
Exam SY0-501 topic 1 question 180 discussion

Actual exam question from CompTIA's SY0-501
Question #: 180
Topic #: 1

A bank requires tellers to get manager approval when a customer wants to open a new account. A recent audit shows that there have been four cases in the previous year where tellers opened accounts without management approval. The bank president thought separation of duties would prevent this from happening.
In order to implement a true separation of duties approach the bank could:

  • A. Require the use of two different passwords held by two different individuals to open an account
  • B. Administer account creation on a role based access control approach
  • C. Require all new accounts to be handled by someone else other than a teller since they have different duties
  • D. Administer account creation on a rule based access control approach
Suggested Answer: C

Comments

Duranio
Highly Voted 5 years ago
"Separation of duties" doesn't mean that different persons should be assigned to different jobs; conversely, it means that AT LEAST TWO (or more) persons are (both) necessary to complete ONE particular job; CompTIA's definition of "Separation of duties" is the following: "it's a security principle that prevents any SINGLE person or entity from controlling ALL the functions of A CRITICAL or sensitive process"; so in order to implement separation of duties for this sensitive process (creation of a new account) at least TWO persons MUST be involved: a teller AND a manager; but none of the two can carry out the entire process alone. The answer C instead suggests that "someone else than a teller" takes care of opening new accounts because tellers "have different duties" (different from opening new accounts; that means they are not involved at all in the process of new accounts creation); this is NOT separation of duties. Better A: two different persons (both) needed to complete the job.
upvoted 11 times
vaxakaw829
4 years, 11 months ago
Great explanation! Definitely true.
upvoted 1 times
Mcvegh
4 years, 2 months ago
You are describing two-person control, wherein two people are necessary to complete one job. Separation of duties requires that a single person not have the ability to perform two separate actions which, when combined, might pose a business risk. The oft-used example in the study literature is the responsibility for approving write-offs and the responsibility for inputting cash claims. The relevant control is to separate those duties, not to make both persons jointly responsible for both tasks.
upvoted 2 times
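The disagreement in the thread above (two-person control versus separation of duties) comes down to what a control actually checks. The following is an added illustration, not code from the exam, CompTIA or any commenter; the roles, user names and ledger records are constructed. It encodes both checks so the difference is visible: two-person control accepts any two distinct people (two tellers pass), while a separation-of-duties check binds initiation to the teller role and approval to a different person in the manager role. An `audit` function re-runs the same check over past records, which is how the "four cases" in the question would be found.

```python
"""Separation of duties (SoD) vs. two-person control for opening a bank account.
Added illustration; roles, names and records below are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    TELLER = "teller"
    MANAGER = "manager"


@dataclass(frozen=True)
class User:
    name: str
    role: Role


@dataclass(frozen=True)
class AccountRequest:
    customer: str
    initiator: User                   # who keyed in the new account
    approver: Optional[User] = None   # who signed off on it, if anyone


class SoDViolation(Exception):
    """Raised when a request does not satisfy separation of duties."""


def two_person_control(req: AccountRequest) -> bool:
    """Two-person control only asks that two *distinct* people took part.
    Two tellers acting together satisfy it, so the manager is never consulted."""
    return req.approver is not None and req.approver != req.initiator


def check_separation_of_duties(req: AccountRequest) -> None:
    """SoD binds each step of the critical process to a different role:
    a teller initiates, a manager approves, and nobody performs both steps.
    Raises SoDViolation with the reason; returns None when the request is clean."""
    if req.initiator.role is not Role.TELLER:
        raise SoDViolation(f"{req.initiator.name} ({req.initiator.role.value}) may not initiate")
    if req.approver is None:
        raise SoDViolation("no manager approval recorded")
    if req.approver == req.initiator:
        raise SoDViolation(f"{req.initiator.name} approved their own request")
    if req.approver.role is not Role.MANAGER:
        raise SoDViolation(
            f"approver {req.approver.name} is a {req.approver.role.value}, not a manager")


def open_account(req: AccountRequest, ledger: list) -> bool:
    """Preventive control: the account reaches the ledger only if SoD holds."""
    try:
        check_separation_of_duties(req)
    except SoDViolation:
        return False
    ledger.append(req)
    return True


def audit(ledger: list) -> list:
    """Detective control: re-run the SoD check over recorded openings and
    return (customer, reason) for every record that fails it."""
    findings = []
    for rec in ledger:
        try:
            check_separation_of_duties(rec)
        except SoDViolation as exc:
            findings.append((rec.customer, str(exc)))
    return findings


# Constructed sample users and requests.
alice = User("alice", Role.TELLER)
bob = User("bob", Role.TELLER)
carol = User("carol", Role.MANAGER)

REQ_OK = AccountRequest("cust-1", initiator=alice, approver=carol)
REQ_TWO_TELLERS = AccountRequest("cust-2", initiator=alice, approver=bob)
REQ_NO_APPROVAL = AccountRequest("cust-3", initiator=bob)

# A ledger as an auditor might find it: one clean opening, two that slipped through.
HISTORIC_LEDGER = [REQ_OK, REQ_TWO_TELLERS, REQ_NO_APPROVAL]

if __name__ == "__main__":
    ledger = []
    print("manager approval, SoD:", open_account(REQ_OK, ledger))          # True
    print("two tellers, two-person:", two_person_control(REQ_TWO_TELLERS))  # True
    print("two tellers, SoD:", open_account(REQ_TWO_TELLERS, ledger))       # False
    print("audit findings:", audit(HISTORIC_LEDGER))
```

The point the thread circles around is visible in the second and third lines of output: a control worded as "two different people with two different passwords" (option A) passes the two-teller request, while a check that names the roles rejects it. The audit pass is the same predicate applied after the fact, which is why a paper policy without an enforcement point shows up only in the audit and not at the time of the transaction.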
MelvinJohn
Highly Voted 5 years, 6 months ago
The question states "The bank president thought separation of duties would prevent this from happening." Role based and Rule based won't work since they only limit access to resources and functions based on the role of an individual or a rule that permits/denies access to an individual or group. We need to ensure that the manager is consulted for approval before an account is created. That leaves A or C, but C wouldn't necessarily require manager approval. Option A, two different passwords by two different individuals to gain access to the account creation facility could work. As part of my administrator duties I would pre-configure accounts for groups of students, then activate them on class start date. So the tellers could pre-configure the accounts and the manager could activate them. It's a lot of supposition here. But A might be the best answer.
upvoted 6 times
ekafasti
Most Recent 3 years ago
Best answer is B (role based access control). A (require the use of two different passwords held by two different individuals to open an account) seems good until you realize that it doesn't specify which individuals need to hold the passwords. The way "A" is currently worded allows for 2 employees in the same role to authorize the account. On the other hand, B (role based access control) takes the roles (teller and manager) into consideration.
upvoted 2 times
ekafasti
3 years ago
Here's some justification for RBAC being an appropriate answer: https://www.lepide.com/blog/what-is-role-based-access-control/#:~:text=Role%2DBased%20Access%20Control%20and,in%20order%20to%20be%20executed "Separation of Duties (SoD) is a well-known security principal that is designed to prevent conflicts of interest, fraud, and errors. The idea is that certain critical changes require the approval of more than one user, in order to be executed. The process is similar to requiring two signatures on a cheque. SoD was typically used for financial accounting systems, however, since Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA) came into effect, it has become more widely used in IT security. RBAC can help to facilitate SoD by ensuring that a single user cannot approve their own changes – assuming they are of a critical nature."
upvoted 2 times
lara7123
3 years, 10 months ago
B is identical to D!?!?!
upvoted 1 times
MichaelLangdon
4 years, 7 months ago
In GCGA it’s A
upvoted 1 times
exiledwl
4 years, 7 months ago
What's GCGA?
upvoted 1 times
Texrax
4 years, 1 month ago
It's one of the recommended Sec+ prep books. https://blogs.getcertifiedgetahead.com/personnel-management-policies/
upvoted 1 times
CSSJ
4 years, 9 months ago
C is the best answer. Separation of duties is not two different persons only. It's specifically two persons and different roles. A teller and manager. A is not because it implies two persons of the same role (two different tellers). C because it's initiated by Teller and approved by Manager.
upvoted 1 times
Hanzero
4 years, 10 months ago
Guys I think C is correct. Although I initially ruled it out like most of you, for A it requires two different individuals, who can be two tellers. So I'll just go with C but the question is just confusing. COMPTIA really needs some better test makers. Absurd.
upvoted 1 times
vaxakaw829
4 years, 11 months ago
In the separation of duties concept, a single individual should not perform all critical or privileged-level duties. These types of important duties must be separated or divided among several individuals. Separation of duties ensures that no single individual can perform sufficiently critical or privileged actions that could seriously damage a system, operation, or the organization. These critical or privileged actions can be split among two or more people, requiring some level of checks and balances. Security auditors responsible for reviewing security logs, for example, should not necessarily have administrative rights over systems. Likewise, a security administrator should not have the capability to review or alter logs, because he or she could perform unauthorized actions and then delete any trace of them from the logs. Two separate individuals are required to perform such activities to ensure verifiability and traceability. Mike Meyer’s CompTIA Security+ p. 48
upvoted 1 times
Kudojikuto
5 years ago
I think answer is D: The teller will be able to create a new account only if the Manager approves this, so only if this RULE will apply. Not A: the two different persons could be tellers, so the Manager's approval is not mandatory. Not B: This is currently in place and is not effective. Not C: this will not mean that the new person will not be able to create a new account without the Manager's approval.
upvoted 2 times
MagicianRecon
5 years ago
C is the true way to separate duties. A is doing the same thing twice. With C, the teller handles existing accounts and another person, maybe the manager itself, handles new accounts.
upvoted 2 times
kdce
5 years, 1 month ago
C, should be specific - different employees/duties (i.e. a Teller/Manager), but Not Teller/Janitor or CO-OP.
upvoted 2 times
Swagdadp215
5 years, 1 month ago
Can't be A. Even though this seems like Separation of Duties, what if two different tellers (fulfilling the two different person requirement) input their passwords to open an account, bypassing the manager? A is meant to trick us
upvoted 3 times
Riise
5 years, 1 month ago
A mentions that two different people can create a new account and that could be two different tellers, so there is no separation of duties anymore. C clearly says that a role other than a teller should do it, so separation of duties is implied.
upvoted 1 times
SINGINGWITHME
5 years, 2 months ago
I guess they are saying that since getting a manager to come over and approve the opening of an account isn't working, in what way can they truly implement separation of duties since the first way didn't work? So C would be the best answer, since the teller and whoever opens the account will have two different jobs; the teller won't even have access.
upvoted 2 times
bewdydubbs
5 years, 5 months ago
It's A. In this case, the separation of duties policy dictates that the teller has the duty of initiating account creation while the manager has the duty of approving the account. The issue isn't that the duties aren't specified in policy - it's the implementation. You can say "managers are to approve account creation," but without controls in place (like 2 different passwords for each) then nothing is actually enforcing the separation of duties. Transferring from tellers to someone else doesn't enforce the policy. If they moved their duty to some other position, they could simply create the accounts without approval and the problem persists. Separation of duties is already good in the policy, but the technical controls that enforce the separation are what's lacking.
upvoted 4 times
choboanon
4 years, 11 months ago
That isn't separation of duties though. That does achieve the goal of not wanting new accounts opened without the manager knowing. But you're not separating duties, you're just getting more people involved.
upvoted 1 times
Faiz
5 years, 5 months ago
Separation of Duties
upvoted 1 times
Gerarigneel
5 years, 6 months ago
Go to a teller and ask them to open a new account, they'll send you to someone else because they have different things to do. I actually agree with this cause it is separation of duties.
upvoted 3 times
helloyves
5 years, 4 months ago
But the question says that someone opens the account but needs the manager approval. This makes A the best answer
upvoted 3 times
choboanon
4 years, 11 months ago
Couldn't that person 'someone other than the teller' be the manager?
upvoted 1 times
hardworker33
4 years, 10 months ago
I don't think it is answer A because that just asks for two different passwords. Two tellers could work together to open an account. Answer C, on the other hand, says someone other than a teller. I guess the question could be a little clearer, but in that case a teller can't open an account for sure.
upvoted 3 times
who__cares123456789___
4 years, 6 months ago
No it doesn't!! It means they have a paper policy of getting manager approval, which they have ignored 4 times...this measure will stop them from opening accounts, Separating them from that duty!
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)
Other