Certified in Risk and Information Systems Control (CRISC) — Question 155
A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:
Answer options
- A. obtain management approval for policy exception
- B. continue the implementation with no changes
- C. develop an improved password software routine
- D. select another application with strong password controls
Correct answer: A
Explanation
The correct answer is A because obtaining management approval for a policy exception acknowledges the risk and ensures that leadership is aware of the implications. Option B is not advisable because it ignores the risks associated with weak password controls. Option C, while improving security, may not address the immediate need for compliance. Option D is a valid consideration but does not fit the context, in which the business unit has already decided to accept the current risk.