CompTIA Security+ Question L-61

Which of the following can result in significant administrative overhead from incorrect reporting?

A. Job rotation
B. Acceptable usage policies
C. False positives
D. Mandatory vacations

Answer: C

Explanation:
A false positive is an event that a monitoring or detection system flags as malicious or anomalous when it is actually benign. Each such alert still has to be triaged, investigated and dismissed, so a high false-positive rate creates significant administrative overhead: staff spend their time on incorrect reports instead of on genuine incidents.

CompTIA Security+ Question L-23

Everyone in the accounting department has the ability to print and sign checks. Internal audit has asked that only one group of employees may print checks while only two other employees may sign the checks. Which of the following concepts would enforce this process?

A. Separation of Duties
B. Mandatory Vacations
C. Discretionary Access Control
D. Job Rotation

Answer: A

Explanation:
Separation of duties splits a sensitive process into steps that no single person may complete alone, so that fraud would require collusion. Here printing checks and signing checks are assigned to different people: one group may only print, and two other employees may only sign. Granting users only the permissions they need to do their work is least privilege, a related but different control, and it would not by itself stop one person from doing both steps.

CompTIA Security+ Question L-19

Privilege creep among long-term employees can be mitigated by which of the following procedures?

A. User permission reviews
B. Mandatory vacations
C. Separation of duties
D. Job function rotation

Answer: A

Explanation:
Privilege creep is the gradual accumulation of access rights beyond what a user requires to perform his or her current job, typically because permissions granted for earlier roles or one-off tasks are never revoked. It is mitigated by conducting periodic user permission reviews, which confirm each user's need for specific roles and rights and rescind any excess privileges that are found.
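The review described above can be automated against an entitlement export. The following is an added illustration for question L-19, not part of the exam material: the role baseline, the entitlement records and the names ROLE_BASELINE, ENTITLEMENTS, review_entitlements, revocation_list and creep_ratio are constructed assumptions. It compares every permission a user holds against what the user's current role justifies and produces a revocation list for the access administrator.

```python
"""Periodic user permission review to find and revoke privilege creep.

Added illustration for question L-19; not part of the exam material. The
role baseline, the entitlement export and the names ROLE_BASELINE,
ENTITLEMENTS, review_entitlements, revocation_list and creep_ratio are
constructed assumptions.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed baseline: the permissions each job role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "accounts_payable": {"erp.invoice.read", "erp.invoice.create"},
    "payroll": {"hr.payroll.read", "hr.payroll.run"},
    "helpdesk": {"ad.password.reset", "ticket.read"},
}

# Constructed entitlement export, as an IAM system might dump it:
# (user, current role, permission held, role under which it was granted,
#  or None for an ad-hoc grant outside any role).
ENTITLEMENTS: List[Tuple[str, str, str, Optional[str]]] = [
    ("eve", "payroll", "hr.payroll.read", "payroll"),
    ("eve", "payroll", "hr.payroll.run", "payroll"),
    ("eve", "payroll", "erp.invoice.create", "accounts_payable"),  # kept from a previous role
    ("eve", "payroll", "ad.password.reset", "helpdesk"),           # kept from an earlier role
    ("frank", "helpdesk", "ad.password.reset", "helpdesk"),
    ("frank", "helpdesk", "ticket.read", "helpdesk"),
    ("frank", "helpdesk", "erp.invoice.read", None),               # one-off grant never removed
    ("grace", "accounts_payable", "erp.invoice.read", "accounts_payable"),
]


def review_entitlements(entitlements, baseline):
    """Return, per user, every held permission the user's current role does not justify."""
    findings = defaultdict(list)
    for user, role, perm, origin in entitlements:
        # Anything outside the current role's baseline is excess, whatever its origin.
        if perm not in baseline.get(role, set()):
            findings[user].append({
                "permission": perm,
                "current_role": role,
                "granted_via": origin or "ad-hoc",
            })
    return dict(findings)


def revocation_list(entitlements, baseline):
    """Flatten the findings into sorted (user, permission) pairs to rescind."""
    return sorted((user, f["permission"])
                  for user, fs in review_entitlements(entitlements, baseline).items()
                  for f in fs)


def creep_ratio(entitlements, baseline):
    """Fraction of all held permissions that are excess; a coarse measure of creep."""
    total = len(entitlements)
    excess = len(revocation_list(entitlements, baseline))
    return excess / total if total else 0.0


if __name__ == "__main__":
    for user, perm in revocation_list(ENTITLEMENTS, ROLE_BASELINE):
        print(f"revoke {perm} from {user}")
```

Eve's two leftover permissions from earlier roles and Frank's ad-hoc grant are the findings; Grace, whose permissions match her role, produces none. Recording the role under which each permission was granted is what lets a reviewer tell a stale role assignment from a one-off grant and trace both back to whoever approved them.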

CompTIA Security+ Question J-53

In order to prevent and detect fraud, which of the following should be implemented?

A. Job rotation
B. Risk analysis
C. Incident management
D. Employee evaluations

Answer: A

Explanation:
A job rotation policy defines intervals at which employees must move through different positions. Similar in purpose to mandatory vacations, it ensures that the company does not become too dependent on one person, and it gives another person the opportunity to work in the same job, which can expose fraud committed by the previous incumbent. Knowing that a successor will soon review their work also deters employees from committing fraud in the first place, so rotation serves both to prevent and to detect it.

CompTIA Security+ Question J-41

A company that has a mandatory vacation policy has implemented which of the following controls?

A. Risk control
B. Privacy control
C. Technical control
D. Physical control

Answer: A

Explanation:
Risk mitigation is any step taken to reduce a risk. A mandatory vacation policy is an administrative measure adopted to mitigate risk (for instance, the risk of fraud that depends on an employee's continuous presence to stay hidden), so it is classified as a risk control rather than a technical, physical or privacy control.

CompTIA Security+ Question J-14

Two members of the finance department have access to sensitive information. The company is concerned they may work together to steal information. Which of the following controls could be implemented to discover if they are working together?

A. Least privilege access
B. Separation of duties
C. Mandatory access control
D. Mandatory vacations

Answer: D

Explanation:
A mandatory vacation policy requires all users to take time away from work. Besides giving the employee a chance to refresh, it lets the company confirm that others can fill any gaps in skills, providing a form of replication or duplication at every level, and it creates an opportunity to discover fraud. In this case, when one of the two employees is away and someone else covers the role, the remaining colluder must act alone or the replacement sees the irregularities the pair had been concealing between them; that is how the company discovers that they are working together.

CompTIA Security+ Question J-8

Which of the following types of risk reducing policies also has the added indirect benefit of cross training employees when implemented?

A. Least privilege
B. Job rotation
C. Mandatory vacations
D. Separation of duties

Answer: B

Explanation:
A job rotation policy defines intervals at which employees must move through different positions. Similar in purpose to mandatory vacations, it ensures that the company does not become too dependent on one person and gives another person the opportunity to work in the same job. Because each employee learns several roles along the way, rotation also cross-trains staff, which is the indirect benefit the question asks about.

CompTIA Security+ Question H-77

Ann works at a small company and she is concerned that there is no oversight in the finance department; specifically, that Peter writes, signs and distributes paycheques, as well as other expenditures. Which of the following controls can she implement to address this concern?

A. Mandatory vacations
B. Time of day restrictions
C. Least privilege
D. Separation of duties

Answer: D

Explanation:
Separation of duties divides administrative or privileged tasks into separate groupings, each of which is assigned to a different person. This helps prevent fraud, reduce errors and avoid conflicts of interest. For example, those who configure security should not be the same people who test security. In this case, Peter should not be allowed both to write and to sign paycheques; writing, signing and distributing should be split between different employees so that no one person controls the whole payment process.
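The control described in questions L-23 and H-77 can be enforced in software rather than left to procedure. The following is an added illustration and is not part of the exam material: the groups PRINTERS and SIGNERS, the class ChequeWorkflow and the sample users are constructed assumptions. The workflow refuses at configuration time to let one person hold both duties, refuses at run time to let the printer of a cheque sign it, and optionally requires two signatures (dual control) before a cheque can be released.

```python
"""Enforcing separation of duties for cheque issuance.

Added illustration for questions L-23 and H-77; not part of the exam
material. The groups PRINTERS and SIGNERS, the class ChequeWorkflow and the
sample users are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


class SeparationOfDutiesError(PermissionError):
    """Raised when one person would perform two duties that must be split."""


@dataclass
class Cheque:
    cheque_id: str
    amount: int
    printed_by: str
    signed_by: List[str] = field(default_factory=list)


class ChequeWorkflow:
    """Print and sign steps are held by disjoint groups; nobody may do both."""

    def __init__(self, printers: Set[str], signers: Set[str], required_signatures: int = 1):
        overlap = printers & signers
        if overlap:
            # A Peter-style concentration of duties is rejected before any cheque exists.
            raise SeparationOfDutiesError(
                f"users hold both print and sign roles: {sorted(overlap)}")
        self.printers = set(printers)
        self.signers = set(signers)
        self.required_signatures = required_signatures
        self.cheques: Dict[str, Cheque] = {}

    def print_cheque(self, user: str, cheque_id: str, amount: int) -> Cheque:
        if user not in self.printers:
            raise SeparationOfDutiesError(f"{user} is not authorised to print cheques")
        cheque = Cheque(cheque_id, amount, printed_by=user)
        self.cheques[cheque_id] = cheque
        return cheque

    def sign_cheque(self, user: str, cheque_id: str) -> Cheque:
        cheque = self.cheques[cheque_id]
        if user not in self.signers:
            raise SeparationOfDutiesError(f"{user} is not authorised to sign cheques")
        if user == cheque.printed_by:
            # Defence in depth: unreachable while the groups are disjoint, but it
            # still holds if someone later misconfigures the groups.
            raise SeparationOfDutiesError(f"{user} printed {cheque_id} and may not sign it")
        if user in cheque.signed_by:
            raise SeparationOfDutiesError(f"{user} has already signed {cheque_id}")
        cheque.signed_by.append(user)
        return cheque

    def is_issuable(self, cheque_id: str) -> bool:
        """A cheque may be released only once the required distinct signatures are present."""
        return len(self.cheques[cheque_id].signed_by) >= self.required_signatures


# Constructed role assignments: one group prints, two named employees sign.
PRINTERS = {"alice", "bob"}
SIGNERS = {"carol", "dave"}

if __name__ == "__main__":
    wf = ChequeWorkflow(PRINTERS, SIGNERS, required_signatures=2)
    wf.print_cheque("alice", "CHK-1001", 2500)
    wf.sign_cheque("carol", "CHK-1001")
    print(wf.is_issuable("CHK-1001"))   # False: dual control needs a second signer
    wf.sign_cheque("dave", "CHK-1001")
    print(wf.is_issuable("CHK-1001"))   # True
```

The check at construction time is the important one: a separation-of-duties policy is only as good as the role assignments behind it, so the system should refuse to start with overlapping groups rather than rely on catching the conflict when a cheque is signed.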

CompTIA Security+ Question H-8

A security administrator notices that a specific network administrator is making unauthorized changes to the firewall every Saturday morning. Which of the following would be used to mitigate this issue so that only security administrators can make changes to the firewall?

A. Mandatory vacations
B. Job rotation
C. Least privilege
D. Time of day restrictions

Answer: C

Explanation:
The principle of least privilege gives users only the permissions they need to do their work and no more. Applying it here means granting the right to change the firewall only to the security administrators and removing it from the network administrator, so the unauthorized Saturday changes become impossible rather than merely inconvenient. Time-of-day restrictions would only limit when the network administrator could make changes, not whether he could make them at all.

CompTIA Security+ Question G-60

Mandatory vacations are a security control which can be used to uncover which of the following?

A. Fraud committed by a system administrator
B. Poor password security among users
C. The need for additional security staff
D. Software vulnerabilities in vendor code

Answer: A

Explanation:
Mandatory vacations provide an opportunity to discover fraud, in addition to their more obvious benefits: employees get a chance to refresh, and the company confirms that others can fill those positions, making it less dependent on any one person; a sort of replication and duplication at all levels. Fraud committed by a system administrator often depends on the administrator being continuously present to conceal it, so a forced absence during which someone else holds the role is exactly the situation in which it comes to light.