Exam CRISC topic 1 question 880 discussion

Actual exam question from Isaca's CRISC
Question #: 880
Topic #: 1

An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

  • A. security logs to determine the cause of invalid login attempts.
  • B. documentation indicating the intended users of the application.
  • C. an access control matrix and approval from the user's manager.
  • D. business purpose documentation and software license counts.
Suggested Answer: B

Comments

Raj1510
Highly Voted 2 years, 2 months ago
Agree with C. Generally this process in an organization is called recertification or attestation.
upvoted 8 times
...
CbtL
Most Recent 11 months, 2 weeks ago
Selected Answer: C
Agree it is C.
upvoted 1 times
...
Koulyo
11 months, 4 weeks ago
Sticking to C: The principle of least privilege is a fundamental security principle that limits user access rights to the minimum necessary to perform their job functions. To ensure that access remains appropriate, application owners should review user access rights on a regular basis. The best way to do this is by obtaining an access control matrix that lists all users and their access rights, and obtaining approval from the user's manager to confirm that the access rights are still necessary for the user to perform their job functions.
upvoted 2 times
...
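The periodic review Koulyo describes above (compare what the application actually grants against an access control matrix and require fresh manager approval) is what the following script automates. It is an added worked example, not code from the ExamTopics page or from ISACA; the entitlement records, approval dates, the 90-day review interval and the function names `recertify`, `summarize` and `run_sample_review` are constructed assumptions for illustration.

```python
"""User-access recertification against an access control matrix.

Added example (not from ExamTopics or ISACA). The data model, the sample
entitlements and the review interval below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: manager approval must be renewed at least every 90 days.
REVIEW_INTERVAL = timedelta(days=90)


@dataclass(frozen=True)
class Entitlement:
    user: str
    application: str
    permission: str


@dataclass(frozen=True)
class Approval:
    manager: str
    approved_on: date


# Constructed access control matrix: every entitlement that is supposed to
# exist, with the manager who approved it and the approval date.
ACCESS_MATRIX = {
    Entitlement("alice", "payroll", "read"): Approval("mgr-finance", date(2024, 4, 1)),
    Entitlement("alice", "payroll", "write"): Approval("mgr-finance", date(2024, 4, 1)),
    Entitlement("bob", "payroll", "read"): Approval("mgr-finance", date(2023, 11, 15)),
    Entitlement("carol", "crm", "admin"): Approval("mgr-sales", date(2024, 4, 10)),
}

# Constructed export of what the application grants today, e.g. dumped from
# its role/permission tables by the application owner.
CURRENT_GRANTS = [
    Entitlement("alice", "payroll", "read"),
    Entitlement("alice", "payroll", "write"),
    Entitlement("bob", "payroll", "read"),
    Entitlement("bob", "payroll", "write"),  # never approved: privilege creep
    Entitlement("dave", "crm", "admin"),      # user absent from the matrix entirely
]


def _sort_key(ent):
    return (ent.application, ent.user, ent.permission)


def recertify(current, matrix, today, interval=REVIEW_INTERVAL):
    """Classify every live grant for the access review.

    Returns a dict with four lists:
      revoke        - live grants with no entry in the matrix (no approval on file)
      reapprove     - approved grants whose approval is older than `interval`
      ok            - approved within the interval; nothing to do
      unprovisioned - matrix entries the application no longer grants (drift)
    """
    current_set = set(current)
    report = {"revoke": [], "reapprove": [], "ok": [], "unprovisioned": []}
    for ent in sorted(current_set, key=_sort_key):
        approval = matrix.get(ent)
        if approval is None:
            report["revoke"].append(ent)
        elif today - approval.approved_on > interval:
            report["reapprove"].append((ent, approval))
        else:
            report["ok"].append(ent)
    # Approved-but-missing entries are not a least-privilege problem, but they
    # show the matrix is stale and should be corrected in the same review.
    for ent in sorted(matrix.keys() - current_set, key=_sort_key):
        report["unprovisioned"].append(ent)
    return report


def summarize(report):
    """Render the action items (not the 'ok' entries) as one line each."""
    lines = []
    for ent in report["revoke"]:
        lines.append(f"REVOKE    {ent.user}@{ent.application}:{ent.permission} (no approval on file)")
    for ent, appr in report["reapprove"]:
        lines.append(f"REAPPROVE {ent.user}@{ent.application}:{ent.permission} "
                     f"(last approved {appr.approved_on} by {appr.manager})")
    for ent in report["unprovisioned"]:
        lines.append(f"DRIFT     {ent.user}@{ent.application}:{ent.permission} approved but not granted")
    return lines


def run_sample_review(today=date(2024, 6, 1)):
    """Run the review over the constructed sample data as of `today`."""
    return recertify(CURRENT_GRANTS, ACCESS_MATRIX, today)


if __name__ == "__main__":
    print("\n".join(summarize(run_sample_review())))
```

Run as of 2024-06-01, the review flags bob's unapproved `write` on payroll and dave's admin grant on crm for revocation, sends bob's `read` (approved 199 days ago) back to his manager for re-approval, and reports carol's approved-but-absent admin right as matrix drift. In practice the "revoke" list is the least-privilege finding the question is getting at: rights that exist without a current business justification and approval.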
john_boogieman
1 year, 1 month ago
Selected Answer: C
It is more efficient to have a matrix that defines the access permissions and their associated actions and their approval by the user manager. In any case, this process is not called 'attestation' as mentioned here. https://www.isaca.org/resources/glossary#Attestation
upvoted 2 times
...
Ceecil1959
2 years ago
B is correct. [ documentation indicating the intended users of the application. ] Once the app owner can figure out who the intended users are, access can be authorized or not authorized.
upvoted 1 times
...
Tomm8125
2 years, 11 months ago
B When you create your application, write down what resources it must access and what special tasks it must perform. Examples of resources include files and registry data; examples of special tasks include the ability to log user accounts on to the system, debug processes, or backup data. Often you'll find you do not require many special privileges or capabilities to get any tasks done. Once you have a list of all your resources, determine what might need to be done with those resources. For example, a user might need to read and write to the resources but not create or delete them. Armed with this information, you can determine whether the user needs to run as an administrator to use your application. T
upvoted 3 times
...
Anon530
2 years, 11 months ago
Why not C?
upvoted 3 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other