Full Access Isaca CRISC Tutorials

The average time to provision user accounts is the most useful indicator to measure the efficiency of an identity and access management (IAM) process, because it reflects how quickly and smoothly the process can grant access to the appropriate users. The average time to provision user accounts can be calculated by dividing the total time spent on provisioning user accounts by the number of user accounts provisioned in a given period. A lower average time indicates a more efficient IAM process, as it means that users can access the resources they need without unnecessary delays or errors. A higher average time may indicate problems or bottlenecks in the IAM process, such as manual steps, complex workflows, lack of automation, or insufficient resources. The average time to provision user accounts can also be compared across different applications, systems, or business units to identify areas for improvement or best practices. The other options are less useful indicators to measure the efficiency of an IAM process. The number of tickets for provisioning new accounts shows the demand for the IAM process, but not how well the process meets the demand. The password reset volume per month shows the frequency of password-related issues, but not how effectively the IAM process handles them. The average account lockout time shows the impact of account lockouts on user productivity, but not howefficiently the IAM process prevents or resolves them. References = Top Identity and Access Management Metrics 

 Understanding the Question:

The question asks which method best enables timely detection of changes in the security control environment.

 Analyzing the Options:

A. Control self-assessment (CSA):Allows for continuous monitoring and quick detection of any changes or deficiencies in controls.

B. Log analysis:Useful for detecting security incidents but not as comprehensive as CSA for overall control environment changes.

C. Security control reviews:Typically periodic and might not be as timely.

D. Random sampling checks:Not as systematic or comprehensive as CSA.



Control Self-Assessment (CSA):CSA involves regular, structured evaluations by internal staff to ensure controls are working effectively. It promotes early detection of issues by those directly responsible for the controls.

Timeliness:CSA is an ongoing process, making it more timely in identifying changes compared to periodic reviews or random checks.

Risk exposure is the potential loss or negative impact that may result from a risk. Expressing risk exposure in business terms means translating the technical or quantitative aspects of risk into meaningful and understandable information for the risk owner and other stakeholders. This canhelp the risk owner to make risk-aware decisions, as it can provide a clear and consistent basis for comparing and prioritizing risks, evaluating the cost-benefit of risk responses, and aligning the risk management strategy with the business objectives and value. The other options are not as helpful as risk exposure expressed in business terms, because they do not provide a comprehensive and relevant view of the risk, but rather focus on specific or partial aspects of the risk. References = Risk and Information Systems Control Study Manual, Chapter 2, Section 2.3.1, page 45.

According to the CRISC Review Manual (Digital Version), the most important consideration when sharing risk management updates with executive management is ensuring relevance toorganizational goals, as this helps to align risk management with business strategy and performance. The risk management updates should:

Highlight the key risks that may affect the achievement of the organizational goals and objectives

Demonstrate the value and benefits of risk management in supporting decision making and enhancing business resilience

Provide clear and concise information on the current risk profile, risk appetite, risk tolerance and risk exposure of the organization

Recommend appropriate risk response actions and resource allocation to address the identified risks

Communicate the roles and responsibilities of executive management in overseeing and governing risk management

References = CRISC Review Manual (Digital Version), Chapter 4: IT Risk Monitoring and Reporting, Section 4.2: IT Risk Reporting, pp. 221-2221