What is system certification?

Privileged Operations Functions

Privileged operations functions are activities that require special access or privileges to perform within a secured IT environment. In most cases, these functions are restricted to administrators and system operators. Maintaining privileged control over these functions is an essential part of sustaining the system’s security. Many of these functions could be easily exploited to violate the confidentiality, integrity, or availability of the system’s assets. The following list includes some examples of privileged operations functions:

- Using operating system control commands
- Configuring interfaces
- Accessing audit logs
- Managing user accounts
- Configuring security mechanism controls
- Running script/task automation tools
- Backing up and restoring the system
- Controlling communication
- Using database recovery tools and log files
- Controlling system reboots

Managing privileged access is an important part of keeping security under control. In addition to restricting privileged operations functions, you should also employ separation of duties. Separation of duties ensures that no single person has total control over a system’s or environment’s security mechanisms. This is necessary to ensure that no single person can compromise the system as a whole. It can also be called a form of split knowledge. In deployment, separation of duties is enforced by dividing the top- and mid-level administrative capabilities and functions among multiple trusted users.

Further control and restriction of privileged capabilities can be implemented by using two-man controls and rotation of duties. Two-man control is the configuration of privileged activities so that they require two administrators to work in conjunction in order to complete the task. The necessity of two operators also gives you the benefits of peer review and reduced likelihood of collusion and fraud.

Rotation of duties is the security control that involves switching several privileged security or operational roles among several users on a regular basis. For example, if an organization has divided its administrative activities into six distinct roles or job descriptions, then six or seven people need to be cross-trained for those distinct roles. Each person would work in a specific role for two to three months, and then everyone in this group would be switched or rotated to a new role. When the organization has more than the necessary minimum number of trained administrators, every rotation leaves out one person, who can take some vacation time and serve as a fill-in when necessary. The rotation of duties security control provides for peer review, reduces collusion and fraud, and provides for cross-training. Cross-training makes your environment less dependent on any single individual.
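The separation of duties and two-man control described above can be enforced in software as an approval gate. The following is an added example, not part of the original text; the role names, administrator names, operation keys, and the PrivilegedRequest class are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample: privileged operations (from the list above) mapped to the
# single administrative role allowed to perform them. Role names are assumed.
ROLE_FOR_OPERATION = {
    "manage_user_accounts": "account_admin",
    "access_audit_logs": "audit_admin",
    "restore_system": "backup_admin",
    "reboot_system": "system_operator",
}

# Constructed sample: each administrator holds one role, so no single person
# controls every privileged function (separation of duties).
ADMIN_ROLES = {
    "alice": "account_admin",
    "bob": "account_admin",
    "carol": "audit_admin",
    "dave": "backup_admin",
}


@dataclass
class PrivilegedRequest:
    operation: str
    requester: str
    approvals: set = field(default_factory=set)

    def approve(self, approver: str) -> None:
        """Record a second administrator's approval; reject anything else."""
        required = ROLE_FOR_OPERATION.get(self.operation)
        if required is None:
            raise PermissionError(f"unknown operation {self.operation}")
        if approver == self.requester:
            raise PermissionError("requester cannot approve their own request")
        if ADMIN_ROLES.get(approver) != required:
            raise PermissionError(f"{approver} does not hold role {required}")
        self.approvals.add(approver)

    def authorized(self) -> bool:
        """True only if the requester holds the role and a distinct peer approved."""
        required = ROLE_FOR_OPERATION.get(self.operation)
        if required is None or ADMIN_ROLES.get(self.requester) != required:
            return False
        # Discard any self-approval that bypassed approve() before counting.
        return len(self.approvals - {self.requester}) >= 1
```

A caller would check authorized() immediately before running the privileged operation and log both the requester and the approver so the peer review is auditable.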