2024年最新の保証された成功できるCISA問題集でISACAのPDF問題 [Q182-Q204]

Share

2024年最新の保証された成功できるCISA問題集でISACAのPDF問題

格別な練習Certified Information Systems Auditor問題集で最速合格させます

質問 # 182
In determining the acceptable time period for the resumption of critical business processes:

  • A. both downtime costs and recovery costs need to be evaluated.
  • B. recovery operations should be analyzed.
  • C. indirect downtime costs should be ignored.
  • D. only downtime costs need to be considered.

正解:A

解説:
Explanation/Reference:
Explanation:
Both downtime costs and recovery costs need to be evaluated in determining the acceptable time period before the resumption of critical business processes. The outcome of the business impact analysis (BIA) should be a recovery strategy that represents the optimal balance. Downtime costs cannot be looked at in isolation. The quicker information assets can be restored and business processing resumed, the smaller the downtime costs. However, the expenditure needed to have the redundant capability required to recover information resources might be prohibitive for nonessential business processes. Recovery operations do not determine the acceptable time period for the resumption of critical business processes, and indirect downtime costs should be considered in addition to the direct cash outflows incurred due to business disruption. The indirect costs of a serious disruption to normal business activity, e.g., loss of customer and supplier goodwill and loss of market share, may actually be more significant than direct costs over time, thus reaching the point where business viability is threatened.


質問 # 183
Which of the following BEST helps to ensure data integrity across system interfaces?

  • A. Environment segregation
  • B. Access controls
  • C. System backups
  • D. Reconciliation

正解:B


質問 # 184
Which of the following is the MOST important security consideration when using infrastructure as a Service (IaaS)?

  • A. Compliance with internal standards
  • B. Backup and recovery strategy
  • C. Segmentation among guests
  • D. User access management

正解:D

解説:
Section: Information System Acquisition, Development and Implementation Explanation


質問 # 185
Which of the following provides a new IS auditor with the MOST useful information to evaluate overall IT performance?

  • A. IT value analysis
  • B. Prior audit reports
  • C. IT balanced scorecard
  • D. Vulnerability assessment report

正解:C

解説:
Explanation
An IT balanced scorecard (BSC) is a performance metric that is used to identify, improve, and control the various functions and outcomes of an IT department or organization. An IT BSC is based on the concept of the balanced scorecard, which was introduced by Robert Kaplan and David Norton in 1992 as a strategic management system that translates the vision and strategy of an organization into measurable objectives and actions. An IT BSC adapts the balanced scorecard framework to the specific needs and goals of the IT function, aligning it with the business strategy and value proposition.
An IT BSC typically consists of four perspectives that help managers plan, implement, and evaluate the IT performance: customer, internal process, learning and growth, and financial. Each perspective defines a set of objectives, measures, targets, and initiatives that reflect the IT contribution to the organization's success. For example, the customer perspective may measure the satisfaction and retention of internal and external customers who use IT services or products; the internal process perspective may measure the efficiency and effectiveness of IT processes such as development, delivery, support, or security; the learning and growth perspective may measure the skills, knowledge, innovation, and culture of the IT staff; and the financial perspective may measure the costs, benefits, and return on investment of IT projects or assets.
An IT BSC provides a new IS auditor with the most useful information to evaluate overall IT performance because it:
Provides a comprehensive and balanced view of the IT function from multiple angles and stakeholders Links the IT objectives and activities to the business strategy and value creation Enables a clear communication and alignment of expectations and priorities among IT managers, staff, customers, and other stakeholders Facilitates a continuous monitoring and improvement of IT performance based on data-driven feedback and analysis Supports a holistic and integrated approach to IT governance, risk management, and compliance Therefore, an IT BSC is a valuable tool for a new IS auditor to assess how well the IT function is fulfilling its mission and delivering value to the organization.
References:
The IT Balanced Scorecard (BSC) Explained - BMC Software
What Is a Balanced Scorecard (BSC), How Is it Used in Business?
Lost in the Woods: COBIT 2019 and the IT Balanced Scorecard - ISACA


質問 # 186
An organization having a number of offices across a wide geographical area has developed a disaster recovery plan (DRP). Using actual resources, which of the following is the MOST costeffective test of the DRP?

