Eleventh Hour Security: Exam SY0-201 Study Guide

Whether an employee can only take vacations at certain times of the year.
If employees must take all of their vacation time at once, or can split it up throughout the year.

Mandatory vacation policies exist for a number of reasons. Contracts may require specific amounts of time off from work. When employees take time off work, they tend to do their jobs better when they get back. Another reason is to prevent employees from carrying their vacation time over to subsequent years. Before having individuals take time off work, it is important to ensure that the job can still be performed without their presence. This means having multiple people trained in different tasks.

EXAM WARNING
Mandatory vacation policies are covered in the exam, so don't skim over the information provided here believing it won't appear on the test. Vacations are important as they have implications for the business, can be legislated or contractually agreed on, and have security requirements for ensuring that individuals are available to cover the duties of employees who are unavailable.

Separation of duties

Separation of duties ensures that tasks are assigned to personnel in a manner that no single employee can control a process from beginning to end. Separation of duties is a common occurrence in secure environments and involves each person having a different job, thus allowing each to specialize in a specific area. This provides a number of benefits to the security of an organization. In an organization that uses a separation of duties model, there is less chance of people leaking information because of the isolated duties that each employee performs in contribution to the whole. Another benefit of separating duties is that each person (or group of people) can become an expert in his or her job.
PERSONALLY IDENTIFIABLE INFORMATION

Personally identifiable information (PII) is private information that identifies you, members of your organization, and your clients. PII can be found in numerous places. It can exist in databases used by your company, directory services used in your network, and various other sources that contain names, phone numbers, addresses, credit card numbers, and so on. If such information became available to unauthorized users, it could result in embarrassment, liability, and possibly even criminal charges.