CISA Exam Forum (cisa考试吧)
Followers: 32 Posts: 189

  • Category:
  • Personal forum
  • 0
  • 0
    87、The ultimate purpose of IT governance is to: A、encourage optimal use of IT. B、reduce IT costs. C、decentralize IT resources across the organization. D、centralize control of IT. ANSWER: A NOTE: IT governance is intended to specify the combination of decision rights and accountability that is best for the enterprise. It is different for every enterprise. Reducing IT costs may not be the best IT governance outcome for an enterprise. Decentralizing IT resources across the organization is not always desired, although it may be desired in a decentralized environment. Centralizing control
    niricer 2-21
  • 0
    The results of the 2011.12.10 exam have been released. Let's all post screenshots and compare our exam scores.
    mmqtracy 2-4
  • 0
    100、Which of the following represents the GREATEST potential risk in an EDI environment? A、Transaction authorization B、Loss or duplication of EDI transmissions C、Transmission delay D、Deletion or manipulation of transactions prior to or after establishment of application controls ANSWER: A NOTE: Since the interaction between parties is electronic, there is no inherent authentication occurring; therefore, transaction authorization is the greatest risk. Choices B and D are examples of risks, but the impact is not as great as that of unauthorized transactions. Transmission delays may ter
    mmqtracy 1-29
  • 0
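    China Mobile information security practice training successfully completed. Time: 2011-12-29 11:58:22. On December 19-23, 2011, Shanghai Huizhe Technology (汇哲科技), following the requirements of China Mobile's internal information security practice training project, successfully completed this training service. The overall trainee evaluation survey showed satisfaction above 90%, and the training quality was highly recognized by the client. For this training, Huizhe Technology sent Ma Qing (马庆) as its lead instructor, together with supporting staff, to deliver the course on site at China Mobile! We thank all the trainees who took part and China Mobile for its strong support and cooperation! Huizhe will continue to support follow-up study afterwards! Through five days of on-site training and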
    mmqtracy 1-29
  • 1
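    艳娇<luling77lyj@hotmail.com> 9:29:38 Guomeng (国盟) CISA Daily Question, January 17: An enterprise ultimately decides to purchase a commercial software package directly rather than develop one. In that case, the design and development phases of the traditional software development life cycle (SDLC) are replaced by: A、selection and configuration phases B、feasibility study and requirements definition phases C、implementation and testing phases D、(nothing; no replacement is needed) With respect to business continuity strategies, an IS auditor interviews key stakeholders in an organization to determine whether they understand their roles and responsibilities. The IS auditor is attempting to evaluate the: A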
    mmqtracy 1-19
  • 1
    Shanghai-Huizhe Training (上海-汇哲培训) (1662514988) 9:22:04 Guomeng (国盟) CISA Daily Question, January 18: Which of the following BEST ensures the integrity of a server's operating system? A、Keeping (protecting) the server in a secure location B、Setting a boot password C、Hardening the server configuration D、Implementing activity logging In reviewing the IS short-range (tactical) plan, an IS auditor should determine whether: A、there is an integration of IS and business staffs within projects. B、there is a clear definition of the IS mission and vision. C、a strategic information technology planning methodology is in place. D、the plan correlates business
    mmqtracy 1-19
  • 0
    101、An IS auditor performing a review of the backup processing facilities should be MOST concerned that: A、adequate fire insurance exists. B、regular hardware maintenance is performed. C、offsite storage of transaction and master files exists. D、backup processing facilities are fully tested. ANSWER: C NOTE: Adequate fire insurance and fully tested backup processing facilities are important elements for recovery, but without the offsite storage of transaction and master files, it is generally impossible to recover. Regular hardware maintenance does not relate to recovery.
    mmqtracy 1-17
  • 0
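    Shanghai Huizhe Information Technology Co., Ltd. (上海汇哲信息科技有限公司) is running training courses for CISA, CISSP, CISP, COBIT, ITIL V3 and more. CISA (Certified Information Systems Auditor) applied practice and exam preparation course. Dates: March 3-7, 2012 in Shanghai; March 14-18, 2012 in Shenzhen; March 21-25, 2012 in Beijing. CISSP (Certified Information Systems Security Professional) training course. Dates: February 22-26, 2012 in Shanghai; March 14-18, 2012 in Beijing; March 21-25, 2012 in Shanghai. Hands-on courses: IT audit practice: March 16-18, 2012. Information security testing and security hardening practice course: March 24-26, 2012. Discounts: for the courses above, register one month in advance for 800 off, or two weeks in advance for 500 off.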
    mmqtracy 1-17
  • 0
    98、The PRIMARY objective of performing a postincident review is that it presents an opportunity to: A、improve internal control procedures. B、harden the network to industry best practices. C、highlight the importance of incident response management to management. D、improve employee awareness of the incident response process. ANSWER: A NOTE: A postincident review examines both the cause and response to an incident. The lessons learned from the review can be used to improve internal controls. Understanding the purpose and structure of postincident reviews and follow-up procedures enables
  • 0
    86、The database administrator (DBA) suggests that DB efficiency can be improved by denormalizing some tables. This would result in: A、loss of confidentiality. B、increased redundancy. C、unauthorized accesses. D、application malfunctions. ANSWER: B NOTE: Normalization is a design or optimization process for a relational database (DB) that minimizes redundancy; therefore, denormalization would increase redundancy. Redundancy which is usually considered positive when it is a question of resource availability is negative in a database environment, since it demands additional and otherwise
  • 0
    85、Disaster recovery planning (DRP) addresses the: A、technological aspect of business continuity planning. B、operational piece of business continuity planning. C、functional aspect of business continuity planning. D、overall coordination of business continuity planning. ANSWER: A NOTE: Disaster recovery planning (DRP) is the technological aspect of business continuity planning. Business resumption planning addresses the operational part of business continuity planning.
  • 0
    84、Which of the following is a feature of Wi-Fi Protected Access (WPA) in wireless networks? A、Session keys are dynamic B、Private symmetric keys are used C、Keys are static and shared D、Source addresses are not encrypted or authenticated ANSWER: A NOTE: WPA uses dynamic session keys, achieving stronger encryption than wireless encryption privacy (WEP), which operates with static keys (same key is used for everyone in the wireless network). All other choices are weaknesses of WEP.
  • 0
    83、A financial institution that processes millions of transactions each day has a central communications processor (switch) for connecting to automated teller machines (ATMs). Which of the following would be the BEST contingency plan for the communications processor? A、Reciprocal agreement with another organization B、Alternate processor in the same location C、Alternate processor at another network node D、Installation of duplex communication links ANSWER: C NOTE: The unavailability of the central communications processor would disrupt all access to the banking network. This could be c
  • 0
    81、Which of the following is an example of a passive attack initiated through the Internet? A、Traffic analysis B、Masquerading C、Denial of service D、E-mail spoofing ANSWER: A NOTE: Internet security threats/vulnerabilities are divided into passive and active attacks. Examples of passive attacks include network analysis, eavesdropping and traffic analysis. Active attacks include brute force attacks, masquerading, packet replay, message modification, unauthorized access through the Internet or web-based services, denial-of-service attacks, dial-in penetration attacks, e-mail bombing and spa
  • 0
    80、Which of the following methods of suppressing a fire in a data center is the MOST effective and environmentally friendly? A、Halon gas B、Wet-pipe sprinklers C、Dry-pipe sprinklers D、Carbon dioxide gas ANSWER: C NOTE: Water sprinklers, with an automatic power shutoff system, are accepted as efficient because they can be set to automatic release without threat to life, and water is environmentally friendly. Sprinklers must be dry-pipe to prevent the risk of leakage. Halon is efficient and effective as it does not threaten human life and, therefore, can be set to automatic release, but
  • 0
    79、The rate of change in technology increases the importance of: A、outsourcing the IS function. B、implementing and enforcing good processes. C、hiring personnel willing to make a career within the organization. D、meeting user requirements. ANSWER: B NOTE: Change requires that good change management processes be implemented and enforced. Outsourcing the IS function is not directly related to the rate of technological change. Personnel in a typical IS department are highly qualified and educated; usually they do not feel their jobs are at risk and are prepared to switch jobs frequently.
  • 0
    78、What is the BEST backup strategy for a large database with data supporting online sales? A、Weekly full backup with daily incremental backup B、Daily full backup C、Clustered servers D、Mirrored hard disks ANSWER: A NOTE: Weekly full backup and daily incremental backup is the best backup strategy; it ensures the ability to recover the database and yet reduces the daily backup time requirements. A full backup normally requires a couple of hours, and therefore it can be impractical to conduct a full backup every day. Clustered servers provide a redundant processing capability, but are n
  • 0
    77、Functionality is a characteristic associated with evaluating the quality of software products throughout their life cycle, and is BEST described as the set of attributes that bear on the: A、existence of a set of functions and their specified properties. B、ability of the software to be transferred from one environment to another. C、capability of software to maintain its level of performance under stated conditions. D、relationship between the performance of the software and the amount of resources used. ANSWER: A NOTE: Functionality is the set of attributes that bears on the existen
  • 0
    76、Which of the following would BEST ensure continuity of a wide area network (WAN) across the organization? A、Built-in alternative routing B、Completing full system backup daily C、A repair contract with a service provider D、A duplicate machine alongside each server ANSWER: A NOTE: Alternative routing would ensure the network would continue if a server is lost or if a link is severed as message rerouting could be automatic. System backup will not afford immediate protection. The repair contract is not as effective as permanent alternative routing. Standby servers will not provide cont
  • 0
    74、Which of the following is widely accepted as one of the critical components in networking management? A、Configuration management B、Topological mappings C、Application of monitoring tools D、Proxy server troubleshooting ANSWER: A NOTE: Configuration management is widely accepted as one of the key components of any network, since it establishes how the network will function internally and externally. It also deals with the management of configuration and monitoring performance. Topological mappings provide outlines of the components of the network and its connectivity. Application mon
  • 0
    72、In addition to the backup considerations for all systems, which of the following is an important consideration in providing backup for online systems? A、Maintaining system software parameters B、Ensuring periodic dumps of transaction logs C、Ensuring grandfather-father-son file backups D、Maintaining important data at an offsite location ANSWER: B NOTE: Ensuring periodic dumps of transaction logs is the only safe way of preserving timely historical data. The volume of activity usually associated with an online system makes other more traditional methods of backup impractical.
  • 0
    71、Change control for business application systems being developed using prototyping could be complicated by the: A、iterative nature of prototyping. B、rapid pace of modifications in requirements and design. C、emphasis on reports and screens. D、lack of integrated tools. ANSWER: B NOTE: Changes in requirements and design happen so quickly that they are seldom documented or approved. Choices A, C and D are characteristics of prototyping, but they do not have an adverse effect on change control.
  • 0
    70、During the requirements definition phase of a software development project, the aspects of software testing that should be addressed are developing: A、test data covering critical applications. B、detailed test plans. C、quality assurance test specifications. D、user acceptance testing specifications. ANSWER: D NOTE: A key objective in any software development project is to ensure that the developed software will meet the business objectives and the requirements of the user. The users should be involved in the requirements definition phase of a development project and user acceptance
  • 0
    69、An organization has implemented a disaster recovery plan. Which of the following steps should be carried out next? A、Obtain senior management sponsorship. B、Identify business needs. C、Conduct a paper test. D、Perform a system restore test. ANSWER: C NOTE: A best practice would be to conduct a paper test. Senior management sponsorship and business needs identification should have been obtained prior to implementing the plan. A paper test should be conducted first, followed by system or full testing.
  • 0
    67、The PRIMARY objective of a logical access control review is to: A、review access controls provided through software. B、ensure access is granted per the organization's authorities. C、walk through and assess the access provided in the IT environment. D、provide assurance that computer hardware is adequately protected against abuse. ANSWER: B NOTE: The scope of a logical access control review is primarily to determine whether or not access is granted per the organization's authorizations. Choices A and C relate to procedures of a logical access control review, rather than objectives. C
  • 0
    66、When a new system is to be implemented within a short time frame, it is MOST important to: A、finish writing user manuals. B、perform user acceptance testing. C、add last-minute enhancements to functionalities. D、ensure that the code has been documented and reviewed. ANSWER: B NOTE: It would be most important to complete the user acceptance testing to ensure that the system to be implemented is working correctly. The completion of the user manuals is similar to the performance of code reviews. If time is tight, the last thing one would want to do is add another enhancement, as it wou
  • 0
    65、A lower recovery time objective (RTO) results in: A、higher disaster tolerance. B、higher cost. C、wider interruption windows. D、more permissive data loss. ANSWER: B NOTE: A recovery time objective (RTO) is based on the acceptable downtime in case of a disruption of operations. The lower the RTO, the higher the cost of recovery strategies. The lower the disaster tolerance, the narrower the interruption windows, and the lesser the permissive data loss.
  • 0
    63、The output of the risk management process is an input for making: A、business plans. B、audit charters. C、security policy decisions. D、software design decisions. ANSWER: C NOTE: The risk management process is about making specific, security-related decisions, such as the level of acceptable risk. Choices A, B and D are not ultimate goals of the risk management process.
  • 0
    62、A retail outlet has introduced radio frequency identification (RFID) tags to create unique serial numbers for all products. Which of the following is the PRIMARY concern associated with this initiative? A、Issues of privacy B、Wavelength can be absorbed by the human body C、RFID tags may not be removable D、RFID eliminates line-of-sight reading ANSWER: A NOTE: The purchaser of an item will not necessarily be aware of the presence of the tag. If a tagged item is paid for by credit card, it would be possible to tie the unique ID of that item to the identity of the purchaser. Privacy vio
  • 0
    61、What process uses test data as part of a comprehensive test of program controls in a continuous online manner? A、Test data/deck B、Base-case system evaluation C、Integrated test facility (ITF) D、Parallel simulation ANSWER: B NOTE: A base-case system evaluation uses test data sets developed as part of comprehensive testing programs. It is used to verify correct systems operations before acceptance, as well as periodic validation. Test data/deck simulates transactions through real programs. An ITF creates fictitious files in the database with test transactions processed simultaneously
  • 0
    59、A decision support system (DSS): A、is aimed at solving highly structured problems. B、combines the use of models with nontraditional da
  • 0
    57、Which of the following antivirus software implementation strategies would be the MOST effective in an interconnected corporate network?
  • 0
    56、In an online banking application, which of the following would BEST protect against identity theft? A、Encryption of personal password B
  • 0
    55、An IS auditor finds out-of-range data in some tables of a database. Which of the following controls should the IS auditor recommend to a
  • 0
    54、A company uses a bank to process its weekly payroll. Time sheets and payroll adjustment forms (e.g., hourly rate changes, terminations)
  • 0
    53、The use of digital signatures: A、requires the use of a one-time password generator. B、provides encryption to a message. C、validates t
  • 0
    52、Which of the following is the PRIMARY objective of an IT performance measurement process? A、Minimize errors B、Gather performance data
  • 0
    Mainland China 6620 Beijing 6635 Guangzhou 6640 Nanjing 6650 Shanghai 6680 Shenzhen
    汶海洳 12-30
  • 0
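    There are no eligibility restrictions; anyone may register for the exam, but after passing it you must apply for the CISA credential! To become a Certified Information Systems Auditor, an applicant must: 1. Achieve a passing score on the CISA exam. Passing only the CIS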
    汶海洳 12-30
  • 0
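    CISA exam questions cover the five knowledge domains in the exam outline published by ISACA, but they are not grouped by domain. The scope covers the five job practice domains created from the most recent CISA job practice analysis. The following practice domains and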
    汶海洳 12-30
  • 0
    50、Which of the following is BEST suited for secure communications within a small group? A、Key distribution center B、Certification author
  • 0
    49、Which of the following is a risk of cross-training? A、Increases the dependence on one employee B、Does not assist in succession plannin
  • 0
    48、To ensure that audit resources deliver the best value to the organization, the FIRST step would be to: A、schedule the audits and monito
  • 0
    47、In a small organization, an employee performs computer operations and, when the situation demands, program modifications. Which of the f
  • 0
    46、During the review of a web-based software development project, an IS auditor realizes that coding standards are not enforced and code re
