Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 151:
An enterprise recently implemented a significant change in its business strategy by moving to a technologically advanced product with considerable impact on the business. What should be the FINAL step in completing the changes to IT processes?
A. Updating the configuration management database (CMDB)
B. Empowering the business to embrace the changes
C. Ensuring a return to stabilized business operations
D. Updating the enterprise architecture (EA)
C. Ensuring a return to stabilized business operations
IT change management is the process of tracking and managing a change throughout its entire life cycle, from start to closure, with the aim of minimizing risk. One of the steps in the IT change management process is to collect and analyze data, quantify gaps, understand resistance, and modify the plan as needed. The final step in completing the changes to IT processes is to ensure a return to stabilized business operations, which means that the change has been successfully implemented and the expected benefits have been realized. This step also involves closing the change request, documenting the lessons learned, and celebrating the achievements. The other options are not the final step in completing the changes to IT processes, but rather intermediate steps that occur before or during the change implementation. Updating the configuration management database (CMDB) is a step that occurs during the change implementation, as it involves recording and tracking the changes made to the IT assets and services. Empowering the business to embrace the changes is a step that occurs before and during the change implementation, as it involves providing communication, training, and support to help the stakeholders adopt and adapt to the changes. Updating the enterprise architecture (EA) is a step that occurs before or during the change implementation, as it involves aligning the IT strategy, processes, and systems with the business goals and requirements.
References: IT change management: A comprehensive guide (ManageEngine); What is Change Management? Organizational, Process, Definition (ASQ); The Evolution of IT Change Management (Atlassian); What is IT Change Management? (ServiceNow); What is Configuration Management Database (CMDB)? (ServiceNow); What is Organizational Change Management? (Prosci); What is Enterprise Architecture? (Gartner).
Question 152:
Which of the following should be the PRIMARY consideration when developing an IT strategy for the global implementation of Internet of Things (IoT) solutions?
A. Hiring additional IT staff with IoT expertise
B. Addressing security and privacy
C. Identifying cost-effective IoT devices
D. Maintaining compatibility with legacy systems
B. Addressing security and privacy
Security and privacy are paramount when implementing IoT on a global scale. IoT devices often introduce vulnerabilities and handle sensitive data across diverse jurisdictions, making security controls and privacy compliance essential from the outset. While staffing, cost, and integration are important, security and privacy represent the greatest strategic and reputational risk if not addressed early in the strategy.
References: CGEIT Review Manual, Domain 4: Risk Optimization; COBIT 2019: DSS05 (Manage Security Services) and APO13 (Manage Security).
Question 153:
Which of the following BEST demonstrates the effectiveness of enterprise IT governance?
A. An IT balanced scorecard is used.
B. Business objectives are achieved.
C. Business objectives are defined.
D. IT processes are measured.
B. Business objectives are achieved.
Enterprise IT governance is the process of ensuring that IT supports the business objectives and strategies of the enterprise, and that IT investments and resources are aligned with the enterprise's needs and priorities. The effectiveness of enterprise IT governance can be measured by the extent to which the business objectives are achieved through IT-enabled initiatives and services. An IT balanced scorecard, business objectives definition, and IT processes measurement are all tools or activities that can help implement and monitor enterprise IT governance, but they do not demonstrate its effectiveness by themselves.
References: IT Governance: Definition, Frameworks, and Best Practices (InvGate); The keys to effective IT governance in the digital era (CIO); Defining IT Governance and Its Roles for Business Success (ISACA); Governance of Enterprise IT (The Institute of Internal Auditors); Holistic IT Governance, Risk Management, Security and Privacy (ISACA).
Question 154:
An enterprise is initiating efforts to improve system availability to mitigate IT risk to the business. Which of the following results would be MOST important to report to the CIO to measure progress?
