[2023年10月12日] 最新更新されたのはCISA試験問題2023年更新 [Q313-Q338]

Share

[2023年10月12日] 最新更新されたのはCISA試験問題2023年更新

無料更新されたISACA CISAテストエンジン問題には690問題と解答

質問 # 313
What is the MOST important role of a Certificate Authority (CA) when a private key becomes
compromised?

  • A. Issue a new private key to the user
  • B. Refresh the key information database in the certificate publishing server
  • C. Refresh the metadata of the certificates
  • D. Publish the certificate revocation lists (CRL) into the repository

正解:D

解説:
Section: Information System Operations, Maintenance and Support


質問 # 314
Digital signatures require the:

  • A. signer and receiver to have a public key.
  • B. signer to have a public key and the receiver to have a private key.
  • C. signer and receiver to have a private key.
  • D. signer to have a private key and the receiver to have a public key.

正解:D

解説:
Section: Protection of Information Assets
Explanation:
Digital signatures are intended to verify to a recipient the integrity of the data and the identity of the sender.
The digital signature standard is a public key algorithm. This requires the signer to have a private key and
the receiver to have a public key.


質問 # 315
Which of the following is the BEST reason to perform root cause analysis after a critical server failure?

  • A. To enable the gathering of system availability data
  • B. To enable timely follow-up audits
  • C. To enable appropriate corrective measures
  • D. To enable the optimization of IT investments

正解:C


質問 # 316
Who is mainly responsible for protecting information assets they have been entrusted with on a daily basis by defining who can access the data, it's sensitivity level, type of access, and adhering to corporate information security policies?

  • A. Security Officer
  • B. Data Owner
  • C. End User
  • D. Senior Management

正解:B

解説:
Section: Information System Acquisition, Development and Implementation Explanation:
The Data Owner is the person who has been entrusted with a data set that belong to the company. As such they are responsible to classify the data according to it's value and sensitivity. The Data Owner decides who will get access to the data, what type of access would be granted. The Data Owner will tell the Data Custodian or System Administrator what access to configure within the systems.
A business executive or manager is typically responsible for an information asset. These are the individuals that assign the appropriate classification to information assets. They ensure that the business information is protected with appropriate controls. Periodically, the information asset owners need to review the classification and access rights associated with information assets. The owners, or their delegates, may be required to approve access to the information. Owners also need to determine the criticality, sensitivity, retention, backups, and safeguards for the information. Owners or their delegates are responsible for understanding the risks that exist with regards to the information that they control.
The following answers are incorrect:
Executive Management/Senior Management - Executive management maintains the overall responsibility for protection of the information assets. The business operations are dependent upon information being available, accurate, and protected from individuals without a need to know.
Security Officer - The security officer directs, coordinates, plans, and organizes information security activities throughout the organization. The security officer works with many different individuals, such as executive management, management of the business units, technical staff, business partners, auditors, and third parties such as vendors. The security officer and his or her team are responsible for the design, implementation, management, and review of the organization's security policies, standards, procedures, baselines, and guidelines.
End User - The end user does not decide on classification of the data
Reference:
CISA review manual 2014 page number 108
Official ISC2 guide to CISSP CBK 3rd Edition Page number 342


質問 # 317
What is me BEST method to determine If IT resource sporting Is aligned with planned project spending?

  • A. Critical path analysis
  • B. Earned value analysis (EVA)
  • C. Gantt chart
  • D. Return on investment (ROI) analysis

正解:B


質問 # 318
________________ (fill in the blank) is/are are ultimately accountable for the functionality, reliability, and security within IT governance. Choose the BEST answer.

  • A. The board of directors and executive officers
  • B. Data custodians
  • C. IT security administration
  • D. Business unit managers

正解:A

解説:
Explanation/Reference:
The board of directors and executive officers are ultimately accountable for the functionality, reliability, and security within IT governance.


質問 # 319
Management has decided to include a compliance manager in the approval process for a new business that may require changes to tie IT infrastructure. Which of the following is the GREATEST benefit of this approach?

  • A. Regulatory risk exposures can be identified before they materialize
  • B. Security breach incidents can be identified in early stages
  • C. Fewer views are needed when updating the IT compliance process
  • D. Process accountabilities to external stakeholders are improved

正解:A


質問 # 320
A data analytics team has developed a process automation bot for internal audit that scans user access to all servers in the environment and then randomly selects a sample of new users for testing. Which of the following presents the GREATEST concern with this approach?

