nerdexam
(ISC)2

CISSP · Question #762

An auditor carrying out a compliance audit requests passwords that are encrypted in the system to verify that the passwords are compliant with policy. Which of the following is the BEST response to th

The correct answer is C. Demonstrate that non-compliant passwords cannot be created in the system.. The best response to the auditor is to demonstrate that the system enforces the password policy and does not allow non-compliant passwords to be created. This way, the auditor can verify the compliance without compromising the confidentiality or integrity of the encrypted passwor

Submitted by lucia.co· Mar 5, 2026Security and Risk Management

Question

An auditor carrying out a compliance audit requests passwords that are encrypted in the system to verify that the passwords are compliant with policy. Which of the following is the BEST response to the auditor?

Options

  • AProvide the encrypted passwords and analysis tools to the auditor for analysis.
  • BAnalyze the encrypted passwords for the auditor and show them the results.
  • CDemonstrate that non-compliant passwords cannot be created in the system.
  • DDemonstrate that non-compliant passwords cannot be encrypted in the system.

How the community answered

(23 responses)
  • A
    17% (4)
  • B
    13% (3)
  • C
    65% (15)
  • D
    4% (1)

Explanation

The best response to the auditor is to demonstrate that the system enforces the password policy and does not allow non-compliant passwords to be created. This way, the auditor can verify the compliance without compromising the confidentiality or integrity of the encrypted passwords. Providing the encrypted passwords and analysis tools to the auditor (A) may expose the passwords to unauthorized access or modification. Analyzing the encrypted passwords for the auditor and showing them the results (B) may not be sufficient to convince the auditor of the compliance, as the results could be manipulated or falsified. Demonstrating that non-compliant passwords cannot be encrypted in the system (D) is not a valid response, as encryption does not depend on the compliance of the passwords.

Topics

#auditor interaction#password policy enforcement#security compliance#preventative controls

Community Discussion

No community discussion yet for this question.

Full CISSP Practice