To me it's B. The most important is the scope of the audit, the value it brings: is it sufficient for what the organization needs in order to call or even perform an actual audit? The requirement of disk size we can adjust as needed; it can only be used to support the content of the information that the application can gather.
C, the keyword is "Capabilities". Remember the CIA, this question is about availability, not integrity. It would have been B if it was about the accuracy of the application.
When assessing the audit capability of an application, ensuring that audit records contain sufficient information is most important because without complete and accurate audit data, it would be difficult to trace or investigate any suspicious activities. This sufficiency forms the foundation for all other audit-related activities, such as investigating suspicious activity (Option A) and planning responses to audit failures (Option D).
Additionally, while storage (Option C) is necessary, it is secondary to ensuring that the content of the audit logs is comprehensive and reliable for effective auditing.
B. Keyword is "Mostly Important". They are all important but B sounds like the correct answer. To assess an application's audit capability effectively, the most critical activity is determining if the audit records contain sufficient information. Without detailed and comprehensive audit records, it's ALMOST impossible to reconstruct events, detect security incidents, or conduct forensic analysis. This sufficiency directly impacts the ability to monitor and review user activities, system operations, and potential security violations.
B. To assess an application's audit capability effectively, the most critical activity is determining if the audit records contain sufficient information. Without detailed and comprehensive audit records, it's ALMOST impossible to reconstruct events, detect security incidents, or conduct forensic analysis. This sufficiency directly impacts the ability to monitor and review user activities, system operations, and potential security violations.
Basically in auditing, an auditing tool should be able to capture every important part of the process as input. This determines the amount of information the application has to work with, and then enough storage space can be provisioned to keep the expected logs. B is the best answer. However, in the absence of B, I'd easily go for C.
It's C not B. It's about audit capability, not what is in the audit itself. It's like me saying I think what is inside the audit is sufficient to be called an audit... or could be looked at insufficient information to be called an audit... so if you put it in context of what is really insufficient in the audit... you will see it doesn't make much sense. But in terms of capability now, C makes perfect sense... because I am now as a manager looking to see if this audit assessment capable has enough resources to run based on my company capacity requirements. How long do I have to hold the data and do I have enough for the long term.
How do you audit an application?
Auditing Applications, Part 1
Plan the audit.
Determine audit objectives.
Map systems and data flows.
Identify key controls.
Understand application's functionality.
Perform applicable tests.
Avoid/consider complications.
Include financial assertions.
Auditing Applications, Part 1 - ISACA
I am having a hard time understanding this question. How is the MOST important thing to verify storage?
https://www.techtarget.com/searchcio/definition/security-audit
There are several reasons to do a security audit. They include these six goals:
Identify security problems and gaps, as well as system weaknesses.
Establish a security baseline that future audits can be compared with.
Comply with internal organization security policies.
Comply with external regulatory requirements.
Determine if security training is adequate.
Identify unnecessary resources.
B.
Determine if audit records contain sufficient information is most important.
Verifying storage space is important, but logs stored without the necessary information would be useless.
We were planning to roll out a Cloud VDI solution in the organisation where I work. They are providing 6 months retention on all audit logs. They are willing to extend the retention period for a smaller fee. But the project is on hold because we are not satisfied with their audit logs, because they do not provide us enough audit events to detect security events (suspicious or malicious activities). They only provide basic admin events in their audit logs. Retention is not a major concern when it comes to level of security events the audit log contains. This is a real world situation I had to deal with. So answer is "B".
I feel like B is more appropriate because to audit an application, there has to be something to assess. Imagine auditing privileged changes made to an application in the past 3 days and find only login and logout times and that admin modifications are not being logged. I think storage is also important but there was no context of availability mentioned.
Though both are important, if I can only choose 1 option, then B is more important. Cos if audit records do not contain sufficient information, then no matter how much storage is allocated, it is no use. Hence B is more correct.