An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended.
Who should authorize changing this threshold?
A . Control owner
B . IT security manager
C . Risk owner
D . IT system owner
Answer: A