CRISC Certified in Risk and Information Systems Control – Question 722

An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?

A. Control owner
B. IT security manager
C. Risk owner
D. IT system owner

Correct Answer: A