Tuesday, November 18, 2014
Chapter 11: Security Operations - Administrative Management Continued
Along with separation of duties, there are a few other important administrative controls that are a good idea to implement within a company.

The first is job rotation: no single person should be the only one who knows how to perform the key duties of a particular role. If only one person in your organization knows how to perform a key duty, and that person decides to leave the company or is unable to work, the company could be in a world of hurt. Rotating people through a role also makes it easier to spot activities that are either criminal or go against company policy, because the person taking over gets to see what the previous person was doing.

A second important administrative control is least privilege. This means that an employee should only have access to the resources they need to do their job and nothing more. For example, it wouldn't make sense for an analyst who only needs to read data to be able to go into the database and alter data or tables. That is the responsibility of your database administrators.

A third important administrative control is mandatory vacations, meaning that employees are required to take vacation time after working continuously for a certain period. This is another key way to spot fraudulent activities and is also a natural way to exercise job rotation: while the employee is on vacation, another employee is brought in to fulfill the vacationing employee's duties, and anything the regular employee was covering up has a chance to surface. If an employee does not want to take vacation (who doesn't want to take vacation time, right?), it can be a red flag that they are doing something they know they are not supposed to.
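To make the least-privilege point concrete, here is an added example (my own, not part of the original post) of how the analyst-versus-DBA split described above looks when enforced in a PostgreSQL database. The schema name `reporting`, the table `reporting.sales`, the roles `analyst` and `dba_team`, and the logins `alice` and `bob` are all hypothetical names chosen for the illustration.

```sql
-- Added example, not from the original post. All schema, table, role and
-- login names below are hypothetical.

-- Weak setting (commented out): one shared login with full rights that
-- analysts and DBAs both use. Every analyst can alter data and tables.
-- CREATE ROLE app_user LOGIN PASSWORD 'shared-secret';
-- GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA reporting TO app_user;

-- Corrected setting: one role per job, each holding only what that job needs.
CREATE ROLE analyst  NOLOGIN;
CREATE ROLE dba_team NOLOGIN;

-- Nobody gets access to the schema by default; access is granted per role.
REVOKE ALL ON SCHEMA reporting FROM PUBLIC;

-- Analysts may look at reporting tables and nothing more.
GRANT USAGE ON SCHEMA reporting TO analyst;
GRANT SELECT ON ALL TABLES IN SCHEMA reporting TO analyst;
-- Tables created later in this schema get the same read-only grant, so the
-- restriction does not silently erode as the schema grows.
ALTER DEFAULT PRIVILEGES IN SCHEMA reporting GRANT SELECT ON TABLES TO analyst;

-- Database administrators may change both data and structure.
GRANT ALL PRIVILEGES ON SCHEMA reporting TO dba_team;
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA reporting TO dba_team;

-- Individual people log in with their own accounts and inherit exactly one
-- job role; rotating someone between jobs is a role membership change, not
-- a new set of hand-crafted grants.
CREATE ROLE alice LOGIN PASSWORD 'change-me' IN ROLE analyst;
CREATE ROLE bob   LOGIN PASSWORD 'change-me' IN ROLE dba_team;

-- Check 1: list what the analyst role can actually do. Any privilege_type
-- other than SELECT in this result is a least-privilege finding.
SELECT grantee, table_schema, table_name, privilege_type
FROM   information_schema.role_table_grants
WHERE  grantee = 'analyst'
ORDER  BY table_name, privilege_type;

-- Check 2: act as the analyst login and try to change data. The UPDATE must
-- be rejected by the server; the grants are wrong if it succeeds.
SET ROLE alice;
UPDATE reporting.sales SET amount = 0;
RESET ROLE;
```

Run this as a superuser or as the owner of the `reporting` schema. The first check is the kind of query an auditor or a periodic access review would run; the second is the practical test of the control, and in a correctly configured database it fails with a permission-denied error for `alice` while the same statement succeeds for `bob`.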