CISA-JPN Exam Question 506
When planning an internal penetration test, which of the following is the MOST important step before finalizing the scope of testing?
Correct answer: B
Obtaining management's written consent to the testing scope is the most important step before the scope is finalized: it gives the penetration testers explicit authorization to carry out the testing activities and protects them from legal liability or accusations of unauthorized access or damage. In practice this consent takes the form of signed rules of engagement that name the systems in scope, the testing window, and who to contact if production is disrupted. The other options matter less than obtaining management's consent, and they vary with the situation and the agreement: not every system has to be excluded from the scope, and not every test has to be restricted to the test environment. References: CISA Review Manual (Digital Version), pages 381-382.
CISA-JPN Exam Question 507
When implementing Internet Protocol security (IPsec) architecture, the servers involved in application delivery:
Correct answer: A
When an IPsec architecture is implemented, the servers involved in application delivery communicate via Transport Layer Security (TLS), a protocol that provides encryption and authentication for data transmitted over a network. IPsec operates at the network layer and protects IP packets between hosts or security gateways; TLS operates at the transport layer and protects individual TCP connections end to end, so the two are layered rather than substituted for one another. Blocking authorized users from unauthorized activities, channeling access only through the public-facing firewall, and channeling access through authentication are not functions of an IPsec architecture. References: CISA Review Manual (Digital Version), Chapter 5, Section 5.4.2
CISA-JPN Exam Question 508
A bank wants to outsource its systems to a cloud provider located in another country. Which of the following would be the MOST appropriate IS audit recommendation?
Correct answer: C
A post-implementation review (PIR) is a process to evaluate whether the objectives of the project were met, determine how effectively this was achieved, learn lessons for the future, and ensure that the organisation gets the most benefit from the implementation of projects [1]. A PIR is an important tool for assessing the success and value of a project, as well as identifying the areas for improvement and best practices for future projects.
One of the key elements of a PIR is to measure the benefits of the project against the expected outcomes and benefits that were defined at the beginning of the project. Measurable benefits are the quantifiable and verifiable results or outcomes that the project delivers to the organisation or its stakeholders, such as increased revenue, reduced costs, improved quality, enhanced customer satisfaction, or compliance with regulations [2].
Measurable benefits should be aligned with the organisation's strategy, vision, and goals, and should be SMART (specific, measurable, achievable, relevant, and time-bound).
The finding that measurable benefits were not defined is of greatest significance among the four findings, because it implies that:
* The project did not have a clear and agreed-upon purpose, scope, objectives, and deliverables
* The project did not have a valid and realistic business case or justification for its initiation and implementation
* The project did not have a robust and effective monitoring and evaluation mechanism to track its progress, performance, and impact
* The project did not have a reliable and transparent way to demonstrate its value proposition and return on investment to the organisation or its stakeholders
* The project did not have a meaningful and actionable way to learn from its achievements and challenges, and to improve its processes and practices
Therefore, an IS auditor should recommend that measurable benefits are defined for any project before its implementation, and that they are reviewed and reported regularly during and after the project's completion.
The other possible findings are:
* A lessons-learned session was never conducted: This is a significant finding, but not as significant as the lack of measurable benefits. A lessons-learned session is a process of capturing and documenting the knowledge, experience, and feedback gained from a project, both positive and negative. A lessons-learned session helps to identify the strengths and weaknesses of the project management process, as well as the best practices and lessons for future projects. A lessons-learned session should be conducted at the end of each project phase or milestone, as well as at the end of the project. However, even without a formal lessons-learned session, some learning may still occur informally or implicitly among the project team members or stakeholders.
* The project's 10% budget overrun was not reported to senior management: This is a significant finding, but not as significant as the lack of measurable benefits. A budget overrun is a situation where the actual cost of a project exceeds its planned or estimated cost. A budget overrun may indicate poor planning, estimation, or control of the project resources, or unexpected changes or risks that occurred during the project implementation. A budget overrun should be reported to senior management as soon as possible, along with the reasons for it and the corrective actions taken or proposed. However, a budget overrun may not necessarily affect the quality or value of the project deliverables or outcomes if they are still within acceptable standards or expectations.
* Monthly dashboards did not always contain deliverables: This is a significant finding, but not as significant as the lack of measurable benefits. A dashboard is a visual tool that displays key performance indicators (KPIs) or metrics related to a project's progress, status, or results. A dashboard helps to monitor and communicate the performance of a project to various stakeholders in a concise and clear manner. A dashboard should include deliverables as one of its components, along with other elements such as schedule, budget, quality, risks, issues, or benefits. However, even without deliverables in monthly dashboards, some information about them may still be available from other sources such as reports or documents.
References: [1] The role & importance of the Post Implementation Review; [2] What is Post-Implementation Review in Project Management?
CISA-JPN Exam Question 509
Which of the following would be of GREATEST concern to an IS auditor reviewing the information systems acquisition, development, and implementation process?
Correct answer: B
CISA-JPN Exam Question 510
Which of the following helps to ensure the integrity of data for a system interface?
Correct answer: C
Validation checks are a type of data quality control that helps to ensure the integrity of data for a system interface. Validation checks verify that the data entered or transferred between systems is correct, consistent, and conforms to predefined rules or standards. Validation checks can prevent or detect errors, anomalies, or inconsistencies in the data that may affect the system's functionality, performance, or security.
Option C is correct because validation checks are a common and effective method of ensuring data integrity for a system interface. Validation checks can be performed at various stages of the data lifecycle, such as input, processing, output, or storage. Validation checks can also be applied to different types of data, such as data types, codes, ranges, formats, consistency, and uniqueness.
Option A is incorrect because system interface testing is a type of software testing that verifies the interaction between two separate systems or components of a system. System interface testing does not directly ensure the integrity of data for a system interface, but rather the functionality and reliability of the interface itself. System interface testing may use validation checks as part of its test cases, but it is not the same as validation checks.
Option B is incorrect because user acceptance testing (UAT) is a type of software testing that evaluates whether the system meets the user's expectations and requirements. UAT does not directly ensure the integrity of data for a system interface, but rather the usability and acceptability of the system from the user's perspective. UAT may use validation checks as part of its test scenarios, but it is not the same as validation checks.
Option D is incorrect because audit logs are records of the events and activities that occur within a system or network. They are a detective control: they provide evidence and accountability for the system's operations and security and support investigation after the fact, but they do not stop invalid data from being accepted across the interface. Audit log analysis may rely on validation checks, but it is not the same as validation checks.
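The validation checks described above, as an added example that is not from the CISA Review Manual or any ISACA material: a receiving system applies data type, format, code, range, consistency and uniqueness checks to each record of an inbound interface feed, and then reconciles the batch against the sender's record count and amount total. The record layout, the currency code table, the amount limit and the sample feed are all constructed for illustration.

```python
# Added example (not ISACA/CISA Review Manual code): validation checks on an
# inbound interface feed. Layout, code table, limits and sample feed are constructed.
import re
from datetime import date
from decimal import Decimal, InvalidOperation

VALID_CURRENCIES = {"USD", "EUR", "JPY"}        # constructed code table
MAX_AMOUNT = Decimal("1000000.00")              # constructed interface limit
ACCOUNT_RE = re.compile(r"^\d{10}$")
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

# Constructed sample feed. Detail: D|txn_id|account|amount|ccy|value_date.
# Trailer T|record_count|amount_total carries the sender's batch control totals.
# Records 2 to 6 each break one or more of the checks below.
SAMPLE_FEED = """\
D|T0001|1234567890|250.00|USD|2024-03-01
D|T0002|1234567890|-5.00|USD|2024-03-01
D|T0003|12345|99.10|EUR|2024-03-02
D|T0001|0987654321|10.00|JPY|2024-03-01
D|T0005|0987654321|abc|USD|2024-03-01
D|T0006|0987654321|1.00|GBP|2024-02-30
T|6|355.10
"""

def parse_date(text):
    """Format check (YYYY-MM-DD) plus calendar validity; None on failure."""
    if not DATE_RE.match(text):
        return None
    try:
        y, m, d = (int(p) for p in text.split("-"))
        return date(y, m, d)                    # rejects 2024-02-30
    except ValueError:
        return None

def validate_detail(fields, seen_ids, batch_date):
    """Return the list of validation errors for one detail record."""
    if len(fields) != 6:
        return ["wrong field count"]
    _, txn_id, account, amount_s, ccy, date_s = fields
    errors = []
    if txn_id in seen_ids:                      # uniqueness check
        errors.append("duplicate txn_id")
    seen_ids.add(txn_id)
    if not ACCOUNT_RE.match(account):           # format check
        errors.append("bad account format")
    try:                                        # data type check
        amount = Decimal(amount_s)
    except InvalidOperation:
        errors.append("amount not numeric")
        amount = None
    if amount is not None and not (0 < amount <= MAX_AMOUNT):
        errors.append("amount out of range")    # range check
    if ccy not in VALID_CURRENCIES:             # code (table lookup) check
        errors.append("unknown currency code")
    value_date = parse_date(date_s)
    if value_date is None:                      # format check
        errors.append("invalid value date")
    elif value_date > batch_date:               # consistency check
        errors.append("value date after batch date")
    return errors

def validate_feed(feed, batch_date_s):
    """Validate every record and reconcile the batch against its trailer.
    Returns (accepted records, [(line_no, txn_id, errors)], control_errors)."""
    batch_date = parse_date(batch_date_s)
    if batch_date is None:
        raise ValueError(f"bad batch date {batch_date_s!r}")
    accepted, rejected, control_errors = [], [], []
    seen_ids, count, total, trailer = set(), 0, Decimal("0"), None
    for line_no, line in enumerate(feed.splitlines(), start=1):
        fields = line.split("|")
        if fields[0] == "T":
            trailer = fields
            continue
        count += 1
        if len(fields) == 6:                    # totals cover every received record
            try:
                total += Decimal(fields[3])
            except InvalidOperation:
                pass
        errors = validate_detail(fields, seen_ids, batch_date)
        if errors:
            rejected.append((line_no, fields[1] if len(fields) > 1 else "", errors))
        else:
            accepted.append({"txn_id": fields[1], "account": fields[2],
                             "amount": Decimal(fields[3]), "currency": fields[4],
                             "value_date": fields[5]})
    # Control totals catch records lost or altered in transit; they do not
    # catch bad field values, which is what the per-record checks are for.
    try:
        t_count, t_total = int(trailer[1]), Decimal(trailer[2])
    except (TypeError, IndexError, ValueError, InvalidOperation):
        control_errors.append("missing or malformed trailer")
    else:
        if t_count != count:
            control_errors.append(f"record count {count} != trailer {t_count}")
        if t_total != total:
            control_errors.append(f"amount total {total} != trailer {t_total}")
    return accepted, rejected, control_errors

if __name__ == "__main__":
    print(validate_feed(SAMPLE_FEED, "2024-03-02"))
```

Running `validate_feed(SAMPLE_FEED, "2024-03-02")` accepts one record and rejects five, while the trailer reconciles cleanly: the control totals confirm that everything the sender transmitted arrived intact, and it is the per-record validation checks that catch the bad values. Removing a record from the feed flips the control-total result, which is the failure mode those totals exist to detect.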
References:
CISA Online Review Course, Module 5: Protection of Information Assets, Lesson 4: Data Quality Management, slides 5-6.
CISA Review Manual (Digital Version), Chapter 5: Protection of Information Assets, Section 5.3: Data Quality Management, pp. 281-282.
CISA Review Manual (Print Version), Chapter 5: Protection of Information Assets, Section 5.3: Data Quality Management, pp. 281-282.
CISA Questions, Answers & Explanations Database, Question ID: QAE_CISA_722.
Data Validation - Overview, Types, Practical Examples
Data Validity: The Best Practice for Your Business
Validation - Data validation
What is Data Validation? Types, Techniques, Tools