CRISC Information Systems Control Design

Question 1

Which control design principle ensures that no single individual can complete a sensitive transaction without involvement of another person?

Accepted Answer

Segregation of duties

Answer

Segregation of duties divides critical tasks among multiple people, preventing any single person from committing and concealing fraud or error.

Question 2

The principle of least privilege in access control design means that users should be granted:

Accepted Answer

Only the minimum permissions needed to perform their job functions

Answer

Least privilege limits each user's access to only what is required for their role, reducing the attack surface if credentials are compromised.

Question 3

Defense in depth is a control design strategy that involves:

Accepted Answer

Layering multiple controls so that failure of one does not expose the entire system

Answer

Defense in depth uses multiple overlapping controls so that if one layer fails, subsequent layers still protect the asset.

Question 4

Which control objective is MOST directly supported by implementing input validation in a web application?

Accepted Answer

Preventing injection attacks and data integrity violations

Answer

Input validation prevents malicious inputs (e.g., SQL injection, XSS) from compromising data integrity or allowing unauthorized system access.

Question 5

When designing controls for a high-risk IT process, which approach provides the GREATEST assurance?

Accepted Answer

Implementing both preventive and detective controls in combination

Answer

Combining preventive controls (to stop threats) with detective controls (to catch what gets through) provides layered assurance for high-risk processes.

CRISC - Certified in Risk and Information Systems Control Practice Test

CRISC - Certified in Risk and Information Systems Control Practice Test

CRISC Information Systems Control Design