
CISA問題集合格保証付きの合格できるCISA試験2024年更新
CISA試験問題集を試そう!ベストCISA試験問題トレーニングを提供していますGoShiken
CISA認定試験は、情報システム監査プロセス、ITのガバナンスとマネジメント、情報システムの取得、開発、実装、情報システムの運用、保守、サービスマネジメントの4つのドメインから構成されています。試験形式は多肢選択問題で、世界中でいくつかの言語で提供されています。認定は5年間有効であり、認定を維持するには、個人は毎年継続的なプロフェッショナル教育(CPE)クレジットを取得する必要があります。CISA認定は、世界中の組織にとって高く評価され、情報システム監査の分野での卓越性の基準として認められています。
質問 # 289
Which of the following refers to any authentication protocol that requires two independent ways to establish identity and privileges?
- A. Two-factor authentication
- B. Rich-factor authentication
- C. Dual-keys authentication
- D. Strong-factor authentication
- E. Two-passphrases authentication
- F. Dual-password authentication
正解:A
解説:
Two-factor authentication (T-FA) refers to any authentication protocol that requires two independent ways to establish identity and privileges. Common implementations of two-factor authentication use 'something you know' as one of the two factors, and use either 'something you have' or 'something you are' as the other factor. In fact, using more than one factor is also called strong authentication. On the other hand, using just one factor is considered by some weak authentication.
質問 # 290
Which of the following factors constitutes a strength in regard to the use of a disaster recovery planning reciprocal agreement?
- A. The two companies might share a need for a specialized piece of equipment
- B. Reciprocal agreements may not be formally established in a contract.
- C. A disaster could occur that would affect both companies.
- D. Changes to the hardware or software environment by one company could make the agreement ineffective or obsolete.
正解:A
質問 # 291
An organization has replaced all of the storage devices at its primary data center with new higher capacity units The replaced devices have been installed at the disaster recovery site to replace older units An IS auditor s PRIMARY concern would be whether.
- A. the procurement was in accordance with corporate policies and procedures
- B. the recovery site devices can handle the storage requirements
- C. the relocation plan has been communicated to all concerned parties
- D. a hardware maintenance contract is in place for both old and new storage devices
正解:A
質問 # 292
Which type of migration process would BEST minimize the risk associated with a payroll application when converting from an old to a new system?
- A. Simulated
- B. Parallel
- C. Direct
- D. Phased
正解:B
質問 # 293
Which of the following implementation strategies for new applications presents the GREATEST risk during data conversion and migration from an old system to a new system?
- A. Phased implementation
- B. Pilot implementation
- C. Parallel simulation
- D. Direct cutover
正解:D
質問 # 294
What is the BEST indicator of successful implementation of an organization s information security policy?
- A. Reduced number of successful phishing incidents
- B. Reduced number of false-positive security events
- C. Reduced number of noncompliance penalties incurred
- D. Reduced number of help desk calls
正解:A
質問 # 295
The BEST way to provide assurance that a project is adhering to the project plan is to:
- A. conduct compliance audits at major system milestones.
- B. have an IS auditor participate on the steering committee.
- C. require design reviews at appropriate points in the life cycle.
- D. have an IS auditor participate on the quality assurance (QA) team.
正解:A
解説:
Explanation
The best way to provide assurance that a project is adhering to the project plan is to conduct compliance audits at major system milestones. A compliance audit is a systematic and independent examination of the project's activities, documents, and deliverables to determine whether they conform to the project plan and its specifications, standards, and requirements1. A major system milestone is a significant point or event in the project's life cycle that marks the completion of a phase, stage, or deliverable2.
