nerdexam
(ISC)2

CISSP · Question #370

When conducting a security assessment of access controls, which activity is part of the data analysis phase?

The correct answer is C. Categorize and identify evidence gathered during the audit.. The activity that is part of the data analysis phase when conducting a security assessment of access controls is to categorize and identify evidence gathered during the audit. A security assessment of access controls is a process that evaluates the effectiveness and compliance of

Submitted by tyler.j· Mar 5, 2026Security Assessment and Testing

Question

When conducting a security assessment of access controls, which activity is part of the data analysis phase?

Options

  • APresent solutions to address audit exceptions.
  • BConduct statistical sampling of data transactions.
  • CCategorize and identify evidence gathered during the audit.
  • DCollect logs and reports.

How the community answered

(42 responses)
  • A
    2% (1)
  • B
    7% (3)
  • C
    86% (36)
  • D
    5% (2)

Explanation

The activity that is part of the data analysis phase when conducting a security assessment of access controls is to categorize and identify evidence gathered during the audit. A security assessment of access controls is a process that evaluates the effectiveness and compliance of the access controls implemented in a system or an organization. A security assessment of access controls typically consists of four phases: planning, data collection, data analysis, and reporting. The data analysis phase is the phase where the collected data is processed, interpreted, and evaluated, based on the audit objectives, criteria, and standards. The data analysis phase involves activities such as categorizing and identifying evidence gathered during the audit, which means sorting and labeling the data according to their type, source, and relevance, and verifying their validity, reliability, and sufficiency. Presenting solutions to address audit exceptions, conducting statistical sampling of data transactions, and collecting logs and reports are not activities that are part of the data analysis phase, but of the reporting, data collection, and data collection phases, respectively.

Topics

#Security assessment#Audit process#Data analysis#Access control audit

Community Discussion

No community discussion yet for this question.

Full CISSP Practice