Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 231:
An enterprise is developing several consumer-based services using emerging technologies involving sensitive personal data. The CIO is under pressure to ensure the enterprise is first to market, but security scan results have not been adequately addressed. Reviewing which of the following will enable the CIO to make the BEST decision for the customers?
A. Acceptable use policy
B. Risk register
C. Ethics standards
D. Change management policy

B. Risk register
A risk register is a tool that records and tracks the risks associated with a project or an activity, such as developing consumer-based services using emerging technologies involving sensitive personal data. A risk register typically includes information such as the risk description, category, impact, probability, status, response strategy, and owner. Reviewing the risk register will enable the CIO to make the best decision for the customers, as it will help them to identify, assess, and prioritize the risks that may affect the security, privacy, and quality of the services, and to determine the appropriate actions to mitigate or avoid them. The other options are not as relevant, as they do not provide specific information about the risks involved in the project or activity. References: CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.2: IT Risk Management Process, Page 156; CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.3: IT Risk Management Techniques and Tools, Page 158; Capability Maturity Model and Risk Register Integration.
Question 232:
Senior management wants to expand offshoring to include IT services as other types of business offshoring have already resulted in significant financial benefits for the enterprise. The CIO is currently midway through a successful five-year strategy that relies heavily on internal IT resources. What should the CIO do NEXT?
A. Reevaluate the offshoring strategy.
B. Abandon the current IT strategy.
C. Continue with the existing IT strategy.
D. Reevaluate the current IT strategy.

D. Reevaluate the current IT strategy.
The CIO should reevaluate the current IT strategy in light of the senior management's decision to expand offshoring to include IT services. This means that the CIO should assess the impact of offshoring on the existing IT objectives, plans, resources, capabilities, risks, and performance. The CIO should also consider the potential benefits and challenges of offshoring IT services, such as cost reduction, access to talent, quality assurance, communication, coordination, and security. The CIO should then revise the current IT strategy to align with the enterprise's offshoring strategy and goals, and communicate the changes to the relevant stakeholders.
Question 233:
Which of the following is a CIO's BEST approach to ensure IT executes against an approved strategy?
A. Ask project management to define the IT activities for accomplishing the strategy.
B. Request IT senior leaders to collectively plan tactics for execution.
C. Have IT leaders independently develop goals for their teams.
D. Provide specific direction for execution of the tasks across IT.

B. Request IT senior leaders to collectively plan tactics for execution.
The best approach for a CIO to ensure IT executes against an approved strategy is to request IT senior leaders to collectively plan tactics for execution. This collaborative approach leverages the expertise and insights of senior IT leaders to develop a cohesive and aligned plan that supports the strategic objectives. Collective planning fosters ownership and commitment among leaders, ensuring that execution tactics are well-coordinated and aligned with the overall IT strategy. While asking project management to define activities, having leaders independently develop team goals, and providing specific task direction are important, the collective planning by IT senior leaders ensures a strategic and unified approach to execution.
Question 234:
Enterprise leadership is concerned with the potential for discrimination against certain demographic groups resulting from the use of machine learning models. What should be done FIRST to address this concern?
A. Obtain stakeholders' input regarding the ethics associated with machine learning.
B. Revise the code of conduct to discourage bias within automated processes.
C. Develop a machine learning policy articulating guidelines for machine learning use.
D. Assess recent case law related to the enterprise's machine learning business strategy.