By conducting compliance audits at major system milestones, the auditor can provide assurance that the project is adhering to the project plan by:
Verifying that the project's scope, schedule, budget, quality, and risks are aligned with the project plan and its objectives1 Identifying any deviations, discrepancies, or non-compliances that may affect the project's performance or outcome1 Recommending and monitoring corrective and preventive actions to address the identified issues and improve the project's compliance1 Reporting and communicating the audit findings, conclusions, and recommendations to the relevant stakeholders1 The other options are not as effective as conducting compliance audits at major system milestones for providing assurance that the project is adhering to the project plan. Requiring design reviews at appropriate points in the life cycle is a useful technique for ensuring that the project's design meets the user and business requirements and follows the design standards and best practices3. However, design reviews are not sufficient for providing assurance that the project is adhering to the project plan, as they do not cover other aspects of the project such as schedule, budget, quality, or risks. Having an IS auditor participate on the steering committee is a possible way for providing assurance that the project is adhering to the project plan, as the auditor can provide independent advice and oversight to the steering committee on quality management issues and remediation efforts4. However, this may not be feasible or appropriate for every project, as it may create a conflict of interest or compromise the auditor's objectivity and independence. Having an IS auditor participate on the quality assurance (QA) team is another possible way for providing assurance that the project is adhering to the project plan, as the auditor can assist the QA team in implementing procedures to facilitate adoption of quality management best practices5. However, this may also not be feasible or appropriate for every project, as it may create a conflict of interest or compromise the auditor's objectivity and independence. Therefore, option D is the correct answer.
References:
What Is Compliance Audit? Definition & Process | ASQ
What Is A Project Milestone? - The Basics
Design Review - an overview | ScienceDirect Topics
Project success through project assurance - Project Management Institute Quality Assurance Team: Roles & Responsibilities
質問 # 296
Which of the following would provide the important input during the planning phase for an audit on the implementation of a bring your own device (BYOD) program?
- A. Results of a risk assessment
- B. Findings from prior audits
- C. Policies including BYOD acceptable use statements
- D. An inventory of personal devices to be connected to the corporate network
正解:C
質問 # 297
Which of the following reflects inadequate segregation of duties?
- A. The same employee who maintains, configures, and backs up servers also runs batch jobs.
- B. The same employee who builds and monitors databases also maintains and configures servers.
- C. The same employee who maintains and configures servers also monitors network event logs.
- D. The same employee who maintains and configures servers also develops application software.
正解:B
質問 # 298
Which of the following is the MOST effective control to mitigate unintentional misuse of authorised access?
- A. Security awareness training
- B. Annual sign-off of acceptable use policy
- C. Regular monitoring of user access logs
- D. Formalized disciplinary action
正解:A
質問 # 299
Which of the following types of firewalls provide the GREATEST degree and granularity of control?
- A. Application gateway
- B. Screening router
- C. Circuit gateway
- D. Packet filter
正解:A
解説:
Explanation/Reference:
Explanation:
The application gateway is similar to a circuit gateway, but it has specific proxies for each service. To handle web services, it has an HTTP proxy that acts as an intermediary between externals and internals, but is specifically for HTTP. This means that it not only checks the packet IP addresses (layer 3) and the ports it is directed to (in this case port 80, or layer 4), it also checks every HTTP command (layers 5 and
7). Therefore, it works in a more detailed (granularity) way than the others. Screening router and packet filter (choices A and BJ work at the protocol, service and/or port level. This means that they analyze packets from layers 3 and 4, and not from higher levels. A circuit gateway (choice D) is based on a proxy or program that acts as an intermediary between external and internal accesses. This means that during an external access, instead of opening a single connection to the internal server, two connections are established-one from the external server to the proxy(which conforms the circuit-gateway) and one from the proxy to the internal server. Layers 3 and 4 (IP and TCP) and some general features from higher protocols are used to perform these tasks.
質問 # 300
What is the Most critical finding when reviewing an organization's information security management?
