According to the CISSP For Dummies3, the concept that restricts the ability of an individual to carry out all the steps of a particular process is separation of duties. Separation of duties is a security principle that divides the tasks and responsibilities of a process among different individuals or roles, so that no one person or role has complete control or authority over the process. Separation of duties helps to prevent or detect fraud, errors, abuse, or collusion, by requiring multiple approvals, checks, or verifications for each step of the process. Separation of duties also helps to enforce the principle of least privilege, which states that users and processes should only have the minimum access required to perform their tasks, and no more. Job rotation is not the concept that restricts the ability of an individual to carry out all the steps of a particular process, although it may be a technique that supports separation of duties. Job rotation is a security practice that requires the individuals or roles to periodically switch or rotate their tasks and responsibilities, so that no one person or role performs the same task or responsibility for a long period of time. Job rotation helps to prevent or detect fraud, errors, abuse, or collusion, by exposing the activities and performance of each individual or role to different perspectives and evaluations. Job rotation also helps to reduce the risk of insider threats, by limiting the opportunity and familiarity of each individual or role with the tasks and responsibilities. Least privilege is not the concept that restricts the ability of an individual to carry out all the steps of a particular process, although it may be a principle that supports separation of duties. Least privilege is a security principle that states that users and processes should only have the minimum access required to perform their tasks, and no more. Least privilege helps to prevent or limit unauthorized or malicious actions, as well as the impact of potential incidents, by reducing the access rights and permissions of each user and process. Mandatory vacations is not the concept that restricts the ability of an individual to carry out all the steps of a particular process, although it may be a technique that supports separation of duties. Mandatory vacations is a security practice that requires the individuals or roles to take a mandatory leave of absence from their tasks and responsibilities for a certain period of time, so that no one person or role performs the same task or responsibility continuously. Mandatory vacations helps to prevent or detect fraud, errors, abuse, or collusion, by allowing the activities and performance of each individual or role to be reviewed and audited by others during their absence. Mandatory vacations also helps to reduce the risk of insider threats, by disrupting the routine and plans of each individual or role with the tasks and responsibilities. References: 3