A. Obtain stakeholders' input regarding the ethics associated with machine learning.
The first step to address the concern of discrimination against certain demographic groups resulting from the use of machine learning models is to obtain stakeholders' input regarding the ethics associated with machine learning. This is because stakeholders are the ones who are affected by or have an interest in the outcomes of machine learning models, and their input can help identify the ethical values, principles, and standards that should guide the development and use of machine learning models. Stakeholders' input can also help ensure that the machine learning models are aligned with the enterprise's mission, vision, and goals, as well as the legal and regulatory requirements. According to COBIT 5, one of the seven enablers of IT governance is stakeholders. The Ethics and Governance of Artificial Intelligence project also emphasizes the importance of engaging with diverse stakeholders to ensure that AI systems are fair, accountable, transparent, and human-centric. References: 1: COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, page 31; 2: Algorithms and Justice - Berkman Klein Center.
Question 235:
When determining the desired maturity levels for IT governance processes, it is MOST important to:
A. Focus on existing strengths as key drivers for the target levels.
B. Ensure target levels are in line with external competitor benchmarks.
C. Agree on target levels in response to need.
D. Ensure that maturity can be achieved at the lowest cost.

C. Agree on target levels in response to need.
The correct approach is to agree on target maturity levels in response to need; this ensures that the maturity level supports enterprise objectives, risk appetite, and strategic priorities. The maturity should be fit-for-purpose, rather than arbitrarily benchmarked or driven solely by cost or strengths. While competitor benchmarks and cost considerations can provide insight, they are secondary to ensuring that the governance processes meet specific business and governance needs. CGEIT Review Manual, Domain 1, Governance of Enterprise IT: "Target capability levels should be based on enterprise strategy, goals, and risk appetite, and not only on industry averages or cost." COBIT 2019 Design Guide, Tailoring Governance System Design: "Target capability levels should be derived from governance and management objectives prioritized based on enterprise needs."
Question 236:
Despite an adequate training budget, IT staff are not keeping skills current with emerging technologies critical to the business. Which of the following is the BEST way for the enterprise to address this situation?
A. Provide incentives for IT staff to attend outside conferences and training.
B. Create a standard-setting center of excellence for IT.
C. Require human resources (HR) to recruit new talent using an established IT skills matrix.
D. Establish an agreed-upon skills development plan with each employee.

D. Establish an agreed-upon skills development plan with each employee.
The best way to address the issue of IT staff not keeping their skills current, despite an adequate training budget, is to establish an agreed-upon skills development plan with each employee. This personalized approach ensures that training and development activities are directly aligned with both the organization's needs and the individual's career goals, thereby increasing the likelihood of participation and the application of new skills. While providing incentives and creating centers of excellence can be supportive, a tailored development plan directly engages each staff member in their growth, ensuring relevance and commitment.
Question 237:
A CIO is planning to interview enterprise stakeholders to assess whether the IT strategic plan is continuing to support enterprise business objectives. The CIO would be MOST effective by starting the interview process with:
A. the executive team.
B. the internal auditors.
C. senior IT managers.
D. business process owners.

A. the executive team.
The executive team consists of the senior leaders of the enterprise, such as the CEO, CFO, COO, etc. They are responsible for setting the vision, mission, goals, and strategy of the enterprise, and for overseeing its performance and governance. The CIO is part of the executive team and should align the IT strategic plan with the enterprise business objectives. Therefore, the CIO would be most effective by starting the interview process with the executive team, as they can provide the most relevant and authoritative input on the enterprise's direction, priorities, challenges, and expectations. The executive team can also help the CIO gain support and approval for the IT strategic plan from other stakeholders, such as the internal auditors, senior IT managers, and business process owners. References: ISACA, Reporting Cybersecurity Risk to the Board of Directors, page 81; ISACA, Performance Measurement Metrics for IT Governance, page 1.
Question 238:
An enterprise incurred penalties for noncompliance with privacy regulations. Which of the following is MOST important to ensure appropriate ownership of access controls to address this deficiency?
A. Granting access to information based on information architecture.
B. Engaging an audit of logical access controls and related security policies.
C. Implementing multi-factor authentication controls.
D. Authenticating access to information assets based on roles or business rules.

