CRISC Information Systems Control Design and Implementation

Question 1

What is the primary objective of designing information systems controls?

Accepted Answer

To reduce risk to an acceptable level while enabling business operations to continue efficiently

Answer

To achieve zero risk across all IT systems and processes

Answer

To satisfy external auditor requirements exclusively

Answer

To maximize the technical complexity of the security architecture

Question 2

What is the difference between a general control and an application control?

Accepted Answer

General controls govern the overall IT environment; application controls are specific to individual systems or processes

Answer

Application controls apply to all systems; general controls apply only to databases

Answer

General controls are preventive; application controls are always detective

Answer

There is no functional difference between the two types

Question 3

Which principle requires that no single individual has control over all phases of a critical process?

Accepted Answer

Segregation of duties (SoD)

Answer

Least privilege

Answer

Need to know

Answer

Defense in depth

Question 4

What is the principle of least privilege in information systems control?

Accepted Answer

Users and systems should have only the minimum access rights required to perform their authorized functions

Answer

All users should have administrative rights to ensure productivity

Answer

Access should be granted based on seniority rather than job function

Answer

Systems should deny all access by default and never grant permissions

Question 5

What is the purpose of input validation controls in application systems?

Accepted Answer

To ensure that data entered into a system meets defined criteria before processing, preventing corrupt or malicious data

Answer

To encrypt data at rest in the database

Answer

To log all user activity for audit trail purposes

Answer

To restrict physical access to server hardware

Question 6

Which control type is designed to reduce the severity of an incident after it has occurred?

Accepted Answer

Corrective control

Answer

Preventive control

Answer

Detective control

Answer

Deterrent control