It is a violation of the "separation of duties" principle when which of the following individuals access the software on systems implementing security?
Click on the arrows to vote for the correct answer
A. B. C. D.D.
Reason:The security administrator, security analysis, and the system auditor need access to portions of the security systems to accomplish their jobs.The system programmer does not need access to the working (AKA: Production) security systems.
Programmers should not be allowed to have ongoing direct access to computers running production systems (systems used by the organization to operate its business)
To maintain system integrity, any changes they make to production systems should be tracked by the organizations change management control system.
Because the security administrators job is to perform security functions, the performance of non-security tasks must be strictly limited.
This separation of duties reduces the likelihood of loss that results from users abusing their authority by taking actions outside of their assigned functional responsibilities.
References: OFFICIAL (ISC)2 GUIDE TO THE CISSP EXAM (2003), Hansche, S., Berti, J., Hare, H., Auerbach Publication, FL, Chapter 5 - Operations Security, section 5.3,"Security Technology and Tools," Personnel section (page 32)
KRUTZ, R.
& VINES, R.
The CISSP Prep Guide: Gold Edition (2003), Wiley Publishing Inc., Chapter 6: Operations Security, Separations of Duties (page 303).
The principle of separation of duties is an important security concept that requires that critical tasks should be divided among multiple individuals or groups to minimize the risk of unauthorized or malicious activity. The idea behind this principle is that no one individual should have complete control or access to a system, application, or data.
In the context of the question, the violation of the separation of duties principle would occur when an individual who should not have access to a system's security software is granted access to it.
A security administrator is responsible for implementing and maintaining security measures, including setting up and configuring security software. Thus, granting access to security software to a security administrator is not a violation of the separation of duties principle.
A security analyst is responsible for monitoring and analyzing security threats and vulnerabilities. They may use security software to perform their tasks, and therefore, access to security software is required for them to perform their job duties. Hence, allowing a security analyst to access security software is not a violation of the separation of duties principle.
A systems auditor is responsible for reviewing and assessing the effectiveness of security controls and policies. To do this, they need to have access to security software to examine logs and other data. Therefore, allowing a systems auditor to access security software is not a violation of the separation of duties principle.
A systems programmer is responsible for developing and maintaining software for the system. Their role does not typically involve security, and granting them access to security software could lead to a conflict of interest or allow them to abuse their privileges. Therefore, allowing a systems programmer to access security software could be a violation of the separation of duties principle.
In summary, the correct answer is (D) systems programmer.