Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 201:
An IT governance committee realizes there are antiquated technologies in use throughout the enterprise. Which of the following is the BEST group to evaluate the recommendations to address these shortcomings?
A. Enterprise architecture (EA) review board
B. Business process improvement workgroup
C. Audit committee
D. Risk management committee
A. Enterprise architecture (EA) review board
The best group to evaluate recommendations to address the use of antiquated technologies throughout the enterprise is the Enterprise Architecture (EA) review board. This group is responsible for overseeing the architectural framework and ensuring that IT systems and technologies align with the enterprise's strategic objectives. The EA review board has the expertise to assess the impact of current technologies on the business and recommend modernization strategies that align with the enterprise architecture. While business process improvement workgroups, audit committees, and risk management committees play important roles, the EA review board is specifically equipped to address technological shortcomings and alignment with business goals.
Question 202:
To ensure IT risk is managed in a consistent manner, it is MOST important for IT governance to establish a:
A. risk management committee to identify IT-related risks.
B. risk management framework.
C. balanced scorecard that includes IT risks.
D. risk management reporting tool to ensure compliance.
B. risk management framework.
A risk management framework is a set of principles, policies, roles, responsibilities, and processes that guide, direct, and control the identification, analysis, evaluation, and treatment of IT risks. A risk management framework can help ensure that IT risk is managed in a consistent manner by:
- Providing a clear and coherent structure for managing IT risks across the organization
- Aligning IT risks with the enterprise objectives, strategy, and risk appetite
- Defining the roles and responsibilities of the IT risk owners, managers, and stakeholders
- Establishing the criteria and methods for assessing, prioritizing, and reporting IT risks
- Setting the standards and expectations for implementing and monitoring IT risk controls and responses
- Ensuring the accountability and transparency of IT risk decisions and outcomes
References: According to the CGEIT Review Manual 2022, "A risk management framework is a set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the enterprise." According to the ISACA article on Understanding Cyber Risk Metrics and Reporting, "A risk management framework provides a consistent approach to identifying, analyzing, evaluating and treating information-related risks. It also communicates the acceptable levels of risk." According to the NIST article on Staging Cybersecurity Risks for Enterprise Risk Management and Governance, "A cybersecurity risk management framework is an essential tool for organizations to use in understanding their cybersecurity risks in relation to their overall organizational risks."
Question 203:
A CIO has recently been made aware of a new regulatory requirement that may affect IT-enabled business activities. Which of the following should be the CIO's FIRST step in deciding the appropriate response to the new requirement?
A. Revise initiatives that are active to reflect the new requirements.
B. Confirm there are adequate resources to mitigate compliance requirements.
C. Consult with legal and risk experts to understand the requirements.
D. Consult with the board for guidance on the new requirements.
C. Consult with legal and risk experts to understand the requirements.
The CIO's first step in deciding the appropriate response to the new regulatory requirement should be to consult with legal and risk experts to understand the requirements. This step is important because the legal and risk experts can provide the CIO with relevant and accurate information about the new regulation, such as its scope, objectives, implications, and deadlines. The legal and risk experts can also advise the CIO on the potential risks and impacts of non-compliance, as well as the best practices and strategies for compliance. The other options are not the first step in deciding the appropriate response to the new regulatory requirement, but rather subsequent steps that depend on the outcome of the consultation with the legal and risk experts. Revising initiatives that are active to reflect the new requirements is a step that occurs after the CIO has understood the requirements and assessed their impact on the current IT-enabled business activities. Confirming there are adequate resources to mitigate compliance requirements is a step that occurs after the CIO has identified and prioritized the actions and tasks needed to achieve compliance. Consulting with the board for guidance on the new requirements is a step that occurs after the CIO has developed and proposed a feasible and effective compliance plan.
References: How to Respond to Regulatory Changes - Smartsheet; Regulatory Change Management: A Guide for Compliance Teams | LogicGate
Question 204:
Which of the following should a new CIO do FIRST to ensure information assets are effectively governed?
