CISA-JPN 試験問題 306
IS 監査人が、インターネット経由で顧客が直接アクセスする Web ベースの顧客関係管理 (CRM) システムのセキュリティをレビューしている場合、監査人が懸念すべき事項は次のどれですか。
正解: D
A web-based CRM system that is directly accessed by customers via the Internet should be hosted in a secure and isolated environment to protect it from external threats and unauthorized access. A web-based CRM system should also be reliable, trusted, and backed up regularly1.
Hosting the system on an external third-party service provider's servers (A) or a hybrid-cloud platform managed by a service provider (B) may not be a concern for the auditor if the service provider has adequate security measures and service level agreements in place. The auditor should verify the security controls and contractual terms of the service provider before trusting them with the CRM data23.
Hosting the system within a demilitarized zone (DMZ) of a corporate network is a common practice to provide an extra layer of security to the CRM system from untrusted networks, such as the Internet. A DMZ is a perimeter network that isolates the CRM system from the internal network and filters the incoming traffic from the external network using a security gateway4567.
Hosting the system within an internal segment of a corporate network (D) is a concern for the auditor because it exposes the CRM system and the internal network to potential attacks from the Internet. The CRM system should not be directly accessible from the Internet without a DMZ or a firewall to protect it. This could compromise the confidentiality, integrity, and availability of the CRM data and the internal network78.
Hosting the system on an external third-party service provider's servers (A) or a hybrid-cloud platform managed by a service provider (B) may not be a concern for the auditor if the service provider has adequate security measures and service level agreements in place. The auditor should verify the security controls and contractual terms of the service provider before trusting them with the CRM data23.
Hosting the system within a demilitarized zone (DMZ) of a corporate network is a common practice to provide an extra layer of security to the CRM system from untrusted networks, such as the Internet. A DMZ is a perimeter network that isolates the CRM system from the internal network and filters the incoming traffic from the external network using a security gateway4567.
Hosting the system within an internal segment of a corporate network (D) is a concern for the auditor because it exposes the CRM system and the internal network to potential attacks from the Internet. The CRM system should not be directly accessible from the Internet without a DMZ or a firewall to protect it. This could compromise the confidentiality, integrity, and availability of the CRM data and the internal network78.
CISA-JPN 試験問題 307
ファイアウォール ルールを評価する際に、IS 監査人が最初に考慮すべき事項は次のうちどれですか?
正解: A
This should be the first thing that an IS auditor considers when evaluating firewall rules, because it defines the objectives, standards, and guidelines for securing the organization's network and information assets. The firewall rules should be aligned with the organization's security policy, and reflect the level of risk and protection required for each type of network traffic, system, or data. The IS auditor should compare the firewall rules with the security policy, and identify any discrepancies, gaps, or conflicts that could compromise the security or performance of the network.
The other options are not as important as the organization's security policy when evaluating firewall rules:
* The number of remote nodes. This is a factor that may affect the complexity and scalability of the firewall rules, but it is not a primary consideration for the IS auditor. Remote nodes are devices or systems that connect to the network from outside locations, such as teleworkers, mobile users, or branch offices. The IS auditor should ensure that the firewall rules provide adequate security and access control for remote nodes, but this depends on the organization's security policy and business needs.
* The firewalls' default settings. These are the predefined configurations that come with the firewall devices or software, and that determine how they handle network traffic by default. The IS auditor should review the firewalls' default settings, and verify that they are appropriate and secure for the organization's network environment. However, the firewalls' default settings may not match the organization's security policy or specific requirements, and may need to be customized or overridden by firewall rules.
* The physical location of the firewalls. This is a factor that may affect the placement and design of the firewall rules, but it is not a critical consideration for the IS auditor. The physical location of the firewalls refers to where they are installed or deployed in relation to the network topology, such as at the network perimeter, between network segments, or on individual hosts. The IS auditor should ensure that the firewall rules are consistent and coordinated across different locations, but this depends on the organization's security policy and network architecture.
The other options are not as important as the organization's security policy when evaluating firewall rules:
* The number of remote nodes. This is a factor that may affect the complexity and scalability of the firewall rules, but it is not a primary consideration for the IS auditor. Remote nodes are devices or systems that connect to the network from outside locations, such as teleworkers, mobile users, or branch offices. The IS auditor should ensure that the firewall rules provide adequate security and access control for remote nodes, but this depends on the organization's security policy and business needs.
* The firewalls' default settings. These are the predefined configurations that come with the firewall devices or software, and that determine how they handle network traffic by default. The IS auditor should review the firewalls' default settings, and verify that they are appropriate and secure for the organization's network environment. However, the firewalls' default settings may not match the organization's security policy or specific requirements, and may need to be customized or overridden by firewall rules.
* The physical location of the firewalls. This is a factor that may affect the placement and design of the firewall rules, but it is not a critical consideration for the IS auditor. The physical location of the firewalls refers to where they are installed or deployed in relation to the network topology, such as at the network perimeter, between network segments, or on individual hosts. The IS auditor should ensure that the firewall rules are consistent and coordinated across different locations, but this depends on the organization's security policy and network architecture.
