Exam CISSP topic 1 question 50 discussion

I agree with B. If you create a policy on when system accounts can be created, they would have to be logged or someone would have to actively break policy. Think like a manager!

sorry, should be C?

While B (Create policies for system access) is important and should already be in place, it doesn't directly address the specific issue of a rogue privileged account being created between reviews. Policies are guidelines, but they don't actively prevent or detect this type of activity in real-time. Risk-based alerts, on the other hand, do address this gap. By implementing alerts for specific high-risk actions (like the creation of new privileged accounts, especially outside of normal change windows), the security team can be notified immediately when such an event occurs. This allows for rapid investigation and mitigation, significantly reducing the window of opportunity for malicious activity. It complements the quarterly reviews by providing continuous monitoring and detection capabilities.

Creating policies for system access is more important than increasing logging levels in this case. The policies created should actually include logging. That way, policy drives system access and logging levels.

C. Implement and review risk-based alerts. Here's why: Risk-based alerts provide real-time or near-real-time monitoring and alerting for unusual or suspicious activities, such as the creation of new privileged accounts. This enables a more proactive approach to security, allowing the organization to quickly identify and respond to potential threats. Implementing bi-annual reviews (A) would reduce the frequency of reviews, potentially increasing the risk of unnoticed issues. Creating policies for system access (B) is important, but on its own, it may not provide the necessary real-time detection and response capabilities. Increasing logging levels (D) can be helpful, but without active monitoring and alerting, it might not effectively reduce risk. Risk-based alerts enhance your security posture by providing timely information and enabling swift action to mitigate potential risks.

nobody ever comes back on here after failing or passing lol

From a managerial standpoint, establishing clear policies is fundamental. Policies provide a framework for consistent and secure access management, ensuring that all actions are governed by well-defined rules. This helps in maintaining control and accountability, which are key managerial responsibilities.

En base a la pregunta, al C es la correcta

answer c is correct sinc alerts can detect changes

B is a good answer, but C is better.

Well, this is quite contentious a question, huh. But as you can see, you will have to change the policy along the way, anyway, every time after you have done a quarterly check. So B would be out of the question very necessary, fundamental and routine; however, C is directly resolving the problem depicted in the question body, so C is more relevant an answer which is heavily implied by the question composer. And C is the conclusion that you should have as a manager after adopting doubleloop thinking method.

B policies encompasses C alert implementation. B enforces C and holds the stake holders (usually Sr professionals) accountable for implementation alignment with the police B. I finally understand why CISSP exam emphasizes managerial view. B takes precedence C. In order words, B must be in place first. I choose B.

C. The trick here is that it was created immediately after the previous check. The implication is that the user is very aware that it wouldn't be allowed UNDER THE POLICIES THEY ALREADY HAVE, and are choosing to ignore that. A new policy does not enforce compliance, but setting up alerts to monitor would immediately detect non-compliance regardless of the users intent or timing.

The best option for reducing overall risk in addition to quarterly access reviews is : C. Implement and review risk-based alerts. Implementing and reviewing risk-based alerts would enable early detection of suspicious or unauthorized activity, such as the creation of new privileged accounts, and react accordingly. This proactive approach helps to identify and mitigate potential risks in real time, rather than relying solely on periodic reviews.

In the context of the scenario provided, implementing and reviewing risk-based alerts be the better option for immediate risk mitigation.

Policy vs. Alert

C. the key is here was created 1 hour after of previous review, so they will detect the account until the next review will be performed. The best option is C. Answer B should be a good option but not accomplish the detection and response.