A. Quantify the business value of information assets
B. Perform an information gap analysis
C. Review information classification procedures
D. Evaluate information access methods
B. Perform an information gap analysis
The first thing that a new CIO should do to ensure information assets are effectively governed is to perform an information gap analysis. An information gap analysis is a process of comparing the current state and performance of the information assets with the desired state and expectations of the information governance program. Information assets include data, metadata, documents, and records that have value to the organization and need to be managed and protected. An information gap analysis can help identify the strengths, weaknesses, opportunities, and threats of the information assets, as well as the gaps, risks, and issues that need to be addressed. An information gap analysis can also provide insights and recommendations for improving and aligning the information assets with the information governance program. According to, an information gap analysis is a key step in developing an information governance strategy that supports the organization's goals and objectives. The other options are not the first things that a new CIO should do to ensure information assets are effectively governed. Quantifying the business value of information assets is a step that may be done after performing an information gap analysis, as it involves measuring and communicating the benefits and costs of the information assets to the organization and its stakeholders. Reviewing information classification procedures is a step that may be done after performing an information gap analysis, as it involves evaluating and updating the policies and practices for categorizing and labeling the information assets according to their sensitivity and criticality. Evaluating information access methods is a step that may be done after performing an information gap analysis, as it involves assessing and improving the mechanisms and controls for granting and restricting access to the information assets.
Question 205:
The use of new technology in an enterprise will require specific expertise and updated system development processes. There is concern that IT is not properly sourced. Which of the following should be the FIRST course of action?
A. Perform a risk assessment on potential outsourcing.
B. Update the enterprise architecture (EA) with the new technology.
C. Review the IT balanced scorecard for sourcing opportunities.
D. Assess the gap between current and required staff competencies.
D. Assess the gap between current and required staff competencies.
The first course of action when the use of new technology in an enterprise will require specific expertise and updated system development processes is to assess the gap between current and required staff competencies. This course of action involves identifying the skills, knowledge, and abilities that are needed to implement and manage the new technology, and comparing them with the existing capabilities of the IT staff. By assessing the gap between current and required staff competencies, the enterprise can determine the extent and nature of the sourcing challenge, and plan for appropriate solutions, such as training, hiring, or outsourcing. According to one source, "A competency gap analysis is a process of identifying the difference between what is required for a person to perform their role effectively and what they actually possess." The other options are not the first course of action when the use of new technology in an enterprise will require specific expertise and updated system development processes, but rather some of the steps or outcomes that can follow or result from the gap assessment. Performing a risk assessment on potential outsourcing is a step that involves evaluating the benefits and drawbacks of delegating some or all of the IT functions related to the new technology to an external service provider. This step can be done after assessing the gap between current and required staff competencies, and identifying outsourcing as a viable option. Updating the enterprise architecture (EA) with the new technology is a step that involves incorporating the new technology into the holistic view of the enterprise's IT environment, including its goals, principles, standards, policies, processes, technologies, and systems. This step can be done after assessing the gap between current and required staff competencies, and ensuring that the new technology aligns with the enterprise's strategic objectives and business requirements. Reviewing the IT balanced scorecard for sourcing opportunities is an outcome that involves measuring and reporting on the performance and value of IT sourcing activities and outcomes. This outcome can be done after assessing the gap between current and required staff competencies, and implementing the chosen sourcing solution.
References: What is Competency Gap Analysis? Definition and Examples
Question 206:
Which of the following BEST enables the alignment of user access rights with business requirements?
A. Data classification policy
B. Maturity model
C. System design
D. Data architecture model
C. System design
The alignment of user access rights with business requirements is most effectively achieved through system design. During the design phase, systems are architected to incorporate role-based access controls, least privilege principles, and segregation of duties based on business needs. While data classification and architecture support information management, and maturity models help assess governance capability, system design operationalizes access controls directly in alignment with enterprise roles and responsibilities. This is supported by COBIT principles that emphasize embedding governance requirements into system design and implementation to ensure alignment, value delivery, and risk mitigation.
References: CGEIT Review Manual (based on domain knowledge from Governance of Enterprise IT and COBIT design factors); COBIT 2019 Design Guide: Aligning Governance System Components.
Question 207:
The IT program manager does not see the value of conducting risk assessments for a new major IT project. The manager is reluctant to cooperate with internal auditors and the newly formed steering committee. Midway through the project, program requirements were changed because the CEO is a friend of a vendor and wants to implement this vendor's new technology. This decision will cause the current IT program budget to be insufficient and will be shown as overspending.
After the requirement change request, the IT program manager should FIRST:
A. obtain confirmation from the business and a decision by the steering committee.
B. request additional funding from the business owner to cover the additional scope.
C. report the matter to internal audit as a program deviation to be reviewed.
D. align IT with the business and agree to the business request.
A. obtain confirmation from the business and a decision by the steering committee.
The IT program manager should first obtain confirmation from the business and a decision by the steering committee before proceeding with the requirement change request. This is because the requirement change request is a major scope change that will affect the program budget, schedule, quality, and risk. The IT program manager needs to ensure that the business owner and the steering committee are aware of the implications and benefits of the change, and that they approve it formally. The IT program manager also needs to follow the established change management process and document the change request and its approval. Requesting additional funding from the business owner to cover the additional scope is not the first step, as it assumes that the change request is already approved and justified. The IT program manager should first seek confirmation and approval from the business owner and the steering committee before asking for more resources. Reporting the matter to internal audit as a program deviation to be reviewed is not the first step, as it implies that the change request is a violation or a problem. The IT program manager should first communicate with the business owner and the steering committee to understand their rationale and expectations for the change request, and to present the impact analysis and alternatives. Aligning IT with the business and agreeing to the business request is not the first step, as it disregards the role and authority of the steering committee. The IT program manager should not accept or reject the change request without consulting with the steering committee, which is responsible for overseeing and governing the program.
