CISSP · Question #962
An organization is attempting to strengthen the configuration of its enterprise resource planning (ERP) software in order to enforce sufficient segregation of duties (SoD). Which of the following appr
The correct answer is D. Review of employee responsibilities and ERP access profiles to differentiate mission activities. Segregation of Duties (SoD) requires that conflicting responsibilities be divided among different individuals to prevent fraud and errors. The best approach is to align access rights with distinct job roles after reviewing both responsibilities and ERP profiles.
Question
An organization is attempting to strengthen the configuration of its enterprise resource planning (ERP) software in order to enforce sufficient segregation of duties (SoD). Which of the following approaches would BEST improve SoD effectiveness?
Options
- AImplementation of frequent audits of access and activity in the ERP by a separate team with no
- BImplementation of strengthened authentication measures including mandatory second-factor
- CReview of ERP access profiles to enforce the least-privilege principle based on existing employee
- DReview of employee responsibilities and ERP access profiles to differentiate mission activities
How the community answered
(46 responses)- A9% (4)
- B2% (1)
- C4% (2)
- D85% (39)
Why each option
Segregation of Duties (SoD) requires that conflicting responsibilities be divided among different individuals to prevent fraud and errors. The best approach is to align access rights with distinct job roles after reviewing both responsibilities and ERP profiles.
Frequent audits detect SoD violations after the fact but do not proactively prevent conflicting access from being assigned, making this a detective control rather than a preventive one that directly enforces SoD.
Strengthened authentication (e.g., MFA) verifies identity but does not address whether a single authenticated user holds conflicting privileges across ERP functions, which is the core concern of SoD.
Applying least-privilege based only on existing employee roles reduces excessive access but does not evaluate whether current role assignments create SoD conflicts, as employees may legitimately hold roles that are nonetheless incompatible from an SoD perspective.
SoD is fundamentally about ensuring that no single individual can perform incompatible or conflicting functions end-to-end, such as initiating and approving transactions. Reviewing employee responsibilities alongside ERP access profiles allows an organization to identify and remediate role conflicts by differentiating mission activities across separate users or roles. This dual-lens approach-examining both what employees do and what the system allows them to do-is the definitive method for enforcing true SoD within an ERP.
Concept tested: Enforcing segregation of duties in ERP access control
Source: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/segregation-of-duties-in-erp-systems
Topics
Community Discussion
No community discussion yet for this question.