nerdexam
EC-Council

312-50V9 · Question #36

Which of the following processes evaluates the adherence of an organization to its stated security policy?

The correct answer is D. Security auditing. A security audit is the process that measures whether an organization's actual practices conform to its documented security policies and standards.

Introduction to Ethical Hacking

Question

Which of the following processes evaluates the adherence of an organization to its stated security policy?

Options

  • AVulnerability assessment
  • BPenetration testing
  • CRisk assessment
  • DSecurity auditing

How the community answered

(17 responses)
  • A
    6% (1)
  • B
    6% (1)
  • D
    88% (15)

Why each option

A security audit is the process that measures whether an organization's actual practices conform to its documented security policies and standards.

AVulnerability assessment

A vulnerability assessment identifies and quantifies technical security weaknesses in systems and software, not whether the organization follows its security policy.

BPenetration testing

Penetration testing simulates real-world attacks to test the effectiveness of security controls, not to evaluate adherence to internal policy.

CRisk assessment

A risk assessment identifies, analyzes, and prioritizes potential threats and their impacts, not whether the organization is following its stated policies.

DSecurity auditingCorrect

A security audit specifically evaluates an organization's compliance with its own stated security policies, procedures, and standards by comparing actual practices against documented requirements. Auditors systematically review controls, configurations, and behaviors to identify gaps and non-compliance. This distinguishes auditing from assessments that focus on technical weaknesses or risk levels rather than policy adherence.

Concept tested: Security audit evaluating policy adherence

Source: https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final

Topics

#security auditing#policy compliance#assessment types#organizational security

Community Discussion

No community discussion yet for this question.

Full 312-50V9 Practice