312-50V11 · Question #263
Which of the following processes evaluates the adherence of an organization to its stated security policy?
The correct answer is D. Security auditing. Security auditing is the formal process of evaluating whether an organization's practices and controls comply with its own defined security policies and standards.
Question
Which of the following processes evaluates the adherence of an organization to its stated security policy?
Options
- AVulnerability assessment
- BPenetration testing
- CRisk assessment
- DSecurity auditing
How the community answered
(36 responses)- A3% (1)
- C3% (1)
- D94% (34)
Why each option
Security auditing is the formal process of evaluating whether an organization's practices and controls comply with its own defined security policies and standards.
A vulnerability assessment identifies technical weaknesses in systems and infrastructure but does not measure adherence to organizational security policy.
Penetration testing simulates adversarial attacks to identify and exploit vulnerabilities, not to evaluate compliance with internal security policies.
A risk assessment identifies, analyzes, and prioritizes potential threats and their business impact, rather than evaluating whether stated policies are being followed.
A security audit systematically examines an organization's security controls, configurations, and operational procedures against its stated policies, regulations, or standards to determine conformance or non-conformance. Unlike vulnerability assessments or penetration tests, the primary focus of an audit is measuring policy adherence rather than discovering exploitable weaknesses. Audit results produce documented evidence of compliance status and identify gaps between policy requirements and actual practice.
Concept tested: Security auditing definition and purpose
Source: https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final
Topics
Community Discussion
No community discussion yet for this question.