CISA-JPN 試験問題 486
IT 戦略文書をレビューする IS 監査人にとって、最も懸念されるのは次のどれでしょうか?
正解: C
The most concerning thing for an IS auditor reviewing an IT strategy document is that the strategic IT goals are derived solely from the latest market trends. An IT strategy document is a blueprint that defines how an organization will use technology to achieve its goals. It should be based on a thorough analysis of the organization's internal and external factors, such as its vision, mission, values, objectives, strengths, weaknesses, opportunities, threats, customers, competitors, regulations, and industry standards. An IT strategy document should also align with the organization's business strategy and reflect its unique needs and capabilities. If an IT strategy document is derived solely from the latest market trends, it may not be relevant or appropriate for the organization's specific situation. It may also lack coherence, consistency, feasibility, or sustainability.
The other options are not as concerning as option C. Target architecture is defined at a technical level is not a concern for an IS auditor reviewing an IT strategy document. Target architecture is the desired state of an organization's IT systems in terms of their structure, functionality, performance, security, interoperability, and integration. Defining target architecture at a technical level can help an IS auditor to understand how the organization plans to achieve its strategic IT goals and what technical requirements and standards it needs to follow. The previous year's IT strategic goals were not achieved is not a concern for an IS auditor reviewing an IT strategy document. The previous year's IT strategic goals are the outcomes that the organization intended to accomplish with its IT initiatives in the past year. Not achieving these goals may indicate some challenges or gaps in the organization's IT performance or execution. However, this does not necessarily affect the quality or validity of the current IT strategy document. An IS auditor should focus on evaluating whether the current IT strategy document is realistic, measurable, achievable, relevant, and time-bound.
Financial estimates of new initiatives are disclosed within the document is not a concern for an IS auditor reviewing an IT strategy document. Financial estimates are projections of the costs and benefits of new initiatives that are part of the IT strategy document. Disclosing financial estimates within the document can help an IS auditor to assess whether the new initiatives are aligned with the organization's budget and resources and whether they provide value for money. References: IT Strategy Template for a Successful Strategic Plan | Gartner, Definitive Guide to Developing an IT Strategy and Roadmap - CioPages, An Example of a Well-Developed IT Strategy Plan - Resolute
The other options are not as concerning as option C. Target architecture is defined at a technical level is not a concern for an IS auditor reviewing an IT strategy document. Target architecture is the desired state of an organization's IT systems in terms of their structure, functionality, performance, security, interoperability, and integration. Defining target architecture at a technical level can help an IS auditor to understand how the organization plans to achieve its strategic IT goals and what technical requirements and standards it needs to follow. The previous year's IT strategic goals were not achieved is not a concern for an IS auditor reviewing an IT strategy document. The previous year's IT strategic goals are the outcomes that the organization intended to accomplish with its IT initiatives in the past year. Not achieving these goals may indicate some challenges or gaps in the organization's IT performance or execution. However, this does not necessarily affect the quality or validity of the current IT strategy document. An IS auditor should focus on evaluating whether the current IT strategy document is realistic, measurable, achievable, relevant, and time-bound.
Financial estimates of new initiatives are disclosed within the document is not a concern for an IS auditor reviewing an IT strategy document. Financial estimates are projections of the costs and benefits of new initiatives that are part of the IT strategy document. Disclosing financial estimates within the document can help an IS auditor to assess whether the new initiatives are aligned with the organization's budget and resources and whether they provide value for money. References: IT Strategy Template for a Successful Strategic Plan | Gartner, Definitive Guide to Developing an IT Strategy and Roadmap - CioPages, An Example of a Well-Developed IT Strategy Plan - Resolute
CISA-JPN 試験問題 487
組織の情報セキュリティ ポリシーの正式なレビュー中に特定された次の問題のうち、組織にとって最大の潜在的リスクとなるものはどれですか。
正解: A
CISA-JPN 試験問題 488
仮想化環境にとって最も重要な制御は次のどれですか?
正解: B
The most important control for virtualized environments is hardening for the hypervisor and guest machines.
Hardening is the process of applying security measures and configurations to reduce the vulnerabilities and risks of a system or device. Hardening for the hypervisor and guest machines is essential for protecting the virtualized environments from attacks, as they are exposed to various threats from both the physical and virtual layers. Hardening for the hypervisor and guest machines involves the following steps:
* Applying the latest patches and updates for the hypervisor and guest operating systems, as well as the applications and drivers running on them.
* Configuring the firewall and network settings for the hypervisor and guest machines, to restrict and monitor the network traffic and prevent unauthorized access or communication.
