CISM Certified Information Security Manager – Question 1132

The "separation of duties" principle is violated if which of the following individuals has update rights to the database access control list (ACL)?

A. Data owner
B. Data custodian
C. Systems programmer
D. Security administrator

Correct Answer: C

Explanation:

A systems programmer should not have privileges to modify the access control list (ACL) because this would give the programmer unlimited control over the system. The data owner would request and approve updates to the ACL, but it is not a violation of the separation of duties principle if the data owner has update rights to the ACL. The data custodian and the security administrator could carry out the updates on the ACL since it is part of their duties as delegated to them by the data owner.