JPNTest Cybersecurity-Audit-Certificate Real Exam Questions: Cybersecurity-Audit-Certificate Practice Question Set [Q40-Q60]

Rigorously verified Cybersecurity-Audit-Certificate exam questions and answers; free Cybersecurity-Audit-Certificate questions provided with correct answers

Question # 40
Which of the following is an example of an application security control?

  • A. User security awareness training
  • B. Security operations center
  • C. Secure coding
  • D. Intrusion detection

Correct answer: C

Explanation:
An example of an application security control is secure coding. Secure coding is the practice of developing software applications that follow security principles and standards to prevent or mitigate common vulnerabilities and risks. Secure coding involves applying techniques such as input validation, output encoding, error handling, encryption, and testing.


Question # 41
What is the FIRST phase of the ISACA framework for auditors reviewing cryptographic environments?

  • A. Hands-on testing
  • B. Evaluation of implementation details
  • C. Risk-based shakeout
  • D. Inventory and discovery

Correct answer: D

Explanation:
The FIRST phase of the ISACA framework for auditors reviewing cryptographic environments is inventory and discovery. The inventory and discovery phase helps auditors identify and document the scope, objectives, and approach of the audit, as well as the cryptographic assets, systems, processes, and stakeholders involved in the cryptographic environment. It also helps auditors assess the maturity and effectiveness of cryptographic governance and management within the organization. The other phases are not the first phase of the framework but follow the inventory and discovery phase: hands-on testing (A), evaluation of implementation details (B), and risk-based shakeout (C).


Question # 42
Which of the following features of continuous auditing provides the BEST level of assurance over traditional sampling?

  • A. Voluminous data can be analyzed at a high speed to show relevant patterns.
  • B. Automated tools provide more reliability than an auditor's personal judgment.
  • C. Continuous auditing tools are less complex for auditors to manage.
  • D. Reports can be generated more frequently for management.

Correct answer: A

Explanation:
The feature of continuous auditing that provides the BEST level of assurance over traditional sampling is that voluminous data can be analyzed at a high speed to show relevant patterns. Continuous auditing is a technique that uses automated tools and processes to perform audit activities on a continuous or near-real-time basis and to analyze large amounts of data from various sources and systems. It provides a higher level of assurance than traditional sampling by covering the entire population of transactions or events rather than a subset or sample, and by identifying trends, anomalies, or exceptions that may indicate risks or issues. The other options are not the features of continuous auditing that provide the best level of assurance over traditional sampling, but rather other aspects or benefits of continuous auditing: reliability (B), complexity (C), and reporting frequency (D).


Question # 43
A healthcare organization recently acquired another firm that outsources its patient information processing to a third-party Software as a Service (SaaS) provider. From a regulatory perspective, which of the following is MOST important for the healthcare organization to determine?

  • A. Encryption algorithms used to encrypt the data
  • B. Physical location of the data
  • C. Cybersecurity risk assessment methodology
  • D. Incident escalation procedures

Correct answer: D

Explanation:
From a regulatory perspective, the MOST important thing for the healthcare organization to determine when patient information processing is outsourced to a third-party Software as a Service (SaaS) provider is the incident escalation procedures. Incident escalation procedures define how security incidents involving patient information are reported, communicated, escalated, and resolved between the healthcare organization and the SaaS provider. This is essential for complying with regulatory requirements such as HIPAA, which mandate timely notification of and response to breaches of protected health information. The other options are not as important as incident escalation procedures from a regulatory perspective, because they relate either to technical aspects that may not affect compliance (A, B) or to operational aspects that may not affect patient information security (C).


Question # 44
Which of the following is MOST critical to guiding and managing security activities throughout an organization to ensure objectives are met?

  • A. Allocating a significant amount of budget to security investments
  • B. Adopting industry security standards and frameworks
  • C. Establishing metrics to measure and monitor security performance
  • D. Conducting annual security awareness training for all employees

Correct answer: C

Explanation:
The MOST critical factor in guiding and managing security activities throughout an organization to ensure objectives are met is establishing metrics to measure and monitor security performance. Metrics provide quantifiable and objective data that can be used to evaluate the effectiveness and efficiency of security activities and to identify gaps and areas for improvement. Metrics also enable communication and reporting of security performance to stakeholders such as senior management, board members, auditors, regulators, and customers. The other options are not as critical as establishing metrics, because they involve spending money without knowing the return on investment (A), adopting standards without customizing them to fit the organization's context and needs (B), or conducting training without assessing its impact on behavior change (D).


