NO.1 An IS auditor performing detailed network assessments and access control reviews should
A. evaluate users' access authorization.
B. determine the points of entry.
C. assess users' identification and authorization.
D. evaluate the domain-controlling server configuration.
Answer: B

In performing detailed network assessments and access control reviews, an IS auditor should first
determine the points of entry to the system and review the points of entry accordingly for
appropriate controls. Evaluation of user access authorization, assessment of user identification and
authorization, and evaluation of the domain-controlling server configuration are all implementation
issues for appropriate controls for the points of entry.

NO.2 Which of the following would effectively verify the originator of a transaction?
A. Using a portable document format (PDF) to encapsulate transaction content
B. Using a secret password between the originator and the receiver
C. Encrypting the transaction with the receiver's public key
D. Digitally signing the transaction with the source's private key
Answer: D

A digital signature is an electronic identification of a person, created by using a public key algorithm,
to verify to a recipient the identity of the source of a transaction and the integrity of its content.
Since they are a 'shared secret' between the user and the system itself, passwords are considered a
weaker means of authentication. Encrypting the transaction with the recipient's public key will
provide confidentiality for the information, while using a portable document format (PDF) will prove
the integrity of the content but not necessarily authorship.

NO.3 Which of the following is the MOST important action in recovering from a cyberattack?
A. Use of cyberforensic investigators
B. Filing an insurance claim
C. Execution of a business continuity plan
D. Creation of an incident response team
Answer: C

The most important key step in recovering from cyberattacks is the execution of a business continuity
plan to quickly and cost-effectively recover critical systems, processes and data. The incident
response team should exist prior to a cyberattack. When a cyberattack is suspected, cyberforensics
investigators should be used to set up alarms, catch intruders within the network, and track and trace
them over the Internet. After taking the above steps, an organization may have a residual risk
that needs to be insured and claimed for traditional and electronic exposures.

NO.4 When developing a security architecture, which of the following steps should be executed FIRST?
A. Defining a security policy
B. Defining roles and responsibilities
C. Developing security procedures
D. Specifying an access control methodology
Answer: A

Defining a security policy for information and related technology is the first step toward building a
security architecture. A security policy communicates a coherent security standard to users,
management and technical staff. Security policies will often set the stage in terms of what tools and
procedures are needed for an organization. The other choices should be executed only after defining
a security policy.
