enforced that determines classifications?
If there's a conflict across department,
so there should be a well document process in place to determine who the owner of data is as well as the system, because they're the ones that dictate