Question # 45
Which of the following is the GREATEST risk pertaining to sensitive data leakage when users set mobile devices to "always on" mode?

  • A. Authorization tokens could be exploited.
  • B. A user's behavior pattern can be predicted.
  • C. Mobile connectivity could be severely weakened.
  • D. An adversary can predict a user's login credentials.

Correct answer: A

Explanation:
The GREATEST risk pertaining to sensitive data leakage when users set mobile devices to "always on" mode is that authorization tokens could be exploited. Authorization tokens are pieces of data used to authenticate users and grant them access to certain resources or services. They are often stored on mobile devices to enable seamless and convenient access without requiring users to enter their credentials repeatedly. However, if users set their mobile devices to "always on" mode, they increase the risk that a lost or stolen device exposes those tokens. Attackers can then access the authorization tokens stored on the device and use them to impersonate the user or access their sensitive data.


Question # 46
Which of the following describes specific, mandatory controls or rules to support and comply with a policy?

  • A. Baselines
  • B. Guidelines
  • C. Standards
  • D. Frameworks

Correct answer: C

Explanation:
Specific, mandatory controls or rules to support and comply with a policy are known as standards. Standards define the minimum level of performance or behavior expected from an organization or its employees in order to achieve a policy objective or requirement. Standards also provide clear and measurable criteria for auditing and monitoring compliance with policies. The other options are not specific, mandatory controls or rules to support and comply with a policy, but rather different types of documents or tools that provide guidance or recommendations for implementing policies or controls: baselines (A), guidelines (B), and frameworks (D).


Question # 47
Availability can be protected through the use of:

  • A. user awareness training and related end-user training.
  • B. access controls, file permissions, and encryption.
  • C. redundancy, backups, and business continuity management.
  • D. logging, digital signatures, and write protection.

Correct answer: C

Explanation:
Availability can be protected through the use of redundancy, backups, and business continuity management. These measures help to ensure that systems, data, and services remain accessible and functional at all times, even in the event of a disruption or disaster. The other options are not directly related to protecting availability, but rather focus on awareness (A), confidentiality (B), or integrity (D).


Question # 48
Using digital evidence to provide validation that an attack has actually occurred is an example of:

  • A. computer forensics.
  • B. extraction.
  • C. data acquisition.
  • D. identification.

Correct answer: A

Explanation:
Using digital evidence to provide validation that an attack has actually occurred is an example of computer forensics. Computer forensics is a discipline that involves the identification, preservation, analysis, and presentation of digital evidence from various sources, such as computers, networks, and mobile devices, to support investigations of cyber incidents or crimes. Computer forensics helps to validate that an attack has actually occurred by examining the digital traces or artifacts left by the attackers on the compromised systems or devices and by reconstructing the sequence and timeline of events that led to the attack. The other options are not examples of using digital evidence to validate that an attack has occurred, but rather individual techniques or processes within computer forensics: extraction (B), data acquisition (C), and identification (D).


Question # 49
Which of the following is the GREATEST advantage of using a virtual private network (VPN) over dedicated circuits and dial-in servers?

  • A. It is higher speed.
  • B. It is more cost effective.
  • C. It is more secure.
  • D. It is more reliable.

Correct answer: B

Explanation:
The GREATEST advantage of using a virtual private network (VPN) over dedicated circuits and dial-in servers is that it is more cost effective. A VPN is a technology that creates a secure, encrypted connection between a client and a server over an existing public network such as the Internet. A VPN reduces the cost of establishing and maintaining a secure communication channel because it does not require additional hardware, software, or infrastructure, unlike dedicated circuits and dial-in servers, which require dedicated lines, modems, routers, switches, and so on. The other options are not the greatest advantage of using a VPN over dedicated circuits and dial-in servers, because speed (A), security (C), and reliability (D) may not be significantly different from or better than those of dedicated circuits and dial-in servers.


