Which of the following are types of policy considerations designed to affect the way privileges are assigned to users?
Correct Answer: B,D,E
Explanation/Reference:
B: Separation of duties is a classic security principle that restricts the amount of power held by any one individual in order to prevent conflict of interest, the appearance of conflict of interest, fraud, and errors.
Separation of duties is one of the fundamental principles of many regulatory mandates such as Sarbanes-Oxley (SOX) and the Gramm-Leach-Bliley Act (GLBA), and as a result IT organizations are placing greater emphasis on separation of duties across all IT functions, especially database administration.
D: Vacation, Job Rotation, and Transfer are policy considerations. One way to detect and deter misuse of systems is to have a new person perform the duties of an existing worker. The new person might notice irregularities or questionable circumstances and be able to report them. The new worker might be there temporarily, i.e. filling in for someone on vacation, or might be a replacement as a result of periodic job rotations and transfers. In addition, workers who expect periodic rotations are less likely to misuse systems, as they know others following behind them will eventually discover it and report them.
E: Each user should have only those privileges appropriate to the tasks she needs to do, an idea termed the principle of least privilege. Least privilege mitigates risk by limiting privileges, so that it remains easy to do what is needed while concurrently reducing the ability to do inappropriate things, either inadvertently or maliciously.
Note: The principle of least privilege. Users are given the least amount of privileges necessary in order to carry out their job functions. This applies to interactions between systems as well as user interactions. This reduces the opportunity for unauthorized access to sensitive information.
Incorrect answers:
A: There is no policy consideration 'Principle of Alternating Privilege'.
C: Defense in depth is more general and is not considered to be a policy consideration affecting internal users.
Note: Defense in depth should be applied so that a combination of firewalls, intrusion detection and prevention, user management, authentication, authorization, and encryption mechanisms are employed across tiers and network zones.
Defense in depth is a security strategy in which multiple, independent, and mutually reinforcing security controls are leveraged to secure an IT environment. The basic premise is that a combination of mechanisms, procedures and policies at different layers within a system is harder to bypass than a single security mechanism or a small number of them. An attacker may penetrate the outer layers but will be stopped before reaching the target, which is usually the data or content stored in the 'innermost' layers of the environment. Defense in depth is also adopted from military defense strategy, where the enemy is defeated by attrition as it battles its way against several layers of defense.
Reference: Oracle Reference Architecture, Security, Release 3.1