* 必要な管理者の承認を得ずに、最近複数のネットワーク ユーザー アカウントが作成されました。これは、ネットワーク リソースまたはデータへの不正アクセス、使用、開示、変更、または破壊のリスクがあり、ネットワークの機密性、整合性、および可用性に影響を及ぼす可能性があることを示しています。
* この状況に対処するための最善の推奨事項は、非準拠の根本原因を調査することです。
This means that the risk practitioner should analyze the factors or reasons that led to the creation of the network user accounts without the required management approvals, such as human error, negligence, malice, system failure, process flaw, etc.
* Investigating the root cause of noncompliance helps to identify and correct the source of the problem, prevent or reduce the recurrence of the problem, and improve the compliance and security of the network user accounts.
* The other options are not the best recommendations to address this situation. They are either secondary or not effective for noncompliance.
The references for this answer are:
* Risk IT Framework, page 31
* Information Technology & Security, page 25
* Risk Scenarios Starter Pack, page 23

The business process owner is the person or entity that has the accountability and authority to manage a business process and its outcomes. The business process owner would be the most appropriate owner of the risk associated with an IT control gap in a key process, as they are responsible for ensuring that the process meets its objectives and delivers value to the enterprise. The business process owner should also ensure that the process is aligned with the enterprise's strategy and risk appetite, and that the process risks are identified, assessed, and mitigated effectively. References = ISACA Certified in Risk and Information Systems Control (CRISC) Certification Exam Question and Answers, Question 247. CRISC: Certified in Risk & Information Systems Control Sample Questions, Question 247. CRISC Sample Questions 2024, Question 247. CRISC by Isaca Actual Free Exam Q&As, Question 9.

セクション: ボリューム D
Explanation:
企業のリスク管理能力成熟度レベルが 1 となるのは、次の場合です。
* リスクは重要であり、管理する必要があることは理解されていますが、リスクは技術的な問題と見なされ、ビジネスでは主に IT リスクのマイナス面を考慮しています。
* リスク識別基準は企業によって大きく異なります。
* リスク選好度とリスク許容度は、一時的なリスク評価時にのみ適用されます。
* エンタープライズ リスク ポリシーと標準が不完全であるか、外部要件のみを反映しており、防御可能な根拠と実施メカニズムが欠けています。
* リスク管理スキルはアドホックに存在しますが、積極的に開発されていません。
* リスクとは無関係なコントロールのアドホック インベントリがデスクトップ アプリケーション全体に分散されています。
誤った回答:
A: リスク管理能力成熟度モデルのレベル 3 では、ローカル許容度がエンタープライズ リスク許容度を決定します。
B: リスク管理能力成熟度モデルのレベル 2 では、リスク許容度はローカルに設定され、集計することが困難な場合があります。
C: リスク管理能力成熟度モデルのレベル 4 では、ビジネス リスク許容度は企業のポリシーと標準によって反映されます。

* IT control self-assessments are techniques that involve identifying and evaluating the effectiveness and efficiency of the IT controls that are designed and implemented to mitigate the IT risks, by the managers and staff within the organization12.
* An ineffective control is a control that does not achieve its intended objective or purpose, or does not operate as designed or expected34.
* A low residual risk scenario is a situation or occurrence that has a low likelihood and impact of affecting the organization's objectives, performance, or value creation, after considering the existing controls and their effectiveness56.
* The next course of action when reviewing management's IT control self-assessments and noting an ineffective control that links to several low residual risk scenarios is to recommend management accept the low-risk scenarios, which is a risk response strategy that involves acknowledging and tolerating the level of risk exposure, and not taking any further action to reduce or eliminate it78.
* Recommending management accept the low-risk scenarios is the next course of action because it is the most cost-effective and reasonable option, given that the level of risk exposure is low and acceptable, and the cost and effort of implementing or improving the control may outweigh the potential benefits or value78.
* Recommending management accept the low-risk scenarios is also the next course of action because it is consistent with the risk management process and objectives, which are to identify and address the risks that may affect the achievement of the organization's goals and the delivery of value to the stakeholders, and to optimize the balance between risk and reward78.
* The other options are not the next course of action, but rather possible alternatives or steps that may be considered or followed in different circumstances or scenarios. For example:
* Assessing management's risk tolerance is a step that involves determining and communicating the acceptable or tolerable level of risk exposure for the organization or its business units, based on the organization's risk appetite, criteria, and objectives78. However, this step is not the next course of action because it is usually done before or during the risk assessment process, and not after noting an ineffective control that links to several low residual risk scenarios78.
* Proposing mitigating controls is a course of action that involves suggesting or recommending additional or alternative controls that can reduce or eliminate the level of risk exposure, and improve the effectiveness and efficiency of the risk management process78. However, this course of action is not the next course of action because it is not necessary or appropriate for low residual risk scenarios, as the cost and effort of implementing or improving the controls may outweigh the potential benefits or value78.
* Re-evaluating the risk scenarios associated with the control is a course of action that involves revising and updating the likelihood and impact of the risk scenarios, and the level of risk exposure or tolerance for the organization, based on the current or changed conditions or factors that influence the risk landscape78. However, this course of action is not the next course of action because it is not required or relevant for low residual risk scenarios, as the level of risk exposure is already low and acceptable, and the ineffective control does not significantly affect the risk assessment78. References
* 1: Control Self Assessments - PwC1
* 2: Control self-assessment - Wikipedia2
* 3: Ineffective Controls: What They Are and How to Identify Them3
* 4: Ineffective Controls: What They Are and How to Identify Them4
* 5: Residual Risk - Definition and Examples5
* 6: Residual Risk: Definition, Formula & Management6
* 7: Risk IT Framework, ISACA, 2009
* 8: IT Risk Management Framework, University of Toronto, 2017