References: Program Management Best Practices | Smartsheet, Best Practices for Running an Ongoing Program section; Program Management: 8 Tips and Tricks for Success (Update 2023), Tip 2: Defining the control processes section; Program Management Best Practices - Project Management Institute, Comprehend the differences between programs and projects section.
Question 208:
Which strategic planning approach would be MOST appropriate for a large enterprise to follow when revamping its IT services?
A. Addressing gaps within the management of IT-related risk
B. Focusing on business innovation through knowledge, expertise, and initiatives
C. Calibrating and scaling delivery of IT services in line with business requirements
D. Adhering to on-time and on-budget IT service delivery
C. Calibrating and scaling delivery of IT services in line with business requirements
This is because calibrating and scaling delivery of IT services means adjusting and optimizing the IT service portfolio, processes, and resources to meet the changing and diverse needs and expectations of the business. By following this approach, the large enterprise can:
- Align IT services with business strategy, objectives, and priorities.
- Enhance IT service quality, efficiency, and effectiveness.
- Improve IT service agility, flexibility, and responsiveness.
- Reduce IT service costs, risks, and waste.
- Increase IT service value, satisfaction, and innovation.
Calibrating and scaling delivery of IT services can help the large enterprise revamp its IT services in a way that supports and enables business success. The other options (addressing gaps within the management of IT-related risk, focusing on business innovation through knowledge, expertise, and initiatives, and adhering to on-time and on-budget IT service delivery) are not as appropriate as calibrating and scaling delivery of IT services for a large enterprise to follow when revamping its IT services. They are more related to specific aspects or outcomes of IT service management, rather than a holistic and strategic approach. They may also be too narrow or rigid for a large enterprise that needs to adapt and evolve its IT services to the dynamic and complex business environment. They may not address the full scope or potential of IT service improvement and transformation.
Question 209:
The use of an IT balanced scorecard enables the realization of business value of IT through:
A. business value and control mechanisms.
B. outcome measures and performance drivers.
C. financial measures and investment management.
D. vision and alignment with corporate programs.
B. outcome measures and performance drivers.
The use of an IT balanced scorecard enables the realization of business value of IT through outcome measures and performance drivers. Outcome measures are the indicators of the results or consequences of the IT activities, such as customer satisfaction, revenue growth, or market share. Performance drivers are the factors that influence or contribute to the outcome measures, such as process efficiency, quality, or innovation. By using an IT balanced scorecard, the organization can link the outcome measures and performance drivers to the IT objectives, strategies, and actions, and monitor and evaluate how well IT delivers value to the business.
Question 210:
Which of the following is the PRIMARY reason to monitor data classification efforts?
A. To identify and minimize data security breaches
B. To identify deviations in the data that are outside risk thresholds
C. To ensure alignment with data protection regulations
D. To ensure assets are protected appropriately
B. To identify deviations in the data that are outside risk thresholds
The primary reason to monitor data classification efforts is to identify deviations in the data that are outside risk thresholds. This is because data classification is a process of organizing and labeling data according to its type, sensitivity, and value to the organization. Data classification helps to ensure that data is protected and handled appropriately according to its risk level and compliance requirements. By monitoring data classification efforts, the organization can:
- Detect and prevent any unauthorized access, modification, or disclosure of sensitive or confidential data.
- Identify and mitigate any potential threats or vulnerabilities that could affect the availability, integrity, or quality of data.
- Evaluate and improve the effectiveness and efficiency of data classification policies, procedures, and tools.
- Ensure alignment and consistency of data classification across different systems, applications, and processes.
- Report and communicate the status and results of data classification to relevant stakeholders.
Monitoring data classification efforts can help the organization to manage and reduce the risks associated with data and to comply with relevant industry-specific regulatory mandates such as SOX, HIPAA, PCI DSS, and GDPR.
References: Data Classification: Overview and Best Practices | Ground Labs; What Is Data Classification? The 5 Step Process and Best Practices for Classifying Data | Splunk