CAS-002 Question #338: Real Exam Question with Answer & Explanation
The correct answer is C: Separation of duties.
Question
A software project manager has been provided with a requirement from the customer to place limits on the types of transactions a given user can initiate without external interaction from another user with elevated privileges. This requirement is BEST described as an implementation of:
Options
- A. An administrative control
- B. Dual control
- C. Separation of duties
- D. Least privilege
- E. Collusion
Explanation
Requiring a second user with elevated privileges to authorize certain transactions is the definition of separation of duties, which divides critical functions among multiple users to prevent fraud or error.
Common mistakes.
- A. An administrative control refers to policies, procedures, and guidelines rather than a technical enforcement mechanism that limits transaction types per user role.
- B. Dual control requires two authorized users to act simultaneously and together, such as two keys to open a safe, rather than a tiered privilege approval workflow involving different roles.
- D. Least privilege restricts a user to the minimum access needed for their role but does not inherently require a second user's involvement to authorize or complete a transaction.
- E. Collusion describes two or more users cooperating to circumvent controls and is a threat model, not a security control or implementation approach.
Concept tested. Separation of duties for privileged transaction approval
Reference. https://csrc.nist.gov/glossary/term/separation_of_duties