๐Ÿ  Back to Exam Syllabus ๐Ÿ“บ RooCloud on YouTube ๐ŸŒ RooCloud Practice Exams

CISSP 16.1 - Apply Foundational Security Operations Concepts (Part 2 of 2)

This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the foundations of Domain 7, moving from broad principles into the specific personnel controls that enforce them. It covers the human controls that catch fraud and lock down power, from two-person control and split knowledge through privileged account management, just-in-time access, and service-level agreements with vendors.

What this episode covers

Watch the full episode above for the worked examples and detailed explanations of each concept.

Frequently Asked Questions

What is two-person control?

Two-person control requires two people to approve or complete a critical task, so neither can act alone. This forces peer review and blocks a lone insider. Think of a safe deposit box where the customer holds one key and the bank holds another, and the box opens only when both keys turn together. In the digital world, some privileged tools split an emergency password in half so two administrators must each type their piece.

What is split knowledge, and how is it different?

Split knowledge blends separation of duties with two-person control into one design. The information or privilege needed to do something is divided among two or more people, so no single person holds enough to compromise the environment on their own. Picture a launch code printed on two cards, each locked in a different officerโ€™s safe: only when both halves come together does the full code exist.

How do job rotation and mandatory vacations expose fraud?

Both work by putting fresh eyes on someoneโ€™s tasks. Job rotation moves employees through different roles over time, so whoever takes over is likely to stumble onto a scheme, and it adds the bonus of cross-training. Mandatory vacations force a person out for a week or two while a colleague covers their duties, often just long enough for hidden irregularities to surface. Both act as a deterrent and a detection tool.

How does just-in-time access defeat stolen credentials?

Just-in-time access makes elevated privilege temporary instead of permanent. Rather than standing admin rights, a user requests elevation only when they need it, and the system grants a time-limited pass that then expires. A stolen pass is almost worthless because it goes stale within minutes, like a hotel key card that self-destructs after checkout. Short-lived access shrinks the window an attacker can exploit.

What is a service-level agreement?

A service-level agreement is a formal contract between your organization and an outside vendor. It spells out the performance you expect and often carries penalties if the vendor falls short, such as promising a specific level of uptime for cloud servers. A lighter cousin, the memorandum of understanding, records a shared intention to work together but stays informal and carries no financial penalties.

๐Ÿ“š Master the ISC2 CISSP Exam!

Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.


Reference: This article is based on concepts discussed in CISSP 16.1 - Apply Foundational Security Operations Concepts (Part 2 of 2).