Certified Business Analysis Professional (CBAP) — Question 145
A conservative company with rigorous risk control plans and internal audit rules has a recurrent problem with a core business application. As a result, access to this application must be restricted and controlled, and maintenance must be on-site. However, the company feels that the application must have an emergency service team. The routine maintenance of this solution is provided by an external vendor, and the vendor requested 24-hour remote access to quality and production data. In this context, what is the company's response to the vendor's request?
Answer options
- A. Denied, because the vendor requested it
- B. Denied, because of the company's risk aversion
- C. Accepted, because the company has an urgent problem to solve
- D. Accepted, because immediate remote access will resolve any issue
Correct answer: B
Explanation
The correct answer is B, as the company's strong focus on risk aversion prevents it from granting remote access to the vendor, despite the ongoing issues with the application. Options A and C misinterpret the company's policy; A suggests denial based solely on the vendor's request, while C incorrectly assumes urgency overrides risk concerns. Option D overlooks the company's established risk management framework.