Question # 50
What is the MAIN consideration when storing backup files?

  • A. Protecting the off-site data backup copies from unauthorized access
  • B. Utilizing solid state device (SSD) media for quick recovery
  • C. Storing copies on-site for ease of access during incident response
  • D. Storing backup files on public cloud storage

Correct answer: A

Explanation:
The MAIN consideration when storing backup files is protecting the off-site data backup copies from unauthorized access. Doing so helps to ensure the confidentiality and integrity of the backup data and prevents unauthorized or malicious disclosure, modification, or deletion of it. Protecting the off-site backup copies from unauthorized access also helps to comply with any regulatory or contractual requirements that apply to the backup data. The other options are not the main consideration when storing backup files, but rather other aspects or factors that affect the backup process: using solid state device (SSD) media (B), storing copies on-site (C), and storing backup files on public cloud storage (D).


Question # 51
Cyber threat intelligence aims to research and analyze trends and technical developments in which of the following areas?

  • A. Cybersecurity operations management
  • B. Cybersecurity risk scenarios
  • C. Cybercrime, hacktivism, and espionage
  • D. Industry-specific security regulator

Correct answer: C

Explanation:
Cyber threat intelligence aims to research and analyze trends and technical developments in the areas of cybercrime, hacktivism, and espionage. These are the main sources of malicious cyber activity that pose risks to organizations and individuals. Cyber threat intelligence helps to understand the motivations, capabilities, tactics, techniques, and procedures of various threat actors and groups.


Question # 52
Which of the following backup procedures would only copy files that have changed since the last backup was made?

  • A. Daily backup
  • B. Incremental backup
  • C. Full backup
  • D. Differential backup

Correct answer: B

Explanation:
The backup procedure that would only copy files that have changed since the last backup was made is an incremental backup. An incremental backup is a type of backup that copies only the files that have been created or modified since the previous backup, whether that previous backup was a full or an incremental one. An incremental backup helps to reduce backup time and storage space, as well as recovery time, since only the changed files need to be restored. The other options are not backup procedures that copy only the files changed since the last backup, but rather backup procedures that copy files based on different criteria: daily backup (A), full backup (C), and differential backup (D).


Question # 53
In public key cryptography, digital signatures are primarily used to:

  • A. prove sender authenticity.
  • B. ensure message integrity.
  • C. maintain confidentiality.
  • D. ensure message accuracy.

Correct answer: A

Explanation:
In public key cryptography, digital signatures are primarily used to prove sender authenticity. A digital signature is a cryptographic technique that allows the sender of a message to sign it with their private key; the resulting signature can be verified only with the corresponding public key. The recipient can confirm, using the sender's public key, that the message was sent by the sender and was not tampered with.


Question # 54
Which of the following is a feature of an intrusion detection system (IDS)?

  • A. Back doors into applications
  • B. Intrusion prevention
  • C. Automated response
  • D. Interface with firewalls

Correct answer: C

Explanation:
A feature of an intrusion detection system (IDS) is automated response. An IDS is a system that monitors network or system activity for malicious or anomalous behavior and alerts or reports on any detected incidents. An IDS can also perform automated response actions, such as blocking traffic, terminating sessions, or sending notifications, to contain or mitigate the incidents. The other options are not features of an IDS, but rather different concepts or techniques related to intrusion detection or prevention: back doors into applications (A), intrusion prevention (B), and interfacing with firewalls (D).


Question # 55
An information security procedure indicates a requirement to sandbox emails. What does this requirement mean?

  • A. Ensure the emails are encrypted and provide nonrepudiation.
  • B. Guarantee rapid email delivery through firewalls.
  • C. Provide a backup of emails in the event of a disaster.
  • D. Isolate the emails and test for malicious content.

Correct answer: D

Explanation:
An information security procedure that requires emails to be sandboxed means that the emails need to be isolated and tested for malicious content. Sandboxing is a technique that creates a virtual or isolated environment in which suspicious or untrusted emails can be executed or analyzed without affecting the rest of the system or network. Sandboxing helps to detect and prevent malware, phishing, or spam attacks that may be embedded in emails, protecting users and the organization from potential harm. The other options are not what sandboxing emails means, but rather different information security concepts or techniques: encryption and nonrepudiation (A), firewalls and delivery (B), and backup and recovery (C).


