CISA合格させる問題集でISACA24時間で試験合格できます [Q282-Q299]

Share

CISA合格させる問題集でISACA24時間で試験合格できます

最新問題を使おうCISA試験問題と解答でPDFで一年間無料更新


CISA認定試験を受験するためには、候補者は情報システム監査、コントロール、セキュリティの専門的な経験を最低5年以上持っている必要があります。必要な経験がない場合でも、特定の教育や他の関連する認定を持っている場合は試験を受験する資格がある場合があります。また、候補者はISACAの職業倫理規定に従う必要があり、CISA認定試験に合格することで認定を取得することができます。

 

質問 # 282
In which of the following RFID risks competitor potentially could gain unauthorized access to RFID- generated information and use it to harm the interests of the organization implementing the RFID system?

  • A. Business Intelligence Risk
  • B. Business Process Risk
  • C. Externality Risk
  • D. Privacy Risk

正解:A

解説:
Section: Information System Operations, Maintenance and Support
Explanation:
An adversary or competitor potentially could gain unauthorized access to RFID-generated information and use it to harm the interests of the organization implementing the RFID system.
RFID is a powerful technology, in part, because it supports wireless remote access to information about assets and people that either previously did not exist or was difficult to create or dynamically maintain.
While this wireless remote access is a significant benefit, it also creates a risk that unauthorized parties could also have similar access to that information if proper controls are not in place. This risk is distinct from the business process risk because it can be realized even when business processes are functioning as intended.
A competitor or adversary can gain information from the RFID system in a number of ways, including eavesdropping on RF links between readers and tags, performing independent queries on tags to obtain relevant data, and obtaining unauthorized access to a back-end database storing information about tagged items. Supply chain applications may be particularly vulnerable to this risk because a variety of external entities may have read access to the tags or related databases.
The risk of unauthorized access is realized when the entity engaging in the unauthorized behavior does something harmful with that information. In some cases, the information may trigger an immediate response. For example, someone might use a reader to determine whether a shipping container holds expensive electronic equipment, and then break into the container when it gets a positive reading. This scenario is an example of targeting. In other cases, data might also be aggregated over time to provide intelligence regarding an organization's operations, business strategy, or proprietary methods.
For instance, an organization could monitor the number of tags entering a facility to provide a reasonable indication of its business growth or operating practices. In this case, if someone determined that a warehouse recently received a number of very large orders, then that might trigger an action in financial markets or prompt a competitor to change its prices or production schedule.
For your exam you should know the information below:
Radio-frequency identification (RFID) is the wireless non-contact use of radio-frequency electromagnetic fields to transfer data, for the purposes of automatically identifying and tracking tags attached to objects.
The tags contain electronically stored information. Some tags are powered by and read at short ranges (a few meters) via magnetic fields (electromagnetic induction). Others use a local power source such as a battery, or else have no battery but collect energy from the interrogating EM field, and then act as a passive transponder to emit microwaves or UHF radio waves (i.e., electromagnetic radiation at high frequencies).
Battery powered tags may operate at hundreds of meters. Unlike a barcode, the tag does not necessarily need to be within line of sight of the reader, and may be embedded in the tracked object.
RFID tags are used in many industries. An RFID tag attached to an automobile during production can be used to track its progress through the assembly line. Pharmaceuticals can be tracked through warehouses.
Livestock and pets may have tags injected, allowing positive identification of the animal.
RFID RISKS
RFID technology enables an organization to significantly change its business processes to:
Increase its efficiency, which results in lower costs, Increase its effectiveness, which improves mission performance and makes the implementing organization more resilient and better able to assign accountability, and Respond to customer requirements to use RFID technology to support supply chains and other applications.
The RFID technology itself is complex, combining a number of different computing and communications technologies to achieve the desired objectives. Unfortunately, both change and complexity generate risk.
For RFID implementations to be successful, organizations need to effectively manage that risk, which requires an understanding of its sources and its potential characteristics. This section reviews the major high-level business risks associated with RFID systems so that organizations planning or operating these systems can better identify, characterize, and manage the risk in their environments.
The risks are as follows:
Business Process Risk -Direct attacks on RFID system components potentially could undermine the business processes the RFID system was designed to enable.
Business Intelligence Risk- An adversary or competitor potentially could gain unauthorized access to RFID- generated information and use it to harm the interests of the organization implementing the RFID system.
Privacy Risk - Personal privacy rights or expectations may be compromised if an RFID system uses what is considered personally identifiable information for a purpose other than originally intended or understood.
The personal possession of functioning tags also is a privacy risk because it could enable tracking of those holding tagged items.
Externality Risk -RFID technology potentially could represent a threat to non-RFID networked or collocated systems, assets, and people.
An important characteristic of RFID that impacts all of these risks is that RF communication is invisible to operators and users.
The following answers are incorrect:
Business Process Risk -Direct attacks on RFID system components potentially could undermine the business processes the RFID system was designed to enable.
Externality Risk -RFID technology potentially could represent a threat to non-RFID networked or collocated systems, assets, and people.
Privacy Risk - Personal privacy rights or expectations may be compromised if an RFID system uses what is considered personally identifiable information for a purpose other than originally intended or understood.
The personal possession of functioning tags also is a privacy risk because it could enable tracking of those holding tagged items.
Reference:
CISA review manual 2014 page number 248


