IIA-CIA-Part3-KR 문제 1
* Prevents Unauthorized Entry - Ensures that only approved personnel have access to the power plant.
* Implements Segregation of Duties (SoD) - Supervisors validate access requests, reducing insider threats.
* Aligns with Least Privilege Principle - Employees get only the minimum access necessary for their role.
* Prevents Security Risks Before They Happen - Unlike detective or corrective controls, this method stops unauthorized access before it occurs.
* A. Offboarding procedure (monthly review) - This is a detective control, identifying issues after access is granted, not preventing them.
* B. Smart lock anomaly scanning - Also detective, as it identifies suspicious behavior after access has been used.
* D. Automatic notifications for after-hours entry - A corrective control, responding to potential violations instead of preventing them.
* IIA's GTAG on Identity and Access Management - Recommends pre-approval processes for sensitive locations.
* ISO 27001 Annex A.9 (Access Control) - Requires role-based access management for critical infrastructures.
* NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems) - Defines supervisor approval as a key preventive measure.
Why Approval-Based Access Control is the Best Preventive Measure?Why Not the Other Options?IIA References:
IIA-CIA-Part3-KR 문제 2
Initiation Phase: Identifies the need for a contract and sets initial objectives.
Bidding Phase: Potential vendors or partners submit proposals, and negotiations begin.
Development Phase: Contracts are drafted, negotiated, and finalized before execution.
Management Phase: The contract is executed, monitored, and evaluated for compliance.
Why Option C is Correct?
The development phase is where contracts are formally drafted based on agreements made during bidding and negotiation.
This phase includes legal review, compliance verification, and risk assessment, ensuring the contract aligns with business objectives and legal requirements.
IIA Standard 2110 - Governance requires auditors to assess how contract risks are managed, ensuring formal contract development processes.
Why Other Options Are Incorrect?
Option A (Initiation phase):
This phase defines the business need but does not involve drafting contracts.
Option B (Bidding phase):
In this phase, businesses solicit proposals, but contracts are not fully drafted until vendor selection.
Option D (Management phase):
The management phase involves executing and monitoring the contract, not drafting it.
Contracts are drafted during the development phase after vendor selection and before execution.
IIA Standard 2110 supports governance over contract risk and formal agreement processes.
Final Justification:IIA References:
IPPF Standard 2110 - Governance (Contract Risk & Compliance)
COSO ERM - Risk Management in Contracting
IIA-CIA-Part3-KR 문제 3
* Correct Answer (C - Business Impact Analysis Plan)
* The BIA is a systematic process that identifies essential functions, assesses potential disruptions, and determines the recovery time requirements to ensure business continuity.
* The Recovery Time Objective (RTO) defines the maximum acceptable downtime for critical business functions.
* The Recovery Point Objective (RPO) identifies how much data loss is tolerable.
* According to the IIA Global Technology Audit Guide (GTAG) 10: Business Continuity Management, a BIA is essential for assessing the financial, operational, and reputational impact of disruptions.
* Why Other Options Are Incorrect:
* Option A (Business Continuity Management Charter):
* A charter defines the governance, responsibilities, and overall framework of business continuity but does not focus on RTOs or critical business processes.
* Option B (Business Continuity Risk Assessment Plan):
* A risk assessment identifies threats and vulnerabilities but does not define recovery time objectives.
* While risk assessments inform the BIA, they do not replace it.
* Option D (Business Case for Business Continuity Planning):
* A business case justifies investment in continuity planning but does not map business processes to RTOs.
* GTAG 10: Business Continuity Management - Defines BIA as the process for identifying critical business functions and their RTOs.
* IIA Practice Guide: Auditing Business Continuity - Emphasizes the role of BIA in business resilience.
Step-by-Step Explanation:IIA References for Validation:Thus, the Business Impact Analysis (BIA) Plan (C) is the correct answer because it pairs critical business processes with recovery time objectives.
IIA-CIA-Part3-KR 문제 4
Options A and D (supervisor or team) may assist but do not hold accountability. Option C (the board) receives reports but is not responsible for them.
Reference:
IIA Standards - Standard 2400: Communicating Results.
IIA-CIA-Part3-KR 문제 5
Regular vendor control reports to monitor security and performance.
A right-to-audit clause, allowing the organization to periodically assess compliance and security controls.
Correct Answer (B - Drafting a Strong Contract with Vendor Control Reports & Right-to-Audit Clause) IIA Practice Guide: Auditing Third-Party Risk Management recommends that contracts with vendors include clear security expectations, reporting requirements, and audit rights.
A right-to-audit clause allows internal auditors to verify compliance with security policies.
Vendor control reports (e.g., SOC 2 reports) provide assurance that the vendor meets security and compliance standards.
Why Other Options Are Incorrect:
Option A (Creating a comprehensive reporting system for vendors):
While useful, a reporting system alone is not the first step-it should be included after contractual protections are in place.
Option C (Applying administrative privileges to ensure appropriate access controls):
This applies to internal access management but does not address third-party risk management.
Option D (Creating a cybersecurity committee):
A cybersecurity committee helps manage ongoing risks, but contractual controls are the first step in managing third-party risk.
IIA Practice Guide: Auditing Third-Party Risk Management - Recommends strong contracts with right-to- audit clauses.
GTAG 7: Information Technology Outsourcing - Discusses vendor risk management and contractual safeguards.
Step-by-Step Explanation:IIA References for Validation:Thus, the best first step is drafting a strong contract with vendor control reports and a right-to-audit clause (B).
- 최근 업로드
- 109SolarWinds.Hybrid-Cloud-Observability-Network-Monitoring.v2026-07-18.q115
- 123SAP.C_ARCIG.v2026-07-18.q27
- 128SAP.C_CR125_2601.v2026-07-17.q26
- 139SAP.P-C4H34-2601.v2026-07-17.q32
- 153GInI.CInP.v2026-07-16.q100
- 156Peoplecert.ITIL-4-CDS.v2026-07-16.q32
- 165PythonInstitute.PCAP-31-03.v2026-07-16.q140
- 149Oracle.1Z0-171.v2026-07-16.q39
- 159IAM.IAM-Certificate.v2026-07-16.q74
- 162InsuranceLicensing.NY-Life-Accident-and-Health.v2026-07-15.q40
PDF 파일 다운로드
메일 주소를 입력하시고 다운로드 하세요. IIA.IIA-CIA-Part3-KR.v2026-05-02.q255 모의시험 시험자료를 다운 받으세요.