- A. No employee awareness training and education program
- B. No periodic assessments to identify threats and vulnerabilities
- C. No official charier for the information security management system
- D. No dedicated security officer
正解:B
解説:
The most critical finding when reviewing an organization's information security management is no periodic assessments to identify threats and vulnerabilities. Periodic assessments are essential for ensuring that the organization's information security policies, procedures, standards, and controls are aligned with the current and emerging risks and threats that may affect its information assets. Without periodic assessments, the organization may not be aware of its actual security posture, gaps, or weaknesses, and may not be able to take appropriate measures to mitigate or prevent potential security incidents. No dedicated security officer, no official charter for the information security management system, and no employee awareness training and education program are also findings that may indicate some deficiencies in the organization's information security management, but they are not as critical as no periodic assessments to identify threats and vulnerabilities. References: ISACA CISA Review Manual 27th Edition, page 343.
質問 # 301
Which of the following type of testing validate functioning of the application under test with other system, where a set of data is transferred from one system to another?
- A. Unit Testing
- B. Final acceptance testing
- C. Interface testing
- D. System Testing
正解:C
解説:
Section: Information System Acquisition, Development and Implementation Explanation:
Interface or integration testing is a hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective it to take unit tested module and build an integrated structure dictated by design. The term integration testing is also referred to tests that verify and validate functioning of the application under test with other systems, where a set of data is transferred from one system to another.
For CISA exam you should know below types of testing:
Unit Testing - The testing of an individual program or module. Unit testing uses set of test cases that focus on control structure of procedural design. These tests ensure internal operation of the programs according to the specification.
Interface or integration testing - A hardware or software test that evaluates the connection of two or more components that pass information from one area to another. The objective it to take unit tested module and build an integrated structure dictated by design. The term integration testing is also referred to tests that verify and validate functioning of the application under test with other systems, where a set of data is transferred from one system to another.
System Testing - A series of tests designed to ensure that modified programs, objects, database schema, etc , which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team. The following specific analysis may be carried out during system testing.
Recovery Testing - Checking the systems ability to recover after a software or hardware failure.
Security Testing - Making sure the modified/new system includes provisions for appropriate access control and does not introduce any security holes that might compromise other systems.
Load Testing - Testing an application with large quantities of data to evaluate its performance during peak hour.
Volume testing - Studying the impact on the application by testing with an incremental volume of records to determine the maximum volume of records that application can process.
Stress Testing - Studying the impact on the application by testing with an incremental umber of concurrent users/services on the application to determine maximum number of concurrent user/service the application can process.
Performance Testing - Comparing the system performance to other equivalent systems using well defined benchmarks.
Final Acceptance Testing - It has two major parts: Quality Assurance Testing(QAT) focusing on the technical aspect of the application and User acceptance testing focusing on functional aspect of the application.
QAT focuses on documented specifications and the technology employed. It verifies that application works as documented by testing the logical design and the technology itself. It also ensures that the application meet the documented technical specifications and deliverables. QAT is performed primarily by IS department. The participation of end user is minimal and on request. QAT does not focus on functionality testing.
UAT supports the process of ensuring that the system is production ready and satisfies all documented requirements. The methods include:
Definition of test strategies and procedure.
Design of test cases and scenarios
Execution of the tests.
Utilization of the result to verify system readiness.
Acceptance criteria are defined criteria that a deliverable must meet to satisfy the predefined needs of the user. A UAT plan must be documented for the final test of the completed system. The tests are written from a user's perspective and should test the system in a manner as close to production possible.
The following were incorrect answers:
Unit Testing - The testing of an individual program or module. Unit testing uses set of test cases that focus on control structure of procedural design. These tests ensures internal operation of the programs according to the specification.
System Testing - A series of tests designed to ensure that modified programs, objects, database schema, etc , which collectively constitute a new or modified system, function properly. These test procedures are often performed in a non-production test/development environment by software developers designated as a test team.
Final Acceptance Testing - During this testing phase the defined methods of testing to apply should be incorporated into the organization's QA methodology.