CISA-JPN 試験問題 308
継続的な監査に最も適しているのはどれですか?
正解: B
Continuous auditing is a method of performing audit-related activities on a real-time or near real-time basis.
Continuous auditing is best suited for real-time transactions, such as online banking, e-commerce, or electronic funds transfer, that require immediate verification and assurance. Low-value transactions are not necessarily suitable for continuous auditing, as they may not pose significant risks or require frequent monitoring. Irregular transactions are not suitable for continuous auditing, as they may not occur frequently or consistently enough to justify the use of continuous auditing techniques. Manual transactions are not suitable for continuous auditing, as they may not be captured or processed by automated systems that enable continuous auditing. References:
* CISA Review Manual, 27th Edition, pages 307-3081
* CISA Review Questions, Answers & Explanations Database, Question ID: 253
Continuous auditing is best suited for real-time transactions, such as online banking, e-commerce, or electronic funds transfer, that require immediate verification and assurance. Low-value transactions are not necessarily suitable for continuous auditing, as they may not pose significant risks or require frequent monitoring. Irregular transactions are not suitable for continuous auditing, as they may not occur frequently or consistently enough to justify the use of continuous auditing techniques. Manual transactions are not suitable for continuous auditing, as they may not be captured or processed by automated systems that enable continuous auditing. References:
* CISA Review Manual, 27th Edition, pages 307-3081
* CISA Review Questions, Answers & Explanations Database, Question ID: 253
CISA-JPN 試験問題 309
IS 監査でファイアウォールが多数の攻撃試行を認識できなかったことが判明した場合、監査人の最善の推奨事項は、ファイアウォールと次のものの間に侵入検知システム (IDS) を配置することです。
正解: D
The best recommendation is to place an intrusion detection system (IDS) between the firewall and the Internet. An IDS is a device or software that monitors network traffic for malicious activity and alerts the network administrator or takes preventive action. By placing an IDS between the firewall and the Internet, the IS auditor can enhance the security of the network perimeter and detect any attack attempts that the firewall was unable to recognize.
The other options are not as effective as placing an IDS between the firewall and the Internet:
* Placing an IDS between the firewall and the organization's web server would not protect the web server from external attacks that bypass the firewall. The web server should be placed in a demilitarized zone (DMZ), which is a separate network segment that isolates public-facing servers from the internal network.
* Placing an IDS between the firewall and the demilitarized zone (DMZ) would not protect the DMZ from external attacks that bypass the firewall. The DMZ should be protected by twofirewalls, one facing the Internet and one facing the internal network, with an IDS monitoring both sides of each firewall.
* Placing an IDS between the firewall and the organization's network would not protect the organization' s network from external attacks that bypass the firewall. The organization's network should be protected by a firewall that blocks unauthorized traffic from entering or leaving the network, with an IDS monitoring both sides of the firewall.
The other options are not as effective as placing an IDS between the firewall and the Internet:
* Placing an IDS between the firewall and the organization's web server would not protect the web server from external attacks that bypass the firewall. The web server should be placed in a demilitarized zone (DMZ), which is a separate network segment that isolates public-facing servers from the internal network.
* Placing an IDS between the firewall and the demilitarized zone (DMZ) would not protect the DMZ from external attacks that bypass the firewall. The DMZ should be protected by twofirewalls, one facing the Internet and one facing the internal network, with an IDS monitoring both sides of each firewall.
* Placing an IDS between the firewall and the organization's network would not protect the organization' s network from external attacks that bypass the firewall. The organization's network should be protected by a firewall that blocks unauthorized traffic from entering or leaving the network, with an IDS monitoring both sides of the firewall.
CISA-JPN 試験問題 310
組織のエンタープライズ リスク管理 (ERM) プログラムの責任者は誰ですか?
正解: D
- 他のバージョン
- 3049ISACA.CISA-JPN.v2025-06-30.q593
- 1118ISACA.CISA-JPN.v2025-06-05.q596
- 2110ISACA.CISA-JPN.v2023-04-10.q297
- 1982ISACA.CISA-JPN.v2023-04-03.q306
- 2119ISACA.CISA-JPN.v2023-03-20.q319
- 2170ISACA.CISA-JPN.v2022-08-01.q273
- 2234ISACA.CISA-JPN.v2022-05-28.q253
- 最新アップロード
- 102Peoplecert.MSP-Practitioner.v2026-06-24.q75
- 157PaloAltoNetworks.SecOps-Generalist.v2026-06-23.q81
- 141NetworkAppliance.NS0-005.v2026-06-23.q110
- 136Google.Generative-AI-Leader.v2026-06-23.q31
- 138Google.Google-Workspace-Administrator.v2026-06-23.q111
- 168Databricks.Databricks-Certified-Professional-Data-Engineer.v2026-06-22.q208
- 174Oracle.1z0-1054-25.v2026-06-22.q64
- 136Fortinet.NSE5_FSW_AD-7.6.v2026-06-22.q41
- 144Salesforce.MC-202.v2026-06-22.q57
- 133Nutanix.NCA-6.10.v2026-06-22.q43