
Weekly CISSP Practice


Week 44 - Question 2

Which security principle prevents one individual from controlling all aspects of a process?

A. Least Privilege
B. Separation of Duties
C. Implicit Deny
D. Job Rotation

Answer: B. Separation of Duties
Explanation:

Separation of Duties (SoD) is a fundamental administrative control designed to prevent fraud, error, and conflict of interest. The core philosophy is simple: no single person should have the power to both execute and conceal a transaction. In a CISSP context, SoD is about "splitting" a task into two or more steps that require different individuals to complete. This creates a system of checks and balances where collusion would be required to bypass security.

Real-World Examples of SoD:

  • Finance: The employee who adds a new vendor to the system cannot be the same employee who authorizes payments to that vendor.

  • IT Operations: The developer who writes code for a production environment should not have the administrative rights to move that code into production (this prevents "backdoors" or untested bugs).

  • Physical Security: The person who audits the security logs should not be the same person who manages the physical access badges.
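The splits above can be enforced mechanically. As an added example (not code from the original page), the Python below models the vendor/payment, developer/deployer and hire/salary conflicts as a conflict table, scans a constructed audit trail for a single actor completing both halves of a pair, and offers a preventive check that denies the second action; the action names, actor names and subject ids are assumed.

```python
from dataclasses import dataclass
from collections import defaultdict

# Conflicting action pairs (constructed from the page's examples): no single
# identity may perform both actions on the same process instance.
SOD_CONFLICTS = {
    frozenset({"vendor.create", "payment.authorize"}),   # Finance
    frozenset({"code.commit", "code.deploy_prod"}),      # IT Operations
    frozenset({"hr.hire", "hr.set_salary"}),             # HR
}

@dataclass(frozen=True)
class AuditEvent:
    actor: str    # user id (assumed naming)
    action: str   # dotted action name (assumed naming)
    subject: str  # process instance: vendor id, change ticket, employee id

def find_sod_violations(events):
    """Detective check: return (actor, subject, pair) for every case where one
    actor performed both halves of a conflicting pair on the same subject."""
    performed = defaultdict(set)  # (actor, subject) -> set of actions
    for e in events:
        performed[(e.actor, e.subject)].add(e.action)
    violations = []
    for (actor, subject), actions in performed.items():
        for pair in SOD_CONFLICTS:
            if pair <= actions:
                violations.append((actor, subject, pair))
    return violations

def is_allowed(events, new_event):
    """Preventive check: deny a new action if this actor already did the
    other half of a conflicting pair on the same subject."""
    prior = {e.action for e in events
             if e.actor == new_event.actor and e.subject == new_event.subject}
    for pair in SOD_CONFLICTS:
        if new_event.action in pair and (pair - {new_event.action}) <= prior:
            return False
    return True

# Constructed sample audit trail
SAMPLE_EVENTS = [
    AuditEvent("alice", "vendor.create", "VENDOR-1001"),
    AuditEvent("bob", "payment.authorize", "VENDOR-1001"),    # ok: two people
    AuditEvent("carol", "vendor.create", "VENDOR-1002"),
    AuditEvent("carol", "payment.authorize", "VENDOR-1002"),  # SoD violation
    AuditEvent("dave", "code.commit", "CHG-77"),
]

if __name__ == "__main__":
    for v in find_sod_violations(SAMPLE_EVENTS):
        print("SoD violation:", v)
    print(is_allowed(SAMPLE_EVENTS, AuditEvent("dave", "code.deploy_prod", "CHG-77")))
```

Note that the check keys on the same subject: alice creating VENDOR-1001 and later authorizing a payment to a different vendor is not a conflict under this table, which matches the "two steps of one transaction" framing above.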

Understanding why an answer is wrong is often more important for the CISSP than knowing why one is right.

A. Least Privilege (The "Access" Control)

Least Privilege is often confused with SoD. While SoD splits a process, Least Privilege limits the scope of access.

  • The Difference: Least Privilege says, "You only have access to the HR folder because you work in HR." SoD says, "Even though you work in HR, you can't both hire a person and set their salary."

  • CISSP Rule: Least Privilege = Minimal permissions. SoD = Divided responsibilities.

C. Implicit Deny (The "Default" Control)

Implicit Deny is a technical configuration used in firewalls and Access Control Lists (ACLs).

  • The Logic: If a specific permission isn't "Explicitly Allowed," it is "Implicitly Denied." It is a foundational security stance (Zero Trust), but it doesn't address the human workflow of a business process.

D. Job Rotation (The "Detective" Control)

Job Rotation is a powerful administrative control, but it is primarily detective, not preventive.

  • The Logic: By moving people to different roles, you increase the likelihood that a new person will discover the "creative accounting" or malicious activity of their predecessor. It doesn't stop a person from owning a whole process; it just ensures they won't own it forever.
