CISSP Question #578: Real Exam Question with Answer & Explanation
The correct answer is D: Implementation of changes to a system.
Question
Which of the following would an internal technical security audit BEST validate?
Options
- A. Whether managerial controls are in place
- B. Support for security programs by executive management
- C. Appropriate third-party system hardening
- D. Implementation of changes to a system
Explanation
An internal technical security audit focuses on verifying that technical controls and configurations have been properly implemented within systems. It is best suited for validating hands-on, system-level changes rather than organizational or managerial oversight.
Common mistakes.
- A. Validating whether managerial controls are in place is the function of a management or compliance audit, not a technical security audit, since managerial controls involve policies, procedures, and organizational accountability rather than system-level configurations.
- B. Executive management support for security programs is an organizational and governance concern assessed through interviews, policy reviews, or program audits, not through a technical security audit that examines system-level implementations.
- C. Third-party system hardening would be evaluated through a vendor assessment, supply chain audit, or third-party risk management review, not an internal technical audit, which focuses on internally managed systems and controls.
Concept tested. Purpose and scope of internal technical security audits
Reference. https://csrc.nist.gov/publications/detail/sp/800-115/final