By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
A practical guide to segregation of duties, access controls, cybersecurity, and business continuity.
Internal controls are policies, procedures, and technical safeguards that protect an organization’s assets, ensure data integrity, and maintain operational resilience. You use them to prevent fraud, errors, cyberattacks, and downtime—critical for compliance (e.g., SOX, GDPR) and trust in automated systems.
Principle: Split critical tasks among multiple people to prevent conflicts of interest or fraud.Example: - Bad: One employee creates, approves, and pays invoices.- Good: Separate roles for invoice creation, approval, and payment.
Key Controls: - Dual control: Two people must approve high-risk actions (e.g., wire transfers).- Job rotation: Rotate roles periodically to deter fraud.- Mandatory vacations: Force employees to take time off to uncover hidden misconduct.
Principle: Grant the minimum necessary access to users, systems, and data.Layers: - Authentication: Verify identity (e.g., passwords, MFA, biometrics).- Authorization: Define what a user can do (e.g., read-only vs. admin).- Accounting: Log all access attempts (e.g., SIEM tools like Splunk).
Models: - Role-Based Access Control (RBAC): Assign permissions to roles (e.g., "Accountant" can view financial data but not modify it).- Attribute-Based Access Control (ABAC): Grant access based on attributes (e.g., "Only managers in the Finance department can approve budgets").
Principle: Protect systems from unauthorized access, attacks, and data leaks.Critical Areas: - Network security: Firewalls, VPNs, intrusion detection (e.g., Snort).- Endpoint security: Antivirus, EDR (e.g., CrowdStrike), patch management.- Data security: Encryption (AES-256), tokenization, DLP (Data Loss Prevention).- Application security: Secure coding (e.g., OWASP Top 10), API gateways.
Threat Vectors: - Phishing: Fake emails tricking users into revealing credentials.- Ransomware: Malware encrypting data for extortion.- Insider threats: Employees or contractors misusing access.
Principle: Ensure critical operations continue during disruptions.Key Components: - Business Impact Analysis (BIA): Identify critical processes and their dependencies.- Recovery Time Objective (RTO): Max acceptable downtime (e.g., 4 hours for payroll).- Recovery Point Objective (RPO): Max data loss (e.g., 15 minutes for transactional data).- Redundancy: Backup systems (e.g., cloud failover, RAID storage).- Incident Response Plan (IRP): Steps to contain and recover from breaches.
Testing: - Tabletop exercises: Simulate disasters (e.g., "What if AWS goes down?").- Failover drills: Test backup systems (e.g., switch to a secondary data center).
[Primary Data Center] → [Backup Data Center] (automatic failover) ↑ [Payment API] → [Encrypted DB] → [SIEM Logs] ↑ [MFA + RBAC] → [User]
Goal: Restrict access to a mock "Finance Dashboard" API.
bash docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=password quay.io/keycloak/keycloak:24.0.0 start-dev
finance-reader
finance-writer
finance-admin
Expected Outcome: Users only access what their role permits.
Goal: Block unauthorized SSH access to a Linux server.
bash sudo netstat -tulnp
bash sudo ufw allow from 192.168.1.100 to any port 22 # Allow only your IP sudo ufw enable
Expected Outcome: SSH access restricted to approved IPs.
Goal: Automate database backups with Duplicati.
bash sudo apt install duplicati
/var/lib/mysql
Expected Outcome: Data is recoverable after accidental deletion.
Fix: Follow the principle of least privilege (start with no access, add only what’s needed).
Ignoring SoD in Small Teams
Fix: Even in small teams, split duties (e.g., CEO approves payments, accountant records them).
Backup Without Testing
Fix: Test backups quarterly (e.g., "Can we restore the payroll database in 30 minutes?").
Static Access Controls
Fix: Automate deprovisioning (e.g., sync HR system with IAM).
No Incident Response Plan
unattended-upgrades
A company’s finance team has one employee who creates invoices, approves them, and processes payments. Which internal control is missing?
A) Multi-factor authentication B) Segregation of duties C) Data encryption D) Incident response plan
Correct Answer: B) Segregation of duties Explanation: Segregation of duties splits critical tasks to prevent fraud. Here, one person controls the entire payment process, creating a risk of embezzlement.Why the Distractors Are Tempting: - A) MFA is important but doesn’t address the conflict of interest.- C) Encryption protects data but doesn’t prevent internal fraud.- D) An incident response plan is for breaches, not fraud prevention.
Your team uses AWS IAM to manage permissions. A developer needs temporary access to a production database to debug an issue. What’s the most secure way to grant access?
A) Give them permanent admin permissions.B) Create a time-limited IAM role with read-only access.C) Share the root account credentials.D) Whitelist their IP in the database security group.
Correct Answer: B) Create a time-limited IAM role with read-only access.Explanation: Temporary, least-privilege access reduces risk. IAM roles can be set to expire automatically.Why the Distractors Are Tempting: - A) Permanent admin access violates least privilege.- C) Sharing root credentials is a major security risk.- D) IP whitelisting doesn’t limit what the user can do.
A ransomware attack encrypts your company’s database. Your backup system has an RPO of 1 hour and an RTO of 4 hours. What does this mean?
A) You’ll lose 1 hour of data and recover in 4 hours.B) You’ll lose 4 hours of data and recover in 1 hour.C) The backup runs every 1 hour and takes 4 hours to restore.D) The ransomware will be contained in 1 hour and removed in 4 hours.
Correct Answer: A) You’ll lose 1 hour of data and recover in 4 hours.Explanation: - RPO (Recovery Point Objective): Max data loss (1 hour).- RTO (Recovery Time Objective): Max downtime (4 hours).Why the Distractors Are Tempting: - B) Swaps RPO and RTO.- C) Misinterprets RPO/RTO as backup frequency/restore time.- D) Confuses recovery metrics with incident response.
Understand compliance frameworks (SOX, GDPR, HIPAA, PCI DSS).
Hands-On:
Create a backup plan with Duplicati or Veeam.
Advanced:
Simulate disasters with Chaos Monkey or Gremlin.
Specialization:
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.