Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 141:
Which of the following presents the GREATEST challenge for a large-scale enterprise when procuring Infrastructure as a Service (IaaS)?
A. Testing the vendor resiliency plan annually
B. Protecting the enterprise from labor liability
C. Ensuring the vendor meets corporate requirements
D. Monitoring key performance indicators (KPIs)
C. Ensuring the vendor meets corporate requirements
For large enterprises, the greatest challenge when procuring IaaS is ensuring the vendor meets corporate requirements, including compliance, integration standards, security, scalability, and service levels. The complexity of aligning cloud capabilities with internal policies and operational needs can create governance gaps. The other options represent necessary practices, but the alignment of vendor capabilities with enterprise standards is foundational to long-term success and risk mitigation. References: CGEIT Review Manual, Domain 2 - IT Resources and Third-Party Risk; COBIT 2019: APO03 (Manage Enterprise Architecture), APO10 (Manage Suppliers).
Question 142:
New legislation requires an enterprise to report cybersecurity incidents to a government agency within a defined timeline. Which of the following should be the FIRST course of action?
A. Establish an incident reporting system and hotline.
B. Require automation of incident reporting to agencies.
C. Establish a cybersecurity incident manager role.
D. Understand requirements and definitions for reportable incidents.
D. Understand requirements and definitions for reportable incidents.
Question 143:
Which of the following is the FIRST step when developing an IT risk management framework?
A. Promoting a culture of risk awareness
B. Establishing a risk control library
C. Aligning to enterprise risk management (ERM)
D. Establishing risk appetite
C. Aligning to enterprise risk management (ERM)
Developing an IT risk management framework begins with aligning it to the enterprise risk management (ERM) framework. This ensures consistency across all organizational risk domains and supports the integration of IT risk into the broader enterprise risk strategy. The ERM provides a foundation for identifying, assessing, and managing IT risks in a way that aligns with the organization's overall objectives. Promoting a culture of risk awareness, while critical, is a subsequent step once the framework is defined. References: COBIT 2019 Risk Management Process, CGEIT Exam Manual.
Question 144:
Which of the following is MOST important for the effective design of an IT balanced scorecard?
A. On-demand reporting and continuous monitoring
B. Consulting with the CIO
C. Emphasizing the financial results
D. Identifying appropriate key performance indicators (KPIs)
D. Identifying appropriate key performance indicators (KPIs)
The most important factor for the effective design of an IT balanced scorecard is identifying appropriate key performance indicators (KPIs). KPIs are the measures that reflect the critical success factors of the IT strategy and goals, and that help to monitor and evaluate IT performance and value. KPIs should be aligned with the four perspectives of the balanced scorecard: financial, customer, internal process, and learning and growth. KPIs should also be SMART: specific, measurable, achievable, relevant, and time-bound. By choosing the right KPIs, the IT balanced scorecard can provide a comprehensive and balanced view of the IT contribution to the business, and support the decision-making and improvement processes.
Question 145:
Before establishing IT key risk indicators (KRIs), which of the following should be defined FIRST?
A. IT resource strategy
B. IT risk and security framework
C. IT goals and objectives
D. IT key performance indicators (KPIs)
C. IT goals and objectives
IT goals and objectives are the desired outcomes and targets that IT aims to achieve in support of the business strategy and objectives. IT goals and objectives should be defined first, before establishing IT key risk indicators (KRIs), because they provide the direction and scope for the IT risk management process. KRIs are metrics that measure and monitor the level and trend of risk exposure, and help to identify and manage potential threats or opportunities that could affect the achievement of IT goals and objectives. Therefore, by defining IT goals and objectives first, an enterprise can ensure that its KRIs are relevant, aligned, and consistent with its IT strategy and value delivery. References: Key Risk Indicators (KRIs) - ISACA; Integrating KRIs and KPIs for Effective Technology Risk Management - ISACA.
Question 146:
Which of the following aspects of IT governance BEST addresses the potential intellectual property implications of a cloud service provider having a database in another country?
A. Contract management
B. Continuity planning
C. Data management
D. Security architecture
C. Data management
Data management is the aspect of IT governance that BEST addresses the potential intellectual property implications of a cloud service provider having a database in another country. Data management involves defining and implementing policies and processes for the effective and efficient acquisition, storage, distribution, usage, and disposal of data in alignment with business objectives and regulatory requirements. Data management also includes ensuring the protection of data quality, integrity, availability, confidentiality, and ownership. Therefore, data management can help mitigate the risks of intellectual property infringement, theft, or misuse that may arise from storing data in a foreign jurisdiction with different legal and regulatory frameworks. References: CGEIT Review Manual (Digital Version), Chapter 4: Value Optimization, Section 4.2: IT Value Delivery, Subsection 4.2.3: IT Resource Management, Page 123; CGEIT Review Manual (Print Version), Chapter 4: Value Optimization, Section 4.2: IT Value Delivery, Subsection 4.2.3: IT Resource Management, Page 123; Cloud computing: A brief overview of intellectual property issues "in the cloud" - Lexology; Protecting Intellectual Property in the Cloud - WIPO.