  • A. Preparedness test
  • B. Paper test
  • C. Regression test
  • D. Full operational test

正解:A

解説:
Explanation/Reference:
Explanation:
A preparedness test is performed by each local office/area to test the adequacy of the preparedness of local operations for the disaster recovery.
Incorrect answers:
A. A full operational test is conducted after the paper and preparedness test.
C. A paper test is a structured walkthrough of the DRP and should be conducted before a preparedness test.
D. A regression test is not a DRP test and is used in software maintenance.


質問 # 187
The most common problem in the operation of an intrusion detection system (IDS) is:

  • A. receiving trap messages.
  • B. the detection of false positives.
  • C. denial-of-service attacks.
  • D. reject-error rates.

正解:B

解説:
Section: Protection of Information Assets
Explanation:
Because of the configuration and the way IDS technology operates, the main problem in operating IDSs is
the recognition (detection) of events that are not really security incidents- false positives, the equivalent of a
false alarm. An IS auditor needs to be aware of this and should check for implementation of related
controls, such as IDS tuning, and incident handling procedures, such as the screening process to know if
an event is a security incident or a false positive. Trap messages are generated by the Simple Network
Management Protocol (SNMP) agents when an important event happens, but are not particularly related to
security or IDSs.
Reject-error rate is related to biometric technology and is not related to IDSs. Denial-of-service is a type of
attack and is not a problem in the operation of IDSs.


質問 # 188
Which of the following types of firewalls provide the GREATEST degree and granularity of control?

  • A. Circuit gateway
  • B. Application gateway
  • C. Packet filter
  • D. Screaming router

正解:B

解説:
Section: Protection of Information Assets
Explanation:
The application gateway is similar to a circuit gateway, but it has specific proxies for each service. To
handle web services, it has an HTTP proxy that acts as an intermediary between externals and internals,
but is specifically for HTTP. This means that it not only checks the packet IP addresses (layer 3) and the
ports it is directed to (in this case port 80, or layer 4), it also checks every HTTP command (layers 5 and 7).
Therefore, it works in a more detailed (granularity) way than the others. Screening router and packet filter
(choices A and BJ work at the protocol, service and/or port level. This means that they analyze packets
from layers 3 and 4, and not from higher levels. A circuit gateway (choice D) is based on a proxy or
program that acts as an intermediary between external and internal accesses. This means that during an
external access, instead of opening a single connection to the internal server, two connections are
established-one from the external server to the proxy (which conforms the circuit-gateway) and one from
the proxy to the internal server. Layers 3 and 4 (IP and TCP) and some general features from higher
protocols are used to perform these tasks.


質問 # 189
Which of the following factors will BEST promote effective information security management?

  • A. Security policy framework
  • B. Identification and risk assessment of sensitive resources
  • C. Security awareness training
  • D. Senior management commitment

正解:D

解説:
Section: Governance and Management of IT


質問 # 190
As part of the IEEE 802.11 standard ratified in September 1999, WEP uses which stream cipher for
confidentiality?

  • A. 3DES
  • B. CRC-64
  • C. DES
  • D. RC5
  • E. RC4
  • F. None of the choices.
  • G. CRC-32

正解:E

解説:
Section: Protection of Information Assets
Explanation:
As part of the IEEE 802.11 standard ratified in September 1999, WEP uses the stream cipher RC4 for
confidentiality and the CRC-32 checksum for integrity.


質問 # 191
Which of the following is MOST important to include in a business continuity plan (BCP)?

  • A. Documentation of data center floor plans
  • B. Vendor contact information
  • C. Backup site location information
  • D. Documentation of critical systems

正解:C


質問 # 192
In an organization that has undergone an expansion through an acquisition, which of the following would BEST secure the enterprise network?

  • A. Encryption of data traversing networks.
  • B. Using security groups
  • C. Log analysis of system access
  • D. Business or role-based segmentation

正解:B

解説:
Section: Information System Acquisition, Development and Implementation


質問 # 193
Which of the following BEST enables the authentication of an email from an untrusted network?

  • A. Secure Shell (SSH) connections
  • B. Email encryption
  • C. Transport Layer Security (TLS)
  • D. Digital signatures

正解:D


質問 # 194
An online retailer is receiving customer complaints about receiving different items from what they ordered on the organization's website. The root cause has been traced to poor data quality. Despite efforts to clean erroneous data from the system, multiple data quality issues continue to occur. Which of the following recommendations would be the BEST way to reduce the likelihood of future occurrences?

