CISSP Question #722: Real Exam Question with Answer & Explanation
The correct answer is A: Determine if audit records contain sufficient information.
Question
When assessing the audit capability of an application, which of the following activities is MOST important?
Options
- A. Determine if audit records contain sufficient information.
- B. Review security plan for actions to be taken in the event of audit failure.
- C. Verify if sufficient storage is allocated for audit records.
- D. Identify procedures to investigate suspicious activity.
Explanation
Audit capability is the ability of a system or application to generate and store audit records that can be used to monitor, analyze, and investigate the activities and events that occur within the system or application. Audit records should contain sufficient information to identify the who, what, when, where, and how of each auditable event. This information is essential for accountability, nonrepudiation, and forensic analysis. Therefore, when assessing the audit capability of an application, the most important activity is to determine if the audit records contain sufficient information. Reviewing the security plan for actions to be taken in the event of audit failure, verifying if sufficient storage is allocated for audit records, and identifying procedures to investigate suspicious activity are also important activities, but they are secondary to the quality of the audit records.