nerdexam
(ISC)2

CISSP · Question #962

An organization is attempting to strengthen the configuration of its enterprise resource planning (ERP) software in order to enforce sufficient segregation of duties (SoD). Which of the following appr

The correct answer is D. Review of employee responsibilities and ERP access profiles to differentiate mission activities. Segregation of Duties (SoD) requires that conflicting responsibilities be divided among different individuals to prevent fraud and errors. The best approach is to align access rights with distinct job roles after reviewing both responsibilities and ERP profiles.

Submitted by ricky.ec· Mar 5, 2026Identity and Access Management

Question

An organization is attempting to strengthen the configuration of its enterprise resource planning (ERP) software in order to enforce sufficient segregation of duties (SoD). Which of the following approaches would BEST improve SoD effectiveness?

Options

  • AImplementation of frequent audits of access and activity in the ERP by a separate team with no
  • BImplementation of strengthened authentication measures including mandatory second-factor
  • CReview of ERP access profiles to enforce the least-privilege principle based on existing employee
  • DReview of employee responsibilities and ERP access profiles to differentiate mission activities

How the community answered

(46 responses)
  • A
    9% (4)
  • B
    2% (1)
  • C
    4% (2)
  • D
    85% (39)

Why each option

Segregation of Duties (SoD) requires that conflicting responsibilities be divided among different individuals to prevent fraud and errors. The best approach is to align access rights with distinct job roles after reviewing both responsibilities and ERP profiles.

AImplementation of frequent audits of access and activity in the ERP by a separate team with no

Frequent audits detect SoD violations after the fact but do not proactively prevent conflicting access from being assigned, making this a detective control rather than a preventive one that directly enforces SoD.

BImplementation of strengthened authentication measures including mandatory second-factor

Strengthened authentication (e.g., MFA) verifies identity but does not address whether a single authenticated user holds conflicting privileges across ERP functions, which is the core concern of SoD.

CReview of ERP access profiles to enforce the least-privilege principle based on existing employee

Applying least-privilege based only on existing employee roles reduces excessive access but does not evaluate whether current role assignments create SoD conflicts, as employees may legitimately hold roles that are nonetheless incompatible from an SoD perspective.

DReview of employee responsibilities and ERP access profiles to differentiate mission activitiesCorrect

SoD is fundamentally about ensuring that no single individual can perform incompatible or conflicting functions end-to-end, such as initiating and approving transactions. Reviewing employee responsibilities alongside ERP access profiles allows an organization to identify and remediate role conflicts by differentiating mission activities across separate users or roles. This dual-lens approach-examining both what employees do and what the system allows them to do-is the definitive method for enforcing true SoD within an ERP.

Concept tested: Enforcing segregation of duties in ERP access control

Source: https://www.isaca.org/resources/isaca-journal/issues/2016/volume-3/segregation-of-duties-in-erp-systems

Topics

#Segregation of Duties (SoD)#ERP security#Access control#Role-based access control

Community Discussion

No community discussion yet for this question.

Full CISSP Practice