Certified in Risk and Information Systems Control (CRISC) — Question 451

A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

Answer options

• A. Reviewing access control lists
• B. Performing user access recertification
• C. Authorizing user access requests
• D. Terminating inactive user access

Correct answer: C

Explanation

The organization should retain the authorization of user access requests as it involves critical decision-making regarding who can access sensitive information. While reviewing access control lists and performing recertification are important, they are more operational and can be delegated to a vendor. Terminating inactive access is also essential, but the ultimate authority to allow access should remain with the organization.