Certified in Risk and Information Systems Control (CRISC) — Question 805
A risk practitioner has been asked to recommend a key performance indicator (KPI) to assess the effectiveness of a manual process to terminate user access.
Which of the following is the BEST KPI to recommend?
Answer options
- A. Percent increase in number of access termination requests
- B. Timeframe of notification from business management to IT
- C. Timeframe from user termination to access revocation
- D. Ratio of successful log-in attempts to unsuccessful log-in attempts
Correct answer: C
Explanation
The best KPI to recommend is C, as it directly measures the efficiency of the access termination process by tracking the time it takes to revoke access after a user is terminated. Option A measures the volume of requests rather than effectiveness. Option B focuses on communication timing, which is less relevant to the actual termination process, and Option D measures log-in attempts, which do not relate to access termination effectiveness.