質問 # 283
.What is often assured through table link verification and reference checks?

  • A. Database accuracy
  • B. Database synchronization
  • C. Database integrity
  • D. Database normalcy

正解:C

解説:
Database integrity is most often ensured through table link verification and reference checks.


質問 # 284
An organization has virtualized its server environment without making any other changes to the network or security infrastructure. Which of the following is the MOST significant risk?

  • A. Inability of the network intrusion detection system (IDS) to monitor virtual server-lo-server communications
  • B. Data center environmental controls not aligning with new configuration
  • C. System documentation not being updated to reflect changes in the environment
  • D. Vulnerability in the virtualization platform affecting multiple hosts

正解:C


質問 # 285
The reliability of an application system's audit trail may be questionable if:

  • A. date and time stamps are recorded when an action occurs.
  • B. users can amend audit trail records when correcting system errors.
  • C. user IDs are recorded in the audit trail.
  • D. the security administrator has read-only rights to the audit file.

正解:B

解説:
Section: Protection of Information Assets
Explanation:
An audit trail is not effective if the details in it can be amended.


質問 # 286
Above almost all other concerns, what often results in the greatest negative impact on the implementation of new application software?

  • A. Lack of user training for the new system
  • B. Insufficient unit, module, and systems testing
  • C. Failing to perform user acceptance testing
  • D. Lack of software documentation and run manuals

正解:C

解説:
Explanation/Reference:
Explanation:
Above almost all other concerns, failing to perform user acceptance testing often results in the greatest negative impact on the implementation of new application software.


質問 # 287
Which of the following physical access controls effectively reduces the risk of piggybacking?

  • A. Deadman doors
  • B. Bolting door locks
  • C. Combination door locks
  • D. Biometric door locks

正解:A

解説:
Explanation/Reference:
Explanation:
Deadman doors use a pair of doors. For the second door to operate, the first entry door must close and lock with only one person permitted in the holding area. This effectively reduces the risk of piggybacking.
An individual's unique body features such as voice, retina, fingerprint or signature activate biometric door locks; however, they do not prevent or reduce the risk of piggybacking. Combination door locks, also known as cipher locks, use a numeric key pad or dial to gain entry. They do not prevent or reduce the risk of piggybacking since unauthorized individuals may still gain access to the processing center. Bolting door locks require the traditional metal key to gain entry. Unauthorized individuals could still gain access to the processing center along with an authorized individual.


質問 # 288
Which of the following programs would a sound information security policy MOST likely include to handle suspected intrusions?

  • A. Detection
  • B. Correction
  • C. Response
  • D. Monitoring

正解:C

解説:
Explanation/Reference:
Explanation:
A sound IS security policy will most likely outline a response program to handle suspected intrusions.
Correction, detection and monitoring programs are all aspects of information security, but will not likely be included in an IS security policy statement.


質問 # 289
An organization allows employees to retain confidential data on personal mobile devices Which of the following is the BEST recommendation to mitigate the risk of data leakage from lost or stolen devices?

  • A. Enable device auto-lock function.
  • B. Require employees to attend security awareness training.
  • C. Password protect critical data files.
  • D. Configure to auto-wipe after multiple failed access attempts.

正解:C


質問 # 290
Which of the following is the BEST reason to utilize blockchain technology to record accounting transactions?

  • A. Confidentiality of records
  • B. Integrity of records
  • C. Availability of records
  • D. Distribution of records

正解:B


質問 # 291
In the process of evaluating program change controls, an IS auditor would use source code comparison
software to:

  • A. examine source program changes without information from IS personnel.
  • B. ensure that all changes made in the current source copy are detected.
  • C. confirm that the control copy is the current version of the production program.
  • D. detect a source program change made between acquiring a copy of the source and the comparison
    run.