* Disabling or removing any unnecessary or unused features, services, accounts, or ports on the hypervisor and guest machines, to minimize the attack surface and reduce the potential entry points for attackers.
* Enforcing strong authentication and authorization policies for the hypervisor and guest machines, to ensure that only authorized users or administrators can access or manage them.
* Encrypting the data and communication for the hypervisor and guest machines, to protect the confidentiality and integrity of the information stored or transmitted on them.
* Implementing logging and auditing mechanisms for the hypervisor and guest machines, to record and track any activities or events that occur on them, and enable detection and investigation of any incidents or anomalies.
Hardening for the hypervisor and guest machines can help prevent or mitigate common attacks on virtualized environments, such as:
* Hypervisor escape: An attack where a malicious guest machine breaks out of its isolated environment and gains access to the hypervisor or other guest machines.
* Hypervisor compromise: An attack where an attacker exploits a vulnerability or misconfiguration in the hypervisor to gain control over it or its resources.
* Guest compromise: An attack where an attacker exploits a vulnerability or misconfiguration in a guest machine to gain access to its data or applications.
* Guest impersonation: An attack where an attacker creates a fake or cloned guest machine to trick other guests or users into interacting with it.
* Guest denial-of-service: An attack where an attacker consumes or exhausts the resources of a guest machine to disrupt its availability or performance.
Therefore, hardening for the hypervisor and guest machines is the most important control for virtualized environments, as it can enhance their security, reliability, and performance. For more information about hardening for virtualized environments, you can refer to some of these web sources:
* Hypervisor security on the Azure fleet
* Chapter 2: Hardening the Hyper-V host
* Plan for Hyper-V security in Windows Server
Hardening is the process of applying security measures and configurations to reduce the vulnerabilities and risks of a system or device. Hardening for the hypervisor and guest machines is essential for protecting the virtualized environments from attacks, as they are exposed to various threats from both the physical and virtual layers. Hardening for the hypervisor and guest machines involves the following steps:
* Applying the latest patches and updates for the hypervisor and guest operating systems, as well as the applications and drivers running on them.
* Configuring the firewall and network settings for the hypervisor and guest machines, to restrict and monitor the network traffic and prevent unauthorized access or communication.
* Disabling or removing any unnecessary or unused features, services, accounts, or ports on the hypervisor and guest machines, to minimize the attack surface and reduce the potential entry points for attackers.
* Enforcing strong authentication and authorization policies for the hypervisor and guest machines, to ensure that only authorized users or administrators can access or manage them.
* Encrypting the data and communication for the hypervisor and guest machines, to protect the confidentiality and integrity of the information stored or transmitted on them.
* Implementing logging and auditing mechanisms for the hypervisor and guest machines, to record and track any activities or events that occur on them, and enable detection and investigation of any incidents or anomalies.
Hardening for the hypervisor and guest machines can help prevent or mitigate common attacks on virtualized environments, such as:
* Hypervisor escape: An attack where a malicious guest machine breaks out of its isolated environment and gains access to the hypervisor or other guest machines.
* Hypervisor compromise: An attack where an attacker exploits a vulnerability or misconfiguration in the hypervisor to gain control over it or its resources.
* Guest compromise: An attack where an attacker exploits a vulnerability or misconfiguration in a guest machine to gain access to its data or applications.
* Guest impersonation: An attack where an attacker creates a fake or cloned guest machine to trick other guests or users into interacting with it.
* Guest denial-of-service: An attack where an attacker consumes or exhausts the resources of a guest machine to disrupt its availability or performance.
Therefore, hardening for the hypervisor and guest machines is the most important control for virtualized environments, as it can enhance their security, reliability, and performance. For more information about hardening for virtualized environments, you can refer to some of these web sources:
* Hypervisor security on the Azure fleet
* Chapter 2: Hardening the Hyper-V host
* Plan for Hyper-V security in Windows Server
CISA-JPN 試験問題 489
ネットワーク経由で送信されるデータの整合性を最も効果的に保証できるのは次のどれですか?
正解: D
The most effective way to ensure the integrity of data transmitted over a network is to use a message digest. A message digest is a cryptographic function that generates a unique and fixed-length value (also known as a hash or checksum) from any input data. The message digest can be used to verify that the data has not been altered or corrupted during transmission by comparing it with the message digest generated at the destination.
