07 Jul Job Rotation and Mandatory Vacations

Job rotation and mandatory vacation policies are two security best practices that help to prevent employee fraud and abuse.  Both of these practices discourage fraud and other abuses because employees know another person will be soon be assuming their duties and the new person would be likely to discover any patterns of bad behavior. Although job rotation and mandatory vacations are often thought of as human resources policies, they must also be considered in their IT security context where they play a significant role in access control.  If you are studying for a security certification exam you will need to understand how the policies are defined and their importance in the security framework. Job Rotation A policy that compels employees to rotate into different jobs, or at least rotate some of their duties, has many benefits for the employee and the organization.  Employees are less likely to become stale or “burned out” in their positions and will become enriched by learning new skills. Also, by cross-training the staff, no business critical skills are limited to a single person and the organization is better able to cope with injury, illness and employee turnover. Routine job rotation is a powerful fraud deterrent and helps prevent other misdeeds such as sabotage and information misuse as well.  It is much harder for a fraudster to cover their tracks if another employee will be stepping into their shoes. The same logic makes job rotation useful in detecting fraud once it has occurred, and even finding innocent mistakes as the next employee transitions into the role with a fresh set of eyes. Of course, no solution is perfect and job rotation can also expose a company to risk.  As an employee learns additional roles in the organization and the procedures associated with those roles, that employee is more likely to discover vulnerabilities to be exploited. Job rotation policies place a responsibility on IT security staff to ensure that the principle of least privilege is maintained.  As employees transition through multiple roles and are assigned new duties, they are likely to be granted additional system privileges.  Left unchecked, they will almost certainly accumulate more privileges than they need to perform their current duties. This accumulation of excess privileges is called privilege creep.  To counter privilege creep it is important to periodically review the privileges and other access rights of rotating employees and remove rights that are no longer needed to do their jobs. Mandatory Vacations Mandatory vacation policies have a fraud deterrent purpose similar to job rotation.  Many companies will have a policy of requiring employees in sensitive positions to take mandatory vacations of five or ten consecutive business days.  These policies are particularly common in the finance industry where complex embezzlement and fraud schemes might require the bad actor to take steps daily to cover up the crimes. As with job rotation, the knowledge that another person will be performing their duties and examining their work is often enough to deter the fraudster.  If they are undeterred, the mandatory vacation policy makes it more likely they will be caught. It is not uncommon for security conscious organizations to also schedule audits to coincide with mandatory vacations to increase the likelihood of discovering fraud and other crimes. Understanding job rotation and mandatory vacation policies is an important component of your preparation for a variety of security certification programs.  If you’re interested in earning your next security certification, sign up for the free CertMike study groups for the CISSP, Security+, SSCP, or CySA+ exam....