312-50V9 · Question #36
Which of the following processes evaluates the adherence of an organization to its stated security policy?
The correct answer is D. Security auditing. A security audit is the process that measures whether an organization's actual practices conform to its documented security policies and standards.
Question
Which of the following processes evaluates the adherence of an organization to its stated security policy?
Options
- AVulnerability assessment
- BPenetration testing
- CRisk assessment
- DSecurity auditing
How the community answered
(17 responses)- A6% (1)
- B6% (1)
- D88% (15)
Why each option
A security audit is the process that measures whether an organization's actual practices conform to its documented security policies and standards.
A vulnerability assessment identifies and quantifies technical security weaknesses in systems and software, not whether the organization follows its security policy.
Penetration testing simulates real-world attacks to test the effectiveness of security controls, not to evaluate adherence to internal policy.
A risk assessment identifies, analyzes, and prioritizes potential threats and their impacts, not whether the organization is following its stated policies.
A security audit specifically evaluates an organization's compliance with its own stated security policies, procedures, and standards by comparing actual practices against documented requirements. Auditors systematically review controls, configurations, and behaviors to identify gaps and non-compliance. This distinguishes auditing from assessments that focus on technical weaknesses or risk levels rather than policy adherence.
Concept tested: Security audit evaluating policy adherence
Source: https://csrc.nist.gov/publications/detail/sp/800-53a/rev-5/final
Topics
Community Discussion
No community discussion yet for this question.