Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 171:
As a result of a new regulatory requirement, an enterprise's board has mandated that steps be taken to ensure related IT governance activities are performing as originally designed and are continuously improved. Which of the following is the BEST approach?
A. Mandate ongoing enterprise risk and control self-assessments (CSAs)
B. Conduct quarterly reviews of the enterprise business architecture
C. Engage periodic external audit reviews of IT governance processes
D. Require annual mapping of key IT governance processes

Correct Answer: A. Mandate ongoing enterprise risk and control self-assessments (CSAs)

Control self-assessments (CSAs) are the best method to continuously monitor and improve IT governance activities. CSAs empower internal teams to regularly evaluate performance, identify gaps, and initiate corrective actions, ensuring ongoing compliance and alignment with governance objectives. External audits and annual mappings are periodic snapshots and less dynamic, whereas CSAs offer proactive, continuous oversight.

References: CGEIT Review Manual, Domain 1: Governance of Enterprise IT, Performance Measurement; COBIT 2019: MEA02 (Managed System of Internal Control).
Question 172:
A data governance strategy has been defined by the IT strategy committee which includes privacy objectives related to access controls, authorized use, and data collection. Which of the following should the committee do NEXT?
A. Mandate data privacy training for employees.
B. Establish a data privacy budget.
C. Perform a data privacy impact assessment.
D. Mandate the creation of a data privacy policy.

Correct Answer: D. Mandate the creation of a data privacy policy.

The IT strategy committee should mandate the creation of a data privacy policy next, because this provides a formal and consistent framework for implementing and enforcing the data governance strategy and its privacy objectives related to access controls, authorized use, and data collection. A data privacy policy should define the roles and responsibilities of data owners, stewards, custodians, and users, and specify the principles, standards, and procedures for collecting, processing, storing, sharing, and disposing of personal data in compliance with legal and regulatory requirements. The policy should also include the mechanisms for monitoring and auditing data privacy practices and for handling data breaches or incidents. Training, budgeting, and impact assessments all depend on a policy that first states what is required.

References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pp. 57-58.
Question 173:
A series of cyber events impacting internet-facing business services has been successfully contained. To minimize future business risk exposure, which of the following should the board require of the IT team?
A. Review the internet service provider (ISP) contract.
B. Purchase cybersecurity insurance.
C. Conduct a business impact analysis (BIA).
D. Perform a root cause analysis.

Correct Answer: D. Perform a root cause analysis.
Question 174:
The results of an internal audit show that the business and IT acquire resources differently, which causes duplicate purchases. Which of the following is the BEST way to address this issue?
A. Align IT objectives to the business procurement process.
B. Involve business in IT procurement decisions.
C. Establish a centralized procurement approval process.
D. Define roles and responsibilities through a RACI chart.

Correct Answer: C. Establish a centralized procurement approval process.

The best way to address duplicate purchases caused by the business and IT acquiring resources through different processes is to establish a centralized procurement approval process. Such a process is the route an organization uses to obtain approval for purchases it intends to make; it typically involves identifying a need, requesting and obtaining quotes, and obtaining approval from a designated authority. Centralizing approval lets the organization avoid duplication, inconsistency, and inefficiency in purchasing decisions, and brings the following benefits:

Visibility and control: a clear view of all purchase requests and transactions, with the ability to monitor and manage budgets, requesters, and suppliers.
Better purchasing power: leveraging volume and purchase history to negotiate better prices and discounts, and establishing long-term relationships with preferred suppliers.
Standardization: implementing and enforcing policies and standards for data quality, security, privacy, and usage, and creating a single source of truth for purchasing information.
Elimination of maverick spending: identifying and preventing individual spending that contravenes purchasing policy or results in duplicate or unnecessary purchases.

Aligning IT objectives, involving the business in IT decisions, or defining responsibilities in a RACI chart may help, but none of them by itself closes the gap that allows the same item to be bought twice through two separate channels.

References: Centralized vs. Decentralized Purchasing: Key Differences (Pipefy); Centralizing Procurement: What Companies Need to Consider; What is the Procurement Approval Process: Detailed Guide.
Question 175:
An enterprise has performed a business impact analysis (BIA) considering a number of risk scenarios. Which of the following should the enterprise do NEXT?
A. Perform a risk controls gap analysis
B. Update the disaster recovery plan (DRP)
C. Verify compliance with relevant legislation
D. Assess risk mitigation strategies

Correct Answer: D. Assess risk mitigation strategies

After performing a business impact analysis (BIA) against a number of risk scenarios, the enterprise should next assess risk mitigation strategies. A risk mitigation strategy is a plan of action that aims to reduce the likelihood or impact of a risk event, or to transfer or accept the risk. Assessing these strategies involves evaluating the costs, benefits, feasibility, and effectiveness of the various options for addressing the risks identified in the BIA, which allows the enterprise to prioritize and implement the most appropriate and efficient measures for protecting its critical business processes and resources from disruption. According to the Business Continuity Planning Process Diagram, assessing risk mitigation strategies is the fourth step in the business continuity planning process, directly following the BIA.

