Isaca Updated CRISC Exam Questions and Answers by indy

The correct answer isBbecause technical controls affecting access permissions should be implemented according toseparation of duties. Access permissions must be structured so that no single individual has incompatible responsibilities that could enable unauthorized activity, fraud, or unapproved changes. This is a core principle of access control governance and control design.

The other options are less appropriate:

A. Integration testing requirementsrelate to testing system interactions, not the primary basis for assigning access permissions.

C. Configuration baselinesare important for standard settings, but access authorization must first align with role separation and accountability.

D. Contingency scenariosare related to continuity and recovery, not normal access permission design.

Exact Extracts supporting the answer:

“The PRIMARY reason that an enterprise would establish segregation of duties controls is to prevent errors or fraudulent activity on high-risk transactions.”

“The MOST effective control to prevent segregation of duties violations is implementing role-based access.”

“To ensure that developers do not have access to implement changes to production applications an enterprise must have segregation of duties between application development and operations.”

“The control a risk practitioner would recommend is segregation of duties” when personnel can both change system configuration settings and modify logs.

These extracts show that access permissions and technical access controls should be aligned withseparation of dutiesto prevent misuse and reduce risk.

===========

For closed risks, documented proof that controls are in place and working (e.g., logs, test results) is vital. ISACA’s CRISC Manual emphasizes that evidence is required to validate control effectiveness and support audit requirements

 The first step when conducting a business impact analysis (BIA) is identifying critical information assets. A BIA is a process of analyzing the potential impacts of disruptive events on the business processes,functions, and resources. A BIA identifies the criticality, dependencies, recovery priorities, and recovery objectives of the business processes, and quantifies the financial and non-financial impacts of disruption. Information assets are the data, information, and knowledge that are essential for the operation and performance of the business processes. Identifying critical information assets is the first step of the BIA, as it helps to determine which information assets are vital for the continuity and recovery of the business processes, and whichinformation assets are most vulnerable or exposed to the disruptive events. Identifying critical information assets also helps to scope and focus the BIA on the most important and relevant information assets, and to avoid unnecessary or redundant analysis. Identifying events impacting continuity of operations, creating a data classification scheme, and analyzing previous risk assessment results are not the first steps of the BIA, as they are either the inputs or the outputs of the BIA, and they depend on the identification of critical information assets. References = CRISC Review Manual, 6th Edition, ISACA, 2015, page 130.

Risk treatment options are the actions or plans that are implemented to modify or reduce the risk exposure of the organization. Risk treatment options receive adequate funding when the organization allocatessufficient resources and budget to support the risk response actions, and to ensure that the risk controls are effective and efficient. This is the best evidence that risk management is driving business decisions in the organization, as it shows that the organizationprioritizes and values the risk management process, and that it aligns its risk strategy and objectives with its business goals and value creation. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 245. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 245. CRISC Sample Questions 2024, Question 245.