CRISC Information Systems Control Design and Implementation

Question 1

What is the primary objective of designing information systems controls?

Accepted Answer

To reduce risk to an acceptable level while enabling business operations to continue efficiently

Answer

Controls must balance risk reduction with operational efficiency — overly restrictive controls can impede business processes as much as the risks they are meant to prevent.

Question 2

What is the difference between a general control and an application control?

Accepted Answer

General controls govern the overall IT environment; application controls are specific to individual systems or processes

Answer

General controls (like change management and access administration) apply broadly across the IT environment, while application controls (like input validation) operate within specific applications.

Question 3

Which principle requires that no single individual has control over all phases of a critical process?

Accepted Answer

Segregation of duties (SoD)

Answer

Segregation of duties ensures that fraud or error requires collusion by splitting critical tasks across multiple individuals so no single person can complete a harmful act alone.

Question 4

What is the principle of least privilege in information systems control?

Accepted Answer

Users and systems should have only the minimum access rights required to perform their authorized functions

Answer

Least privilege limits access to the minimum necessary for each role, reducing the attack surface and limiting the damage that can be caused by compromised accounts or insider threats.

Question 5

What is the purpose of input validation controls in application systems?

Accepted Answer

To ensure that data entered into a system meets defined criteria before processing, preventing corrupt or malicious data

Answer

Input validation controls check that data conforms to expected format, type, and range before processing, preventing issues like SQL injection, data corruption, and processing errors.

CRISC - Certified in Risk and Information Systems Control Practice Test

CRISC - Certified in Risk and Information Systems Control Practice Test

CRISC Information Systems Control Design and Implementation