D, definitely! FIRST step to address the risk? From a risk officer's point of view it should be to recommend developing a policy for disabling user access after an employee leaves the company. The risk officer is not responsible for disabling access (B).
B. Disable user access
The immediate priority when discovering terminated employee accounts with active access is to remove the potential threat by disabling those accounts. This action prevents any unauthorized access or misuse. After this immediate risk has been addressed, further analysis and policy development can be pursued.
B. Disable user access.
The FIRST step to address the risk of terminated employee accounts maintaining access should be to immediately disable user access. This is a crucial action to prevent unauthorized access to company systems and data by individuals who no longer have a legitimate reason to access them. Disabling user access should be done promptly upon an employee's termination to minimize the potential risks associated with unauthorized access.
Initially I thought the answer should be B, but the way they've worded it, "disable user access", seems to indicate disabling it across the board, which wouldn't really be a first thing.
Out of the options you'd want to root cause it before jumping to solution mode.
More info.
In the 7th CRISC manual section 'root cause analysis' it says: a prudent risk practitioner examines the root cause of an incident to discover the conditions and factors that led to the event, rather than reacting to the symptoms of the problem.
Correction to 'B'.
Root cause analysis is an important step in identifying the underlying causes of a security incident and addressing the root of the problem. A root cause analysis can help identify the factors that led to the event and enable the organization to take corrective actions to prevent similar incidents in the future.
However, in the case of terminated employee accounts maintaining access, the FIRST step should be to disable the user access immediately to prevent any potential damage or unauthorized access. Once the access has been disabled, the organization can then perform a root cause analysis to determine how and why the accounts were not disabled in a timely manner and take corrective actions to prevent similar incidents in the future.
The first step is to know why that access is maintained, it could be something exceptional for that user (in which case option 'B') or a general control problem ('D').
I like C as well
An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk? -> ISACA defines risk as 'the possibility of harm coming to an asset or an organization'. Risk = threat * vulnerability * impact. The question is about treating the general risk of employee accounts surviving termination procedures. It is not about correcting the specific occurrence of these several accounts.
A. Perform a risk assessment -> plausible but I like C more because you will learn more about the risk through a post-mortem on an actual occurrence than through a proactive analysis of the theoretical risk
B. Disable user access -> will treat the occurrence but not the risk.
C. Perform root cause analysis -> if you want to treat the systemic risk then this is the first step
D. Develop an access control policy -> ineffective at treating the risk. 'Access control' is the wrong type of policy, and we don't know why the company's identity/account management and HR policies and termination procedures are not being followed.
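A concrete version of the audit finding this thread argues over, added here as an example and not part of any poster's comment: it reconciles a constructed HR termination feed against a constructed directory export, flags terminated users whose accounts are still enabled (the immediate exposure behind answer B), and then groups those misses by which offboarding control failed, which is the input a root cause analysis (answer C) needs. The field names, the audit date and the two failure buckets are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed HR feed: who left, when, and whether HR raised a
# deprovisioning ticket to IT. (Assumed field names.)
HR_TERMINATIONS = [
    {"user": "alice", "left": date(2023, 1, 10), "ticket": True},
    {"user": "bob",   "left": date(2023, 2, 3),  "ticket": False},
    {"user": "carol", "left": date(2023, 3, 15), "ticket": True},
    {"user": "dave",  "left": date(2023, 3, 20), "ticket": False},
]

# Constructed directory export: account status and last logon.
DIRECTORY = {
    "alice": {"enabled": False, "last_logon": date(2023, 1, 10)},
    "bob":   {"enabled": True,  "last_logon": date(2023, 4, 2)},
    "carol": {"enabled": True,  "last_logon": date(2023, 3, 14)},
    "dave":  {"enabled": True,  "last_logon": date(2023, 3, 19)},
    "erin":  {"enabled": True,  "last_logon": date(2023, 4, 5)},  # current staff
}

TODAY = date(2023, 4, 10)  # audit date, constructed

def find_orphaned_accounts(terminations, directory, today):
    """Terminated users whose account is still enabled: the immediate
    exposure. Reports how long the account has stayed open and whether
    it was used after the leaving date (a sign of actual misuse)."""
    findings = []
    for rec in terminations:
        acct = directory.get(rec["user"])
        if acct and acct["enabled"]:
            findings.append({
                "user": rec["user"],
                "days_open": (today - rec["left"]).days,
                "used_after_exit": acct["last_logon"] > rec["left"],
                "ticket": rec["ticket"],
            })
    return findings

def root_cause_buckets(findings):
    """Group misses by which control failed: HR never raised a ticket,
    or IT received one and did not action it. Two assumed buckets."""
    return Counter("no_ticket_raised" if not f["ticket"] else "ticket_not_actioned"
                   for f in findings)

if __name__ == "__main__":
    hits = find_orphaned_accounts(HR_TERMINATIONS, DIRECTORY, TODAY)
    print(hits, root_cause_buckets(hits))
```

The first function gives the list to disable today; the second tells you whether the fix belongs in the HR hand-off or in IT's ticket handling, which is what the policy (answer D) should then target.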
It should be B. As a FIRST step, you want to address the risk, which is the active accesses in the system that can be exploited anytime.
Answer D: Developing an access control policy (even without analysing the root cause) could take months before approval. I believe nobody wants to wait for that long before they delete the undesired accesses.
I would do B, C, then D.
But it asks the first step to address the risk.
Which is not D.
Since the users are not working there anymore, no one should use the accounts. Therefore disable them.
As a risk practitioner, the right answer would be D, because disabling those accounts is part of admin activity which system custodians will do, not the risk practitioner; the risk practitioner cannot directly go and disable an account.