CISA/CISM认证学习讨论区

winterism

我今年(08)12月考,想做試題, 但好像又找不到最新的, 請問各位可以分享一下嗎?

winterism

原帖由 winterism 于 2008-8-31 22:34 发表
我今年(08)12月考,想做試題, 但好像又找不到最新的, 請問各位可以分享一下嗎?

已覓得試題, 往後多多指教!

你好！ 可以发给我试题吗？  谢谢

mccoys

共同学习讨论

1. At what stage during the system development life cycle would the verification of security controls take place?

A. Solution definition.
B. Construction.
C. Implementation.
D. Post-implementation.

2. Using a methodology to respond to a security related incident is almost an absolute requirement for legal considerations. The most obvious being which one of the following?

A. Adherence to statutory audit requirements.
B. Demonstrating due care.
C. Data protection law.
D. Working with law enforcement agencies.

3. Which one of the following best describes the outcome from benchmarking?

A. A set of internally focused information security performance measurement for uniform scoring.
B. A process for auditing compliance of internal activities against a known standard.
C. A technique that enables process improvement steps to be prioritized.
D. An external focus on internal activities, functions, or operations in order to achieve continuous improvement.

4. Which one of the following is the appropriate document to describe risk mitigation strategies?

A. Risk analysis.
B. Information security policy.
C. Information security architecture.
D. Information classification scheme.

5. Which one of the following will be the most important part of problem management practices for security?

A. Being systematic.
B. Tracking results.
C. Define the problem.
D. Maintaining protection.

6. A security architecture presupposes the existence of which one of the following?

A. Overall policy.
B. Standards.
C. Security guidelines.
D. Technical solutions.

7. Good advice for developing an enterprise-wide security awareness campaign is which one of the following?

A. Resist the influence of culture.
B. Keep it simple.
C. Concentrate on a single medium.
D. Make use of threats to get results.

8. Advance planning and preparation for incident response can be enhanced by which one of the following activities?

A. Risk analysis.
B. Penetration testing.
C. Historical records of loss.
D. Archived system logs.

9. When is it most appropriate to implement employee awareness about information security?

A. Application related user training.
B. Staff appraisals.
C. On-the-job training.
D. Employee induction training.

10. Why is it important that the awareness of security baselines is integrated in the design and management of security for business applications and the infrastructure?

A. It removes the need to document security requirements.
B. Incorporating security post-implementation is difficult .
C. Helps with the development of better security assessment programs
D. It removes the requirement for a risk assessment

dystrophy

ｃｅｒｔａｉｎｌｔｙ　Ｂ，ｔｈａｔ　ｉｓ　ｒｅｆｅｒ　ｔｏ　ｐｒｏｃｅｄｕｒｅｓ　ｆａｉｌ　ｔｏ　ｄｅｔｅｃｔ　ｒｉｓｋ，ｎｏｔ　ｐｅｒｓｏｎｎｅｌ　ｆａｉｌ　ｔｏ．

Jobsz

为什么今年就没贴了呢> 我是6月份考试.

durexlollipop

顶

dreamitpub

信息系统审计学习之路讨教：
小弟从事IT近10年，最近打算学习信息系统审计，并考取CISA证书，从学习的角度出发，有没有好的教材、书籍、资料推荐

superatao

偶来占位观察的。

linkenpark

审计风险是指会计报表存在重大错误或漏报,而审计人员审计后发表不恰当审计意见的可能性。审计风险包括固有风险、控制风险和检查风险。固有风险和控制风险与被审计单位有关,审计人员对此无能为力。一般情况下,固有风险与被审计企业经营系统的安全性相关,在会计信息化环境下信息披露错误会跨越不同的企业信息系统,因此影响十分严重,导致被审计企业的固有风险增大。

  传统审计中的控制风险通常不容易被企业内部控制系统及时地防范、侦察和纠正。但在会计信息化环境下,由于企业经济业务数据通过企业的信息系统自动地进行加工和处理,而且数据由计算机系统进行实时的反馈,因此出现控制风险的概率比较低。

  在审计风险三个基本要素中,只有检查风险是审计人员能够真正控制的。检查风险是指某一账户或交易类别单独或联同其他账户、交易类别产生重大错报或漏报,而未能被实质性测试发现的可能性。在会计信息化环境下,审计人员需要综合考虑对固有风险的评估结果以及符合性测试对控制风险的测定结论,决定对被审计企业的信息系统以及生成数据的实质性测试范围。固有风险和控制风险的程度越高,审计人员就越有必要执行详细的实质性测试,将审计业务的误差控制在可容忍的范围内。