
[Latest release, March 2024] Isaca Certification with the CISA Japanese question bank
The latest, complete CISA Japanese questions and answers for a 100% pass
Question # 124
When planning an audit, which of the following is the IS auditor's first activity?
- A. Identify appropriate resources for the audit activities.
- B. Create a list of the key controls to be verified.
- C. Understand the area being audited.
- D. Document specific questions in the audit program.
Correct answer: C
Question # 125
Which of the following BEST achieves system resilience for an e-commerce organization that requires a low recovery time objective (RTO) and several recovery point objectives (RPOs)?
- A. Mirror site
- B. Nightly backups
- C. Remote backups
- D. Redundant arrays
Correct answer: A
Question # 126
Which of the following presents the greatest security risk to an organization using a peer-to-peer (P2P) file-sharing network?
- A. IP addresses are shared to create connections.
- B. Controls are difficult to apply to an unstructured network.
- C. There is no audit trail for files located outside the organization.
- D. Penetration testing cannot identify problems with P2P file-sharing networks.
Correct answer: B
Question # 127
Following a breach, what is the best source of information for determining the maximum time allowed before customers must be notified that their personal information may have been exposed?
- A. Industry regulations
- B. Incident response plan
- C. Information security policy
- D. Industry standards
Correct answer: B
Question # 128
What is the most important finding when reviewing an organization's information security management?
- A. There is no employee awareness training and education program
- B. There are no dedicated security guards
- C. There is no formal charter for the information security management system
- D. There are no periodic assessments to identify threats and vulnerabilities
Correct answer: A
Question # 129
In which of the following cloud service models does the user organization have the greatest control over the accuracy of configuration items in the configuration management database (CMDB)?
- A. Infrastructure as a Service (IaaS)
- B. Platform as a Service (PaaS)
- C. Software as a Service (SaaS)
- D. Database as a Service (DbaaS)
Correct answer: A
Question # 130
Which of the following would best detect that a distributed denial-of-service (DDoS) attack is occurring?
- A. A server crashes
- B. Penetration testing
- C. Customer service complaints
- D. Automated log monitoring
Correct answer: C
Question # 131
Which of the following is the best evidence of the validity and integrity of the logs in an organization's security information and event management (SIEM) system?
- A. Compliance testing
- B. Stop-or-go sampling
- C. Substantive testing
- D. Variable sampling
Correct answer: C
Explanation:
Substantive testing provides the best evidence of the validity and integrity of logs in an organization's security information and event management (SIEM) system, because it is a type of audit testing that directly examines the accuracy, completeness, and reliability of the data and transactions recorded in the logs. Substantive testing can involve various methods, such as re-performance, inspection, observation, inquiry, or computer-assisted audit techniques (CAATs), to verify the existence, occurrence, valuation, ownership, presentation, and disclosure of the log data [1]. Substantive testing can also detect any errors, omissions, alterations, or manipulations of the log data that may indicate fraud or misstatement [2].
Compliance testing (A) is not the best evidence of the validity and integrity of logs in an organization's SIEM system, because it is a type of audit testing that evaluates the design and effectiveness of the internal controls that are implemented to ensure compliance with laws, regulations, policies, and procedures. Compliance testing can involve various methods, such as walkthroughs, questionnaires, checklists, or flowcharts, to assess the adequacy, consistency, and operation of the internal controls [1]. Compliance testing can provide assurance that the log data are generated and processed in accordance with the established rules and standards, but it does not directly verify the accuracy and reliability of the log data itself [2].
Stop-or-go sampling (B) is not a type of audit testing, but a sampling technique that auditors use to select a sample from a population for testing. Stop-or-go sampling is a sequential sampling technique that allows auditors to stop testing before reaching the predetermined sample size if the results are satisfactory or conclusive. Stop-or-go sampling can reduce audit cost and time by avoiding unnecessary testing, but it can also increase sampling risk and uncertainty by relying on a smaller sample [3]. Stop-or-go sampling does not by itself provide any evidence of the validity and integrity of logs in an organization's SIEM system; that depends on the type and quality of the audit tests performed on the selected sample.
