Hello, you are using an old browser that's unsafe and no longer supported. Please consider updating your browser to a newer version, or downloading a modern browser.

Global Accelerated Learning • Est. 1999
Glossary Term Mandatory Vacation

Training Camp • Cybersecurity Glossary

What is Mandatory Vacation?

A control requiring employees to take continuous time off so others handle their duties—exposing hidden fraud or unauthorized activity in high-risk roles.

Glossary > Governance, Risk & Compliance > Mandatory Vacation

Mandatory Vacation — A control requiring employees to take continuous time off so others handle their duties—exposing

Understanding Mandatory Vacation

Mandatory vacation is a security and risk-management control that requires employees—particularly those in sensitive or high-trust roles—to take a block of continuous time off. While they are away, their duties are handled by others, creating an opportunity to surface fraud, errors, or unauthorized activity that an active employee could otherwise conceal.

The control works by removing an individual's continuous control over a process. Many fraud schemes—falsified records, skimming, unauthorized transactions—require ongoing manipulation to stay hidden. When the employee is forced to step away for a sustained period (often one or two unbroken weeks), a colleague assumes their responsibilities, accesses their systems, and reviews their work, making irregularities visible. It is closely related to job rotation and complements separation of duties by ensuring no one person is the sole, uninterrupted operator of a critical function.

This matters because insider threats and fraud are among the hardest risks to detect, as trusted insiders understand and can evade normal controls. Mandatory vacation is a long-standing safeguard in banking and finance, where regulators and frameworks recommend it precisely because it has repeatedly exposed embezzlement that audits missed. It also reinforces operational resilience by proving that critical tasks can be performed by more than one person.

For example, a bank requires every employee in its wire-transfer department to take ten consecutive business days off each year. During one such absence, the colleague covering the role notices a series of small, recurring transfers to an unfamiliar account that the absent employee had been routing through a manual exception process. Investigation reveals an embezzlement scheme that had gone undetected for months, caught only because the mandatory vacation forced fresh eyes onto the work.

Learn More About Mandatory Vacation:

Ready to Get Certified?

Mandatory Vacation is one of the topics you'll master in the CISSP Boot Camp.

CISSP Boot Camp →