Security Controls that Might Force Collusion | SSCP Exam Preparation

Security Controls that Might Force Collusion


Question

Which of the following security controls might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data?

Answers

Explanations


A.

The question specifically said "within a different function", which eliminates Job Rotation as a choice.

Management monitoring of audit logs is a detective control and it would not prevent collusion.

Changing passwords regularly would not prevent such an attack.

This question validates whether you understand the concepts of separation of duties and least privilege. By having operators that have only the minimum access level they need, and only what they need to do their duties within a company, the operations personnel would be forced to use collusion to defeat those security mechanisms.

Source: TIPTON, Hal, (ISC)2, Introduction to the CISSP Exam presentation.
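To make the separation-of-duties point in the explanation above concrete, here is a small added Python model of a two-person release check; it is not from the exam source, and the users, functions and datasets in it are constructed for illustration. An operator holding only least-privilege permissions cannot read another function's dataset alone; the only path is a recorded approval from someone in a different function, which is the collusion the question describes and what a reviewer of the approval log would then see.

```python
from dataclasses import dataclass, field

# Constructed example: least privilege plus a cross-function approval.
# Each account holds only the permissions its function needs; releasing
# a dataset owned by another function additionally needs an approval
# from a user in a different organizational function.

@dataclass(frozen=True)
class User:
    name: str
    function: str            # e.g. "operations", "finance" (constructed)
    permissions: frozenset   # least-privilege set for that function

@dataclass
class ReleaseRequest:
    requester: User
    dataset: str
    approvals: list = field(default_factory=list)  # approval log entries

def can_read(user: User, dataset: str) -> bool:
    """Direct access is granted only by the user's own permissions."""
    return f"read:{dataset}" in user.permissions

def approve(req: ReleaseRequest, approver: User) -> bool:
    """Record an approval. It counts only if the approver is in a different
    function than the requester and holds read rights on the dataset."""
    if approver.function == req.requester.function:
        return False            # same function: separation of duties fails
    if not can_read(approver, req.dataset):
        return False            # approver lacks the right to grant
    if approver in req.approvals:
        return False            # no double-counting one approver
    req.approvals.append(approver)
    return True

def release_allowed(req: ReleaseRequest) -> bool:
    """Either the requester may read directly, or a cross-function
    approval has been logged; a lone operator never passes."""
    return can_read(req.requester, req.dataset) or len(req.approvals) >= 1

def demo():
    ops1 = User("ops1", "operations", frozenset({"read:batch_logs"}))
    ops2 = User("ops2", "operations", frozenset({"read:batch_logs"}))
    fin1 = User("fin1", "finance", frozenset({"read:payroll"}))
    req = ReleaseRequest(ops1, "payroll")          # ops wants finance data
    alone = release_allowed(req)                   # False: least privilege
    same_fn = approve(req, ops2)                   # False: same function
    cross = approve(req, fin1)                     # True: different function
    return alone, same_fn, cross, release_allowed(req)
```

Running `demo()` returns `(False, False, True, True)`: the operator gets nowhere alone or with a peer in the same function, and the approval that finally unlocks the data is itself a logged event from another function.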

The security control that might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data is B. Job rotation of operations personnel.

Job rotation is a security control that involves periodically transferring an employee from one job position to another within the organization. This control is implemented to prevent fraud, limit collusion, and improve overall security posture.

However, in some cases, job rotation can actually increase the risk of collusion. For example, if an operator is rotated into a position where they have access to data that they are not authorized to view, they may collude with personnel assigned organizationally within a different function who have the necessary access rights to obtain that data.

Limiting the local access of operations personnel (A) is a security control that involves restricting an operator's ability to access resources on a local network. This control is implemented to prevent unauthorized access to sensitive data by limiting the number of people who have access to it. This control does not increase the risk of collusion.

Management monitoring of audit logs (C) is a security control that involves monitoring the logs generated by computer systems to detect security events. This control is implemented to identify suspicious activities, such as attempts to access unauthorized data. This control does not increase the risk of collusion.

Enforcing regular password changes (D) is a security control that involves requiring users to change their passwords at regular intervals. This control is implemented to prevent unauthorized access to sensitive data by making it more difficult for attackers to guess passwords. This control does not increase the risk of collusion.

In conclusion, the security control that might force an operator into collusion with personnel assigned organizationally within a different function in order to gain access to unauthorized data is job rotation of operations personnel (B).