A & D - We don't create audit reports to save storage space or cost
B - Audit reports are for analysis; they do not have any corrective actions
I would go for C - Audit report helps to find the root cause after the security incident
I disagree. Root Cause Analysis (RCA) is more of a technical procedure, not an audit. Example: generate an RCA when there is a malware infection to see how a system got infected.
And the audit's purpose is for sure to assist in correcting things.
It's talking about audit records though, not an actual audit. System logs are audit records, so setting the right levels enables RCA. Get it wrong and there's too much or too little, making that more difficult.
A. Avoid lengthy audit reports: While storage space can be a concern, it's not the primary reason for detail selection. Having the right information for analysis is more important.
B. Enable generation of corrective action reports: Audit records do contribute to corrective actions, but identifying the root cause (RCA) comes first. The root cause helps determine the most effective corrective actions.
C. Facilitate a root cause analysis (RCA): This is the primary reason. You need detailed audit records to understand the sequence of events, identify weaknesses, and pinpoint the underlying cause of the issue.
D. Lower costs throughout the System Development Life Cycle (SDLC): Although proper audit practices can contribute to cost reduction, it's not the main driver for detail selection.
Audit is all about finding out whether you are compliant with standards, policies, controls, etc., and shows you where there could be any gaps in compliance. Those gaps somehow need to be corrected after talking to management.
Ans: B. Audit does not do RCA; its purpose is compliance with a standard.
A typical finding would identify the following:
Condition. Statement that describes the results of the audit
Criteria. Standards used to measure the activity or performance of the auditee
Cause. Explanation of why a problem occurred
Effect. Difference between and significance of the condition and the criteria
Recommendation. Action that must be taken to correct the cause
This topic is talking about what kinds of standards shall be used for an audit report. It is a SOC knowledge test, no matter whether SOC 1 or SOC 2. It focuses on checking whether the actions are reasonable and suitable for the organization. So it is B.
Answer C
Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of root causes to problems.
https://csf.tools/reference/nist-sp-800-171/r2/3-3/3-3-1/#:~:text=Selecting%20the%20appropriate%20level%20of%20abstraction%20is%20a%20critical%20aspect%20of%20an%20audit%20logging%20capability%20and%20can%20facilitate%20the%20identification%20of%20root%20causes%20to%20problems.
RCA is not correct - for example Cisco IOS code has enough reporting to enable developers to easily identify with the code numbers what is the cause within the IOS.
B. Enable generation of corrective action reports.
corrective action - NOT reporting, to correct the code
The correct answer is B. Enable generation of corrective action reports.
When audit records are generated with the appropriate level of detail, they provide valuable information that can be used to analyze security events, identify vulnerabilities, and determine the necessary corrective actions. These corrective actions can help address any identified weaknesses or shortcomings in the system's security posture.
By having detailed audit records, organizations can generate comprehensive reports that highlight the specific actions or changes needed to mitigate risks and improve security. These corrective action reports serve as a guide for implementing necessary measures and making improvements to the system's security controls.
B.
RCA is a report that must be generated after an incident. The RCA will document the Time/Date, Impact, Duration, Cause and How to Prevent this from happening again.
Audit Report is to gain a more general understanding of the environment and to make & take corrective action and make greater improvements.
CISSP Official Study Guide pg 10 - "Auditing is the programmatic means by which a subject's actions are tracked and recorded for the purpose of holding the subject accountable for their actions while authenticated on a system through the documentation or recording of subject activities. It is also the process by which unauthorized or abnormal activities are detected on a system. Auditing is recording activities of a subject and its objects as well as recording the activities of application and system functions. Log files provide an audit trail for re-creating the history of an event, intrusion, or system failure. Auditing is needed to detect malicious actions by subjects, attempted intrusions, and system failures and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis."
C. Facilitate a root cause analysis (RCA) is the primary reason for selecting the appropriate level of detail for audit record generation. Root cause analysis (RCA) is an approach used to identify the underlying cause of an incident or problem. In order to conduct an RCA, it is necessary to have detailed information about what occurred during the incident or problem. This includes information about the actions taken, the systems involved, and the data that was accessed. By selecting the appropriate level of detail for audit record generation, organizations can ensure that they have the necessary information to conduct an RCA and understand the underlying cause of a security incident.
C would be correct.
Facilitating Root Cause Analysis in auditing will have benefits:
• Focused audit planning
• More insight to findings
• Improved rigor of analysis
• Better recommendations
• More impactful audits
These will generate more detail for the audit record in the audit report.
Reference: https://www.caaf-fcar.ca/images/content/performance-audit/Webinars/SpringWebinarSeries/RCA/RCA-EN_Slides%E2%80%93Apr-14-20.pdf
CISSP 9th edition page 996:
"Once the incident has been contained, you need to figure out what just happened by putting the available pieces together. This is the substage of analysis, where more data is gathered (audit logs, video captures, human accounts of activities, system activities) to try and figure out the root cause of the incident. The goals are to figure out who did this, how they did it, when they did it, and why."