A. Incident severity and downtime trend analysis
B. Probability and severity of each IT risk
C. Financial losses and bad press releases
D. Customer and stakeholder complaints over time
A. Incident severity and downtime trend analysis
Incident severity and downtime trend analysis is the most important result to report to the CIO to measure progress in improving system availability to mitigate IT risk to the business, because it directly reflects the impact and frequency of system failures or disruptions on the business operations, processes, and functions. By analyzing the severity and duration of incidents over time, the CIO can evaluate the effectiveness of the IT risk management and system availability strategies, and identify any gaps, issues, or opportunities for improvement. Incident severity and downtime trend analysis can also help the CIO communicate the value and performance of the IT risk management and system availability initiatives to the business stakeholders, and justify any further investment or action required to achieve the desired outcomes. The other options are not as important as incident severity and downtime trend analysis, because they are either too indirect or too subjective to measure progress in improving system availability to mitigate IT risk to the business. Probability and severity of each IT risk is a useful input for IT risk management, but it does not necessarily reflect the actual occurrence or impact of system failures or disruptions on the business. Financial losses and bad press releases are possible consequences of system failures or disruptions, but they may not capture the full extent or root causes of the IT risk to the business. Customer and stakeholder complaints over time are indicators of customer satisfaction and loyalty, but they may not be reliable or consistent measures of system availability or IT risk to the business.
Question 155:
The PRIMARY reason for periodically evaluating IT resource staffing requirements is to:
A. ascertain the IT function has sufficient skilled staff to maintain daily operations.
B. ensure the enterprise has sufficient resources to address changing business and IT needs.
C. verify that human resource recruitment and retention processes meet enterprise IT objectives.
D. confirm IT-related responsibilities are defined for the enterprise's business and IT staff.
B. ensure the enterprise has sufficient resources to address changing business and IT needs.
IT resource staffing requirements are the human resources needed to deliver IT services and support business objectives. Periodically evaluating IT resource staffing requirements is important to ensure the enterprise has sufficient resources to address changing business and IT needs, such as new projects, technologies, regulations, or customer expectations. By assessing the current and future demand and supply of IT skills and competencies, the enterprise can identify any gaps or surpluses and plan accordingly to optimize IT performance and value. The other options are not the primary reason for periodically evaluating IT resource staffing requirements, although they may be related or beneficial outcomes. Ascertaining the IT function has sufficient skilled staff to maintain daily operations, verifying that human resource recruitment and retention processes meet enterprise IT objectives, and confirming IT-related responsibilities are defined for the enterprise's business and IT staff are all part of the IT resource staffing management process, but they are not the main driver or purpose of it.
References: https://www.aihr.com/blog/staffing-planning/ ; https://www.mckinsey.com/capabilities/people-and-organizational-performance/our-insights/the-organization-blog/the-future-of-the-workplace-embracing-change-and-fostering-connectivity ; https://www.ccl.org/articles/leading-effectively-articles/adaptability-1-idea-3-facts-5-tips/ ; https://www.indeed.com/career-advice/career-development/staffing-plan
Question 156:
Which of the following would a CIO use to present the overall view of IT performance to the board of directors?
A. Balanced scorecard
B. Key risk indicators (KRIs)
C. Maturity model
D. Key performance indicators (KPIs)
A. Balanced scorecard
A balanced scorecard is a tool that a CIO would use to present the overall view of IT performance to the board of directors, because it is a framework that translates the enterprise's vision and strategy into a set of performance measures that cover four perspectives: financial, customer, internal business process, and learning and growth. A balanced scorecard can help to communicate and monitor the IT strategy and goals, and align the IT activities and resources with the business needs and expectations. A balanced scorecard can also provide a balanced and comprehensive view of the IT performance and value delivery, and highlight the strengths, weaknesses, opportunities, and threats for improvement.
References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pages 43-44.
Question 157:
An IT governance committee wants to ensure there is a clear description of the "data owner" in the enterprise data policy. Which of the following would BEST define the owner of data stored in an external cloud?
A. The business leader who is most impacted by the loss of data.
B. The risk manager who is responsible for protecting data stored in the cloud.
C. The contract manager who monitors the security of the cloud provider.
D. The vendor who submits the data to the organization via online forms.
A. The business leader who is most impacted by the loss of data.
The owner of data stored in an external cloud is the business leader who is most impacted by the loss of data. This is because the data owner is the person who has the accountability and authority over a specific dataset, and who is responsible for its security, quality, classification, and access control. The data owner is usually a senior-level employee or a subject-matter expert who has the knowledge and motivation to ensure that the data is handled correctly and in compliance with policies and regulations. The data owner is not the same as the data custodian, who is the person who implements the technical and operational measures to protect and manage the data according to the data owner's directives. Therefore, the risk manager, the contract manager, and the vendor are not the data owners, as they do not have the final say or accountability over the data stored in the external cloud.