  • A. Auditor judgment is removed from the process
  • B. The bot can only select samples from the current period.
  • C. Data must be validated manually before being loaded into the bot.
  • D. Evidence of population completeness is not maintained.

正解:A


質問 # 321
Which of the following comparisons are used for identification and authentication in a biometric system?

  • A. One-to-one for identification and one-to-many for authentication
  • B. One-to-one for identification and authentication
  • C. One-to-many for identification and one-to-one for authentication
  • D. One-to-many for identification and authentication

正解:C

解説:
Explanation/Reference:
In identification mode the system performs a one-to-many comparison against a biometric database in attempt to establish the identity of an unknown individual. The system will succeed in identifying the individual if the comparison of the biometric sample to a template in the database falls within a previously set threshold. Identification mode can be used either for 'positive recognition' (so that the user does not have to provide any information about the template to be used) or for 'negative recognition' of the person
"where the system establishes whether the person is who she (implicitly or explicitly) denies to be" In verification (or authentication) mode the system performs a one-to-one comparison of a captured biometric with a specific template stored in a biometric database in order to verify the individual is the person they claim to be.
Management of Biometrics
Management of biometrics should address effective security for the collection, distribution and processing of biometrics data encompassing:
Data integrity, authenticity and non-repudiation
Management of biometric data across its life cycle - compromised of the enrollment, transmission and storage, verification, identification, and termination process Usage of biometric technology, including one-to-one and one-to-many matching, for identification and authentication Application of biometric technology for internal and external, as well as logical and physical access control Encapsulation of biometric data Security of the physical hardware used throughout the biometric data life cycle Techniques for integrity and privacy protection of biometric data.
The following were incorrect answers:
All other choices presented were incorrectly describing identification and authentication mapping.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 331
http://en.wikipedia.org/wiki/Biometrics


質問 # 322
Which of the following is the PRIMARY purpose of conducting a business impact analysis (BIA)?

  • A. Identifying risk mitigation options
  • B. Identifying key business risks
  • C. Identifying critical business processes
  • D. Identifying the threat environment

正解:B

解説:
Section: Governance and Management of IT


質問 # 323
The PRIMARY purpose of audit trails is to:

  • A. improve the operational efficiency of the system.
  • B. establish accountability and responsibility for processed transactions.
  • C. improve response time for users.
  • D. provide useful information to auditors who may wish to track transactions

正解:B

解説:
Section: Protection of Information Assets
Explanation:
Enabling audit trails helps in establishing the accountability and responsibility of processed transactions by
tracing transactions through the system. The objective of enabling software to provide audit trails is not to
improve system efficiency, since it often involves additional processing which may in fact reduce response
time for users. Enabling audit trails involves storage and thus occupies disk space.


質問 # 324
.When should application controls be considered within the system-development process?

  • A. After application unit testing
  • B. After application module testing
  • C. After applications systems testing
  • D. As early as possible, even in the development of the project's functional specifications

正解:D

解説:
Application controls should be considered as early as possible in the system-development process, even in the development of the project's functional specifications.


質問 # 325
Which of the following communication modes should be of GREATEST concern to an IS auditor evaluating end-user networking?

  • A. Client-to-server
  • B. System-to-system
  • C. Host-to-host
  • D. Peer-to-peer

正解:D

解説:
Section: The process of Auditing Information System


質問 # 326
Which of the following findings should be of GREATEST concern to an IS auditor reviewing an organization s newly implemented online security awareness program'?

  • A. Metrics have not been established to assess training results
  • B. Employees do not receive immediate notification of results
  • C. The timing for program updates has not been determined
  • D. Only new employees are required to attend the program

正解:A


質問 # 327
While reviewing similar issues in an organization s help desk system, an IS auditor finds that they were analyzed independently and resolved differently This situation MOST likely indicates a deficiency in:

  • A. problem management
  • B. IT service level management
  • C. configuration management
  • D. change management

正解:A


質問 # 328
Which of the following is a passive attack on a network?

  • A. Message service interruption
  • B. Sequence analysis
  • C. Traffic analysis
  • D. Message modification

正解:C


質問 # 329
Which of the following layer from an enterprise data flow architecture captures all data of interest to an
organization and organize it to assist in reporting and analysis?