Variable sampling (D) is not a type of audit testing, but a sampling technique that auditors use to estimate a numerical characteristic of a population for testing. Variable sampling is a statistical sampling technique that allows auditors to measure the amount or rate of error or deviation in a population by using quantitative methods. Variable sampling can provide precise and objective results by using mathematical formulas and confidence intervals [4]. Variable sampling does not by itself provide any evidence of the validity and integrity of logs in an organization's SIEM system; that depends on the type and quality of the audit tests performed on the selected sample.
References:
1. Audit Testing Procedures - 5 Types and Their Use Cases
2. 5 Types of Testing Methods Used During Audit Procedures | I.S. Partners
3. Stop-or-Go Sampling Definition
4. Variable Sampling Definition
Question # 132
Which of the following is the most important consideration when creating an information classification and handling policy, in order to ensure that the organization's information assets are appropriately protected?
- A. The policy is subject to periodic review to ensure that its provisions are current.
- B. The policy specifies the requirements for protecting information assets based on their importance to the organization.
- C. The policy is mapped against an industry framework for classifying information assets.
- D. The policy is owned by an information security officer who has the authority to enforce it.
Correct answer: B
Question # 133
Which of the following would most facilitate the detection of internal fraud committed by an individual?
- A. Segregation of duties
- B. Mandatory vacations
- C. Corporate fraud hotline
- D. Flexible hours
Correct answer: B
Question # 134
Which of the following is the primary protocol for protecting outbound content from tampering and eavesdropping?
- A. Point-to-Point Protocol (PPP)
- B. Internet Key Exchange (IKE)
- C. Transport Layer Security (TLS)
- D. Secure Shell (SSH)
Correct answer: C
Question # 135
Which of the following is the best testing approach for facilitating the rapid identification of application interface errors?
- A. User acceptance testing (UAT)
- B. Integration testing
- C. Automated testing
- D. Regression testing
Correct answer: C
Question # 136
A bank wants to outsource its systems to a cloud provider located in another country. Which of the following is the most appropriate IS audit recommendation?
- A. Confirm that the provider has disaster recovery capabilities.
- B. Proceed as intended, because the provider must comply with all laws of the client's country.
- C. Confirm that the provider's internal control system meets the bank's requirements.
- D. Look for an alternative provider in the bank's home country.
Correct answer: B
Explanation:
A post-implementation review (PIR) is a process to evaluate whether the objectives of the project were met, determine how effectively this was achieved, learn lessons for the future, and ensure that the organisation gets the most benefit from the implementation of projects [1]. A PIR is an important tool for assessing the success and value of a project, as well as identifying the areas for improvement and best practices for future projects.
One of the key elements of a PIR is to measure the benefits of the project against the expected outcomes and benefits that were defined at the beginning of the project. Measurable benefits are the quantifiable and verifiable results or outcomes that the project delivers to the organisation or its stakeholders, such as increased revenue, reduced costs, improved quality, enhanced customer satisfaction, or compliance with regulations [2].
Measurable benefits should be aligned with the organisation's strategy, vision, and goals, and should be SMART (specific, measurable, achievable, relevant, and time-bound).
The finding that measurable benefits were not defined is of greatest significance among the four findings, because it implies that:
- The project did not have a clear and agreed-upon purpose, scope, objectives, and deliverables
- The project did not have a valid and realistic business case or justification for its initiation and implementation
- The project did not have a robust and effective monitoring and evaluation mechanism to track its progress, performance, and impact
- The project did not have a reliable and transparent way to demonstrate its value proposition and return on investment to the organisation or its stakeholders
- The project did not have a meaningful and actionable way to learn from its achievements and challenges, and to improve its processes and practices

Therefore, an IS auditor should recommend that measurable benefits are defined for any project before its implementation, and that they are reviewed and reported regularly during and after the project's completion.
