CISA-JPN Exam Question 336
An IS auditor has concluded that an organization has a high-quality security policy. Which of the following is the MOST important thing to determine next? The policy must be:
Correct answer: A
The most important thing to determine next after concluding that an organization has a quality security policy is whether the policy is well understood by all employees. A security policy is a document that defines the objectives, scope, roles, responsibilities, and rules for information security within an organization. A quality security policy is one that is clear, concise, consistent, comprehensive, and aligned with business goals and requirements. However, a quality security policy is useless if it is not well understood by all employees who are expected to comply with it. Therefore, the IS auditor should assess the level of awareness and understanding of the security policy among employees and identify any gaps or issues that need to be addressed. The other options are not as important as ensuring that the security policy is well understood by all employees, as they do not directly affect the implementation and effectiveness of the security policy. References: CISA Review Manual, 27th Edition, page 317
CISA-JPN Exam Question 337
What is the MOST effective way to detect the installation of unauthorized software packages by employees?
Correct answer: A
Regular scanning of hard drives is the most effective way to detect installation of unauthorized software packages by employees because it can identify any software that is not approved by the organization and may pose a security risk or violate the software policy. Communicating the policy to employees is important, but it may not prevent or detect unauthorized software installation. Logging of activity on the network can monitor network traffic, but it may not capture all software installation events. Maintaining current antivirus software can protect the system from malicious software, but it may not detect all unauthorized software packages. References:
* ISACA, CISA Review Manual, 27th Edition, 2020, p. 2381
* ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
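The explanation above says that regular scanning of hard drives works because it surfaces software the organization has not approved. The following is an added example, not from the page or from ISACA, of the comparison step such a scan performs: it parses a host's installed-package inventory and reports every package that is absent from an approved baseline, or installed at a version the baseline does not allow. The inventory lines and the approved list are constructed for illustration; a real deployment would feed in the output of the platform's package manager and the organization's own software baseline.

```python
"""Compare an installed-package inventory against an approved-software baseline.

Added example (not from the original page). The inventory format assumed here is
one "name<TAB>version" line per package, the shape you get from e.g.
    dpkg-query -W -f='${Package}\t${Version}\n'
Both the inventory and the baseline below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed sample inventory from one host (not real scan output).
SAMPLE_INVENTORY = """\
openssh-server\t1:9.2p1-2
libreoffice-writer\t4:7.4.7-1
nmap\t7.93+dfsg1-1
curl\t7.88.1-10
wireshark\t4.0.11-1
"""

# Constructed approved baseline: package -> set of allowed versions.
# An empty set means any version of that package is acceptable.
APPROVED = {
    "openssh-server": set(),
    "libreoffice-writer": {"4:7.4.7-1"},
    "curl": {"7.88.1-10"},
}


@dataclass(frozen=True)
class Finding:
    """One unauthorized package observed on the host."""
    package: str
    version: str
    reason: str


def parse_inventory(text):
    """Parse tab-separated 'name<TAB>version' lines into a dict."""
    packages = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        name, sep, version = line.partition("\t")
        if not sep or not name or not version:
            raise ValueError(f"malformed inventory line: {raw!r}")
        packages[name] = version.strip()
    return packages


def find_unauthorized(installed, approved):
    """Return findings for packages missing from, or mis-versioned against, the baseline."""
    findings = []
    for name, version in sorted(installed.items()):
        if name not in approved:
            findings.append(Finding(name, version, "not in approved list"))
        elif approved[name] and version not in approved[name]:
            findings.append(Finding(name, version, "version not approved"))
    return findings


def scan(inventory_text, approved=APPROVED):
    """Convenience wrapper: parse the inventory and evaluate it against the baseline."""
    return find_unauthorized(parse_inventory(inventory_text), approved)


if __name__ == "__main__":
    for finding in scan(SAMPLE_INVENTORY):
        print(f"{finding.package} {finding.version}: {finding.reason}")
```

Running the block on the constructed inventory reports nmap and wireshark as not on the approved list; the version check is what turns a bare "is it installed?" scan into one that also catches approved software installed from an unapproved build.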
CISA-JPN Exam Question 338
During which phase of the penetration testing cycle does the tester attempt to gain access to the target system by using the identified vulnerabilities?
Correct answer: B
Comprehensive and Detailed Step-by-Step Explanation:
Exploitation is the phase where testers leverage identified vulnerabilities to gain unauthorized access to systems.
* Exploitation (Correct Answer - B)
* Attackers use techniques such as SQL injection, buffer overflow, or privilege escalation.
* Example: A tester exploits a weak password to gain admin access.
* Exfiltration (Incorrect - A)
* The process of stealing data after gaining access.
* Reconnaissance (Incorrect - C)
* The initial stage where attackers gather information about the target.
* Scanning (Incorrect - D)
* Involves identifying open ports and services but does not involve actual attacks.
References:
* ISACA CISA Review Manual
* NIST 800-115 (Technical Guide to Security Testing)
CISA-JPN Exam Question 339
The CFO has requested an audit of IT capacity management because the financial system slowed down repeatedly during month-end reporting. What is the MOST important thing to consider before including this audit in the program?
Correct answer: B
The most important thing to consider before including an audit of IT capacity management in the program is whether the system's performance poses a significant risk to the organization. IT capacity management is a process that ensures that IT resources are sufficient to meet current and future business needs, and that they are optimized for cost and performance. Poor IT capacity management can result in system slowdowns, outages, failures, or breaches, which can affect the availability, reliability, security, and efficiency of IT services and business processes. Therefore, before conducting an audit of IT capacity management, the auditor should assess the potential impact and likelihood of these risks on the organization's objectives, reputation, compliance, and customer satisfaction.
Whether system delays result in more frequent use of manual processing (option A) is not the most important thing to consider before including an audit of IT capacity management in the program, as it is only one possible consequence of poor IT capacity management. Manual processing can introduce errors, delays, inefficiencies, and inconsistencies in the data and reports, which can affect the quality and accuracy of financial information. However, manual processing is not the only or the worst outcome of poor IT capacity management; there may be other more severe or frequent risks that need to be considered.
Whether stakeholders are committed to assisting with the audit (option C) is also not the most important thing to consider before including an audit of IT capacity management in the program, as it is a factor that affects the feasibility and effectiveness of the audit, not the necessity or priority of it. Stakeholder commitment is important for ensuring that the auditor has access to relevant information, documents, data, and personnel, as well as for facilitating communication, collaboration, and feedback during the audit process. However, stakeholder commitment is not a sufficient reason to conduct an audit of IT capacity management; there must be a clear risk-based rationale for selecting this area for audit.
Whether internal auditors have the required skills to perform the audit (option D) is also not the most important thing to consider before including an audit of IT capacity management in the program, as it is a factor that affects the quality and credibility of the audit, not the urgency or importance of it. Internal auditors should have the appropriate knowledge, skills, and experience to perform an audit of IT capacity management, which may include technical, business, analytical, and communication skills. However, internal auditors can also acquire or supplement these skills through training, coaching, consulting, or outsourcing. Therefore, internal auditors' skills are not a decisive factor for choosing this area for audit.
Therefore, option B is the correct answer.
References:
* Guide to IT Capacity Management | Smartsheet
* ISO 27001 capacity management: How to implement control A.12.1.3 - Advisera
* ISO 27002:2022 - Control 8.6 - Capacity Management
CISA-JPN Exam Question 340
Which of the following is a corrective control?
Correct answer: D
A corrective control is a control that aims to restore normal operations after a disruption or incident has occurred. Executing emergency response plans is an example of a corrective control, as it helps to mitigate the impact of an incident and resume business functions. Separating equipment development testing and production is a preventive control, as it helps to avoid errors or unauthorized changes in production systems.
Verifying duplicate calculations in data processing is a detective control, as it helps to identify errors or anomalies in data processing. Reviewing user access rights for segregation is also a detective control, as it helps to detect any violations of segregation of duties principles. References: ISACA, CISA Review Manual, 27th Edition, 2018, page 64