  • A. Desktop access layer
  • B. Data access layer
  • C. Data preparation layer
  • D. Core data warehouse

正解:D

解説:
Section: Information System Acquisition, Development and Implementation
Explanation/Reference:
Core data warehouse -This is where all the data of interest to an organization is captured and organized to
assist reporting and analysis. DWs are normally instituted as large relational databases. A property
constituted DW should support three basic form of an inquiry.
For CISA exam you should know below information about business intelligence:
Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to
assist decision making and assess organizational performance.
To deliver effective BI, organizations need to design and implement a data architecture. The complete data
architecture consists of two components
The enterprise data flow architecture (EDFA)
A logical data architecture
Various layers/components of this data flow architecture are as follows:
Presentation/desktop access layer - This is where end users directly deal with information. This layer
includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits
offered by vendors such as Congas and business objects, and purpose built application such as balanced
source cards and digital dashboards.
Data Source Layer - Enterprise information derives from number of sources:
Operational data - Data captured and maintained by an organization's existing systems, and usually held in
system-specific database or flat files.
External Data - Data provided to an organization by external sources. This could include data such as
customer demographic and market share information.
Nonoperational data - Information needed by end user that is not currently maintained in a computer
accessible format.
Core data warehouse -This is where all the data of interest to an organization is captured and organized to
assist reporting and analysis. DWs are normally instituted as large relational databases. A property
constituted DW should support three basic form of an inquiry.
Drilling up and drilling down - Using dimension of interest to the business, it should be possible to
aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can
also be used to refine the analysis.
Drill across - Use common attributes to access a cross section of information in the warehouse such as
sum sales across all product lines by customer and group of customers according to length of association
with the company.
Historical Analysis - The warehouse should support this by holding historical, time variant data. An
example of historical analysis would be to report monthly store sales and then repeat the analysis using
only customer who were preexisting at the start of the year in order to separate the effective new customer
from the ability to generate repeat business with existing customers.
Data Mart Layer- Data mart represents subset of information from the core DW selected and organized to
meet the needs of a particular business unit or business line. Data mart can be relational databases or
some form on-line analytical processing (OLAP) data structure.
Data Staging and quality layer -This layer is responsible for data copying, transformation into DW format
and quality control. It is particularly important that only reliable data into core DW. This layer needs to be
able to deal with problems periodically thrown by operational systems such as change to account number
format and reuse of old accounts and customer numbers.
Data Access Layer -This layer operates to connect the data storage and quality layer with data stores in the
data source layer and, in the process, avoiding the need to know to know exactly how these data stores are
organized. Technology now permits SQL access to data even if it is not stored in a relational database.
Data Preparation layer -This layer is concerned with the assembly and preparation of data for loading into
data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to
increase access speed. Data mining is concern with exploring large volume of data to determine patterns
and trends of information. Data mining often identifies patterns that are counterintuitive due to number and
complexity of data relationships. Data quality needs to be very high to not corrupt the result.
Metadata repository layer - Metadata are data about data. The information held in metadata layer needs to
extend beyond data structure names and formats to provide detail on business purpose and context. The
metadata layer should be comprehensive in scope, covering data as they flow between the various layers,
including documenting transformation and validation rules.
Warehouse Management Layer -The function of this layer is the scheduling of the tasks necessary to build
and maintain the DW and populate data marts. This layer is also involved in administration of security.
Application messaging layer -This layer is concerned with transporting information between the various
layers. In addition to business data, this layer encompasses generation, storage and targeted
communication of control messages.
Internet/Intranet layer - This layer is concerned with basic data communication. Included here are browser
based user interface and TCP/IP networking.
Various analysis models used by data architects/ analysis follows:
Activity or swim-lane diagram - De-construct business processes.
Entity relationship diagram -Depict data entities and how they relate. These data analysis methods
obviously play an important part in developing an enterprise data model. However, it is also crucial that
knowledgeable business operative is involved in the process. This way proper understanding can be
obtained of the business purpose and context of the data. This also mitigates the risk of replication of
suboptimal data configuration from existing systems and database into DW.
The following were incorrect answers:
Desktop access layer or presentation layer is where end users directly deal with information. This layer
includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits
offered by vendors such as Congas and business objects, and purpose built application such as balanced
source cards and digital dashboards.
Data access layer - his layer operates to connect the data storage and quality layer with data stores in the
data source layer and, in the process, avoiding the need to know to know exactly how these data stores are
organized. Technology now permits SQL access to data even if it is not stored in a relational database.
Data preparation layer -This layer is concerned with the assembly and preparation of data for loading into
data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to
increase access speed.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 188


質問 # 330
Which of the following provides the MOST relevant information for proactively strengthening security settings?

