CISSP · Question #578
Which of the following would an internal technical security audit BEST validate?
The correct answer is D. Implementation of changes to a system. An internal technical security audit focuses on verifying that technical controls and configurations have been properly implemented within systems. It is best suited for validating hands-on, system-level changes rather than organizational or managerial oversight.
Question
Options
- AWhether managerial controls are in place
- BSupport for security programs by executive management
- CAppropriate third-party system hardening
- DImplementation of changes to a system
How the community answered
(25 responses)- A4% (1)
- B4% (1)
- C4% (1)
- D88% (22)
Why each option
An internal technical security audit focuses on verifying that technical controls and configurations have been properly implemented within systems. It is best suited for validating hands-on, system-level changes rather than organizational or managerial oversight.
Validating whether managerial controls are in place is the function of a management or compliance audit, not a technical security audit, since managerial controls involve policies, procedures, and organizational accountability rather than system-level configurations.
Executive management support for security programs is an organizational and governance concern assessed through interviews, policy reviews, or program audits-not through a technical security audit that examines system-level implementations.
Third-party system hardening would be evaluated through a vendor assessment, supply chain audit, or third-party risk management review, not an internal technical audit which focuses on internally managed systems and controls.
An internal technical security audit directly examines system configurations, logs, and change records to confirm that specific technical changes-such as patches, access control updates, or configuration hardening-have been correctly implemented. This type of audit involves reviewing technical artifacts like system states and audit trails, making it the most appropriate mechanism for validating implementation of system changes. Technical audits are designed precisely to verify that documented changes match the actual state of systems.
Concept tested: Purpose and scope of internal technical security audits
Source: https://csrc.nist.gov/publications/detail/sp/800-115/final
Topics
Community Discussion
No community discussion yet for this question.