  • A. Implement business rules to validate employee data entry.
  • B. Assign responsibility for improving data quality.
  • C. Outsource data cleansing activities to reliable third parties.
  • D. Invest in additional employee training for data entry.

正解:A

解説:
Explanation
Implementing business rules to validate employee data entry is the best way to reduce the likelihood of future occurrences of poor data quality that cause customer complaints about receiving different items from what they ordered on the organization's website. Business rules are logical statements that define the conditions and actions for data validation, such as checking for data completeness, accuracy, consistency, and integrity. Assigning responsibility for improving data quality, investing in additional employee training for data entry, and outsourcing data cleansing activities to reliable third parties are also possible ways to improve data quality, but they are not as effective as implementing business rules to validate employee data entry.
References: CISA Review Manual (Digital Version), Chapter 4, Section 4.3.1


質問 # 195
After completing the business impact analysis (BIA), what is the next step in the business continuity planning process?

  • A. Test and maintain the plan.
  • B. Develop a specific plan.
  • C. implement the plan.
  • D. Develop recovery strategies.

正解:D

解説:
Explanation/Reference:
Explanation:
The next phase in the continuity plan development is to identify the various recovery strategies and select the most appropriate strategy for recovering from a disaster. After selecting a strategy, a specific plan can be developed, tested and implemented.


質問 # 196
An organization has a recovery time objective (RTO) equal to zero and a recovery point objective (RPO)
close to 1 minute for a critical system. This implies that the system can tolerate:

  • A. both a data less and processing interruption longer than 1 minute.
  • B. a processing interruption of 1 minute or more.
  • C. a 1-minute processing interruption but cannot tolerate any data loss.
  • D. a data loss of up to 1 minute, but the processing must be continuous.

正解:D

解説:
Section: Protection of Information Assets
Explanation:
The recovery time objective (RTO) measures an organization's tolerance for downtime and the recovery
point objective (RPO) measures how much data loss can be accepted. Choices B, C and D are incorrect
since they exceed the RTO limits set by the scenario.


質問 # 197
Which of the following data validation control validates input data against predefined range values?

  • A. Existence check
  • B. Range Check
  • C. Table lookups
  • D. Reasonableness check

正解:B

解説:
Section: Information System Acquisition, Development and Implementation
Explanation/Reference:
In the Range Check control data should not exceed a predefined range of values
For CISA exam you should know below mentioned data validation edits and controls
Sequence Check - The control number follows sequentially and any sequence or duplicated control
numbers are rejected or noted on an exception report for follow-up purposes. For example, invoices are
numbered sequentially. The day's invoice begins with 12001 and ends with 15045. If any invoice larger than
15045 is encountered during processing, that invoice would be rejected as an invalid invoice number.
Limit Check -Data should not exceed a predefined amount. For example, payroll checks should not exceed
US $ 4000. If a check exceeds US $ 4000, data would be rejected for further verification/authorization.
Validity Check -Programmed checking of data validity in accordance with predefined criteria. For example,
a payroll record contains a field for marital status and the acceptable status codes are M or
S. If any other
code is entered, record should be rejected.
Range Check -Data should not exceed a predefined range of values. For example, product type code
range from 100 to 250. Any code outside this range should be rejected as an invalid product type.
Reasonableness check - Input data are matched to predefined reasonable limits or occurrence rates. For
example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more
than 20 widgets is received, the computer program should be designed to print the record with a warning
indicating that the order appears unreasonable.
Table Lookups - Input data comply with predefined criteria maintained in computerized table of possible
values. For example, an input check enters a city code of 1 to 10. This number corresponds with a
computerize table that matches a code to a city name.
Existence Check - Data are entered correctly and agree with valid predefined criteria. For example, a valid
transaction code must be entered in transaction code field.
Key verification -The keying process is repeated by a separate individual using a machine that compares
the original key stroke to the repeated keyed input. For ex. the worker number is keyed twice and
compared to verify the keying process.
Check digit - a numeric value that has been calculated mathematically is added to a data to ensure that
original data have not been p[ altered or incorrect, but Valid, value substituted. This control is effective in
detecting transposition and transcription error. For ex. A check digit is added to an account number so it
can be checked for accuracy when it is used.
Completeness check - a filed should always contain data rather than zero or blanks. A check of each byte
of that field should be performed to determine that some form of data, or not blanks or zeros, is present.
For ex. A worker number on a new employee record is left blank. His is identified as a key in filed and the
record would be rejected, with a request that the field be completed before the record is accepted for
processing.
Duplicate check- new transaction is matched to those previously input to ensure that they have not already
been entered. For ex. A vendor invoice number agrees with previously recorded invoice to ensure that the
current order is not a duplicate and, therefore, the vendor will not be paid twice.
Logical relationship check - if a particular condition is true, then one or more additional conditions or data
input relationship may be required to be true and consider the input valid. For ex. The hire data of an
employee may be required to be true and consider the input valid. For ex. The hire date of an employee
may be required to be more than 16 years past his her date of birth.
The following were incorrect answers:
Table Lookups - Input data comply with predefined criteria maintained in computerized table of possible
values. For example, an input check enters a city code of 1 to 10. This number corresponds with a
computerize table that matches a code to a city name.
Existence Check - Data are entered correctly and agree with valid predefined criteria. For example, a valid
transaction code must be entered in transaction code field.
Reasonableness check - Input data are matched to predefined reasonable limits or occurrence rates. For
example, a widget manufacturer usually receives an order for no more than 20 widgets. If an order for more
than 20 widgets is received, the computer program should be designed to print the record with a warning
indicating that the order appears unreasonable.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number 215


