Exam CISSP topic 1 question 50 discussion

Actual exam question from ISC's CISSP
Question #: 50
Topic #: 1

In a quarterly system access review, an active privileged account was discovered that did not exist in the prior review on the production system. The account was created one hour after the previous access review. Which of the following is the BEST option to reduce overall risk in addition to quarterly access reviews?

  • A. Implement bi-annual reviews.
  • B. Create policies for system access.
  • C. Implement and review risk-based alerts.
  • D. Increase logging levels.
Suggested Answer: C

Comments

N00b1e
Highly Voted 2 years, 2 months ago
Selected Answer: B
I agree with B. If you create a policy on when system accounts can be created, they would have to be logged or someone would have to actively break policy. Think like a manager!
upvoted 17 times
1460168
3 months, 4 weeks ago
Think like a Manager. Do not touch anything, tell others how to do it.
upvoted 1 times
...
Jamati
2 years ago
I agree, the key here is to think like a manager.
upvoted 2 times
...
jackdryan
1 year, 7 months ago
B is correct
upvoted 1 times
...
...
thomass
Highly Voted 2 years, 2 months ago
sorry, should be C?
upvoted 10 times
Ramye
6 months, 1 week ago
Why though? Without the established policy, there won’t be any concern of creating accts, hence there should not be any trigger or anything like that. So answer most likely B. But if anyone has confirmed answer I’ll be happy to take that. Thx
upvoted 1 times
...
...
GabrielVillamizar
Most Recent 3 months, 3 weeks ago
Selected Answer: C
Based on the question, C is the correct one.
upvoted 1 times
...
Nithstar
4 months ago
Answer C is correct since alerts can detect changes.
upvoted 1 times
...
CCNPWILL
5 months, 3 weeks ago
Selected Answer: C
B is a good answer, but C is better.
upvoted 1 times
...
Jenkins3mol
6 months, 4 weeks ago
Selected Answer: C
Well, this is quite contentious a question, huh. But as you can see, you will have to change the policy along the way, anyway, every time after you have done a quarterly check. So B would be out of the question very necessary, fundamental and routine; however, C is directly resolving the problem depicted in the question body, so C is more relevant an answer which is heavily implied by the question composer. And C is the conclusion that you should have as a manager after adopting the double-loop thinking method.
upvoted 4 times
...
jieaws
7 months, 2 weeks ago
B policies encompass C alert implementation. B enforces C and holds the stakeholders (usually Sr professionals) accountable for implementation alignment with the policy B. I finally understand why the CISSP exam emphasizes the managerial view. B takes precedence over C. In other words, B must be in place first. I choose B.
upvoted 1 times
...
AshStevens
7 months, 3 weeks ago
Selected Answer: C
C. The trick here is that it was created immediately after the previous check. The implication is that the user is very aware that it wouldn't be allowed UNDER THE POLICIES THEY ALREADY HAVE, and is choosing to ignore that. A new policy does not enforce compliance, but setting up alerts to monitor would immediately detect non-compliance regardless of the user's intent or timing.
upvoted 1 times
...
Vaneck
8 months, 1 week ago
Selected Answer: C
The best option for reducing overall risk in addition to quarterly access reviews is: C. Implement and review risk-based alerts. Implementing and reviewing risk-based alerts would enable early detection of suspicious or unauthorized activity, such as the creation of new privileged accounts, and allow reacting accordingly. This proactive approach helps to identify and mitigate potential risks in real time, rather than relying solely on periodic reviews.
upvoted 1 times
...
john_boogieman
8 months, 1 week ago
Selected Answer: C
In the context of the scenario provided, implementing and reviewing risk-based alerts would be the better option for immediate risk mitigation.
upvoted 1 times
...
homeysl
8 months, 2 weeks ago
Selected Answer: B
Policy vs. Alert
upvoted 1 times
...
lexvather
9 months ago
C. The key here is that it was created 1 hour after the previous review, so they will detect the account until the next review is performed. The best option is C. Answer B should be a good option but does not accomplish the detection and response.
upvoted 1 times
...
xxxBadManxxx
9 months, 1 week ago
Selected Answer: D
D. Implement and review risk-based alerts. Explanation: Implementing and reviewing risk-based alerts will help detect and respond to unusual or potentially risky activities in real-time. In this specific case, the creation of an active privileged account that did not exist in the prior review raises concerns about potential unauthorized or suspicious activities. By implementing risk-based alerts, you can set up automated monitoring systems that notify you when certain high-risk events occur, allowing for immediate investigation and action. The discovery of an active privileged account that was created shortly after the previous access review highlights the need for more frequent monitoring and alerting. Implementing risk-based alerts can help identify and respond to potential security issues in real-time, rather than waiting for the next quarterly review. This can help reduce the overall risk of unauthorized access or malicious activity.
upvoted 1 times
...
bdlm
10 months, 2 weeks ago
Selected Answer: C
I'm going with C because there are policies in place regarding access control (the quarterly audit). Implementing C could be an augmentation to the existing policy that specifically addresses the issue. For being more specific and directly addressing the issue, I'm going with C.
upvoted 3 times
...
InclusiveSTEAM
1 year, 1 month ago
C is the answer. The best option to reduce risk in this situation in addition to quarterly access reviews is C - Implement and review risk-based alerts. Configuring alerts to detect unauthorized privileged account creation in close proximity to access reviews would directly detect this suspicious activity. Regularly reviewing alerts improves visibility. Option A may be useful but does not address real-time detection. Option B helps set policy but does not provide technical enforcement. Option D gives more data but alerts actively surface high-risk events. In summary, implementing risk-based alerts that trigger on anomalies like this, along with prompt review, would provide the fastest mitigation and risk reduction.
upvoted 2 times
...
Sledge_Hammer
1 year, 2 months ago
The correct answer is C. An organization that already reviews its system access quarterly obviously has a System Access policy in place, so no need in creating policies for system access.
upvoted 1 times
...
georgegeorge125487
1 year, 3 months ago
Selected Answer: C
Between quarterly reviews you have to implement a detective control, i.e. an alert. A policy will not solve the immediate issue with a new privileged account created in between.
upvoted 4 times
...
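The detective control several commenters describe, as an added example (not part of any comment or of ExamTopics): a risk-based alert that flags privileged-group grants made between access reviews, scoring a brand-new account higher than an existing one. The log format (modeled on useradd/usermod syslog messages), the group names, the scores and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumptions (not from the page): syslog lines in the style written by
# useradd/usermod, and 'sudo'/'wheel'/'root' treated as privileged groups.
PRIV_GROUPS = {"sudo", "wheel", "root"}
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,\s]+)")
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to group '(?P<group>[^']+)'")

def risk_alerts(lines, baseline_privileged, threshold=50):
    """Return alerts for privilege grants outside the last review's baseline."""
    created = set()   # accounts created since the last review
    alerts = []
    for line in lines:
        m = NEW_USER.search(line)
        if m:
            created.add(m["user"])   # creation alone is recorded, not alerted on
            continue
        m = GROUP_ADD.search(line)
        if not m or m["group"] not in PRIV_GROUPS:
            continue                 # not a privileged-group change
        user = m["user"]
        if user in baseline_privileged:
            continue                 # already approved at the last review
        score = 90 if user in created else 70   # new account + privilege = highest risk
        if score >= threshold:
            alerts.append({"user": user, "group": m["group"], "score": score, "raw": line})
    return alerts

# Constructed sample log lines, not real data.
SAMPLE_LOG = [
    "Mar  1 10:00:03 prod01 useradd[2211]: new user: name=svc_backup, UID=1001, GID=1001, home=/home/svc_backup, shell=/bin/bash",
    "Mar  1 10:00:09 prod01 usermod[2215]: add 'svc_backup' to group 'sudo'",
    "Mar  1 11:12:40 prod01 useradd[2302]: new user: name=jdoe, UID=1002, GID=1002, home=/home/jdoe, shell=/bin/bash",
    "Mar  2 09:00:00 prod01 usermod[2400]: add 'alice' to group 'sudo'",
    "Mar  2 09:30:00 prod01 usermod[2412]: add 'bob' to group 'wheel'",
    "Mar  2 09:31:00 prod01 usermod[2413]: add 'jdoe' to group 'audio'",
]
BASELINE = {"alice"}  # privileged accounts approved at the last quarterly review

if __name__ == "__main__":
    for a in risk_alerts(SAMPLE_LOG, BASELINE):
        print(f"[risk {a['score']}] {a['user']} added to {a['group']}: {a['raw']}")
```

Refreshing the baseline set at each quarterly review keeps the alert and the review working as complementary controls.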
Community vote distribution
A (35%)
C (25%)
B (20%)
Other