SY0-501 Question #325: Real Exam Question with Answer & Explanation
Question
An audit has revealed that database administrators are also responsible for auditing database changes and backup logs. Which of the following access control methodologies would BEST mitigate this concern?
Options
- A. Time of day restrictions
- B. Principle of least privilege
- C. Role-based access control
- D. Separation of duties
Explanation
The correct answer is D: Separation of duties. The audit finding shows that the DBAs hold conflicting responsibilities: they both make database changes and audit those same changes and the backup logs. Having one person perform an action and also review it is a classic internal-control violation, and Separation of Duties is the control that addresses it directly by assigning the auditing and backup-log review to a different role.
Common mistakes.
- A. Time of day restrictions limit when users can access systems but do not address the conflict of interest created when the same person performs and audits the same tasks.
- B. Principle of least privilege ensures users only have the minimum access needed for their role, but it does not inherently prevent a single role from being assigned both operational and oversight responsibilities.
- C. Role-based access control (RBAC) assigns permissions based on job roles, but without enforcing SoD, a single role can still be granted both administrative and auditing privileges, leaving the conflict unresolved.
Concept tested. Separation of duties to prevent self-auditing conflicts
Reference. https://csrc.nist.gov/glossary/term/separation_of_duty