Certified in Risk and Information Systems Control (CRISC) — Question 173

An organization practices the principle of least privilege. To ensure access remains appropriate, application owners should be required to review user access rights on a regular basis by obtaining:

Answer options

• A. security logs to determine the cause of invalid login attempts.
• B. documentation indicating the intended users of the application.
• C. an access control matrix and approval from the user's manager.
• D. business purpose documentation and software license counts.

Correct answer: C

Explanation

The correct answer, C, is essential as an access control matrix along with managerial approval ensures that access rights are aligned with current user roles and responsibilities. Option A focuses on login attempts rather than access rights, option B lacks the necessary oversight from management, and option D does not directly relate to user access evaluations.