Certified in Risk and Information Systems Control (CRISC) — Question 201

An organization has implemented a preventive control that locks user accounts after three unsuccessful login attempts. This practice has proven to be counterproductive, and a change to the control's threshold value has been recommended. Who should authorize changing this threshold?

Answer options

Correct answer: C

Explanation

The correct answer is C, the risk owner. A lockout threshold is a risk trade-off: a low threshold resists password guessing but raises the likelihood of self-inflicted denial of service and help-desk load, while a higher threshold does the opposite. Deciding where that balance sits is a decision about how much risk the organization accepts, which is the risk owner's responsibility. The control owner is responsible for implementing and operating the control as specified, the IT security manager oversees security policies and standards, and the IT system owner manages the system on which the control runs; none of them has the authority to accept the change in risk exposure that a new threshold implies. In practice the control owner would implement the change once the risk owner has authorized it, and the change would be recorded through the normal change-management process.