
CISA PDF試験材料2023年最新の実際に出るCISA問題集
更新されたのはISACA CISA問題集PDFオンラインエンジン
質問 # 198
The MOST likely explanation for the use of applets in an Internet application is that:
- A. the server does not run the program and the output is not sent over the network.
- B. it is a JAVA program downloaded through the web browser and executed by the web server of the client machine.
- C. it is sent over the network from the server.
- D. they improve the performance of the web server and network.
正解:D
解説:
Explanation/Reference:
Explanation:
An applet is a JAVA program that is sent over the network from the web server, through a web browser and to the client machine; the code is then run on the machine. Since the server does not run the program and the output is not sent over the network, the performance on the web server and network-over which the server and client are connected-drastically improves through the use of applets. Performance improvement is more important than the reasons offered in choices A and
B. Since JAVA virtual machine (JVM) is embedded in most web browsers, the applet download through the web browser runs on the client machine from the web browser, not from the web server, making choice D incorrect.
質問 # 199
An organization has begun using social media to communicate with current and potential clients. Which of the following should be of PRIMARY concern to the auditor?
- A. Using a third-party provider to host and manage content
- B. Reduced productivity of stuff using social media
- C. Negative posts by customers affecting the organization's image
- D. Lack of guidance on appropriate social media usage and monitoring
正解:D
解説:
Section: Protection of Information Assets
質問 # 200
Which of the following will be the MOST effective method to verify that a service vendor keeps control levels as required by the client?
- A. Conduct periodic on-site assessments using agreed-upon criteria.
- B. Periodically review the service level agreement (SLA) with the vendor.
- C. Conduct an unannounced vulnerability assessment of vendor's IT systems.
- D. Obtain evidence of the vendor's control self-assessment (CSA).
正解:C
質問 # 201
Which of the following is an example of a control that is both detective and preventive at the same lime?
- A. A payment order to a sanctioned country is detected in the system before the payment is actually made.
- B. Detection of unauthorized activity in a database prevents further manipulation by the database administrator (DBA).
- C. Detective fraud controls performed on past transactions prevent legal action being taken against the organization.
- D. A misconfiguration of an operating system is detected and future recurrence can successfully be prevented.
正解:B
質問 # 202
An organization's plans to implement a virtualization strategy enabling multiple operating systems on a single host. Which of the following should be the GREATEST concern with this strategy?
- A. Network bandwidth
- B. Application performance
- C. Adequate storage space
- D. Complexity of administration
正解:D
質問 # 203
The use of symmetric key encryption controls to protect sensitive data transmitted over a communications network requires that:
- A. encryption keys be changed only when a compromise is detected at both ends.
- B. encryption keys at one end be changed on a regular basis.
- C. public keys be stored in encrypted form.
- D. primary keys for encrypting the data be stored in encrypted form.
正解:D
解説:
Section: Protection of Information Assets
質問 # 204
An IS auditor finds that firewalls are outdated and not supported by vendors. Which of the following should be the auditor's NEXT course of action?
- A. Determine the risk of not replacing the firewall.
- B. Report the mitigating controls.
- C. Report the security posture of the organization.
- D. Determine the value of the firewall.
正解:A
質問 # 205
Which of the following sampling techniques is BEST to use when verifying the operating effectiveness of internal controls during an audit of transactions?
- A. Attribute sampling
- B. Stop-or-go sampling
- C. Statistical sampling
- D. Judgmental sampling
正解:C
質問 # 206
Which of the following MOST effectively provides assurance of ongoing service delivery by a vendor?
- A. Regular monitoring by service management team
- B. Short incident response time by the vendor
- C. Pre-defined service and operational level agreements
- D. Regular status reporting provided by the vendor
正解:C
解説:
Section: Information System Operations, Maintenance and Support
質問 # 207
An employee transfers from an organization's risk management department to become the lead IS auditor.
While in the risk management department, the employee helped develop the key performance indicators (KPIs) now used by the organization. Which of the following would pose the GREATEST threat to the independence of this auditor?
- A. Developing KPIs to measure the internal audit team
- B. Evaluating the effectiveness of IT risk management processes
- C. Recommending controls to address the IT risks identified by KPIs
- D. Training the IT audit team on IT risk management processes
正解:C
解説:
Section: The process of Auditing Information System
質問 # 208
An integrated test facility is considered a useful audit tool because it:
- A. is a cost-efficient approach to auditing application controls.
