Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 191:
An enterprise wishes to establish key risk indicators (KRIs) in an effort to better manage IT risk. Which of the following should be identified FIRST?
A. Risk mitigation strategies
B. Enterprise architecture (EA) components
C. The enterprise risk appetite
D. Key performance metrics

Answer: C. The enterprise risk appetite

An enterprise that wishes to establish key risk indicators (KRIs) in an effort to better manage IT risk should first identify the enterprise risk appetite, because the risk appetite defines the level of risk that the enterprise is willing and able to accept in pursuit of its objectives and value creation. The enterprise risk appetite should consider the external and internal factors that influence the IT environment, such as market trends, customer demands, innovation opportunities, regulatory requirements, and business strategies. The KRIs should align with the enterprise risk appetite and measure the potential impact and likelihood of the risks that may affect IT performance and outcomes.

References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pages 75-76.
Question 192:
A healthcare enterprise that is subject to strict compliance requirements has decided to outsource several key IT services to third-party providers. Which of the following would be the BEST way to assess compliance and avoid reputational damage?
A. Require quarterly reports from the providers demonstrating compliance.
B. Require documentation that the providers have adequate controls in place.
C. Exercise the right to perform an audit.
D. Impose monetary penalties for noncompliance.

Answer: C. Exercise the right to perform an audit.

Exercising the right to perform an audit is the best way to assess compliance and avoid reputational damage when outsourcing key IT services to third-party providers, especially in a highly regulated industry such as healthcare. An audit is a systematic and independent examination of the provider's policies, procedures, controls, and performance related to the outsourced IT services, and it can verify that the provider is complying with its contractual obligations, service level agreements, and regulatory requirements. An audit can also identify and address any gaps, issues, or risks that may affect the quality, security, or reliability of the outsourced IT services, and confirm that the provider is delivering value and meeting the expectations of the enterprise. Finally, an audit provides assurance and confidence to the enterprise's senior management, board, and stakeholders that the outsourcing arrangement is effective, efficient, and compliant. Quarterly reports and control documentation (options A and B) are self-attestations by the provider, and monetary penalties (option D) apply only after noncompliance has occurred, so none of them gives the enterprise independent verification.

According to Outsourcing Compliance: What You Need to Know, "The right to audit clause should be included in every contract with a third-party service provider. It allows the organization to conduct an independent review of the provider's compliance with applicable laws and regulations, contractual terms and conditions, and industry standards and best practices."
Question 193:
Which of the following would be the MOST effective way to ensure IT capabilities are appropriately aligned with business requirements for specific business processes?
A. Establishing key performance indicators (KPIs)
B. Requiring internal IT architecture and design reviews
C. Requiring architecture and design reviews with business process stakeholders
D. Issuing a management mandate that IT and business process stakeholders work together

Answer: C. Requiring architecture and design reviews with business process stakeholders

Architecture and design reviews are an effective way to ensure that IT solutions are aligned with the business requirements and objectives for specific business processes. By involving the business process stakeholders in these reviews, IT gains a better understanding of the business needs, expectations, and constraints, and receives feedback and validation from the end users. This helps to avoid miscommunication, gaps, or conflicts between IT and the business, and ensures that the IT capabilities are fit for purpose and deliver value to the business.

References: CGEIT Review Manual, 27th Edition, Domain 1: Governance of Enterprise IT, pages 20-21.
Question 194:
Which of the following BEST supports the implementation of an effective data classification policy?
A. Monitoring with key performance indicators (KPIs)
B. Implementation of data loss prevention (DLP) tools
C. Clear guidelines adopted by the business
D. Classification policy approval by the board

Answer: C. Clear guidelines adopted by the business

A data classification policy is a set of rules and standards that define how data is categorized and labeled according to its sensitivity, value, and criticality for the organization. An effective data classification policy helps to ensure that data is properly protected, accessed, and managed throughout its lifecycle. The best way to support the implementation of an effective data classification policy is to have clear guidelines adopted by the business, because they provide a common understanding and framework for data owners, stewards, and users to classify and handle data according to the business context and requirements. Clear guidelines also help to ensure consistency, compliance, and accountability for data classification across the organization. KPIs (option A) and DLP tools (option B) can only monitor or enforce a classification scheme that the business already understands and applies, and board approval (option D) authorizes the policy but does not by itself make it usable day to day.