正解:A

解説:
Section: Protection of Information Assets
Explanation:
An IS auditor has an objective, independent and relatively complete assurance of program changes
because the source code comparison will identify changes. Choice B is incorrect, because the changes
made since the acquisition of the copy are not included in the copy of the software. Choice C is incorrect,
as an IS auditor will have to gain this assurance separately.
Choice D is incorrect, because any changes made between the time the control copy was acquired and the
source code comparison is made will not be detected.


質問 # 292
For an organization which uses a VoIP telephony system exclusively, the GREATEST concern associated with leaving a connected telephone in an unmonitored public area is the possibility of:

  • A. unauthorized use leading to theft of services and financial loss,
  • B. theft of destruction of an expensive piece of electronic equipment.
  • C. connectivity issues when used with an analog local exchange earner.
  • D. network compromise due to the introduction of malware.

正解:D


質問 # 293
During the system testing phase of an application development project the IS auditor should review the:

  • A. error reports.
  • B. program change requests.
  • C. vendor contract.
  • D. conceptual design specifications.

正解:A

解説:
Testing is crucial in determining that user requirements have been validated. The IS auditor should be involved in this phase and review error reports for their precision in recognizing erroneous data and review the procedures for resolving errors. Aconceptual design specification is a document prepared during the requirements definition phase. A vendor contract is prepared during a software acquisition process. Program change requests would normally be reviewed as a part of the postimplementation phase.


質問 # 294
To install backdoors, hackers generally prefer to use:

  • A. either eavedropper or computer worm.
  • B. either Trojan horse or eavedropper.
  • C. either Trojan horse or computer worm.
  • D. either Tripwire or computer virus.
  • E. None of the choices.

正解:C

解説:
Explanation/Reference:
Explanation:
A backdoor is a method of bypassing normal authentication procedures.
Many computer manufacturers used to preinstall backdoors on their systems to provide technical support for customers. Hackers typically use backdoors to secure remote access to a computer, while attempting to remain hidden from casual inspection. To install backdoors, hackers prefer to use either Trojan horse or computer worm.


質問 # 295
Buffer overflow in an Internet environment is of particular concern to the IS auditor because it can:

  • A. cause printers to lose some of the document text when printing.
  • B. corrupt databases during the build.
  • C. cause the loss of critical data during processing.
  • D. be used to obtain importer access to a system.

正解:D

解説:
Section: Protection of Information Assets


質問 # 296
Which of the following intrusion detection systems (IDSs) will MOST likely generate false alarms resulting from normal network activity?

  • A. Signature-based
  • B. Neural network
  • C. Statistical-based
  • D. Host-based

正解:C

解説:
Explanation/Reference:
Explanation:
A statistical-based IDS relies on a definition of known and expected behavior of systems. Since normal network activity may at times include unexpected behavior (e.g., a sudden massive download by multiple users), these activities will be flagged as suspicious. A signature-based IDS is limited to its predefined set of detection rules, just like a virus scanner. A neural network combines the previous two IDSs to create a hybrid and better system. Host-based is another classification of IDS. Any of the three IDSs above may be host- or network-based.


質問 # 297
After initial investigation, an IS auditor has reasons to believe that fraud may be present. The IS auditor should:

  • A. report the matter to the audit committee.
  • B. consult with external legal counsel to determine the course of action to be taken.
  • C. expand activities to determine whether an investigation is warranted.
  • D. report the possibility of fraud to top management and ask how they would like to proceed.

正解:C

解説:
An IS auditor's responsibilities for detecting fraud include evaluating fraud indicators and deciding whether any additional action is necessary or whether an investigation should be recommended. The IS auditor should notify the appropriate authorities within the organization only if it has determined that the indicators of fraud are sufficient to recommend an investigation. Normally, the IS auditor does not have authority to consult with external legal counsel.


質問 # 298
The business owner's approval of software changes being moved into production is PRIMARILY necessary to:

  • A. inform management of deployments of new functionality.
  • B. ensure that an application functionality requirement is satisfied.
  • C. confirm there is a process to control system changes.
  • D. prevent unauthorized access to data.

正解:A


質問 # 299
......

最新問題をダウンロードCISA問題集で2023年最新のCISA試験問題集:https://jp.fast2test.com/CISA-premium-file.html

最新のISACA CISA認定練習テスト問題:https://drive.google.com/open?id=178uO-c4CX-MOna76WLD_-mdfFIuirHPa


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어