  • A. Honeypot
  • B. Intrusion prevention system
  • C. Intrusion detection system
  • D. Bastion host

正解:A

解説:
Explanation/Reference:
Explanation:
The design of a honeypot is such that it lures the hacker and provides clues as to the hacker's methods and strategies and the resources required to address such attacks. A bastion host does not provide information about an attack. Intrusion detection systems and intrusion prevention systems are designed to detect and address an attack in progress and stop it as soon as possible. A honeypot allows the attack to continue, so as to obtain information about the hacker's strategy and methods.


質問 # 331
An IS auditor discovers instances where software with the same license key is depbyed to multiple workstations, in breach of the licensing agreement. Which of the following is the auditor's BEST recommendation?

  • A. Require business owner approval before granting software access
  • B. Evaluate the business case for funding of additional licenses.
  • C. Implement software licensing monitoring to manage duplications.
  • D. Remove embedded keys from offending packages.

正解:C


質問 # 332
What is an effective control for granting temporary access to vendors and external support personnel?

  • A. Creating user accounts that automatically expire by a predetermined date
  • B. Creating user accounts that restrict logon access to certain hours of the day
  • C. Creating permanent guest accounts for temporary use
  • D. Creating a single shared vendor administrator account on the basis of least-privileged access

正解:A

解説:
Section: Protection of Information Assets
Explanation:
Creating user accounts that automatically expire by a predetermined date is an effective control for granting
temporary access to vendors and external support personnel.


質問 # 333
Which of the following would BEST help in classifying an organization s data?

  • A. Data retention requirements
  • B. Impact of data loss or disclosure
  • C. Industry best practices for data classification
  • D. Analysis of existing data handling procedures

正解:B


質問 # 334
An IS auditor reviewing the database controls for a new e-commerce system discovers a security weakness in the database configuration. Which of the following should be the IS auditor's NEXT course of action?

  • A. Identify existing mitigating controls
  • B. Disclose the findings to senior management
  • C. Attempt to exploit the weakness
  • D. Assist in drafting corrective actions

正解:A


質問 # 335
Which of the following is a challenge in developing a service level agreement (SLA) for network services?

  • A. Finding performance metrics that can be measured properly
  • B. Reducing the number of entry points into the network
  • C. Ensuring that network components are not modified by the client
  • D. Establishing a well-designed framework for network services

正解:A


質問 # 336
An organization considers implementing a system that uses a technology that is not in line with the organization's IT strategy. Which of the following is the BEST justification for deviating from the IT strategy?

  • A. The system has a reduced cost of ownership
  • B. The system makes use of state-of-the-art technology
  • C. The organization has staff familiar with the technology
  • D. The business benefits are achieved even with extra costs

正解:D


質問 # 337
An organization has recently installed a security patch, which crashed the production server. To minimize the probability of this occurring again, an IS auditor should:

  • A. thoroughly test the patch before sending it to production.
  • B. approve the patch after doing a risk assessment.
  • C. ensure that a good change management process is in place.
  • D. apply the patch according to the patch's release notes.

正解:C

解説:
An IS auditor must review the change management process, including patch management procedures, and verify that the process has adequate controls and make suggestions accordingly. The other choices are part of a good change management process but arenot an IS auditor's responsibility.


質問 # 338
......


CISA認定試験を受験するためには、候補者は情報システム監査、コントロール、セキュリティの専門的な経験を最低5年以上持っている必要があります。必要な経験がない場合でも、特定の教育や他の関連する認定を持っている場合は試験を受験する資格がある場合があります。また、候補者はISACAの職業倫理規定に従う必要があり、CISA認定試験に合格することで認定を取得することができます。

 

100%の合格率を試そう!更新されたのはCISA試験問題 [2023年更新]:https://jp.fast2test.com/CISA-premium-file.html

ベストな問題集を使おうCertified Information Systems Auditor CISA専門試験問題:https://drive.google.com/open?id=1grKo2g5X7dJ5z88t34k9_1tYLuxulACd


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어