The fun part about security controls is that Well, a lot of them are. How should I describe interesting? You see, the thing is, is for a nerd like me, if you tell me that installing a firewall is a security control, I'm like, okay, I can buy that. Or if you tell me that, we have to provide training for users as a security control, I'm like, Okay, goodbye, that too. Fortunately, the world of it, security can make things a bit more challenging. So what I want to do now is go through some examples of rather interesting security controls.
Now, before we get into this, I also want to warn you that other people may not call these security controls. But in general, if you look at these in terms of security controls, you'll do fine on the security plus. So let's dive into the world of interesting security controls. The first type of interesting security control I'd like to discuss is mandatory vacations. Yep, that's a security control. Mandatory vacation.
Simply requires individuals to take vacations, usually at different times of the year. The whole idea behind the mandatory vacation is that it's used to detect fraud and unauthorized activity. So if something bad is happening, and then it quits happening when Bob's on vacation, that could be a clue. Second is job rotation. Job rotation means periodically switching people around to work in different positions. Now, this is handy in that it'll enable rapid replacement of somebody who's mission critical suddenly becomes sick or quits.
But it also avoids contempt of position, everybody gets jealous of Bob because he gets to work in that first position. And in that way, it keeps people happy and doing their job. Third is multi person control. And that simply means that more than one person is required to accomplish a task or function. So it prevents one person from initiating an action that could be bad like launching missiles or formatting hard drives. But it also allows multiple people to make sure that something is done in a right way.
So for example, Entering secure areas accessing sensitive documents, there's lots of places where a multi person control comes into play. Next separation of duties is, by the way, security plus wants to make sure you know this is an administrative control means that single individuals should not perform all critical are privileged duties across the board. So for example, the auditing department should do auditing. And the security folks should do security and the salespeople should do sales, we shouldn't have them. intermixing. Last is principle of least privilege.
This simply means that users are granted only the level of privilege necessary for them to perform their job. So when we hear the term privilege, we usually use the word need to know and then that way people don't get into privileges that they shouldn't have. I always love exposing people who are new to security on these terms, because they're not ones that we really think about is we first enter the world of IT security, but boy, are they important