IIA-CIA-Part3-CN Exam Question 161
Which of the following should a data privacy policy include?
1. Stipulations for deleting certain data after a period of time.
2. Guidance on acceptable methods for collecting personal data.
3. A requirement to retain personal data indefinitely to ensure a complete audit trail.
4. A description of what constitutes appropriate use of personal data.
Correct Answer: C
A data privacy policy sets out how an organization collects, stores, processes, shares, and protects personal data. It should be aligned with the data protection laws that apply to the organization, such as the GDPR and the CCPA, and with IIA guidance on auditing privacy risk.
Analysis of Answer Choices:
(1) Stipulations for deleting certain data after a specified period of time. Correct. Data protection laws limit how long personal data may be kept: GDPR Article 5(1)(e) (storage limitation) requires that personal data be kept in identifiable form no longer than necessary for the purpose it was collected for, so the policy must set retention periods per data category and provide for deletion (or anonymization) when they expire. Shorter retention also shrinks the amount of data exposed if a breach occurs.
(2) Guidance on acceptable methods for collecting personal data. Correct. A privacy policy must define the lawful and ethical ways the organization collects personal data: a lawful basis for processing, notice to the data subject, consent where it is required, and collecting only the data that is needed.
(3) A requirement to retain personal data indefinitely to ensure a complete audit trail. Incorrect. Indefinite retention contradicts the storage-limitation principle and makes the right to erasure (GDPR Article 17, the "right to be forgotten") unworkable. Audit trails have their own defined retention periods; they do not justify keeping every item of personal data forever. Data must be stored only for as long as necessary.
(4) A description of what constitutes appropriate use of personal data. Correct. A privacy policy should clearly define how collected data may and may not be used (purpose limitation), so that data gathered for one purpose is not quietly repurposed, and so that staff and auditors can recognize misuse.
IIA References:
IIA GTAG - "Auditing Privacy Risks"
IIA Standard 2110 - Governance (Data Protection & Privacy)
GDPR (General Data Protection Regulation) - Articles 5 & 17 (Data Retention & Deletion)
Thus, the correct answer is C (1, 2, and 4 only), because data should not be retained indefinitely, and the policy must include guidance on data collection, retention, and appropriate use.
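Item (1) above is a policy statement; what makes it real is a scheduled job that applies per-category retention periods and deletes what has expired. The following is an added example written for this page, not code from the IIA or from any product. The categories, retention periods and records are constructed for illustration, and the legal-hold flag is an assumed attribute of the record store. The sweep returns "review" for a category the policy does not cover, so that unknown data is escalated rather than silently kept forever.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention periods per data category, in days. Hypothetical policy values
# chosen for illustration; a real policy derives them from legal and
# business requirements.
RETENTION_DAYS = {
    "marketing_consent": 365,   # one year after last contact
    "support_ticket": 730,      # two years after closure
    "access_log": 90,           # security logs kept 90 days
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date              # date the retention clock starts
    legal_hold: bool = False   # assumed flag: records on hold are never purged


def retention_decision(record: Record, today: date) -> str:
    """Return 'delete', 'keep' or 'review' for one record.

    'review' is returned when the category has no retention rule, so an
    unmapped category is escalated instead of being retained indefinitely.
    """
    if record.legal_hold:
        return "keep"
    days = RETENTION_DAYS.get(record.category)
    if days is None:
        return "review"
    expiry = record.created + timedelta(days=days)
    return "delete" if today >= expiry else "keep"


def sweep(records, today: date) -> dict:
    """Group record ids by the action the retention policy requires."""
    result = {"delete": [], "keep": [], "review": []}
    for r in records:
        result[retention_decision(r, today)].append(r.record_id)
    return result


# Constructed sample data for the demonstration.
SAMPLE = [
    Record("r1", "access_log", date(2024, 1, 1)),          # expired
    Record("r2", "access_log", date(2024, 5, 1)),          # still within 90 days
    Record("r3", "support_ticket", date(2022, 3, 15)),     # expired
    Record("r4", "support_ticket", date(2022, 3, 15), legal_hold=True),
    Record("r5", "biometric_template", date(2020, 1, 1)),  # no rule -> review
]
DEMO_DATE = date(2024, 6, 1)


def demo() -> dict:
    """Run the sweep over the constructed sample as of DEMO_DATE."""
    return sweep(SAMPLE, DEMO_DATE)


if __name__ == "__main__":
    print(demo())
```

The deletion itself is deliberately left to the caller: a real job would delete in a transaction, log each deletion (without the personal data) for the audit trail, and refuse to run if the policy table is empty.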
IIA-CIA-Part3-CN Exam Question 162
Which of the following statements about data backups is correct?
Correct Answer: C
A tape rotation schedule defines how often backup tapes are reused (overwritten) or moved to an archive pool, and therefore how long any given backup copy survives. This is essential for compliance, disaster recovery, and internal controls over data storage.
Step-by-Step Explanation:
Correct Answer (C - The Tape Rotation Schedule Affects How Long Data is Retained): Organizations use backup rotation schemes such as Grandfather-Father-Son (GFS), Tower of Hanoi, or FIFO (First-In-First-Out) to determine how long backups are kept before being overwritten. The practical check is that the oldest backup still on a tape is at least as old as the longest retention obligation, and that the tape pool is large enough to make that true.
This impacts data retention policies, regulatory compliance, and recovery capabilities.
The IIA's GTAG 10: Business Continuity Management discusses backup strategies and retention management.
Why Other Options Are Incorrect:
Option A (System backups should always be performed real-time):
Real-time backups (continuous data protection) are useful but not always required; many businesses use scheduled backups instead. A continuously mirrored copy also mirrors deletions and ransomware encryption, so point-in-time copies are still needed.
Option B (Backups should be stored in a secured location onsite for easy access):
An onsite copy is useful for fast restores, but best practice is to keep at least one copy offsite (or in a separate cloud region), and ideally offline or immutable, so that fire, flood, theft or ransomware at the primary site cannot destroy production data and its backup together.
Option D (Backup media should be restored only in case of hardware or software failure):
Backups are also restored for periodic restore testing, audit and compliance checks, business continuity exercises, and recovery from accidental deletion or malicious encryption.
IIA References for Validation:
GTAG 10: Business Continuity Management - Covers backup strategies, data retention, and disaster recovery.
IIA Practice Guide: IT Controls - Discusses backup policies and risks in data management.
Thus, the tape rotation schedule (C) is correct because it determines how long data is retained.
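The following is an added example, not part of the original explanation and not an IIA artefact. It simulates a Grandfather-Father-Son rotation to show concretely how the schedule, not the backup software, fixes the retention period. The pool layout (daily backups on six tapes, Sunday backups on four weekly tapes, the last backup of each month on twelve monthly tapes) is one common GFS arrangement and is an assumption of the example, not a standard fixed by GTAG 10. A plain FIFO pool of the same size is included for comparison.

```python
from datetime import date, timedelta


def gfs_retained(today: date, start: date, daily=6, weekly=4, monthly=12):
    """Return the backup dates still held on tape under GFS rotation.

    Assumed schedule (one common GFS layout):
      - a backup is taken every calendar day from `start` to `today`;
      - the last backup of a month goes to the monthly ('grandfather') pool;
      - otherwise a Sunday backup goes to the weekly ('father') pool;
      - any other day goes to the daily ('son') pool.
    Each pool holds a fixed number of tapes and recycles its oldest tape.
    """
    pools = {"monthly": [], "weekly": [], "daily": []}
    sizes = {"monthly": monthly, "weekly": weekly, "daily": daily}
    day = start
    while day <= today:
        next_day = day + timedelta(days=1)
        if next_day.month != day.month:
            pool = "monthly"
        elif day.weekday() == 6:          # Sunday
            pool = "weekly"
        else:
            pool = "daily"
        pools[pool].append(day)
        if len(pools[pool]) > sizes[pool]:
            pools[pool].pop(0)            # oldest tape in the pool is overwritten
        day = next_day
    return pools


def effective_retention_days(today: date, pools) -> int:
    """Age, in days, of the oldest backup that can still be restored."""
    oldest = min(d for p in pools.values() for d in p)
    return (today - oldest).days


def fifo_retained(today: date, start: date, tapes: int):
    """Plain FIFO rotation: one pool of `tapes` tapes, oldest overwritten."""
    held = []
    day = start
    while day <= today:
        held.append(day)
        if len(held) > tapes:
            held.pop(0)
        day += timedelta(days=1)
    return held


# Constructed scenario: two years of daily backups ending on 2024-12-31.
DEMO_START = date(2023, 1, 1)
DEMO_TODAY = date(2024, 12, 31)

if __name__ == "__main__":
    pools = gfs_retained(DEMO_TODAY, DEMO_START)
    tapes = sum(len(p) for p in pools.values())
    print("GFS tapes in use:", tapes)
    print("GFS oldest restorable backup:", min(min(p) for p in pools.values()))
    print("GFS effective retention (days):", effective_retention_days(DEMO_TODAY, pools))
    fifo = fifo_retained(DEMO_TODAY, DEMO_START, tapes)
    print("FIFO with the same tapes retains (days):", (DEMO_TODAY - fifo[0]).days)
```

With the assumed layout the GFS scheme uses 22 tapes and still holds a backup from 2024-01-31, eleven months back, whereas FIFO on the same 22 tapes holds only the last three weeks. An auditor comparing a retention obligation against the schedule is comparing it against exactly this number.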
IIA-CIA-Part3-CN Exam Question 163
Which of the following networks is suitable for an organization that operates in multiple cities and countries/regions?
Correct Answer: A
A Wide Area Network (WAN) is the most suitable type of network for an organization that has operations in multiple cities and countries. WANs connect multiple local area networks (LANs) and other types of networks across long geographical distances, enabling seamless communication and data sharing among remote offices and branches.
Explanation of Answer Choices:
* A. Wide Area Network (WAN) (Correct Answer)
* WANs cover extensive geographical areas, such as multiple cities, countries, or even continents.
* They use various communication technologies, including leased lines, satellite connections, VPNs, and MPLS.
* WANs enable organizations with distributed operations to centralize data management and enhance business continuity.
* Example: An international corporation like a multinational bank or a global retail chain relies on a WAN to link its offices worldwide.
* B. Local Area Network (LAN) (Incorrect Answer)
* LANs are confined to a small area, such as an office building, factory, or campus.
* They provide high-speed connectivity but are not designed for geographically dispersed locations.
* Example: A single office using Ethernet and Wi-Fi to connect employees' devices.
* C. Metropolitan Area Network (MAN) (Incorrect Answer)
* MANs span a city or a large campus but do not extend to multiple countries.
* Example: A city's government agencies using a fiber-optic MAN for interdepartmental communication.
* D. Storage Area Network (SAN) (Incorrect Answer)
* SANs are dedicated high-speed networks designed for large-scale data storage and retrieval.
* They are not meant for interconnecting geographically dispersed locations.
* Example: A financial institution using a SAN for high-speed access to critical databases.
IIA References:
* The IIA's Global Technology Audit Guide (GTAG) - IT Risks and Controls emphasizes the importance of network infrastructure in securing and managing organizational data across multiple locations.
* IIA Standard 2110 - Governance requires internal auditors to evaluate whether the organization's IT strategy (including WAN infrastructure) supports business objectives and risk management.
* IIA GTAG 17 - Auditing Network Security highlights the importance of WAN security, VPNs, and encryption when managing international operations.
Thus, the correct answer is A. Wide Area Network (WAN).
IIA-CIA-Part3-CN Exam Question 164
Which of the following is a more reliable liquidity indicator than working capital?
Correct Answer: A
The acid-test (quick) ratio is a more dependable liquidity indicator than working capital because it excludes inventory, which may not be easily converted to cash in the short term. It measures a company's ability to pay its short-term liabilities using only its most liquid assets (cash, marketable securities, and accounts receivable). Working capital, by contrast, is an absolute amount (current assets less current liabilities) that counts inventory in full and is not comparable across companies of different sizes.
Formula for the Acid-Test Ratio:

$$\text{Acid-Test Ratio} = \frac{\text{Current Assets} - \text{Inventory}}{\text{Current Liabilities}}$$

This ratio is more reliable than working capital since it removes inventory, which may be difficult to liquidate quickly in financial distress.
Explanation of Each Option:
A. Acid-test (quick) ratio (Correct Answer) - This provides a stronger measure of liquidity because it excludes inventory, which might not be quickly converted to cash.
B. Average collection period - This measures the efficiency of accounts receivable collections, but it does not directly measure overall liquidity.
C. Current ratio - While this ratio is commonly used, it includes inventory, which can distort liquidity assessments if inventory is not easily sold.
D. Inventory turnover - This measures how quickly inventory is sold, but it does not directly assess liquidity.
IIA References:
IIA IPPF Standard 2130 - Control emphasizes liquidity monitoring as a key financial control.
COSO ERM Framework - Financial Performance Measures discusses the acid-test ratio as a critical liquidity metric.
IFRS 7 - Financial Instruments Disclosures outlines the importance of liquidity risk assessments.
IIA-CIA-Part3-CN Exam Question 165
According to IIA guidance, which of the following statements about websites used in e-commerce transactions is correct?
Correct Answer: D
E-commerce transactions pass through several security layers that protect customers' financial information. The correct answer is D: the payment gateway is the intermediary that obtains authorization for an online card payment by securely forwarding the payment details to the payment processor and card networks and returning the issuer's approval or decline to the merchant. Let's examine each option carefully:
Option A: HTTP sites provide sufficient security to protect customers' credit card information.
Incorrect. HyperText Transfer Protocol (HTTP) carries data in plaintext, so anything sent over it, card numbers included, can be read or altered by anyone on the network path. Card data must be submitted over HTTPS, which is HTTP carried inside a Transport Layer Security (TLS) session (TLS is the successor of the now-deprecated Secure Sockets Layer, SSL); the server's certificate authenticates the site and the session keys encrypt the data in transit. A practitioner checks that checkout pages are served only over HTTPS, that plain-HTTP requests are redirected and HSTS is set, and that no payment form is loaded from or posted to an HTTP URL.
IIA Reference: Internal auditors evaluating e-commerce security should verify that organizations use HTTPS for secure transactions. (IIA GTAG: Information Security Governance)
Option B: Web servers store credit cardholders' information submitted for payment.
Incorrect. The web server should only pass card data through to the payment gateway; it should not retain it. The Payment Card Industry Data Security Standard (PCI DSS) restricts storage of cardholder data: the full card number (PAN) may be stored only where there is a documented business need and only in unreadable form (strong encryption, truncation, or tokenization), and sensitive authentication data such as the CVV must never be stored after authorization. Many merchants avoid the problem entirely by tokenizing the PAN at the gateway and keeping only the token and the last four digits.
IIA Reference: IIA Standards recommend compliance with PCI DSS to protect sensitive payment information. (IIA Practice Guide: Auditing IT Governance)
Option C: Database servers send cardholders' information for authorization in clear text.
Incorrect. Transmitting cardholder data in clear text is a severe security vulnerability. Cardholder data must be encrypted in transit with TLS on every hop, including internal ones between the application and database tiers and the link to the gateway. Tokenization complements this by reducing how many systems ever see the PAN, but it is not a substitute for transport encryption.
IIA Reference: Internal auditors should ensure encryption measures are in place for financial transactions.
(IIA GTAG: Auditing Cybersecurity Risk)
Option D: Payment gateways authorize credit card online payments.
Correct. Payment gateways act as secure intermediaries between merchants and payment processors: they receive the transaction details over an encrypted channel, validate them, forward them to the acquirer and card network, and return the authorization result. Strictly, the issuing bank approves or declines the charge; the gateway is the component that obtains that authorization on the merchant's behalf, which is what this statement describes.
IIA Reference: IIA guidance on IT controls emphasizes the importance of secure payment processing through payment gateways. (IIA GTAG: Managing and Auditing IT Vulnerabilities)
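To make options A, B and C concrete, here is an added example of a merchant-side checkout handler that refuses card data arriving over plain HTTP, validates the card number, hands the PAN to a token vault, and records only a token and a masked number. It is written for this page and is not IIA or PCI SSC code; the `TokenVault` class is a hypothetical stand-in for a gateway or PCI-scoped vault (its in-memory dictionary represents what would be an encrypted, access-controlled store), and the card number 4111 1111 1111 1111 is the well-known test PAN, not a real account. The constructed form includes a CVV precisely so the example can show it being dropped.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum check that every issued card number satisfies."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form allowed by PCI DSS: at most first six and last four digits."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Hypothetical stand-in for a tokenization service.

    A real vault lives in the PCI-scoped environment (or at the gateway) and
    stores the PAN encrypted under keys the merchant application never holds.
    Here a dictionary plays that role so the example runs offline.
    """

    def __init__(self):
        self._store = {}        # token -> PAN

    def tokenize(self, pan: str) -> str:
        # Random token: unguessable and carrying no bits of the PAN.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def process_checkout(form: dict, vault: TokenVault) -> dict:
    """Merchant web-tier handler: returns the order record to be stored.

    `form` is the submitted checkout form plus the scheme the request
    arrived on (an assumed field filled in by the web server).
    """
    if form.get("scheme") != "https":
        raise ValueError("card data must not be accepted over plaintext HTTP")
    pan = "".join(c for c in form["pan"] if c.isdigit())
    if not luhn_valid(pan):
        raise ValueError("invalid card number")
    token = vault.tokenize(pan)
    # The stored record holds the token and display data only: neither the
    # PAN nor the CVV (sensitive authentication data) is written anywhere.
    return {
        "order_id": form["order_id"],
        "card_token": token,
        "card_masked": mask_pan(pan),
        "expiry": form["expiry"],
    }


# Constructed sample submission for the demonstration.
SAMPLE_FORM = {
    "scheme": "https",
    "order_id": "A1001",
    "pan": "4111 1111 1111 1111",   # standard test PAN, not a real account
    "expiry": "12/27",
    "cvv": "123",                   # present on input, never stored
}

if __name__ == "__main__":
    vault = TokenVault()
    record = process_checkout(SAMPLE_FORM, vault)
    print(record)
    print("vault resolves token to:", mask_pan(vault.detokenize(record["card_token"])))
```

When the gateway later needs the PAN for a refund or recurring charge, only the vault can resolve the token, so a compromise of the order database yields tokens and masked numbers rather than card data.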