References: Data Classification Policy | Information Security Office; Data Governance and Classification Policy - University of Cincinnati; Data governance processes - Cloud Adoption Framework; Data classification in the Microsoft Purview governance portal.
Question 195:
Which of the following is MOST important when an IT-enabled business initiative involves multiple business functions?
A. Defining cross-departmental budget allocation
B. Conducting a systemic risk assessment
C. Developing independent business cases
D. Establishing a steering committee with business representation

Answer: D. Establishing a steering committee with business representation

Establishing a steering committee with business representation is the most important factor when an IT-enabled business initiative involves multiple business functions, because it ensures that the initiative is aligned with the strategic goals and needs of the organization, and that the different business functions have a voice and a stake in the decision-making process. A steering committee can also provide guidance, support, and oversight to the IT team and help resolve any conflicts or issues that may arise among the business functions. It can also monitor the progress and performance of the initiative and ensure that it delivers the expected benefits and value to the organization.

References: What is an IT Steering Committee? - BMC Software | Blogs; Steering Committee: Definition, Roles and Meeting Tips - ProjectManager; How To Create an IT Steering Committee in 6 Steps - Indeed.
Question 196:
When an enterprise is evaluating potential IT service vendors, which of the following BEST enables a clear understanding of the vendor's capabilities that will be critical to the enterprise's strategy?
A. Due diligence process
B. Independent audit results
C. Historical service level agreements (SLAs)
D. Benchmarking analysis results

Answer: A. Due diligence process

A due diligence process is the best way to enable a clear understanding of the vendor's capabilities that will be critical to the enterprise's strategy. A due diligence process is a systematic and comprehensive investigation and evaluation of the vendor's background, reputation, performance, quality, reliability, security, compliance, and suitability for the enterprise's needs and expectations. A due diligence process can help the enterprise:

- Verify the vendor's claims and credentials, and validate the vendor's references and testimonials
- Assess the vendor's financial stability, legal status, and ethical standards
- Identify the vendor's strengths, weaknesses, opportunities, and threats
- Compare the vendor's offerings, capabilities, and prices with other vendors and market benchmarks
- Determine the risks and benefits of engaging with the vendor, and the mitigation and contingency plans
- Negotiate the terms and conditions of the contract, service level agreement (SLA), and key performance indicators (KPIs)

Independent audit results, historical SLAs, and benchmarking results (options B, C, and D) are each useful inputs, but each covers only one aspect of the vendor; a due diligence process is the activity that gathers and evaluates all of them against the enterprise's strategic needs.

References: According to the CGEIT Review Manual 2022, "Due diligence is a comprehensive appraisal of a business undertaken by a prospective buyer or partner to establish its assets and liabilities and evaluate its commercial potential." According to the ISACA article Third-Party Vendor Selection: If Done Right, It's a Win-Win, "Once you have identified which processes can be outsourced as well as their inherent risks, you can begin performing due diligence on potential vendors. The level of due diligence should be tailored to the significance of the relationship as well as the potential risks it poses." According to the Gartner article How to Evaluate Technology Vendors in 4 Rigorous Steps, "Evaluating vendors requires detailed objectives, criteria, prioritization and monitoring. Here's help. When it comes to choosing a vendor, enterprise tech buyer teams can easily become bogged down in the details and documentation provided by sales teams."
Question 197:
From an IT governance perspective, which of the following would be the MOST significant impact of moving all IT applications to an external Software as a Service (SaaS) cloud provider?
A. The integration of the IT department with business lines
B. The shift from service delivery to service management
C. The improvement of IT service alignment with business
D. The necessity to update key risk indicators (KRIs)

Answer: B. The shift from service delivery to service management

Moving all IT applications to an external SaaS cloud provider means that the organization is outsourcing the development, deployment, maintenance, and operation of its IT applications to a third-party vendor. The organization thereby relinquishes some control and ownership over its IT applications and relies on the vendor to provide the required functionality, performance, quality, and security. Therefore, the organization needs to shift its focus from delivering IT services internally to managing IT services externally. This involves the following activities:

- Establishing and maintaining a clear and comprehensive contract or service level agreement (SLA) with the SaaS vendor that defines the roles, responsibilities, expectations, and outcomes of both parties.
- Monitoring and measuring the SaaS vendor's compliance with the contract or SLA, and ensuring that the vendor meets the agreed service levels, standards, and metrics.
- Communicating and collaborating with the SaaS vendor regularly, and resolving any issues, conflicts, or changes that may arise during service delivery.
- Evaluating and improving the effectiveness and efficiency of the SaaS vendor's service delivery, and identifying and implementing any opportunities for innovation or optimization.
- Managing the risks and challenges associated with outsourcing IT services to a SaaS vendor, such as data privacy, security, availability, compatibility, integration, dependency, cost, and performance issues.