Message encryption is a method of protecting the confidentiality of data transmitted over a network by transforming it into an unreadable format using a secret key. Message encryption does not ensure the integrity of data, as it does not prevent or detect unauthorized modifications. Certificate authority (CA) is an entity that issues and manages digital certificates that bind public keys to identities. CA does not ensure the integrity of data, as it does not prevent or detect unauthorized modifications. Steganography is a technique of hiding data within other data, such as images or audio files. Steganography does not ensure the integrity of data, as it does not prevent or detect unauthorized modifications. References:
* CISA Review Manual, 27th Edition, pages 383-3841
* CISA Review Questions, Answers & Explanations Database, Question ID: 258
Message encryption is a method of protecting the confidentiality of data transmitted over a network by transforming it into an unreadable format using a secret key. Message encryption does not ensure the integrity of data, as it does not prevent or detect unauthorized modifications. Certificate authority (CA) is an entity that issues and manages digital certificates that bind public keys to identities. CA does not ensure the integrity of data, as it does not prevent or detect unauthorized modifications. Steganography is a technique of hiding data within other data, such as images or audio files. Steganography does not ensure the integrity of data, as it does not prevent or detect unauthorized modifications. References:
* CISA Review Manual, 27th Edition, pages 383-3841
* CISA Review Questions, Answers & Explanations Database, Question ID: 258
CISA-JPN 試験問題 490
管理されたアプリケーション開発環境では、最も重要な職務の分離は、運用環境に変更を実装する人と、次の人の間で行う必要があります。
正解: A
In a controlled application development environment, the most important segregation of duties should be between the person who implements changes into the production environment and the application programmer. This segregation of duties ensures that no one person can create and deploy code without proper review, testing, and approval. This reduces the risk of errors, fraud, or malicious code being introduced into the production environment.
The other options are not as important as the segregation between the application programmer and the person who implements changes into production, but they are still relevant for achieving a secure and reliable application development environment. The segregation of duties between the person who implements changes into production and the systems programmer is important to prevent unauthorized or untested changes to system software or configuration. The segregation of duties between the person who implements changes into production and the computer operator is important to prevent unauthorized or uncontrolled access to production data or resources. The segregation of duties between the person who implements changes into production and the quality assurance (QA) personnel is important to ensure independent verification and validation of code quality and functionality.
References:
* ISACA CISA Review Manual 27th Edition (2019), page 247
* Segregation of Duties in an Agile Environment | AKF Partners3
* Separation of Duties: How to Conform in a DevOps World4
The other options are not as important as the segregation between the application programmer and the person who implements changes into production, but they are still relevant for achieving a secure and reliable application development environment. The segregation of duties between the person who implements changes into production and the systems programmer is important to prevent unauthorized or untested changes to system software or configuration. The segregation of duties between the person who implements changes into production and the computer operator is important to prevent unauthorized or uncontrolled access to production data or resources. The segregation of duties between the person who implements changes into production and the quality assurance (QA) personnel is important to ensure independent verification and validation of code quality and functionality.
References:
* ISACA CISA Review Manual 27th Edition (2019), page 247
* Segregation of Duties in an Agile Environment | AKF Partners3
* Separation of Duties: How to Conform in a DevOps World4
CISA-JPN プレミアム問題集
365日無料更新
専門家プレゼンツ
1588 問題と解答
Windows / Mac / Android / iOS などをサポート
最新 ISACA CISA-JPN 試験問題集は GoShiken.com のサポートで CISA-JPN 試験を合格させます!
(40%OFF 特別割引: JPNPDF)
- 他のバージョン
- 3045ISACA.CISA-JPN.v2025-06-30.q593
- 1075ISACA.CISA-JPN.v2025-06-05.q596
- 2110ISACA.CISA-JPN.v2023-04-10.q297
- 1982ISACA.CISA-JPN.v2023-04-03.q306
- 2119ISACA.CISA-JPN.v2023-03-20.q319
- 2170ISACA.CISA-JPN.v2022-08-01.q273
- 2234ISACA.CISA-JPN.v2022-05-28.q253
- 最新アップロード
- 126PaloAltoNetworks.SecOps-Generalist.v2026-06-23.q81
- 117NetworkAppliance.NS0-005.v2026-06-23.q110
- 117Google.Generative-AI-Leader.v2026-06-23.q31
- 114Google.Google-Workspace-Administrator.v2026-06-23.q111
- 164Databricks.Databricks-Certified-Professional-Data-Engineer.v2026-06-22.q208
- 150Oracle.1z0-1054-25.v2026-06-22.q64
- 132Fortinet.NSE5_FSW_AD-7.6.v2026-06-22.q41
- 135Salesforce.MC-202.v2026-06-22.q57
- 125Nutanix.NCA-6.10.v2026-06-22.q43
- 145Workday.Workday-Pro-Talent-and-Performance.v2026-06-20.q18