The other options are not the next step. A risk controls gap analysis precedes the BIA, as it identifies existing controls and their effectiveness in preventing or reducing the risks. Updating the disaster recovery plan (DRP) follows the assessment of mitigation strategies, since the DRP documents the procedures and resources for restoring critical business functions and IT systems after a disaster. Verifying compliance with relevant legislation is performed throughout the business continuity planning process to ensure the enterprise meets the legal and regulatory requirements of its industry and location.

References: 1: Risk Mitigation Strategies - ISACA; 2: How to Conduct a Comprehensive Business Impact Analysis: A Step-by-Step Guide; 3: Business Continuity Planning Process Diagram - ISACA; 4: Business Impact Analysis: Definition and How To Conduct One; 5: The Complete Guide to Business Impact Analysis with Templates - Creately; 6: How To Conduct Business Impact Analysis in 8 Easy Steps - G2.
Question 176:
Which of the following is the MOST important aspect of business ethics?
A. Ensuring fair and consistent vendor management practices
B. Providing equal opportunities to employees
C. Protecting stakeholders' interests
D. Complying with legal and regulatory requirements

Correct Answer: C. Protecting stakeholders' interests

Business ethics is the study of appropriate business policies and practices regarding potentially controversial subjects such as corporate governance, insider trading, bribery, discrimination, corporate social responsibility, and fiduciary responsibilities. Its most important aspect is protecting the interests of stakeholders, the individuals or groups with a stake in the success or failure of the business: shareholders, customers, employees, suppliers, regulators, and society at large. Fair vendor management, equal opportunity, and legal compliance are each specific expressions of this broader obligation. By protecting stakeholders' interests, a business secures its long-term viability, reputation, and profitability.

References: CGEIT Review Manual (Digital or Print Version), Chapter 1: Governance of Enterprise IT, Section 1.1: IT Governance Frameworks and Principles, Subsection 1.1.2: IT Governance Principles, pp. 14-15; Business Ethics: Definition, Principles, Why They're Important.
Question 177:
Which of the following BEST enables informed IT investment decisions?
A. Business case
B. Technology roadmap
C. Program plan
D. Risk classification

Correct Answer: A. Business case
Question 178:
A regulator has expressed concerns about the timeliness of information reported from an enterprise. Which of the following should be done FIRST to address this issue?
A. Assess the reporting delivery process.
B. Negotiate an exception process with the regulator.
C. Automate the reporting process.
D. Evaluate the implications of risk acceptance.

Correct Answer: A. Assess the reporting delivery process.
Question 179:
A major data leakage incident at an enterprise has resulted in a mandate to strengthen and enforce current data governance practices. Which of the following should be done FIRST to achieve this objective?
A. Assess data security controls.
B. Review data logs.
C. Analyze data quality.
D. Verify data owners.

Correct Answer: D. Verify data owners.

The first step to strengthen and enforce current data governance practices after a data leakage incident is to verify data owners. Data owners are the individuals or groups with the authority and responsibility to define, classify, protect, and manage the enterprise's data assets. Verifying them ensures that the data is properly accounted for, categorized, and secured according to its value, sensitivity, and risk, and that someone is accountable for establishing data policies, standards, and procedures and for monitoring and reporting on data quality, usage, and compliance. Verifying data owners is a prerequisite for assessing data security controls, reviewing data logs, and analyzing data quality, because each of those activities depends on accurate identification and assignment of data ownership roles and responsibilities.

References: CGEIT Review Manual (Digital or Print Version), Chapter 4: Risk Optimization, Section 4.2: IT Risk Management Process, Subsection 4.2.1: IT Risk Identification, pp. 163-164; Top 10 Effective Data Governance Tools.
Question 180:
A CIO engages a consulting firm to conduct a benchmark analysis of the organization's IT governance framework against industry best practices. Several recommendations to improve the maturity of the framework are identified. Which of the following should be the CIO's NEXT course of action?
A. Develop a plan to integrate the recommendations
B. Appoint a project manager to implement the recommendations
C. Obtain approval from the IT steering committee to implement the recommendations
D. Evaluate the feasibility of the recommendations

Correct Answer: D. Evaluate the feasibility of the recommendations

After receiving the recommendations, the first logical step is to evaluate their feasibility: assessing alignment with strategic goals, resource availability, risk tolerance, and operational impact. Planning, staffing, or seeking approval for implementation before a feasibility assessment may commit the enterprise to impractical or misaligned actions.

References: CGEIT Review Manual, Domain 1: Governance of Enterprise IT; COBIT 2019: EDM02 (Ensured Benefits Delivery), APO02 (Managed Strategy).