The shift from service delivery to service management can have a significant impact on the IT governance framework, processes, policies, and practices of the organization. It can also affect the IT skills, roles, and responsibilities of the IT staff and stakeholders. Therefore, the organization needs to adapt and adjust its IT governance approach accordingly to ensure that it can effectively oversee and optimize its IT services in a SaaS environment.

The other options, the integration of the IT department with business lines, the improvement of IT service alignment with business, and the necessity to update key risk indicators (KRIs), are not as significant as the shift from service delivery to service management when moving all IT applications to an external SaaS cloud provider from an IT governance perspective. They are outcomes or consequences of moving to a SaaS environment rather than the impact or change itself, and they are not unique to a SaaS environment, since they may apply to other types or models of IT service delivery as well.
Question 198:
Which of the following is the BEST method for determining an enterprise's current appetite for risk?
A. Interviewing senior management
B. Evaluating the balanced scorecard
C. Reviewing recent audit findings
D. Assessing social media adoption

Answer: A. Interviewing senior management

According to the CGEIT certification guide, the best method for determining an enterprise's current appetite for risk is interviewing senior management, because senior management is responsible for setting the risk appetite and tolerance of the enterprise and for balancing security and business needs. The risk appetite reflects the amount and type of risk that an organization is willing to take in order to meet its strategic objectives. Interviewing senior management helps to understand their perspectives, expectations, and preferences regarding risk taking. The other options are less effective than option A, as they do not directly capture senior management's input or risk-based decision making.

References: CGEIT certification guide, Domain 3: Risk Optimization, Section 3.1: Risk Governance, page 87.
Question 199:
Which of the following is the MOST important reason that IT strategic planning processes need to be adequately documented and communicated?
A. To justify spending on IT projects
B. To promote transparency to stakeholders
C. To ensure other departments are aligned with the direction set by IT
D. To inform business units of IT department achievements

Answer: B. To promote transparency to stakeholders

IT strategic planning processes need to be adequately documented and communicated for several reasons, but the most important one is to promote transparency to stakeholders. Transparency means being open, honest, and accountable for the actions and decisions of the IT department. It helps to build trust, credibility, and confidence among the stakeholders, such as senior management, business units, customers, suppliers, regulators, and employees. By documenting and communicating the IT strategic planning processes, the IT department can demonstrate how it aligns its goals and objectives with the business strategy, how it prioritizes and executes its projects and initiatives, how it measures and reports its performance and outcomes, and how it manages its risks and challenges. Documenting and communicating these processes also enables the IT department to solicit feedback and input from the stakeholders, and to address any issues or concerns that may arise.

The other options are not as important as promoting transparency to stakeholders. Justifying spending on IT projects is a benefit of documenting and communicating the IT strategic planning processes, but it is not the primary reason. Ensuring other departments are aligned with the direction set by IT is a result of documenting and communicating the processes, but it is not the main purpose. Informing business units of IT department achievements is a part of documenting and communicating the processes, but it is not the most important reason.

References:
1. Creating an IT Strategy Communications Plan: 5 Keys to Success
2. IT Strategy Template for a Successful Strategic Plan | Gartner
3. 14 Ways To Document Communications Processes For Faster ... - Forbes
Question 200:
Which of the following is the BEST method to monitor IT governance effectiveness?
A. Service level management
B. Balanced scorecard
C. Risk control self-assessment (CSA)
D. SWOT analysis

Answer: B. Balanced scorecard

A balanced scorecard is a strategic management tool that measures and monitors the performance of an organization against its vision, mission, goals, and objectives. It uses four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard can help evaluate the effectiveness of IT governance by aligning IT activities with business strategies, assessing IT value delivery, identifying IT strengths and weaknesses, and facilitating continuous improvement.

References: CGEIT Exam Content Outline, Domain 1: Governance of Enterprise IT, Subdomain B: Strategic Management, Task 3: Establish and maintain a framework for the governance of enterprise IT to enable the achievement of enterprise objectives.