Reference:
CISA review manual 2014 Page number 166
質問 # 302
The BEST way to preserve data integrity through all phases of application containerization is to ensure which of the following?
- A. Information security roles are defined and communicated in the information security policy.
- B. Segregation of duties is developed and maintained in the application container environment.
- C. The development team performs regular patching of application containers.
- D. Developers are educated about how their roles relate to application security best practices.
正解:B
質問 # 303
Which of the following is MOST critical for the successful implementation and maintenance of a security policy?
- A. Stringent implementation, monitoring and enforcing of rules by the security officer through access control software
- B. Assimilation of the framework and intent of a written security policy by all appropriate parties
- C. Management support and approval for the implementation and maintenance of a security policy
- D. Enforcement of security rules by providing punitive actions for any violation of security rules
正解:B
解説:
Explanation/Reference:
Explanation:
Assimilation of the framework and intent of a written security policy by the users of the system is critical to the successful implementation and maintenance of the security policy. A good password system may exist, but if the users of the system keep passwords written on their desk, the password is of little value.
Management support and commitment is no doubt important, but for successful implementation and maintenance of security policy, educating the users on the importance of security is paramount. The stringent implementation, monitoring and enforcing of rules by the security officer through access control software, and provision for punitive actions for violation of security rules, is also required, along with the user's education onthe importance of security.
質問 # 304
The use of risk assessment tools for classifying risk factors should be formalized in your IT audit effort
through:
- A. using computer assisted audit technology tools.
- B. None of the choices.
- C. the use of computer assisted functions.
- D. the use of risk controls.
- E. the development of written guidelines.
正解:E
解説:
Section: Protection of Information Assets
Explanation:
A successful risk-based IT audit program could be based on an effective scoring system. In establishing a
scoring system, management should consider all relevant risk factors and avoid subjectivity. Auditors
should develop written guidelines on the use of risk assessment tools and risk factors and review these
guidelines with the audit committee.
質問 # 305
Which of the following is the BEST information source for management to use as an aid in the identification
of assets that are subject to laws and regulations?
- A. CERT coordination center
- B. Significant contracts
- C. Vendor best practices
- D. Security incident summaries
正解:B
解説:
Section: Protection of Information Assets
Explanation:
Contractual requirements are one of the sources that should be consulted to identify the requirements for
the management of information assets. Vendor best practices provides a basis for evaluating how
competitive an enterprise is, while security incident summaries are a source for assessing the
vulnerabilities associated with the IT infrastructure. CERT {www.cert.org) is an information source for
assessing vulnerabilities within the IT infrastructure.
質問 # 306
Management receives information indicating a high level of risk associated with potential flooding near the organization's data center within the next few years. As a result, a decision has been made to move data center operations to another facility on higher ground. Which approach has been adopted?
- A. Risk acceptance
- B. Risk reduction
- C. Risk transfer
- D. Risk avoidance
正解:D
質問 # 307
Which of the following should be of GREATEST concern to an IS auditor assessing the effectiveness of an organization's vulnerability scanning program''
- A. Steps taken to address identified vulnerabilities are not formally documented
- B. Results are not reported to individuals with authority to ensure resolution
- C. Scans are performed less frequently than required by the organization's vulnerability scanning schedule
- D. Results are not approved by senior management
正解:B
質問 # 308
......
認定情報システム監査人(CISA)認定試験は、情報セキュリティの分野で最も認知され、尊敬される認定の1つです。 CISA認定は、Information Systems Audit and Control Association(ISACA)によって授与され、情報システムを効果的に監査、管理、監視するために必要な知識とスキルを専門家に提供するように設計されています。
最新100%合格率保証付きの素晴らしいCISA試験問題PDF:https://www.goshiken.com/ISACA/CISA-mondaishu.html
実践サンプルと問題集指導には2024年最新のCISA有効なテスト問題集:https://drive.google.com/open?id=1r5jv4SGtGzbdUXJQEeMVlK_PYyF7cI4h