References: What Is a Data Owner? (Firewall Times); Data Owners vs. Data Stewards vs. Data Custodians (CPO Magazine).
Question 158:
Which of the following methods is MOST likely to be used to assess plausible risk scenarios that could result in reputational risk to the enterprise?
A. Controls gap analysis
B. Qualitative analysis
C. Quantitative analysis
D. SWOT analysis
B. Qualitative analysis
Qualitative analysis is a method that uses subjective judgments and opinions to assess plausible risk scenarios that could result in reputational risk to the enterprise. Qualitative analysis can help identify the sources, causes, and impacts of reputational risk, as well as the likelihood and severity of such risk. Qualitative analysis can also involve stakeholder feedback, surveys, interviews, focus groups, and expert opinions to evaluate the reputation of the enterprise and its IT functions. The other options are not the most likely methods to assess plausible risk scenarios that could result in reputational risk to the enterprise. Controls gap analysis is a method that compares the existing controls with the required controls to identify any deficiencies or weaknesses that could expose the enterprise to risk. Controls gap analysis can help improve the effectiveness and efficiency of IT processes and services, but it does not directly assess the reputational risk scenarios. Quantitative analysis is a method that uses numerical data and mathematical models to measure and evaluate risk scenarios. Quantitative analysis can help estimate the financial impact and probability of risk events, but it may not capture the intangible and subjective aspects of reputational risk. SWOT analysis is a method that evaluates the strengths, weaknesses, opportunities, and threats of an organization or a project. SWOT analysis can help identify the internal and external factors that affect the performance and success of the organization or the project, but it does not specifically assess the reputational risk scenarios.
References: Qualitative Risk Analysis: What it is and how to implement it; Reputational Risk Management: A Framework for Measurement; Reputational Risk Management in IT Outsourcing: A Case Study.
Question 159:
An enterprise is evaluating both a virtual reality (VR) project and an augmented reality (AR) project. Which of the following should be the MOST important objective when evaluating these two projects within IT portfolio management?
A. Maximizing the earned value of IT investments
B. Determining which IT project to discontinue
C. Implementing efficient and effective solutions
D. Reducing the risk exposure of the projects
A. Maximizing the earned value of IT investments
Within IT portfolio management, the most important objective is maximizing the earned value of IT investments. This ensures that projects contribute meaningfully to enterprise goals, provide a strong return on investment, and optimize the use of limited IT resources. Decisions about discontinuation or risk are part of the process, but value delivery is the primary metric in portfolio optimization.
References: CGEIT Review Manual, Domain 3: Benefits Realization; COBIT 2019: EDM02 (Ensure Benefits Delivery), APO05 (Manage Portfolio).
Question 160:
An ongoing project is on track according to project plan. However, a recent regulation change will have a major impact to the project. The project sponsor's NEXT step should be to:
A. Seek exemption from the appropriate regulatory body
B. Perform an impact analysis and update the business case
C. Submit the project to the IT steering committee for reapproval
D. Rescope the project to remove work impacted by the regulation
B. Perform an impact analysis and update the business case
When a regulatory change significantly affects an ongoing project, the first step should be to perform an impact analysis and update the business case. This helps the organization understand how the change influences cost, timelines, compliance, and value delivery. Only after understanding the impact should actions such as seeking reapproval, changing scope, or applying for exemptions be considered. This aligns with the principle of informed decision-making in IT governance.
References: CGEIT Review Manual, Domain 3: Benefits Realization, Change Management; COBIT 2019: BAI01 (Manage Programs and Projects), EDM02 (Ensure Benefits Delivery).
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Isaca exam questions, answers, and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CGEIT exam preparation or Isaca certification application, do not hesitate to visit Vcedump.com to find your solutions.