質問 # 198
To ensure message integrity, confidentiality and non repudiation between two parties, the MOST effective method would be to create a message digest by applying a cryptographic hashing algorithm against:

  • A. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key by using the receiver's public key.
  • B. the entire message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering both the encrypted message and digest using the receiver's public key.
  • C. the entire message, enciphering the message digest using the sender's private key and enciphering the message using the receiver's public key.
  • D. any part of the message, enciphering the message digest using the sender's private key, enciphering the message with a symmetric key and enciphering the key using the receiver's public key.

正解:A

解説:
Applying a cryptographic hashing algorithm against the entire message addresses the message integrity issue. Enciphering the message digest using the sender's private key addresses non repudiation. Encrypting the message with a symmetric key, thereafter allowing the key to be enciphered using the receiver's public key, most efficiently addresses the confidentiality of the message as well as the receiver's non repudiation. The other choices would address only a portion of the requirements.


質問 # 199
What Is the BEST method to determine if IT resource spending is aligned with planned project spending?

  • A. Gantt chart
  • B. Critical path analysis
  • C. Return on investment (ROI) analysis
  • D. Earned value analysis (EVA)

正解:D


質問 # 200
Which of the following would be MOST useful when analyzing computer performance?

  • A. Statistical metrics measuring capacity utilization
  • B. Report of off-peak utilization and response time
  • C. Operations report of user dissatisfaction with response time
  • D. Tuning of system software to optimize resource usage

正解:C


質問 # 201
An organization uses electronic funds transfer (EFT) to pay its vendors. Which of the following should be an IS auditor s MAIN focus while reviewing controls in the accounts payable Application?

  • A. Changes to the vendor master file
  • B. Volume of transactions
  • C. Frequency of transactions
  • D. Amount of disbursements

正解:A


質問 # 202
One major improvement in WPA over WEP is the use of a protocol which dynamically changes keys as the system is used. What protocol is this?

  • A. SKIP
  • B. TKIP
  • C. EKIP
  • D. OKIP
  • E. RKIP
  • F. None of the choices.

正解:B

解説:
Explanation/Reference:
Explanation:
Wi-Fi Protected Access (WPA / WPA2) is a class of systems to secure wireless computer networks. It implements the majority of the IEEE 802.11i standard, and is designed to work with all wireless network interface cards (but not necessarily with first generation wireless access points). One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.


質問 # 203
Which of the following is The MOST effective accuracy control for entry of a valid numeric part number?

  • A. Self-checking digit
  • B. Hash totals
  • C. Comparison to historical order pattern
  • D. Online review of description

正解:B


質問 # 204
......

CISA試験問題集と保証された成功率:https://jp.fast2test.com/CISA-premium-file.html

最高品質のISACA CISA試験問題:https://drive.google.com/open?id=178uO-c4CX-MOna76WLD_-mdfFIuirHPa


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어