A. Granting access to information based on information architecture.
The most important thing to ensure appropriate ownership of access controls to address the deficiency of noncompliance with privacy regulations is to grant access to information based on information architecture. Information architecture is the design and organization of information and data in a way that supports the business objectives, processes, and requirements. Information architecture can help define the ownership, classification, and protection of information assets, as well as the roles, responsibilities, and rules for accessing and managing them. By granting access to information based on information architecture, the enterprise can ensure that only authorized and legitimate users can access the information that they need, and that the information is handled in accordance with the privacy regulations and policies. Access control is an essential element of security that determines who is allowed to access certain data, apps, and resources, and in what circumstances. A privacy management framework provides steps to meet the ongoing compliance obligations under privacy principles, such as establishing robust and effective privacy practices, procedures and systems. The other options are not the most important things to ensure appropriate ownership of access controls to address the deficiency of noncompliance with privacy regulations. Engaging an audit of logical access controls and related security policies is a step that may be done after granting access to information based on information architecture, as it involves verifying and testing the effectiveness and compliance of the access controls and policies. Implementing multi-factor authentication controls is a step that may be done after granting access to information based on information architecture, as it involves enhancing the security and verification of the user identity and credentials. Authenticating access to information assets based on roles or business rules is a step that may be done after granting access to information based on information architecture, as it involves implementing a specific type of access control mechanism that assigns permissions and restrictions based on predefined roles or business rules.
Question 239:
A root-cause analysis indicates a major service disruption due to a lack of competency of newly hired IT system administrators. Who should be accountable for resolving the situation?
A. HR training director
B. HR recruitment manager
C. Chief information officer (CIO)
D. Business process owner

C. Chief information officer (CIO)
The CIO is responsible for the overall IT governance and ensuring that IT supports the business objectives and strategy. The CIO should also ensure that IT staff have the necessary skills and competencies to perform their roles effectively and efficiently. The CIO should address the root cause of the service disruption and take corrective actions to prevent recurrence. References: CGEIT Review Manual, 27th Edition, Domain 1: Governance of Enterprise IT, pages 17-18.
Question 240:
When selecting a cloud provider, which of the following provides the MOST comprehensive information regarding the current status and effectiveness of the provider's controls?
A. Globally recognized certification
B. Third-party audit report
C. Control self-assessment (CSA)
D. Maturity assessment

B. Third-party audit report
A third-party audit report is the most comprehensive source of information regarding the current status and effectiveness of a cloud provider's controls. A third-party audit report is an independent and objective assessment of the cloud provider's security, compliance, and performance by a qualified and reputable auditor. A third-party audit report can provide assurance to the cloud customers that the cloud provider has implemented adequate and effective controls to meet the industry standards and best practices, as well as the contractual obligations and customer expectations. A globally recognized certification is a credential that demonstrates that a cloud provider has met certain criteria or standards for security, quality, or performance. A globally recognized certification can provide some level of confidence to the cloud customers that the cloud provider has achieved a minimum level of compliance or competence, but it may not provide enough details or evidence about the current status and effectiveness of the cloud provider's controls. A control self-assessment (CSA) is a process that enables a cloud provider to evaluate its own controls internally, without involving an external auditor. A CSA can help a cloud provider to identify and address any gaps or weaknesses in its controls, as well as to monitor and improve its performance. However, a CSA may not provide sufficient assurance to the cloud customers, as it may lack objectivity, transparency, and validity. A maturity assessment is a process that measures the level of maturity or capability of a cloud provider's processes or practices. A maturity assessment can help a cloud provider to benchmark its performance against industry standards or best practices, as well as to identify areas for improvement or innovation. However, a maturity assessment may not provide enough information about the current status and effectiveness of the cloud provider's controls, as it may focus more on the process rather than the outcome [5]. References: 1: Cloud Security Auditing: Challenges and Emerging Approaches - IEEE Journals and Magazine; 2: Cloud Security Audit: What You Need to Know | CloudHealth by VMware; 3: Cloud Security Certifications: What You Need to Know | CloudHealth by VMware; 4: Control Self-Assessment - ISACA; 5: Maturity Assessment - ISACA.