Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 241:
Which of the following MUST be established before implementing an information architecture that restricts access to data based on sensitivity?
A. Risk and control frameworks
B. Probability and impact analysis
C. Classification and ownership
D. Security and privacy policies
Answer: C. Classification and ownership
Before implementing an information architecture that restricts access to data based on sensitivity, the enterprise must first establish the classification and the ownership of its data. Classification tags data according to its type, sensitivity, and value to the organization if it were altered, stolen, or destroyed; without it there is no sensitivity level for the architecture to enforce. Ownership assigns roles and responsibilities for the creation, maintenance, protection, and disposal of data, so that someone is accountable for deciding who may access each class of data and for governing it throughout its lifecycle. Risk and control frameworks, probability and impact analysis, and security and privacy policies all depend on these two inputs: a policy stating that confidential data requires owner approval cannot be enforced until the data has been labelled confidential and an owner exists to grant approval.
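The point of the answer above is that sensitivity-based access control has nothing to evaluate until every asset carries a classification and an accountable owner. The following added example (written for this page, not taken from ISACA material or any CGEIT reference) shows an access decision that fails closed when either prerequisite is missing, plus a readiness check that lists the assets that cannot yet be placed under the architecture. The classification levels, asset names, and principals are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional


class Sensitivity(IntEnum):
    """Ordered classification levels; a higher value is more sensitive."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: Optional[Sensitivity]   # None: never classified
    owner: Optional[str]                    # None: no accountable owner


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: Sensitivity
    # Asset names for which the asset owner has explicitly approved this user.
    owner_grants: frozenset = field(default_factory=frozenset)


def access_decision(asset: DataAsset, principal: Principal) -> tuple:
    """Return (allowed, reason). Fails closed whenever the governance
    prerequisites (classification and ownership) have not been established."""
    if asset.classification is None:
        return False, "deny: asset is unclassified"
    if asset.owner is None:
        return False, "deny: asset has no accountable owner"
    if principal.clearance < asset.classification:
        return False, (f"deny: clearance {principal.clearance.name} is below "
                       f"{asset.classification.name}")
    # Above a threshold, clearance alone is not enough: the owner must approve.
    if (asset.classification >= Sensitivity.CONFIDENTIAL
            and principal.user != asset.owner
            and asset.name not in principal.owner_grants):
        return False, "deny: owner approval required for CONFIDENTIAL and above"
    return True, "allow"


def readiness_gaps(assets):
    """Names of assets that cannot be governed by sensitivity-based access
    control yet, because classification or ownership is missing."""
    return sorted(a.name for a in assets
                  if a.classification is None or a.owner is None)


# Constructed sample inventory; names and owners are hypothetical.
INVENTORY = [
    DataAsset("press-releases", Sensitivity.PUBLIC, "comms"),
    DataAsset("payroll", Sensitivity.RESTRICTED, "hr-director"),
    DataAsset("customer-list", Sensitivity.CONFIDENTIAL, "sales-director"),
    DataAsset("legacy-share", None, "it-ops"),                 # never classified
    DataAsset("board-minutes", Sensitivity.RESTRICTED, None),  # nobody owns it
]

# An analyst cleared to CONFIDENTIAL whom the sales director has approved
# for the customer list, and a contractor with the same clearance but no grant.
ANALYST = Principal("analyst", Sensitivity.CONFIDENTIAL, frozenset({"customer-list"}))
CONTRACTOR = Principal("contractor", Sensitivity.CONFIDENTIAL)

if __name__ == "__main__":
    print("not ready for the architecture:", readiness_gaps(INVENTORY))
    for asset in INVENTORY:
        print(f"{asset.name:15} analyst -> {access_decision(asset, ANALYST)}")
    print("customer-list   contractor ->", access_decision(INVENTORY[2], CONTRACTOR))
```

The two unclassified or unowned assets are denied regardless of who asks, which is exactly the state the question warns about: the architecture cannot restrict access "based on sensitivity" for data whose sensitivity and owner were never established, so the readiness check is what a governance body would want to see cleared before go-live.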
Question 242:
Which of the following is the MOST important consideration regarding IT measures as part of an IT strategic plan?
A. Data collection for the metrics is automated.
B. The metrics can be traced to enterprise goals.
C. Minimum target levels are realistic.
D. Thresholds align to key risk indicators (KRIs).
Answer: B. The metrics can be traced to enterprise goals.
The most important consideration regarding IT measures in an IT strategic plan is that the metrics can be traced to enterprise goals. This traceability ensures that IT initiatives and their performance metrics contribute directly to the broader objectives of the organization and demonstrate the value of IT in supporting strategic outcomes. Automated data collection, realistic minimum target levels, and thresholds aligned to KRIs are useful attributes of a metric, but they concern how a metric is gathered or interpreted; a metric that cannot be traced to an enterprise goal measures something the strategy does not need, however well it is collected.
Question 243:
A large financial institution is considering outsourcing customer call center operations which will allow the chosen vendor to access systems from offshore locations. Which of the following represents the GREATEST risk?
A. Inconsistent customer service and reporting
B. Loss of data confidentiality
C. Lack of network availability
D. Inadequate business continuity planning
Answer: B. Loss of data confidentiality
Loss of data confidentiality is the greatest risk for a large financial institution considering outsourcing its call center operations, because offshore vendor access exposes sensitive customer and business information to unauthorized access, disclosure, or misuse by the vendor, its staff, or other third parties, and it does so across jurisdictions where the institution's legal and technical controls may not reach. Confidentiality is especially important for financial institutions, since they handle personal, financial, and transactional data that are subject to strict regulatory and legal requirements, such as the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standard (PCI DSS). A breach of confidentiality could result in reputational damage, customer dissatisfaction, legal liability, and financial loss. The other options are less severe, as they concern the operational or performance aspects of outsourcing rather than its security and compliance aspects.
References: CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.1: IT Risk Management Overview, Page 153; CGEIT Review Manual (Digital Version), Chapter 5: Resource Optimization, Section 5.3: Security Resource Management, Subsection 5.3.1: Security Resource Management Overview, Page 192; Offshore bank call centers face risks around privacy, resilience amid COVID-19; Call Center Outsourcing Risks and How to Mitigate Them.
Question 244:
The MOST important aspect of an IT governance framework to ensure that IT supports repeatable business processes is:
A. earned value management.
B. quality management.
C. resource management.
D. risk management.
Answer: B. quality management.
Quality management is the most important aspect of an IT governance framework for ensuring that IT supports repeatable business processes, because it involves defining, implementing, and monitoring quality standards, policies, and procedures for IT products and services. Quality management also ensures that IT processes are aligned with enterprise requirements, objectives, and expectations, and that they deliver consistent and reliable outcomes, which is what makes a process repeatable.
References: CGEIT Exam Content Outline, Domain 1, Subtopic C: Technology Governance, Task 2: Ensure that IT processes are defined, implemented, monitored and continually improved in alignment with the enterprise governance framework.
Question 245:
Which of the following is the BEST indicator for measuring performance when implementing DevSecOps in an enterprise?
A. Mean time to repair
B. Percentage of automated tests
C. Deployments per day
D. Number of defects released per day
Answer: B. Percentage of automated tests
The percentage of automated tests is the key indicator for DevSecOps because it reflects how far security and quality checks have been integrated into the development lifecycle. Automation is a cornerstone of DevSecOps: it is what allows continuous integration and deployment to carry embedded testing and security validation on every change. Mean time to repair and deployment frequency are valuable measures of operational performance, but the degree of automation is what directly supports the DevSecOps goals of security, speed, and reliability.
References: CGEIT Review Manual, Domain 3: Benefits Realization; COBIT 2019: BAI03 (Manage Solutions Identification and Build), DSS05 (Manage Security Services).
Question 246:
An IT strategy committee wants to ensure that a risk program is successfully implemented throughout the enterprise. Which of the following would BEST support this goal?
A. A risk management framework
B. Mandatory risk awareness courses for staff
C. A risk recognition and reporting policy
D. Commitment from senior management
Answer: D. Commitment from senior management
A risk program is a strategic initiative that requires the support and involvement of the top leaders of the enterprise. Senior management can demonstrate its commitment to the risk program by:
- providing clear direction and guidance on the objectives, scope, and approach of the risk program;
- allocating sufficient resources, budget, and authority to the risk program team;
- communicating the importance and benefits of the risk program to all stakeholders;
- encouraging a culture of risk awareness and accountability across the enterprise;
- reviewing and approving the risk program deliverables and outcomes;
- rewarding and recognizing the achievements and contributions of the risk program team and participants.
A risk management framework (A) is a tool that helps to define and implement the risk program, but it does not ensure the program's success without senior management commitment. Mandatory risk awareness courses for staff (B) increase staff knowledge and skills in risk management, but they do not guarantee engagement and participation in the program without senior management endorsement. A risk recognition and reporting policy (C) establishes the rules and procedures for identifying and communicating risks, but it does not ensure compliance and effectiveness without senior management oversight.
Question 247:
Which of the following is the BEST way for a CIO to ensure that the work of IT employees is aligned with approved IT directives?
A. Mandate technical training related to the IT objectives.
B. Have business leaders present their departments' objectives.
C. Include relevant IT goals in individual performance objectives.
D. Request a progress review of IT objectives by internal audit.
Answer: C. Include relevant IT goals in individual performance objectives.
The best way for a CIO to ensure that the work of IT employees is aligned with approved IT directives is to include relevant IT goals in individual performance objectives. The CIO communicates the IT vision, mission, strategy, and objectives to IT staff and links them to each person's performance and development plan. In this way the CIO can motivate IT employees to work toward the desired outcomes, monitor their progress and performance, provide feedback and recognition, and address any issues or gaps. Including IT goals in individual performance objectives also aligns IT employees with business needs and expectations, fosters a culture of accountability and collaboration, and improves the quality and value of IT services. Training (A) builds skills but does not direct effort; business presentations (B) inform but do not bind; an audit review (D) detects misalignment after the fact rather than preventing it.
References: How to Align Employee Performance With Organizational Goals; The Importance And Challenges Of Employee Alignment.
Question 248:
An enterprise has a zero-tolerance policy regarding security. This policy is causing a large number of email attachments to be blocked and is a disruption to enterprise. Which of the following should be the FIRST governance step to address this email issue?
A. Direct the development of an email usage policy.
B. Obtain senior management input based on identified risk.
C. Recommend business sign-off on the zero-tolerance policy.
D. Introduce an exception process.
Answer: B. Obtain senior management input based on identified risk.
According to the CGEIT certification guide, the first governance step to address the email disruption caused by the zero-tolerance security policy is to obtain senior management input based on identified risk. Senior management is ultimately responsible for setting the risk appetite and tolerance of the enterprise and for balancing security against business needs. The zero-tolerance policy may be more restrictive than the enterprise's risk profile and objectives require, so senior management input is needed to review and adjust the policy in light of a risk assessment and analysis. The other options are less appropriate as the first step: an email usage policy (A) and an exception process (D) are implementation responses to a decision that has not yet been made, and business sign-off on the existing policy (C) ratifies the current setting without a risk-based review.
References: CGEIT certification guide, domain 3: Risk Optimization, section 3.1: Risk Governance, page 87.
Question 249:
Which of the following BEST enables an enterprise to determine whether a current program for IT infrastructure migration to the cloud is continuing to provide benefits?
A. Key performance indicators (KPIs)
B. Total cost of ownership (TCO)
C. Key risk indicators (KRIs)
D. Net present value (NPV)
Answer: A. Key performance indicators (KPIs)
Key performance indicators (KPIs) are metrics that measure the performance of a project, program, or investment against a set of targets, objectives, or benchmarks. KPIs enable an enterprise to determine whether a current program for migrating IT infrastructure to the cloud is continuing to provide benefits by tracking the progress, efficiency, quality, and outcomes of the program while it runs. KPIs also help to identify gaps, issues, or risks that may affect the program's success and enable timely corrective action.
Total cost of ownership (TCO) is the purchase price of an asset plus the costs of operating it over its life span. TCO helps an enterprise compare the costs of different IT infrastructure options, such as cloud versus on-premise, but it does not measure the ongoing performance or benefits of the option chosen.
Key risk indicators (KRIs) are metrics that monitor and predict potential risks that may negatively affect an enterprise's objectives or operations. KRIs help an enterprise identify and mitigate risks associated with cloud migration, such as security breaches, data loss, or service disruptions, but they do not measure the benefits or value of the program.
Net present value (NPV) is the difference between the present value of cash inflows and the present value of cash outflows over a period of time; it evaluates the profitability or return of an investment by discounting future cash flows to their present value. NPV helps an enterprise decide whether to undertake a cloud migration based on its expected net value, but it is computed from forecasts before the program starts and does not measure the actual performance or benefits of the program once it is under way.
References: Total Cost of Ownership: How It's Calculated With Example (Investopedia); Key Risk Indicators (KRIs) (National Treasury); How to Develop Key Risk Indicators (KRIs) to Fortify Your Business (AuditBoard); How to Develop Effective Key Risk Indicators (Secureframe); Net Present Value (NPV): Definition, Examples, How to Do NPV Analysis; NPV Formula: Learn How Net Present Value Really Works, Examples.
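To make the distinction concrete, here is an added worked example (not from the exam material or any of the references above) that computes NPV and TCO from forecast figures, as an enterprise would before approving a migration, and then runs a period-by-period KPI review of realized savings against the planned target, which is what answers the question of whether a running program is still delivering. All cash flows, cost figures, the discount rate, and the tolerance band are constructed for illustration.

```python
def npv(discount_rate, cash_flows):
    """Net present value of a series of cash flows.
    cash_flows[t] occurs at the end of year t; t = 0 is the undiscounted
    up-front amount (negative for an investment)."""
    return sum(cf / (1 + discount_rate) ** t for t, cf in enumerate(cash_flows))


def tco(purchase_price, annual_operating_costs):
    """Total cost of ownership: acquisition cost plus operating costs
    over the asset's life span."""
    return purchase_price + sum(annual_operating_costs)


def kpi_status(actual, target, tolerance=0.10):
    """Classify one period's measured benefit against its target.
    The tolerance band is an assumed governance setting."""
    if actual >= target:
        return "on track"
    if actual >= target * (1 - tolerance):
        return "within tolerance"
    return "at risk"


def benefits_review(targets, actuals, tolerance=0.10):
    """Period-by-period KPI review of a running program. Only periods for
    which actuals exist are assessed; future targets are not yet measurable."""
    return [(period, actual, kpi_status(actual, target, tolerance))
            for period, (target, actual) in enumerate(zip(targets, actuals), start=1)]


# Constructed figures for a hypothetical four-year cloud migration.
DISCOUNT_RATE = 0.10
MIGRATION_CASH_FLOWS = [-500_000, 200_000, 200_000, 200_000, 200_000]

# Constructed five-year cost profiles for the two infrastructure options.
ONPREM_TCO = tco(300_000, [60_000] * 5)   # buy hardware, then run it
CLOUD_TCO = tco(0, [110_000] * 5)         # no purchase, higher run cost

# Planned quarterly savings versus what has actually been measured so far.
PLANNED_QUARTERLY_SAVINGS = [50_000] * 8
ACTUAL_QUARTERLY_SAVINGS = [52_000, 48_000, 41_000]

if __name__ == "__main__":
    print(f"NPV of migration: {npv(DISCOUNT_RATE, MIGRATION_CASH_FLOWS):,.2f}")
    print(f"TCO on-premise: {ONPREM_TCO:,}  TCO cloud: {CLOUD_TCO:,}")
    for period, actual, status in benefits_review(PLANNED_QUARTERLY_SAVINGS,
                                                  ACTUAL_QUARTERLY_SAVINGS):
        print(f"Q{period}: actual {actual:,} -> {status}")
```

NPV and TCO are each a single number fixed at decision time; nothing in them changes when the third quarter's savings fall short. The KPI review is the only one of the three that moves with the program's actual results, which is why it is the instrument for deciding whether the benefits are still being realized.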
Question 250:
Which of the following is the GREATEST benefit of using a quantitative risk assessment method?
A. It uses resources more efficiently
B. It can be used to assess risks against non-tangible assets
C. It reduces subjectivity
D. It helps in prioritizing risk response action plans
Answer: C. It reduces subjectivity
A quantitative risk assessment method uses numerical values and mathematical models to estimate the likelihood and consequences of risks. This reduces the subjectivity and bias that can arise in qualitative methods, which rely on personal judgment and experience. Because the inputs are numbers, a quantitative method also allows risks to be compared and prioritized objectively by their expected loss (probability times impact), and it allows the cost of a control to be weighed against the loss it prevents. Prioritization (D) is a consequence of this objectivity rather than the primary benefit; quantitative methods are typically more resource-intensive (A), and they are harder, not easier, to apply to non-tangible assets whose value is difficult to express numerically (B).
References: Quantitative Risk Analysis (Definition, Benefits and Steps) (Indeed); Risk Assessment and Analysis Methods: Qualitative and Quantitative (ISACA).
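The standard quantitative model behind the answer above is annualized loss expectancy: single loss expectancy (SLE) is asset value times exposure factor, and ALE is SLE times the annualized rate of occurrence (ARO). The following added example (written for this page, not part of the exam material or the cited references) carries that model through three constructed scenarios, ranks them by ALE, and prices two proposed controls by the loss they avoid net of their own cost. The asset values, exposure factors, occurrence rates, and control costs are illustrative assumptions, not measured data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    asset_value: float      # monetary value of the asset at risk
    exposure_factor: float  # fraction of the value lost per occurrence, 0..1
    aro: float              # annualized rate of occurrence (events per year)


def sle(s: Scenario) -> float:
    """Single loss expectancy = asset value x exposure factor."""
    return s.asset_value * s.exposure_factor


def ale(s: Scenario) -> float:
    """Annualized loss expectancy = SLE x ARO."""
    return sle(s) * s.aro


def prioritize(scenarios):
    """Rank scenarios by expected annual loss, highest first. The ordering
    is determined by the numbers, not by who is in the room."""
    return sorted(scenarios, key=ale, reverse=True)


def safeguard_value(before: Scenario, after: Scenario, annual_cost: float) -> float:
    """Net annual value of a control: ALE reduction minus the control's cost.
    A negative result means the control costs more than the loss it prevents."""
    return ale(before) - ale(after) - annual_cost


# Constructed scenarios with illustrative figures.
RANSOMWARE = Scenario("ransomware on file servers", 2_000_000, 0.40, 0.25)
LAPTOP_THEFT = Scenario("theft of an unencrypted laptop", 50_000, 1.00, 3.0)
DEFACEMENT = Scenario("public website defacement", 100_000, 0.10, 2.0)

# The same scenarios after a proposed control changes one parameter:
# endpoint detection lowers how often ransomware succeeds (ARO),
# full-disk encryption lowers what is lost when a laptop is stolen (EF).
RANSOMWARE_WITH_EDR = Scenario(RANSOMWARE.name, 2_000_000, 0.40, 0.05)
LAPTOP_WITH_FDE = Scenario(LAPTOP_THEFT.name, 50_000, 0.10, 3.0)
EDR_ANNUAL_COST = 90_000
FDE_ANNUAL_COST = 20_000

if __name__ == "__main__":
    for s in prioritize([RANSOMWARE, LAPTOP_THEFT, DEFACEMENT]):
        print(f"{s.name:32} SLE {sle(s):>12,.0f}  ALE {ale(s):>10,.0f}")
    print("EDR net value per year:",
          f"{safeguard_value(RANSOMWARE, RANSOMWARE_WITH_EDR, EDR_ANNUAL_COST):,.0f}")
    print("FDE net value per year:",
          f"{safeguard_value(LAPTOP_THEFT, LAPTOP_WITH_FDE, FDE_ANNUAL_COST):,.0f}")
```

Two things the numbers show that a qualitative high/medium/low rating would not: the frequent, individually small laptop loss ends up close to the rare, large ransomware loss in annual terms, and the cheaper control (encryption) returns more per year than the expensive one, even though both are worth buying. Those comparisons are reproducible by anyone given the same inputs, which is the reduced subjectivity the answer refers to; the remaining judgment moves into the inputs themselves, so the estimates of value, exposure, and frequency should be sourced and documented.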