CompTIA Security+ Question F-18

A company is looking to reduce the likelihood of employees in the finance department being involved with money laundering. Which of the following controls would BEST mitigate this risk?

A. Implement privacy policies
B. Enforce mandatory vacations
C. Implement a security policy
D. Enforce time of day restrictions

Answer: B

Explanation:
A mandatory vacation policy requires all users to take time away from work to refresh. And in the same time it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfy the need to have replication or duplication at all levels in addition to affording the company an opportunity to discover fraud for when others do the same job in the absence of the regular staff member then there is transparency.

CompTIA Security+ Question E-32

Which of the following should Peter, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from their company?

A. Privacy Policy
B. Least Privilege
C. Acceptable Use
D. Mandatory Vacations

Answer: D

Explanation:
A mandatory vacation policy requires all users to take time away from work to refresh. But not only does mandatory vacation give the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels as well as an opportunity to discover fraud.

CompTIA Security+ Question D-98

Which of the following, if properly implemented, would prevent users from accessing files that are unrelated to their job duties? (Select TWO).

A. Separation of duties
B. Job rotation
C. Mandatory vacation
D. Time of day restrictions
E. Least privilege

Answer: A,E

Explanation:
Separation of duties means that users are granted only the permissions they need to do their work and no more. More so it means that you are employing best practices. The segregation of duties and separation of environments is a way to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization.

A least privilege policy should be used when assigning permissions. Give users only the permissions that they need to do their work and no more.

CompTIA Security+ Question D-69

While rarely enforced, mandatory vacation policies are effective at uncovering:

A. Help desk technicians with oversight by multiple supervisors and detailed quality control systems.
B. Collusion between two employees who perform the same business function.
C. Acts of incompetence by a systems engineer designing complex architectures as a member of a team.
D. Acts of gross negligence on the part of system administrators with unfettered access to system and no oversight.

Answer: D

Explanation:
Least privilege (privilege reviews) and job rotation is done when mandatory vacations are implemented. Then it will uncover areas where the system administrators neglected to check all users’ privileges since the other users must fill in their positions when they are on their mandatory vacation.

CompTIA Security+ Question D-34

Peter is the accounts payable agent for ABC Company. Peter has been performing accounts payable function for the ABC Company without any supervision. Management has noticed several new accounts without billing invoices that were paid. Which of the following is the BEST management option for review of the new accounts?

A. Mandatory vacation
B. Job rotation
C. Separation of duties
D. Replacement

Answer: A

Explanation:
A mandatory vacation policy requires all users to take time away from work to refresh. Mandatory vacation give the employee a chance to refresh, but it also gives the company a chance to make sure that others can fill in any gaps in skills and satisfies the need to have replication or duplication at all levels. Mandatory vacations also provide an opportunity to discover fraud. In this case mandatory vacations can allow the company to review all the new accounts.

CompTIA Security+ Question D-13

Which of the following should Peter, a security manager, implement to reduce the risk of employees working in collusion to embezzle funds from his company?

A. Privacy Policy
B. Least Privilege
C. Acceptable Use
D. Mandatory Vacations

Answer: D

Explanation:
When one person fills in for another, such as for mandatory vacations, it provides an opportunity to see what the person is doing and potentially uncover any fraud.

CompTIA Security+ Question C-73

Which of the following are examples of detective controls?

A. Biometrics, motion sensors and mantraps.
B. Audit, firewall, anti-virus and biometrics.
C. Motion sensors, intruder alarm and audit.
D. Intruder alarm, mantraps and firewall.

Answer: C

Explanation:
Detective controls are those that operate afterward so as to discover that has happened. Detective controls include security guards, motion detectors, recording and reviewing of events captured by security cameras or CCTV, job rotation, mandatory vacations, audit trails, honeypots or honeynets, IDSs, violation reports, supervision and reviews of users, and incident investigations.

CompTIA Security+ Question C-64

The Chief Technical Officer (CTO) has been informed of a potential fraud committed by a database administrator performing several other job functions within the company. Which of the following is the BEST method to prevent such activities in the future?

A. Job rotation
B. Separation of duties
C. Mandatory Vacations
D. Least Privilege

Answer: B

Explanation:
Separation of duties means that users are granted only the permissions they need to do their work and no more. More so it means that you are employing best practices. The segregation of duties and separation of environments is a way to reduce the likelihood of misuse of systems or information. A separation of duties policy is designed to reduce the risk of fraud and to prevent other losses in an organization.

CompTIA Security+ Question B-55

The Chief Security Officer (CSO) is concerned about misuse of company assets and wishes to determine who may be responsible. Which of the following would be the BEST course of action?

A. Create a single, shared user account for every system that is audited and logged based upon time of use.
B. Implement a single sign-on application on equipment with sensitive data and high-profile shares.
C. Enact a policy that employees must use their vacation time in a staggered schedule.
D. Separate employees into teams led by a person who acts as a single point of contact for observation purposes.

Answer: C

Explanation:
A policy that states employees should use their vacation time in a staggered schedule is a way of employing mandatory vacations. A mandatory vacation policy requires all users to take time away from work while others step in and do the work of that employee on vacation. This will afford the CSO the opportunity to see who is using the company assets responsibly and who is abusing it.

CompTIA Security+ Question B-54

A software developer is responsible for writing the code on an accounting application. Another software developer is responsible for developing code on a system in human resources. Once a year they have to switch roles for several weeks.
Which of the following practices is being implemented?

A. Mandatory vacations
B. Job rotation
C. Least privilege
D. Separation of duties

Answer: B

Explanation:
A job rotation policy defines intervals at which employees must rotate through positions.