CISSP Exam - Question 50


In a quarterly system access review, an active privileged account was discovered that did not exist in the prior review on the production system. The account was created one hour after the previous access review. Which of the following is the BEST option to reduce overall risk in addition to quarterly access reviews?

Correct Answer: C

To reduce overall risk between quarterly reviews, implementing and reviewing risk-based alerts is the most effective approach. Alerts allow real-time detection of unusual activity, such as the creation of privileged accounts, so the organization can respond to a potential security threat immediately instead of waiting for the next scheduled review.

Discussion

17 comments
N00b1e (Option: B)
Sep 9, 2022

I agree with B. If you create a policy on when system accounts can be created, they would have to be logged or someone would have to actively break policy. Think like a manager!

Jamati
Nov 3, 2022

I agree, the key here is to think like a manager.

jackdryan
Apr 23, 2023

B is correct

thomass (Option: C)
Sep 3, 2022

Sorry, should be C?

Ramye
May 16, 2024

Why though? Without the established policy, there won’t be any concern of creating accts, hence there should not be any trigger or anything like that. So answer most likely B. But if anyone has confirmed answer I’ll be happy to take that. Thx

georgegeorge125487 (Option: C)
Aug 15, 2023

Between quarterly reviews you have to implement a detective control, i.e. an alert. A policy will not solve the immediate issue with a new privileged account created in between.

Bach1968 (Option: C)
Jul 5, 2023

In summary, option B emphasizes the establishment of access control policies and procedures, while option C emphasizes the implementation of risk-based alerts for proactive monitoring and incident detection. Both measures are important in reducing overall risk, but they focus on different aspects of access control and security monitoring. It is often beneficial to implement both measures in combination to establish a comprehensive approach to security.

bdlm (Option: C)
Jan 14, 2024

I'm going with C because there are policies in place regarding access control (the quarterly audit). Implementing C could be an augmentation to the existing policy that specifically addresses the issue. For being more specific and directly addressing the issue, I'm going with C.

InclusiveSTEAM (Option: C)
Oct 8, 2023

C is the answer. The best option to reduce risk in this situation in addition to quarterly access reviews is C - Implement and review risk-based alerts. Configuring alerts to detect unauthorized privileged account creation in close proximity to access reviews would directly detect this suspicious activity. Regularly reviewing alerts improves visibility. Option A may be useful but does not address real-time detection. Option B helps set policy but does not provide technical enforcement. Option D gives more data but alerts actively surface high-risk events. In summary, implementing risk-based alerts that trigger on anomalies like this, along with prompt review, would provide the fastest mitigation and risk reduction.

Jenkins3mol (Option: C)
Apr 30, 2024

Well, this is quite contentious a question, huh. But as you can see, you will have to change the policy along the way, anyway, every time after you have done a quarterly check. So B would be out of the question very necessary, fundamental and routine; however, C is directly resolving the problem depicted in the question body, so C is more relevant an answer which is heavily implied by the question composer. And C is the conclusion that you should have as a manager after adopting the double-loop thinking method.

4vv (Option: B)
Aug 11, 2023

50. b => Create policies for system access to reduce overall risk in addition to quarterly access reviews.

Sledge_Hammer (Option: C)
Sep 13, 2023

The correct answer is C. An organization that already reviews its system access quarterly obviously has a System Access policy in place, so there is no need to create policies for system access.

xxxBadManxxx (Option: D)
Feb 20, 2024

D. Implement and review risk-based alerts. Explanation: Implementing and reviewing risk-based alerts will help detect and respond to unusual or potentially risky activities in real-time. In this specific case, the creation of an active privileged account that did not exist in the prior review raises concerns about potential unauthorized or suspicious activities. By implementing risk-based alerts, you can set up automated monitoring systems that notify you when certain high-risk events occur, allowing for immediate investigation and action. The discovery of an active privileged account that was created shortly after the previous access review highlights the need for more frequent monitoring and alerting. Implementing risk-based alerts can help identify and respond to potential security issues in real-time, rather than waiting for the next quarterly review. This can help reduce the overall risk of unauthorized access or malicious activity.

lexvather (Option: C)
Feb 21, 2024

C. The key here is that it was created 1 hour after the previous review, so they will detect the account only when the next review is performed. The best option is C. Answer B should be a good option, but it does not accomplish the detection and response.

homeysl (Option: B)
Mar 15, 2024

Policy vs. Alert

john_boogieman (Option: C)
Mar 16, 2024

In the context of the scenario provided, implementing and reviewing risk-based alerts would be the better option for immediate risk mitigation.

Vaneck (Option: C)
Mar 21, 2024

The best option for reducing overall risk in addition to quarterly access reviews is: C. Implement and review risk-based alerts. Implementing and reviewing risk-based alerts would enable early detection of suspicious or unauthorized activity, such as the creation of new privileged accounts, and allow the organization to react accordingly. This proactive approach helps to identify and mitigate potential risks in real time, rather than relying solely on periodic reviews.

AshStevens (Option: C)
Apr 2, 2024

C. The trick here is that it was created immediately after the previous check. The implication is that the user is very aware that it wouldn't be allowed UNDER THE POLICIES THEY ALREADY HAVE, and is choosing to ignore that. A new policy does not enforce compliance, but setting up alerts to monitor would immediately detect non-compliance regardless of the user's intent or timing.

jieaws (Option: B)
Apr 13, 2024

B policies encompass C alert implementation. B enforces C and holds the stakeholders (usually Sr professionals) accountable for implementation alignment with the policy B. I finally understand why the CISSP exam emphasizes the managerial view. B takes precedence over C. In other words, B must be in place first. I choose B.

CCNPWILL (Option: C)
Jun 3, 2024

B is a good answer, but C is better.