Collusion with Personnel: Examining Security Controls


Question

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?

Answers

Explanations

A. B. C. D.

A.

The question specifically says "within a different function", which eliminates Job Rotation as a choice.

Management monitoring of audit logs is a detective control and it would not prevent collusion.

Changing passwords regularly would not prevent such an attack.

This question validates whether you understand the concepts of separation of duties and least privilege. By having operators that have only the minimum access level they need, and only what they need to do their duties within a company, the operations personnel would be forced to use collusion to defeat those security mechanisms.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.

The security control that might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data is job rotation of operations personnel.

Job rotation is a security control that involves moving employees between different jobs within an organization, to reduce the risk of fraud, errors, and other security breaches. However, in some cases, job rotation may create opportunities for collusion, which occurs when two or more people work together to commit a fraud or other security breach.

In the context of the given question, limiting the local access of operations personnel and enforcing regular password changes are security controls that aim to prevent unauthorized access to data, but they do not directly create opportunities for collusion. Management monitoring of audit logs, on the other hand, can help detect and prevent collusion, but it does not force an operator into collusion.

Therefore, the correct answer is B. Job rotation of operations personnel, as this security control may require the operator to collaborate with personnel from a different function who have access to the data they need to perform their job, creating an opportunity for collusion.