Question # 56
Which of the following devices is at GREATEST risk from activity monitoring and data retrieval?

  • A. Desktop workstation
  • B. Mobile devices
  • C. Printing devices
  • D. Cloud storage devices

Correct answer: B

Explanation:
The devices at GREATEST risk from activity monitoring and data retrieval are mobile devices. Mobile devices are portable, wireless devices connected to the Internet or other networks, such as smartphones, tablets, and laptops. They are at the greatest risk from activity monitoring and data retrieval because they can easily be lost, stolen, or compromised by attackers who can then access or extract the data stored on or transmitted by the device. Mobile devices can also be subject to activity monitoring and data retrieval by third-party applications or services that collect or share the user's personal or sensitive information without their consent or knowledge. The other options are not the devices at greatest risk from activity monitoring and data retrieval, but rather device types with different levels of risk or protection: desktop workstations (A), printing devices (C), and cloud storage devices (D).


Question # 57
Which of the following is the GREATEST drawback when using the AICPA/CICA Trust Services to evaluate a cloud service provider?

  • A. Incompatibility with cloud service business model
  • B. Lack of specificity in the principles
  • C. Omission of confidentiality in the criteria
  • D. Inability to issue SOC 2 or SOC 3 reports

Correct answer: B

Explanation:
The GREATEST drawback when using the AICPA/CICA Trust Services to evaluate a cloud service provider is the lack of specificity in the principles. The AICPA/CICA Trust Services are a set of principles and criteria that provide guidance for evaluating and reporting on controls over information systems and services. However, the principles and criteria are very broad and generic, and do not address the specific risks and challenges associated with cloud services, such as data sovereignty, multi-tenancy, and portability. The other options are not drawbacks of using the AICPA/CICA Trust Services to evaluate a cloud service provider, but rather aspects or benefits of doing so: compatibility (A), confidentiality (C), and reporting (D).


Question # 58
The MOST significant limitation of vulnerability scanning is the fact that modern scanners only detect:

  • A. known vulnerabilities.
  • B. common vulnerabilities.
  • C. unknown vulnerabilities.
  • D. zero-day vulnerabilities.

Correct answer: A

Explanation:
The MOST significant limitation of vulnerability scanning is the fact that modern scanners only detect known vulnerabilities. Vulnerability scanners rely on databases or repositories of known vulnerabilities, such as CVE (Common Vulnerabilities and Exposures), to compare against and identify weaknesses or flaws in systems or applications. Vulnerability scanners cannot detect unknown vulnerabilities, such as zero-day vulnerabilities, that have not yet been reported or disclosed and that may be exploited by attackers before they are patched or fixed. The other options are not the most significant limitation of vulnerability scanning: detecting common (B), unknown (C), or zero-day (D) vulnerabilities does not describe the capabilities or limitations of modern scanners.


Question # 59
Which of the following presents the GREATEST challenge to information risk management when outsourcing an IT function to a third party?

  • A. Providers may be reluctant to share technical details on the extent of their information protection mechanisms.
  • B. Providers may be restricted from providing detailed information on their employees.
  • C. It is difficult to determine vendor financial viability to assess their potential inability to meet contract requirements.
  • D. It is difficult to know the applicable regulatory requirements when data is located in another country.

Correct answer: A

Explanation:
The GREATEST challenge to information risk management when outsourcing an IT function to a third party is that providers may be reluctant to share technical details on the extent of their information protection mechanisms. Providers may consider their information protection mechanisms proprietary or confidential, or may not want to reveal their weaknesses or vulnerabilities. This makes it difficult for the outsourcing organization to assess the provider's level of security and compliance and to monitor and audit its performance. The other options are not as challenging as providers being reluctant to share technical details, because they involve either human resource aspects that can be verified or validated by the provider (B) or legal or contractual aspects that can be clarified or negotiated before outsourcing (C, D).


Question # 60
......