Question 147:
An enterprise recently acquired technology that will enable it to offer products to customers through a mobile device application. The business is eager to use this technology as soon as possible for products currently offered through legacy IT systems. What is the CIO's MAIN responsibility?
A. Ensure proper metrics are established to measure technology usage throughout the enterprise.
B. Ensure business units are aware of new opportunities available with the acquired technology.
C. Ensure the enterprise architecture (EA) is reviewed and updated.
D. Ensure risk associated with implementation and support of the new technology is properly managed.
D. Ensure risk associated with implementation and support of the new technology is properly managed.
Question 148:
Which of the following should be identified FIRST when determining appropriate IT key risk indicators (KRIs)?
A. IT-related risk
B. IT controls
C. IT threats
D. IT objectives
A. IT-related risk
IT key risk indicators (KRIs) are metrics that measure the likelihood and impact of IT-related risks on the enterprise's objectives and goals. Therefore, the first step in determining appropriate IT KRIs is to identify the IT-related risks that are relevant and significant for the enterprise. IT controls, IT threats and IT objectives are also important factors in developing IT KRIs, but they are not the first step. IT controls are the measures that mitigate or reduce IT risks, IT threats are the sources of potential harm or loss to IT assets or processes, and IT objectives are the desired outcomes or results of IT activities that support the enterprise's strategy and goals. References: ISACA, CGEIT Review Manual, 7th Edition, 2019, p. 90-91; Integrating KRIs and KPIs for Effective Technology Risk Management; Performance Measurement Metrics for IT Governance; State and Impact of Governance of Enterprise IT in Organizations: Key Findings of an International Study.
Question 149:
An enterprise has decided to use third-party software for a business process which is hosted and supported by the same third party. The BEST way to provide quality of service oversight would be to establish a process:
A. for robust change management.
B. for periodic service provider audits.
C. for enterprise architecture (EA) updates.
D. to qualify service providers.
B. for periodic service provider audits.
A periodic service provider audit is a process of conducting an independent and objective assessment of the service provider's performance, quality, compliance, and security in relation to the agreed service level agreement (SLA) and the enterprise's expectations and requirements. A periodic service provider audit can help provide quality of service oversight by:
- Verifying and validating the service provider's claims and credentials, and ensuring that they meet the contractual obligations and standards
- Identifying and evaluating the strengths, weaknesses, opportunities, and threats of the service provider's services, processes, and controls
- Detecting and reporting any issues, gaps, or risks that may affect the quality of service delivery or the enterprise's objectives and value
- Recommending and implementing corrective and preventive actions to address and resolve the issues, gaps, or risks
- Monitoring and measuring the outcomes and effectiveness of the corrective and preventive actions, and ensuring their alignment with the SLA
References: According to the CGEIT Review Manual 2022, "Service provider audits are a key mechanism for ensuring that service providers are meeting their contractual obligations and delivering value to the enterprise. Service provider audits should be conducted periodically or as needed to assess the performance, quality, compliance, and security of the service provider's services, processes, and controls." According to the ISACA article on IT Outsourcing: Audit Considerations, "IT outsourcing audit is a process of examining and evaluating the IT outsourcing arrangements between an enterprise and its service providers. IT outsourcing audit aims to provide assurance that the IT outsourcing arrangements are aligned with the enterprise's strategy, objectives, and risk appetite; that the service providers are delivering the expected services in accordance with the SLAs; that the service providers are complying with the applicable laws, regulations, and standards; and that the service providers are managing and mitigating the IT outsourcing risks effectively." According to the PwC article on Service Provider Audits, "Service provider audits are an essential tool for organizations to gain insight into their service providers' operations, controls, risks, and compliance status. Service provider audits can help organizations ensure that their service providers are meeting their expectations and obligations; identify any areas of improvement or concern; enhance their relationship and communication with their service providers; and optimize their IT outsourcing strategy."
Question 150:
The PRIMARY reason for an enterprise to adopt an IT governance framework is to:
A. assure IT sustains and extends the enterprise strategies and objectives.
B. expedite IT investments among other competing business investments.
C. establish IT initiatives focused on the business strategy.
D. allow IT to optimize confidentiality, integrity, and availability of information assets.
A. assure IT sustains and extends the enterprise strategies and objectives.
IT governance is a framework that provides a formal structure for organizations to ensure that IT investments support business objectives. The primary reason for an enterprise to adopt an IT governance framework is to assure that IT sustains and extends the enterprise strategies and objectives, by aligning IT with business needs, optimizing IT performance and value, managing IT risks and resources, and measuring IT outcomes and benefits. References: ISACA, CGEIT Review Manual, 7th Edition, 2019, page 15; What Is IT Governance? Definition, Practices and Frameworks; IT Governance: Definition, Frameworks, and Best Practices.