M of N control
Non-Profit Techie (Member Posts: 418)
in Security+
Hi guys.
Quick question. Can anyone explain to me what the difference between M of N control and separation of duties is?
Thanks.
Comments
Megadeth4168 (Member Posts: 2,157): I hope my understanding of these makes sense and is correct...
M of N requires that a certain number of people need to be present for something to happen...
Like 5 of 7 people might need to log in for something to be available on a server....
Separation of Duties is where tasks are divided to help prevent or isolate fraud.
Example:
One person is in charge of taking orders; however, a different person is in charge of the actual billing.
It's kind of a weak example but I think it gets the point across.
M of N and Separation of Duties are similar, but they are different and might be confusing on the real exam.... I've yet to take the exam myself though.
Breadfan (Member Posts: 282): I also like his examples.
Think of it like this M of N: how many people does it take to screw in a light bulb?
Separation of duties: in order for the light to come on (be replaced), you have to screw it in and I have to hold the ladder for you. If I don't hold the ladder for you, you fall, and the light doesn't come on.
OK...bad examples but one of the ways I was able to separate the 2
Basically M of N: so many people have to be present (like using access codes to bank vaults, etc.) in order to open the door. If one person is missing, the whole transaction cannot happen.
With separation of duties, think of it as you do a job, but I check behind you to make sure you did it right (like with computer programs) before it's actually implemented.
Hope this helps and didn't confuse you worse.
Mark Twain: “If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go.”
Webmaster (Admin Posts: 10,292): Breadfan wrote: Separation of duties: in order for the light to come on (be replaced), you have to screw it in and I have to hold the ladder for you. If I don't hold the ladder for you, you fall, and the light doesn't come on.
.....
With separation of duties, think of it as you do a job, but I check behind you to make sure you did it right (like with computer programs) before it's actually implemented.
That second part from you I quoted above is actually more a valid description of 'rotation of duties', which refers to a policy that dictates that certain duties are performed by different people over a period of time. So one person works for 3 months as the head accountant, and then another replaces him/her for 3 months. The main purpose of rotation of duties is to prevent mistakes and fraud.
M of N control is more about controlling access, in other words to prevent unauthorized access (to, for example, a digital key repository). For example, at least 2 of the 5 people who have a password need to enter it to gain access. While a separation of duties policy can be implemented to prevent unauthorized access as well, it does so by separating the duties into different tasks, while with M of N control they perform the same task (i.e. fill in a password).
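The digital key repository case above is usually implemented with threshold secret sharing: the key (or the key that encrypts the repository) is split into N shares, any M of which rebuild it, while M-1 shares reveal nothing. The following is an added example in Python, not code from this thread or from any product; it uses Shamir's scheme over a prime field, and the 126-bit secret in the demo is a constructed random value standing in for a key.

```python
"""Threshold (M of N) secret sharing: Shamir's scheme over a prime field.

Added illustration, not code from the thread. A secret below PRIME is split
into n shares; any m of them recover it, fewer than m reveal nothing about it.
"""
import secrets

# 127-bit Mersenne prime used as the field modulus; secrets must be below it.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret, m, n):
    """Return n shares (x, y) of `secret`; any m of them reconstruct it."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a non-negative integer below PRIME")
    # Random polynomial of degree m-1 whose constant term is the secret.
    # A degree m-1 polynomial is fixed by m points, which is the threshold.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the sharing polynomial at x = 0 from `shares`.

    With at least m distinct shares this yields the secret. With fewer, it
    yields some other field element, since the missing random coefficients
    make every secret equally consistent with the shares held.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo(m=3, n=5):
    """Split a constructed random secret and try m and m-1 custodians."""
    key = secrets.randbits(126)  # constructed stand-in for a repository key
    shares = split_secret(key, m, n)
    # Custodians 1, 3 and 5 show up: exactly m shares, the key comes back.
    quorum = [shares[0], shares[2], shares[4]]
    # Only custodians 1 and 3 show up: one short, the result is garbage.
    short = [shares[0], shares[2]]
    return {
        "recovered_with_m": recover_secret(quorum) == key,
        "recovered_with_m_minus_1": recover_secret(short) == key,
    }


if __name__ == "__main__":
    print(demo())
```

The point the thread makes, that the M custodians all perform the same task, shows up directly here: every share is the same kind of object and nobody's share is special, unlike the authorize/execute split in the separation-of-duties example further down.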
Breadfan (Member Posts: 282): I realized my mistake after I wrote out everything and then hit the submit button.
I hope I didn't mess you up.
keatron (Member Posts: 1,213): A common operation in banks: one person or group actually holds the numbers to authorize a wire transfer; however, another person or group is the only one who knows how, or actually has the needed system access, to carry out the wire transfer. And to completely separate it, the people actually carrying it out never know the access codes. For example, a supervisor might have to log in to one system and authorize the transfer; however, through the separation of duty principle applied, that same supervisor DOES NOT have the system privileges needed to execute the transfer. Then another employee has to log in to another system, locate the authorized transfer, then execute it. That's a real-world example of how it is actually used daily.
In actuality, this is really the combining of the principle of least privilege (which basically means a given user or system has only the rights needed to do their job) and separation of duty. It is now very common to find these two principles implemented conjunctively.
Keatron.
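The two-step wire transfer described above maps onto two distinct privileges plus a per-transaction check. The following is an added example in Python, not code from this thread or from any banking system; the role names, user directory and transfer workflow are assumptions made for the illustration. Least privilege is the role table (approvers can only authorize, operators can only execute); separation of duties is the rule that the identity that authorized a transfer may never execute that same transfer, which also catches an account that was wrongly given both roles.

```python
"""Separation of duties plus least privilege for a two-step wire transfer.

Added illustration, not code from the thread. Roles, users and the workflow
are assumptions for the example. Authorizing and executing are separate
privileges, and the same identity may never do both for one transfer.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Least privilege: each role carries exactly the one action it needs.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "approver": {"authorize"},
    "operator": {"execute"},
}


class SoDViolation(PermissionError):
    """Raised when one identity tries to both authorize and execute."""


@dataclass
class Transfer:
    amount: int
    authorized_by: Optional[str] = None
    executed_by: Optional[str] = None


@dataclass
class TransferSystem:
    directory: Dict[str, Set[str]]            # user -> roles (constructed)
    transfers: Dict[int, Transfer] = field(default_factory=dict)
    next_id: int = 1

    def _permitted(self, user: str, action: str) -> bool:
        roles = self.directory.get(user, set())
        return any(action in ROLE_PERMISSIONS.get(r, set()) for r in roles)

    def submit(self, amount: int) -> int:
        tid = self.next_id
        self.next_id += 1
        self.transfers[tid] = Transfer(amount)
        return tid

    def authorize(self, user: str, tid: int) -> Transfer:
        if not self._permitted(user, "authorize"):
            raise PermissionError(f"{user} lacks the authorize privilege")
        t = self.transfers[tid]
        if t.authorized_by is not None:
            raise ValueError(f"transfer {tid} already authorized")
        t.authorized_by = user
        return t

    def execute(self, user: str, tid: int) -> Transfer:
        if not self._permitted(user, "execute"):
            raise PermissionError(f"{user} lacks the execute privilege")
        t = self.transfers[tid]
        if t.authorized_by is None:
            raise ValueError(f"transfer {tid} not authorized")
        if t.executed_by is not None:
            raise ValueError(f"transfer {tid} already executed")
        # Separation of duties: the authorizer may never also execute,
        # regardless of which roles the directory happens to grant them.
        if t.authorized_by == user:
            raise SoDViolation(f"{user} authorized {tid} and may not execute it")
        t.executed_by = user
        return t


def demo() -> Dict[str, str]:
    """Run the proper path and the three shortcuts; report each outcome."""
    system = TransferSystem(directory={
        "alice": {"approver"},                 # supervisor: authorizes only
        "bob": {"operator"},                   # clerk: executes only
        "mallory": {"approver", "operator"},   # misconfigured: holds both
    })
    outcomes: Dict[str, str] = {}
    tid = system.submit(50_000)
    try:                                   # least privilege: clerk can't approve
        system.authorize("bob", tid)
    except PermissionError:
        outcomes["clerk_authorize"] = "denied"
    system.authorize("alice", tid)
    try:                                   # least privilege: supervisor can't execute
        system.execute("alice", tid)
    except PermissionError:
        outcomes["supervisor_execute"] = "denied"
    system.execute("bob", tid)
    outcomes["proper_path"] = "executed"
    tid2 = system.submit(75_000)           # both roles, still blocked per transfer
    system.authorize("mallory", tid2)
    try:
        system.execute("mallory", tid2)
    except SoDViolation:
        outcomes["same_person_both"] = "denied"
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The `mallory` case is the one worth noticing: role-based least privilege alone would let an over-provisioned account complete the whole transfer, so the separation-of-duties check has to live on the transaction record itself, not only in the role table.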
Non-Profit Techie (Member Posts: 418): Thanks very much, you guys. I think I got it now. Thanks for all the great examples. This section has been a bit slow, so I figured, what the heck, why not ask if I'm not 100% sure.
I'm sure I will have other questions.
Megadeth4168 (Member Posts: 2,157): Keep the questions coming!
They help me just as much as they help you... I knew the difference between the 2 but still went back to double-check myself. Which is good, because now I am even that much more sure of the difference between the 2 and will remember that if it comes up on the test.