Original poster: cisamaqing

CISA/CISM Certification Study Discussion Area

111#
Posted on 2008-4-2 17:24

Document retention

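I got the following question wrong. When setting document retention periods, I generally consider the legal requirements for finance and accounting first, and then set the retention periods for other software and documents according to project requirements. Should business requirements still be considered first? In the CISA questions I did before, the hints always said that statutory requirements take top priority.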

112#
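Posted on 2008-4-20 22:35
Yeah, business requirements come first.

In principle, business requirements presumably wouldn't go against the law or anything like that.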

113#
Posted on 2008-4-22 09:05
Learning from everyone!!!

114#
Posted on 2008-4-25 15:43
88. Prices are charged on the basis of a standard master file rate that changes as the volume increases. Any exceptions must be manually approved. What is the MOST effective automated control to help ensure that all price exceptions are approved?


A. All amounts are displayed back to the data entry clerk, who must verify them visually.
B. Prices outside the normal range should be entered twice to verify data entry accuracy.
C. The system beeps when price exceptions are entered and prints such occurrences on a report.
D. A second-level password must be entered before a price exception can be processed.

The correct answer is:
D. A second-level password must be entered before a price exception can be processed.

Explanation:
Automated control should ensure that the system processes the price exceptions only upon approval of another user who is authorized to approve such exceptions. A second-level password would ensure that price exceptions will be approved by a user who has been authorized by management. Visual verification of all amounts by a data entry clerk is not a control, but a basic requirement for any data entry. The user's ability to visually verify what has been entered is a basic manual control. Entering of price exceptions twice is an input control. This does not ensure that exceptions will be verified automatically by another user. The system beeping on entry of a price exception is only a warning to the data entry clerk; it does not prevent proceeding further. Printing of these exceptions on a report is a detective (manual) control.
-----
The second-level password entry here doesn't seem to be an automated control. Does it count as a manual control?

115#
Posted on 2008-4-25 16:27
Originally posted by bacchusluo on 2008-4-25 15:43
88. Prices are charged on the basis of a standard master file rate that changes as the volume increases. Any exceptions must be manually approved. What is the MOST effective automated control to help ensure that all price exceptions are approved?


A. All amounts are displayed back to the data entry clerk, who must verify them visually.
B. Prices outside the normal range should be entered twice to verify data entry accuracy.
C. The system beeps when price exceptions are entered and prints such occurrences on a report.
D. A second-level password must be entered before a price exception can be processed.

The correct answer is:
D. A second-level password must be entered before a price exception can be processed.

Explanation:
Automated control should ensure that the system processes the price exceptions only upon approval of another user who is authorized to approve such exceptions. A second-level password would ensure that price exceptions will be approved by a user who has been authorized by management. Visual verification of all amounts by a data entry clerk is not a control, but a basic requirement for any data entry. The user's ability to visually verify what has been entered is a basic manual control. Entering of price exceptions twice is an input control. This does not ensure that exceptions will be verified automatically by another user. The system beeping on entry of a price exception is only a warning to the data entry clerk; it does not prevent proceeding further. Printing of these exceptions on a report is a detective (manual) control.
-----
The second-level password entry here doesn't seem to be an automated control. Does it count as a manual control?


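"A second-level password must be entered before a price exception can be processed" means that when this situation occurs, the system will require a second-level password to be entered. In practice, this password is usually entered by the operator's supervisor, not by the operator. As for saying that entering the password is a manual control, that seems like splitting hairs. The password entry itself is not the most important thing; the key to the control is that "a second-level password must be entered when an exception occurs", and this request for input is itself made by the system.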

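The control discussed in question 88, sketched as an added example that is not part of the thread or the exam material: the system itself refuses to process a price exception until a second, authorized user supplies the second-level password. The rate table, user names, password and function names are all constructed for illustration.

```python
import hashlib
import hmac

# Constructed master file: (minimum volume, unit price in cents).
MASTER_RATES = [(0, 1000), (100, 900), (1000, 800)]
SALT = b"constructed-salt"


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed approver list: users management has authorized to approve exceptions.
APPROVERS = {"supervisor1": pw_hash("constructed-second-level-password")}
AUDIT_LOG = []  # every exception attempt is recorded, approved or not


def master_rate(volume: int) -> int:
    """Standard price for this volume: the highest tier whose minimum is met."""
    return max(t for t in MASTER_RATES if t[0] <= volume)[1]


def process_order(clerk, volume, price, approver=None, second_password=""):
    """Process an order; a price exception is rejected unless a second,
    authorized user (not the clerk) supplies the second-level password."""
    standard = master_rate(volume)
    if price == standard:
        return {"price": price, "exception": False, "approved_by": None}
    stored = APPROVERS.get(approver)
    ok = (stored is not None and approver != clerk
          and hmac.compare_digest(pw_hash(second_password), stored))
    AUDIT_LOG.append((clerk, volume, price, standard, approver, ok))
    if not ok:
        # Preventive: unlike a beep or a report, processing stops here.
        raise PermissionError("price exception not approved; order not processed")
    return {"price": price, "exception": True, "approved_by": approver}
```

The person types the password, but the check that triggers the request and blocks the transaction is enforced by the system, which is the distinction the reply above draws.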
116#
Posted on 2008-5-10 20:58
Great thread, bookmarked~~~

117#
Posted on 2008-5-16 16:06

A question

80. Which of the following ensures a sender's authenticity and an e-mail's confidentiality?


A. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key
B. The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key
C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key
D. Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key

The correct answer is:
C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key


Explanation:
To ensure authenticity and confidentiality, a message must be encrypted twice—first with the sender's private key and second with the receiver's public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the sender's private key enables anyone to decrypt it.
------
How does the receiver obtain the sender's public key? And why does it say "Encrypting the message with the sender's private key enables anyone to decrypt it"? Thanks in advance.

118#
Posted on 2008-5-16 18:03

Translation

131. Sending a message and a message hash encrypted by the sender's private key will ensure:


A. authenticity and integrity.
B. authenticity and privacy.
C. integrity and privacy.
D. privacy and nonrepudiation.

The correct answer is:
A. authenticity and integrity.


Explanation:
If the sender sends both a message and a message hash encrypted by its private key, then the receiver can apply the sender's public key to the hash and get the message hash. The receiver can apply the hashing algorithm to the message received and generate a hash. By matching the generated hash with the one received, the receiver is ensured that the message has been sent by the specific sender, i.e., authenticity, and that the message has not been changed enroute. Authenticity and privacy will be ensured by using first the sender's private key and then the receiver's public key to encrypt the message. Privacy and integrity can be ensured by using the receiver's public key to encrypt the message and sending a message hash/digest. Only nonrepudiation can be ensured by using the sender's private key to encrypt the message. The sender's public key, available to anyone, can decrypt a message; thus, it does not ensure privacy.

-----
Can anyone translate this explanation paragraph? It makes my head spin~~~

119#
Posted on 2008-5-26 11:52
Originally posted by bacchusluo on 2008-5-16 16:06
80. Which of the following ensures a sender's authenticity and an e-mail's confidentiality?


A. Encrypting the hash of the message with the sender's private key and thereafter encrypting the hash of the message with the receiver's public key
B. The sender digitally signing the message and thereafter encrypting the hash of the message with the sender's private key
C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key
D. Encrypting the message with the sender's private key and encrypting the message hash with the receiver's public key

The correct answer is:
C. Encrypting the hash of the message with the sender's private key and thereafter encrypting the message with the receiver's public key


Explanation:
To ensure authenticity and confidentiality, a message must be encrypted twice—first with the sender's private key and second with the receiver's public key. The receiver can decrypt the message, thus ensuring confidentiality of the message. Thereafter, the decrypted message can be decrypted with the public key of the sender, ensuring authenticity of the message. Encrypting the message with the sender's private key enables anyone to decrypt it.
------
How does the receiver obtain the sender's public key? And why does it say "Encrypting the message with the sender's private key enables anyone to decrypt it"? Thanks in advance.


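In PKI, a key pair consists of a public key and a private key. During communication, if you encrypt with the public key, you must decrypt with the private key; conversely, if you encrypt with the private key, you must decrypt with the public key. This is the biggest difference between asymmetric and symmetric encryption. The public key can be held by anyone, whereas the private key can in theory be held only by the owner of the key, so the receiver can freely obtain the sender's public key. For the same reason, if the message is encrypted with the sender's private key, anyone who holds the sender's private key can decrypt it. Therefore, the sender's private key is generally not used for encryption.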

120#
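Posted on 2008-5-26 14:33
"If you encrypt with the private key, you must decrypt with the public key" ---- "the public key can be held by anyone"

Isn't that a risk? How is this explained?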

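The scheme in question 80's option C and in question 131, worked through as an added example that is not part of the thread or the exam material. It uses textbook RSA without padding on constructed toy keys, and all function names are assumptions; production systems use padded signatures and hybrid encryption instead.

```python
import hashlib

E = 65537  # public exponent shared by both toy keys


def keypair(p, q):
    """Textbook RSA: return (modulus n, private exponent d) for primes p, q."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))


# Constructed toy keys built from well-known Mersenne primes; not usable as real keys.
SENDER_N, SENDER_D = keypair(2**521 - 1, 2**607 - 1)
RECEIVER_N, RECEIVER_D = keypair(2**1279 - 1, 2**2203 - 1)


def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(msg: bytes) -> int:
    """Hash 'encrypted' with the sender's private key (question 131)."""
    return pow(digest(msg), SENDER_D, SENDER_N)


def verify(msg: bytes, signature: int) -> bool:
    """Anyone can do this: it needs only the sender's public key (E, SENDER_N)."""
    return pow(signature, E, SENDER_N) == digest(msg)


def send(msg: bytes):
    """Question 80, option C: signed hash plus message encrypted for the receiver."""
    ciphertext = pow(int.from_bytes(msg, "big"), E, RECEIVER_N)
    return ciphertext, sign(msg)


def receive(ciphertext: int, signature: int):
    """Needs RECEIVER_D, so only the receiver can recover the message."""
    m = pow(ciphertext, RECEIVER_D, RECEIVER_N)
    msg = m.to_bytes((m.bit_length() + 7) // 8, "big")  # drops leading zero bytes
    return msg, verify(msg, signature)


if __name__ == "__main__":
    note = b"Price exception approved for order 42"  # constructed sample message
    ct, sig = send(note)
    print(receive(ct, sig))      # receiver: plaintext and authenticity result
    print(receive(ct, sig + 1))  # altered signature fails verification
    print(verify(note, sig))     # the public key alone confirms the sender
```

That `verify` works with public values only is what makes a private-key operation a proof of origin rather than a means of secrecy; confidentiality comes solely from the step that uses the receiver's public key.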