CRISC Certified in Risk and Information Systems Control – Question 102

Which of the following is the HIGHEST risk of a policy that inadequately defines data and system ownership?

A. User management coordination does not exist
B. Audit recommendations may not be implemented
C. Users may have unauthorized access to originate, modify or delete data
D. Specific user accountability cannot be established

Correct Answer: C

Explanation:

There is an increased risk without a policy defining who has the responsibility for granting access to specific data or systems, as one could gain system access without a justified business need. There is a better chance that business objectives will be properly supported when there is appropriate ownership.
Incorrect Answers: A, B, D: These risks are not as significant as unauthorized access.