The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company. Which of the following is the BEST method to prevent such activities in the future?
A. Job rotation
B. Separation of duties
C. Mandatory Vacations
D. Least Privilege
Correct Answer: B
Separation of duties splits a sensitive business process, such as approving a payment and recording it, so that no single person can complete it alone; committing fraud then requires collusion between at least two people. The DBA in the question could commit fraud precisely because one person held several job functions at once, and separating those duties removes that opportunity. Segregating duties and separating environments (for example development from production) reduces the likelihood that systems or information are misused, and a separation of duties policy is designed specifically to reduce the risk of fraud and to prevent other losses in an organization.
Incorrect Answers:
A: A job rotation policy defines intervals at which employees must rotate through positions, so that the company does not become too dependent on one person. It may reveal fraud after the fact, but it does not stop one person from holding conflicting duties.
C: A mandatory vacation policy requires all users to take time away from work while others cover their duties, so fraud that is already under way may be uncovered; it does not remove the conflicting roles that made the fraud possible in the first place.
D: Least privilege means giving users only the permissions they need to do their work and no more. It limits what each role can do, but the fraud here came from one person legitimately holding several roles, which is a separation of duties problem rather than a permissions problem.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 24, 25, 26, 153 http://en.wikipedia.org/wiki/Separation_of_duties
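Separation of duties is enforced in practice by checking role assignments against a list of toxic combinations during access reviews. The following is an added example, not code from the study guide: the role names, the conflict matrix and the sample assignments are constructed for illustration, and the greedy remediation is one assumed strategy (a real review would have a manager decide which role to strip).

```python
"""Separation-of-duties check over a role assignment list (added example)."""
from itertools import combinations

# Pairs of duties that one person must never hold together. Assumption: a
# typical finance/IT toxic-combination matrix, not taken from the source.
SOD_CONFLICTS = {
    frozenset({"db_admin", "ap_clerk"}),         # alter the ledger and raise payments
    frozenset({"ap_clerk", "ap_approver"}),      # create and approve the same payment
    frozenset({"developer", "prod_deployer"}),   # write code and push it unreviewed
    frozenset({"db_admin", "audit_log_admin"}),  # change data and erase the evidence
}


def find_sod_violations(assignments):
    """assignments: dict user -> set of role names.
    Returns a sorted list of (user, role_a, role_b) for every conflicting pair held."""
    hits = []
    for user, roles in assignments.items():
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in SOD_CONFLICTS:
                hits.append((user, a, b))
    return sorted(hits)


def remediation_plan(assignments):
    """For each violating user, list roles to remove until no conflict remains.
    Greedy: repeatedly drop the role involved in the most remaining conflicts."""
    plan = {}
    for user, roles in assignments.items():
        keep = set(roles)
        dropped = []
        while True:
            conflicts = [p for p in combinations(sorted(keep), 2)
                         if frozenset(p) in SOD_CONFLICTS]
            if not conflicts:
                break
            counts = {}
            for a, b in conflicts:
                counts[a] = counts.get(a, 0) + 1
                counts[b] = counts.get(b, 0) + 1
            victim = max(sorted(counts), key=counts.get)  # deterministic tie-break
            keep.discard(victim)
            dropped.append(victim)
        if dropped:
            plan[user] = dropped
    return plan


# Constructed sample: the DBA from the question, who also handles payables
# and administers the audit logs, plus colleagues whose duties are split.
SAMPLE_ASSIGNMENTS = {
    "dba_joe": {"db_admin", "ap_clerk", "audit_log_admin"},
    "alice":   {"ap_clerk"},
    "bob":     {"ap_approver"},
    "carol":   {"developer", "prod_deployer"},
}

if __name__ == "__main__":
    for user, a, b in find_sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"VIOLATION {user} holds {a} + {b}")
    print("suggested removals:", remediation_plan(SAMPLE_ASSIGNMENTS))
```

Run against an export of the identity provider's group memberships, the violation list is the evidence for an access review, and the remediation plan shows that removing `db_admin` from the DBA clears both of that user's conflicts at once.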
Question 1052:
In order to prevent and detect fraud, which of the following should be implemented?
A. Job rotation
B. Risk analysis
C. Incident management
D. Employee evaluations
Correct Answer: A
A job rotation policy defines intervals at which employees must rotate through positions. Like mandatory vacations, it keeps the company from becoming too dependent on one person, and because another person periodically takes over the same job, the company gets a chance to uncover fraud committed by the previous holder. The policy therefore both deters fraud (the incumbent knows a successor will see their work) and detects it.
Incorrect Answers:
B: Risk analysis (also called risk assessment or risk calculation) identifies threats, vulnerabilities and the impact of losing information or information-processing capability. It informs which controls to deploy but does not itself prevent or detect fraud.
C: Incident management is the set of steps followed when an event occurs; it responds to incidents after the fact rather than preventing or detecting fraud.
D: Employee evaluations assess job performance; they are not designed to detect fraud. A formal review of records and controls for that purpose is an audit.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 4, 10, 26
Question 1053:
Which of the following types of risk reducing policies also has the added indirect benefit of cross training employees when implemented?
A. Least privilege
B. Job rotation
C. Mandatory vacations
D. Separation of duties
Correct Answer: B
A job rotation policy defines intervals at which employees must rotate through positions. Like mandatory vacations, it ensures that the company does not become too dependent on one person and gives the company the opportunity to place another person in the same job. Because each employee has to learn the rotated position, staff are cross-trained as a side effect.
Incorrect Answers:
A: A least privilege policy should be used when assigning permissions: give users only the permissions that they need to do their work and no more. This does not involve cross-training.
C: A mandatory vacation policy requires all users to take time away from work to refresh. Someone covers the absent employee temporarily, but the policy's aim is oversight, not training.
D: Separation of duties divides a sensitive task among different users so that no single person can complete it alone. It deliberately keeps people's duties apart, so it provides no cross-training.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 24, 25, 26, 153
Question 1054:
A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks.
Which of the following practices is being implemented?
A. Mandatory vacations
B. Job rotation
C. Least privilege
D. Separation of duties
Correct Answer: B
A job rotation policy defines intervals at which employees must rotate through positions. Two developers swapping systems for several weeks each year is exactly that.
Incorrect Answers:
A: A mandatory vacation policy requires all users to take time away from work to refresh. The developers here are still working, just on each other's system.
C: A least privilege policy should be used when assigning permissions: give users only the permissions that they need to do their work and no more.
D: Separation of duties divides a sensitive task among different people, and separating environments (such as development from production) reduces the likelihood of misuse of systems or information. Swapping two complete jobs is rotation, not a division of one job.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 24, 25, 26, 153 http://en.wikipedia.org/wiki/Job_rotation
Question 1055:
The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to determine who may be responsible. Which of the following would be the BEST course of action?
A. Create a single, shared user account for every system that is audited and logged based upon time of use.
B. Implement a single sign-on application on equipment with sensitive data and high-profile shares.
C. Enact a policy that employees must use their vacation time in a staggered schedule.
D. Separate employees into teams led by a person who acts as a single point of contact for observation purposes.
Correct Answer: C
A policy that requires employees to use their vacation time on a staggered schedule is a way of implementing mandatory vacations. While each employee is away, others step in and do that employee's work. Staggering the leave means each position is covered by a substitute in turn, which gives the CSO the opportunity to see who has been using company assets responsibly and who has been abusing them.
Incorrect Answers:
A: A single shared user account makes every action indistinguishable from every other; logging time of use does not tie an action to a person. Individual accounts with audit logging are needed to single out a guilty party.
B: Single sign-on lets a user authenticate once and then access multiple resources. It is an authentication convenience and does not by itself reveal who is misusing assets.
D: Organizing employees into teams under a single point of contact adds a layer of reporting but removes nobody from their duties, so whoever is misusing assets simply continues, and the team lead has no independent view of each person's work.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 25
Question 1056:
A company is looking to reduce the likelihood of employees in the finance department being involved with money laundering. Which of the following controls would BEST mitigate this risk?
A. Implement privacy policies
B. Enforce mandatory vacations
C. Implement a security policy
D. Enforce time of day restrictions
Correct Answer: B
A mandatory vacation policy requires all users to take time away from work to refresh. While the regular employee is away, someone else performs the job, which ensures that others can fill gaps in skills (redundancy at every level) and gives the company an opportunity to discover fraud: irregularities that the absent employee has been concealing, such as laundering transactions through accounts they control, become visible to the person covering the role.
Incorrect Answers:
A: Privacy policies define the controls needed to implement and maintain the privacy of data; they do not address employee fraud.
C: A security policy defines the controls needed to secure company resources such as systems, users and networks. It is the umbrella document, not the specific control that exposes laundering.
D: Time of day restrictions configure when an account may access a system; an employee can launder money during normal working hours, so they do not mitigate this risk.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, pp. 24-25, 153
Question 1057:
Which of the following should Joe, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from his company?
A. Privacy Policy
B. Least Privilege
C. Acceptable Use
D. Mandatory Vacations
Correct Answer: D
When one person fills in for another, as during mandatory vacations, the substitute sees what the absent employee has been doing and can uncover fraud, including schemes that depend on the conspirators staying in place to keep them hidden.
Incorrect Answers:
A: A privacy policy defines the controls required to protect the privacy of data in the work environment. It is a legal document describing what information the company collects, the privacy choices available to the user, any sharing of data with other parties, the security measures in place, and enforcement. It has nothing to do with embezzlement.
B: A least privilege policy should be used when assigning permissions: give users only the permissions that they need to do their work and no more. Two colluding employees may each be within their own least privilege and still embezzle together.
C: Acceptable use policies (AUPs) describe how employees may use company systems and resources, both software and hardware; they set rules but do not detect collusion.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 25
Question 1058:
A company that has a mandatory vacation policy has implemented which of the following controls?
A. Risk control
B. Privacy control
C. Technical control
D. Physical control
Correct Answer: A
Risk mitigation is any step taken to reduce risk. Mandatory vacations are an administrative measure taken to reduce the risk of undetected fraud and of dependence on one person, so implementing them is a risk control.
Incorrect Answers:
B: Privacy controls protect the privacy of data; a vacation policy does not.
C: Technical controls cover aspects such as identification and authentication, access control, audit and accountability, and system and communication protection. They are implemented in technology, not in an HR policy such as mandatory vacations.
D: Physical controls (locks, guards, fences) are a subset of operational controls and do not include a vacation policy.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 25
Question 1059:
While rarely enforced, mandatory vacation policies are effective at uncovering:
A. Help desk technicians with oversight by multiple supervisors and detailed quality control systems.
B. Collusion between two employees who perform the same business function.
C. Acts of incompetence by a systems engineer designing complex architectures as a member of a team.
D. Acts of gross negligence on the part of system administrators with unfettered access to system and no oversight.
Correct Answer: D
A system administrator with unfettered access and no oversight is exactly the person whose work nobody else ever sees. When a mandatory vacation forces that administrator out, a colleague must take over the duties and review the state of the systems, which exposes neglected privilege reviews, undocumented changes and other negligence that would otherwise stay hidden.
Incorrect Answers:
A: Help desk technicians who already have multiple supervisors and detailed quality control systems are under constant oversight, so mandatory vacations add little.
B: Two employees who perform the same business function can cover for each other, so one conspirator taking leave does not expose the scheme; mandatory vacations are weakest against this form of collusion.
C: A systems engineer designing complex architectures works as a member of a team whose other members already see the work; incompetence there is not what mandatory vacations are meant to uncover.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 25
Question 1060:
Mandatory vacations are a security control which can be used to uncover which of the following?
A. Fraud committed by a system administrator
B. Poor password security among users
C. The need for additional security staff
D. Software vulnerabilities in vendor code
Correct Answer: A
Mandatory vacations provide an opportunity to discover fraud, in addition to the obvious benefits of giving employees a chance to refresh and ensuring that others in the company can fill those positions, which makes the company less dependent on any one person (a form of replication and duplication at all levels). A system administrator who is forced away cannot continue to conceal what they have been doing with their access.
Incorrect Answers:
B: Poor password security among users is found by password audits and policy enforcement, not by mandatory vacations.
C: Mandatory vacations do not measure staffing levels; if anything, they show whether existing staff can cover for one another.
D: Software vulnerabilities in vendor code are found by vulnerability scanning, patch tracking and testing of the installed software and its version, not by a vacation policy.
References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, Sixth Edition, Sybex, Indianapolis, 2014, p. 25
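Questions 1055 through 1060 all rest on the same mechanism: a mandatory vacation only works if the privileged user is actually absent long enough for someone else to do the job. The following is an added example, not from the study guide, of how a security team can verify that from authentication logs. The log line format, the user names and the login history are constructed for illustration; the five-day minimum is an assumed policy value.

```python
"""Mandatory-vacation compliance check over constructed authentication logs (added example).

Flags privileged accounts whose longest login-free stretch in a review period is
shorter than the policy minimum, i.e. accounts that were never handed over to a
substitute. Log format is an assumption: "YYYY-MM-DD HH:MM:SS LOGIN user=<name> ..."
"""
from datetime import date, timedelta
import re

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ LOGIN user=(\w+)")


def parse_login_days(lines):
    """Return dict user -> sorted list of distinct dates with at least one login."""
    days = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an interactive login event; ignored
        days.setdefault(m.group(2), set()).add(date.fromisoformat(m.group(1)))
    return {user: sorted(s) for user, s in days.items()}


def longest_absence(days, period_start, period_end):
    """Longest run of consecutive login-free days inside [period_start, period_end].
    A user with no logins at all in the period scores the full period length."""
    in_period = [d for d in days if period_start <= d <= period_end]
    # Sentinels one day outside the window so leading/trailing gaps count too.
    bounds = [period_start - timedelta(days=1)] + in_period + [period_end + timedelta(days=1)]
    return max((b - a).days - 1 for a, b in zip(bounds, bounds[1:]))


def vacation_violations(lines, privileged, period_start, period_end, min_days=5):
    """Privileged users whose longest absence in the period is below min_days.
    Returns dict user -> longest absence observed."""
    logins = parse_login_days(lines)
    return {
        user: gap
        for user in sorted(privileged)
        if (gap := longest_absence(logins.get(user, []), period_start, period_end)) < min_days
    }


def constructed_log():
    """Constructed sample: rsmith logs in every working day with no break;
    jdoe takes two weeks off in February; cron entries are not logins."""
    start, end = date(2014, 1, 1), date(2014, 3, 31)
    lines, d = [], start
    while d <= end:
        if d.weekday() < 5:
            lines.append(f"{d} 08:15:01 LOGIN user=rsmith src=10.0.0.5")
            if not date(2014, 2, 3) <= d <= date(2014, 2, 14):
                lines.append(f"{d} 09:02:44 LOGIN user=jdoe src=10.0.0.9")
        if d.day % 3 == 0:
            lines.append(f"{d} 23:59:00 CRON user=rsmith job=backup")
        d += timedelta(days=1)
    return lines


if __name__ == "__main__":
    period = (date(2014, 1, 1), date(2014, 3, 31))
    for user, gap in vacation_violations(constructed_log(), {"rsmith", "jdoe"}, *period).items():
        print(f"{user}: longest absence {gap} days, below policy minimum")
```

On the constructed data rsmith is flagged (longest gap is a two-day weekend) while jdoe is not (16 consecutive days away). A privileged account with no logins at all in the period is not flagged here; that is a dormant account and belongs in a separate review.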