nerdexam
(ISC)2

CISSP · Question #1205

Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation?

The correct answer is B. Facilitate a root cause analysis (RCA). Selecting the appropriate level of detail in audit records is primarily driven by the need to support effective root cause analysis when security incidents or system failures occur.

Submitted by brentm· Mar 5, 2026Security Operations

Question

Which of the following is the PRIMARY reason for selecting the appropriate level of detail for audit record generation?

Options

  • ALower costs throughout the System Development Life Cycle (SDLC)
  • BFacilitate a root cause analysis (RCA)
  • CEnable generation of corrective action reports
  • DAvoid lengthy audit reports

How the community answered

(35 responses)
  • A
    3% (1)
  • B
    86% (30)
  • C
    9% (3)
  • D
    3% (1)

Why each option

Selecting the appropriate level of detail in audit records is primarily driven by the need to support effective root cause analysis when security incidents or system failures occur.

ALower costs throughout the System Development Life Cycle (SDLC)

While audit configuration can influence storage and processing costs, cost reduction throughout the SDLC is not the primary driver for selecting audit record detail levels; security and accountability requirements take precedence.

BFacilitate a root cause analysis (RCA)Correct

Root cause analysis (RCA) requires sufficiently detailed audit records to trace events back to their origin, identify contributing factors, and determine the sequence of actions that led to an incident. If audit records lack the right level of detail, investigators cannot reconstruct events accurately, making it impossible to identify the true cause of a failure or breach. Appropriate granularity ensures that audit logs capture enough contextual information-such as timestamps, user identities, and system states-to support thorough forensic investigation.

CEnable generation of corrective action reports

Corrective action reports are a downstream output of analysis, not the primary reason for determining audit record granularity; the detail level is set to enable the investigation that may eventually inform corrective actions.

DAvoid lengthy audit reports

Avoiding lengthy reports is a convenience consideration rather than a security or operational requirement, and it would actually argue for less detail, which could undermine the investigative value of audit records.

Concept tested: Audit record detail level selection for incident analysis

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-92.pdf

Topics

#Audit logs#Logging detail#Root cause analysis#Incident investigation

Community Discussion

No community discussion yet for this question.

Full CISSP Practice