- B. provides the IS auditor with a tool to analyze a large range of information
- C. compares processing output with independently calculated data.
- D. enables the financial and IS auditors to integrate their audit tests.
正解:C
解説:
Section: Protection of Information Assets
Explanation:
An integrated test facility is considered a useful audit tool because it uses the same programs to compare
processing using independently calculated data. This involves setting up dummy entities on an application
system and processing test or production data against the entity as a means of verifying processing
accuracy.
質問 # 209
Who is responsible for restricting and monitoring access of a data user?
- A. Data Owner
- B. Security Administrator
- C. Data User
- D. Data Custodian
正解:B
解説:
Explanation/Reference:
Security administrator are responsible for providing adequate and logical security for IS programs, data and equipment.
For CISA exam you should know below roles in an organization
Data Owners - These peoples are generally managers and directors responsible for using information for running and controlling the business. Their security responsibilities include authorizing access, ensuring that access rules are updated when personnel changes occur, and regularly review access rule for the data for which they are responsible.
Data Custodian or Data Steward - These people are responsible for storing and safeguarding the data, and include IS personnel such as system analysis and computer operators.
Security Administrator-Security administrator are responsible for providing adequate physical and logical security for IS programs, data and equipment.
Data Users - Data users, including internal and external user community, are the actual user of computerized data. Their level of access into the computer should be authorized by data owners, and restricted and monitor by security administrator.
The following were incorrect answers:
Data Owner - These peoples are generally managers and directors responsible for using information for running and controlling the business.
Data Users - Data users, including internal and external user community, are the actual user of computerized data.
Data custodian is responsible for storing and safeguarding the data, and include IS personnel such as system analyst and computer operators.
The following reference(s) were/was used to create this question:
CISA review manual 2014 Page number361
質問 # 210
An organization is in the process of acquiring a competitor. The information security manager has been asked to report on the security posture of the target acquisition. Which of the following should be the security manager's FIRST course of action?
- A. Implement a security dashboard
- B. Perform a vulnerability assessment
- C. Perform a gap analysis
- D. Quantity the potential risk
正解:A
解説:
Section: Information System Acquisition, Development and Implementation
質問 # 211
The BEST overall quantitative measure of the performance of biometric control devices is:
- A. false-acceptance rate.
- B. equal-error rate.
- C. false-rejection rate.
- D. estimated-error rate.
正解:B
解説:
A low equal-error rate (EER) is a combination of a low false-rejection rate and a low false-acceptance rate. EER, expressed as a percentage, is a measure of the number of times that the false-rejection and false-acceptance rates are equal. A low EERis the measure of the more effective biometrics control device. Low false-rejection rates or low false-acceptance rates alone do not measure the efficiency of the device. Estimated-error rate is nonexistent and therefore irrelevant.
質問 # 212
Which of the following layer of an enterprise data flow architecture does the scheduling of the tasks necessary to build and maintain the Data Warehouse (DW) and also populates Data Marts?
- A. Desktop Access Layer
- B. Data preparation layer
- C. Data access layer
- D. Warehouse management layer
正解:D
解説:
Section: Information System Acquisition, Development and Implementation Explanation:
Warehouse Management Layer - The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.
For CISA exam you should know below information about business intelligence:
Business intelligence(BI) is a broad field of IT encompasses the collection and analysis of information to assist decision making and assess organizational performance. To deliver effective BI, organizations need to design and implement a data architecture. The complete data architecture consists of two components The enterprise data flow architecture (EDFA) A logical data architecture Various layers/components of this data flow architecture are as follows:
Presentation/desktop access layer - This is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.
Data Source Layer - Enterprise information derives from number of sources:
Operational data - Data captured and maintained by an organization's existing systems, and usually held in system-specific database or flat files.
External Data - Data provided to an organization by external sources. This could include data such as customer demographic and market share information.
Nonoperational data - Information needed by end user that is not currently maintained in a computer accessible format.
Core data warehouse - This is where all the data of interest to an organization is captured and organized to assist reporting and analysis. DWs are normally instituted as large relational databases. A property constituted DW should support three basic form of an inquiry.
Drilling up and drilling down - Using dimension of interest to the business, it should be possible to aggregate data as well as drill down. Attributes available at the more granular levels of the warehouse can also be used to refine the analysis.
