CRISC Certified in Risk and Information Systems Control – Question 319

You are the administrator of your enterprise. Which of the following controls would you use that BEST protects an enterprise from unauthorized individuals gaining access to sensitive information?

A. Monitoring and recording unsuccessful logon attempts
B. Forcing periodic password changes
C. Using a challenge response system
D. Providing access on a need-to-know basis

Correct Answer: D

Explanation:

Physical or logical system access should be assigned on a need-to-know basis, where there is a legitimate business requirement based on least privilege and segregation of duties. This is done by user authentication.
Incorrect Answers:
A: Monitoring and recording unsuccessful logon attempts does not address the risk of inappropriately assigned access rights. In other words, it does not prevent unauthorized access.
B: Forcing users to change their passwords does not ensure that access control is appropriately assigned.
C: A challenge-response system is used to verify the user's identity, but it does not completely address the issue of access risk if access was not appropriately designed in the first place.