The other possible findings are:
A lessons-learned session was never conducted: This is a significant finding, but not as significant as the lack of measurable benefits. A lessons-learned session is a process of capturing and documenting the knowledge, experience, and feedback gained from a project, both positive and negative. A lessons-learned session helps to identify the strengths and weaknesses of the project management process, as well as the best practices and lessons for future projects. A lessons-learned session should be conducted at the end of each project phase or milestone, as well as at the end of the project. However, even without a formal lessons-learned session, some learning may still occur informally or implicitly among the project team members or stakeholders.
The project's 10% budget overrun was not reported to senior management: This is a significant finding, but not as significant as the lack of measurable benefits. A budget overrun is a situation where the actual cost of a project exceeds its planned or estimated cost. A budget overrun may indicate poor planning, estimation, or control of the project resources, or unexpected changes or risks that occurred during the project implementation. A budget overrun should be reported to senior management as soon as possible, along with the reasons for it and the corrective actions taken or proposed. However, a budget overrun may not necessarily affect the quality or value of the project deliverables or outcomes if they are still within acceptable standards or expectations.
Monthly dashboards did not always contain deliverables: This is a significant finding, but not as significant as the lack of measurable benefits. A dashboard is a visual tool that displays key performance indicators (KPIs) or metrics related to a project's progress, status, or results. A dashboard helps to monitor and communicate the performance of a project to various stakeholders in a concise and clear manner. A dashboard should include deliverables as one of its components, along with other elements such as schedule, budget, quality, risks, issues, or benefits. However, even without deliverables in monthly dashboards, some information about them may still be available from other sources such as reports or documents.
References:
1. The role & importance of the Post Implementation Review
2. What is Post-Implementation Review in Project Management?
Question # 137
Which of the following is most important in a software license audit?
- A. Judgmental sampling
- B. Stop-or-go sampling
- C. Substantive testing
- D. Compliance testing
Correct answer: C
Explanation:
Substantive testing is the most important type of testing during software license audits, as it provides evidence of the accuracy and completeness of the software inventory and licensing records. Substantive testing involves examining transactions, balances, and other data to verify their validity, existence, accuracy, and valuation.
Compliance testing, on the other hand, is more focused on assessing the adequacy and effectiveness of internal controls over software licensing, such as policies, procedures, and monitoring mechanisms. Compliance testing alone cannot provide sufficient assurance that the software license audit objectives are met, as it does not verify the actual software usage and compliance status. Judgmental sampling and stop-or-go sampling are methods of selecting samples for testing, not types of testing themselves.
References:
1. ISACA IT Audit and Assurance Standards, Guidelines and Tools and Techniques for IS Audit and Assurance Professionals, section 1206 Testing: "The IS audit and assurance professional should perform sufficient testing to obtain sufficient appropriate evidence to support conclusions reached." The section also defines substantive testing as "testing performed to obtain audit evidence to detect material misstatements in transactions or balances" and compliance testing as "testing performed to obtain audit evidence on the operating effectiveness of controls."
2. ISACA IT Audit and Assurance Guideline G15 Software License Management: "The objective of a software license audit is to provide management with an independent assessment relating to compliance with software license agreements." The guideline also states that "substantive tests should be performed on a sample basis to verify that all software installed on devices within scope has been appropriately licensed."
Question # 138
As part of the audit response, the auditee has concerns about the recommendations and is reluctant to implement them. Which of the following is the best course of action for the IS auditor?
- A. Accept the auditee's response and perform additional testing.
- B. Hold further discussions with the auditee in order to develop a mitigation plan.
- C. Propose hiring a third-party consultant to perform an assessment of the current state.
- D. Issue the final report without including the auditee's opinion.
Correct answer: B
Question # 139
......
ISACA exam training with the latest CISA Japanese exam question bank: https://www.jpntest.com/shiken/CISA-JPN-mondaishu