Drill across - Use common attributes to access a cross section of information in the warehouse such as sum sales across all product lines by customer and group of customers according to length of association with the company.
Historical Analysis - The warehouse should support this by holding historical, time variant data. An example of historical analysis would be to report monthly store sales and then repeat the analysis using only customer who were preexisting at the start of the year in order to separate the effective new customer from the ability to generate repeat business with existing customers.
Data Mart Layer - Data mart represents subset of information from the core DW selected and organized to meet the needs of a particular business unit or business line. Data mart can be relational databases or some form on-line analytical processing (OLAP) data structure.
Data Staging and quality layer - This layer is responsible for data copying, transformation into DW format and quality control. It is particularly important that only reliable data into core DW. This layer needs to be able to deal with problems periodically thrown by operational systems such as change to account number format and reuse of old accounts and customer numbers.
Data Access Layer - This layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology now permits SQL access to data even if it is not stored in a relational database.
Data Preparation layer - This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed. Data mining is concern with exploring large volume of data to determine patterns and trends of information. Data mining often identifies patterns that are counterintuitive due to number and complexity of data relationships. Data quality needs to be very high to not corrupt the result.
Metadata repository layer - Metadata are data about data. The information held in metadata layer needs to extend beyond data structure names and formats to provide detail on business purpose and context. The metadata layer should be comprehensive in scope, covering data as they flow between the various layers, including documenting transformation and validation rules.
Warehouse Management Layer - The function of this layer is the scheduling of the tasks necessary to build and maintain the DW and populate data marts. This layer is also involved in administration of security.
Application messaging layer - This layer is concerned with transporting information between the various layers. In addition to business data, this layer encompasses generation, storage and targeted communication of control messages.
Internet/Intranet layer - This layer is concerned with basic data communication. Included here are browser based user interface and TCP/IP networking.
Various analysis models used by data architects/ analysis follows:
Activity or swim-lane diagram - De-construct business processes.
Entity relationship diagram - Depict data entities and how they relate. These data analysis methods obviously play an important part in developing an enterprise data model. However, it is also crucial that knowledgeable business operative is involved in the process. This way proper understanding can be obtained of the business purpose and context of the data. This also mitigates the risk of replication of suboptimal data configuration from existing systems and database into DW.
The following were incorrect answers:
Desktop access layer or presentation layer is where end users directly deal with information. This layer includes familiar desktop tools such as spreadsheets, direct querying tools, reporting and analysis suits offered by vendors such as Congas and business objects, and purpose built application such as balanced source cards and digital dashboards.
Data preparation layer - This layer is concerned with the assembly and preparation of data for loading into data marts. The usual practice is to per-calculate the values that are loaded into OLAP data repositories to increase access speed.
Data access layer - his layer operates to connect the data storage and quality layer with data stores in the data source layer and, in the process, avoiding the need to know to know exactly how these data stores are organized. Technology now permits SQL access to data even if it is not stored in a relational database.
Reference:
CISA review manual 2014 Page number 188
質問 # 213
Effective IT governance requires organizational structures and processes to ensure that:
- A. the IT strategy extends the organization's strategies and objectives.
- B. the organization's strategies and objectives extend the IT strategy.
- C. the business strategy is derived from an IT strategy.
- D. IT governance is separate and distinct from the overall governance.
正解:A
解説:
Effective IT governance requires that board and executive management extend governance to IT and provide the leadership, organizational structures and processes that ensure that the organization's IT sustains and extends the organization's strategiesand objectives, and that the strategy is aligned with business strategy. Choice A is incorrect because it is the IT strategy that extends the organizational objectives, not the opposite. IT governance is not an isolated discipline; it must become anintegral part of the overall enterprise governance.
質問 # 214
During a review of an insurance company's claims system, the IS auditor learns that claims for specific medical procedures are acceptable only from females. This is an example of a:
- A. completeness check.
- B. logical relationship check.
- C. reasonableness check.
- D. key verification.
正解:B
解説:
Section: The process of Auditing Information System
質問 # 215
......
ISACA CISA問題集PDFのベストを目指すなら問題集を使おう 目指そう高得点:https://jp.fast2test.com/CISA-premium-file.html
CISA.PDFで問題解答PDFサンプル問題は信頼され続ける:https://drive.google.com/open?id=178uO-c4CX-MOna76WLD_-mdfFIuirHPa