Which of the following questions is LEAST likely to help in assessing controls covering audit trails?

A.
Does the audit trail provide a trace of user actions?

B.
Are incidents monitored and tracked until resolved?

C.
Is access to online logs strictly controlled?

D.
Is there separation of duties between security personnel who administer the access control function and
those who administer the audit trail?

Explanation:
Audit trails maintain a record of system activity by system or application processes and by user activity. In
conjunction with appropriate tools and procedures, audit trails can provide individual accountability, a means to
reconstruct events, detect intrusions, and identify problems. Audit trail controls are considered technical
controls.
Monitoring and tracking of incidents is more an operational control related to incident response capability.
Therefore, asking if incidents monitored and tracked until resolved will not help in assessing controls covering
audit trails.
Incorrect Answers:
A: An audit trail should provide a trace of user actions. Asking about this will help in assessing controls covering
audit trails.
C: Access to online logs should be strictly controlled. Asking about this will help in assessing controls covering
audit trails.
D: There should be separation of duties between security personnel who administer the access control function
and those who administer the audit trail. Asking about this will help in assessing controls covering audit trails.