An organization has implemented a preventive control to lock user accounts after three unsuccessful login...

According to the CRISC Review Manual, a control owner is the person who is accountable for ensuring that specific control activities are performed. The control owner is responsible for defining, implementing, monitoring, and improving the control. Therefore, the control ownershould authorize changing the control threshold value, as it is part of their role to ensure that the control is effective and efficient. The other options are not the correct answers, because they are not directly involved in the control activities. The risk owner is the person who is accountable for the risk and its associated mitigation actions. The IT security manager is the person who is responsible for overseeing the IT security function and ensuring that the IT security policy is enforced. The IT system owner is the person who is responsible for the operation andmaintenance of the IT system and its associated data. References = CRISC Review Manual, 7th Edition, Chapter 3, Section 3.1.2, page 108.