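CISA-JPN Exam Question 191
An organization is establishing a steering committee for the implementation of a new enterprise resource planning (ERP) system that uses an Agile project management methodology. What is the most important criterion for the composition of this committee?
Correct answer: D
CISA-JPN Exam Question 192
The primary purpose of a configuration management system is to:
Correct answer: B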
A configuration management system is a process that establishes and maintains the consistency of a product's attributes throughout its life cycle. It helps to identify and control the functional and physical characteristics of a product, and to record and report any changes to those characteristics. A configuration management system also supports the audit of the product to verify its conformance to requirements.
One of the key activities of a configuration management system is to define baselines for software. A baseline is a fixed reference point that serves as a basis for comparison and measurement. A baseline can be established for any configuration item, such as a requirement, a design document, a test plan, or a software component. A baseline helps to ensure that the software product meets its intended purpose and quality standards, and that any changes to the software are controlled and documented.
A configuration management system also supports other activities, such as tracking software updates, supporting the release procedure, and standardizing change approval, but these are not its primary purpose.
Therefore, the other options are incorrect.
References: What is configuration management - Red Hat; Configuration Management | Definition, Importance & Benefits - ServerWatch
CISA-JPN Exam Question 193
Which of the following features of a library control software package would protect against unauthorized updating of source code?
Correct answer: C
Access controls for source libraries are the features of a library control software package that would protect against unauthorized updating of source code. Access controls are the mechanisms that regulate who can access, modify, or delete the source code stored in the source libraries. Source libraries are the repositories that contain the source code files and their versions. By implementing access controls for source libraries, the library control software package can prevent unauthorized or malicious users from tampering with the source code and compromising its integrity, security, or functionality [1].
The other options are not as effective as access controls for source libraries in protecting against unauthorized updating of source code. Option A, required approvals at each life cycle step, is a good practice but may not be sufficient to prevent unauthorized updates if the approval process is bypassed or compromised. Option B, date and time stamping of source and object code, is a useful feature but may not prevent unauthorized updates if the date and time stamps are altered or ignored. Option D, release-to-release comparison of source code, is a helpful feature but may not prevent unauthorized updates if the comparison results are not reviewed or acted upon.
References:
* ISACA, CISA Review Manual, 27th Edition, 2019
* ISACA, CISA Review Questions, Answers & Explanations Database - 12 Month Subscription
* How to protect your source code from attackers2
* How to Stop Unauthorized Use of Open Source Code
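CISA-JPN Exam Question 194
An IS auditor has learned that a business owner violated the organization's security policy by creating a web page with access to production data. The auditor's next step should be to:
Correct answer: B
CISA-JPN Exam Question 195
A bank wants to outsource a system to a cloud provider located in another country. Which of the following is the most appropriate IS audit recommendation?
Correct answer: C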
A post-implementation review (PIR) is a process to evaluate whether the objectives of the project were met, determine how effectively this was achieved, learn lessons for the future, and ensure that the organisation gets the most benefit from the implementation of projects [1]. A PIR is an important tool for assessing the success and value of a project, as well as identifying the areas for improvement and best practices for future projects.
One of the key elements of a PIR is to measure the benefits of the project against the expected outcomes and benefits that were defined at the beginning of the project. Measurable benefits are the quantifiable and verifiable results or outcomes that the project delivers to the organisation or its stakeholders, such as increased revenue, reduced costs, improved quality, enhanced customer satisfaction, or compliance with regulations [2].
Measurable benefits should be aligned with the organisation's strategy, vision, and goals, and should be SMART (specific, measurable, achievable, relevant, and time-bound).
The finding that measurable benefits were not defined is of greatest significance among the four findings, because it implies that:
* The project did not have a clear and agreed-upon purpose, scope, objectives, and deliverables
* The project did not have a valid and realistic business case or justification for its initiation and implementation
* The project did not have a robust and effective monitoring and evaluation mechanism to track its progress, performance, and impact
* The project did not have a reliable and transparent way to demonstrate its value proposition and return on investment to the organisation or its stakeholders
* The project did not have a meaningful and actionable way to learn from its achievements and challenges, and to improve its processes and practices

Therefore, an IS auditor should recommend that measurable benefits are defined for any project before its implementation, and that they are reviewed and reported regularly during and after the project's completion.
The other possible findings are:
* A lessons-learned session was never conducted: This is a significant finding, but not as significant as the lack of measurable benefits. A lessons-learned session is a process of capturing and documenting the knowledge, experience, and feedback gained from a project, both positive and negative. A lessons-learned session helps to identify the strengths and weaknesses of the project management process, as well as the best practices and lessons for future projects. A lessons-learned session should be conducted at the end of each project phase or milestone, as well as at the end of the project. However, even without a formal lessons-learned session, some learning may still occur informally or implicitly among the project team members or stakeholders.
* The project's 10% budget overrun was not reported to senior management: This is a significant finding, but not as significant as the lack of measurable benefits. A budget overrun is a situation where the actual cost of a project exceeds its planned or estimated cost. A budget overrun may indicate poor planning, estimation, or control of the project resources, or unexpected changes or risks that occurred during the project implementation. A budget overrun should be reported to senior management as soon as possible, along with the reasons for it and the corrective actions taken or proposed. However, a budget overrun may not necessarily affect the quality or value of the project deliverables or outcomes if they are still within acceptable standards or expectations.
* Monthly dashboards did not always contain deliverables: This is a significant finding, but not as significant as the lack of measurable benefits. A dashboard is a visual tool that displays key performance indicators (KPIs) or metrics related to a project's progress, status, or results. A dashboard helps to monitor and communicate the performance of a project to various stakeholders in a concise and clear manner. A dashboard should include deliverables as one of its components, along with other elements such as schedule, budget, quality, risks, issues, or benefits. However, even without deliverables in monthly dashboards, some information about them may still be available from other sources such as reports or documents.
References:
* 1: The role & importance of the Post Implementation Review
* 2: What is Post-Implementation Review in Project Management?
