Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 261:
Which of the following is the BEST way to express the value of financial investments in cybersecurity?
A. Payback period
B. Cost-benefit analysis
C. Net present value (NPV)
D. Internal rate of return (IRR)
B. Cost-benefit analysis
Cost-benefit analysis is the most effective and practical approach for evaluating the value of cybersecurity investments. It allows comparison of expected benefits (risk reduction, incident cost avoidance, compliance) against the costs (investment, operations). While NPV and IRR are solid financial tools, they are better suited to revenue-generating projects. Cybersecurity's value is often intangible or indirect, making a straightforward cost-benefit framework more suitable. References: CGEIT Review Manual, Domain 4 (Risk Optimization and Business Case Justification); COBIT 2019: EDM02 (Ensure Benefits Delivery).
Question 262:
Which aspect of information governance BEST enables an enterprise to avoid duplication of records and promote consistency of data?
A. Data loss prevention (DLP)
B. Data modeling
C. Blockchain management
D. Enterprise architecture (EA)
B. Data modeling
The aspect of information governance that best enables an enterprise to avoid duplication of records and promote consistency of data is data modeling. Data modeling is the process of creating and maintaining a logical representation of the data structures, relationships, and constraints that exist in an enterprise's data sources, such as databases, applications, or systems. Data modeling can help ensure that the data is accurate, complete, and standardized across the enterprise, as well as facilitate the integration, analysis, and sharing of data. Data modeling can also help improve data quality, security, and governance, and support the business processes and decisions that rely on data. References: What is Data Modeling? Definition and Best Practices, which provides an overview of data modeling and its benefits.
Question 263:
An enterprise is evaluating a possible strategic initiative for which IT would be the main driver. There are several risk scenarios associated with the initiative that have been identified. Which of the following should be done FIRST to facilitate a decision?
A. Define the risk mitigation strategy.
B. Assess the impact of each risk.
C. Establish a baseline for each initiative.
D. Select qualified personnel to manage the project.
B. Assess the impact of each risk.
Before deciding whether to pursue a strategic initiative, it is important to understand the potential consequences of the risks involved. Assessing the impact of each risk means estimating how likely it is to occur and how severe its effects would be on the enterprise's objectives, performance, reputation, or resources. This can help to prioritize the most critical risks and compare them with the expected benefits of the initiative. According to one of the web search results, "the impact assessment is a key element of any risk management process. It helps to evaluate the significance of each risk and determine the appropriate response strategy." Defining the risk mitigation strategy, establishing a baseline for each initiative, and selecting qualified personnel to manage the project are important steps, but they are not the first ones. They are more likely to be part of the implementation or execution phase of the initiative, after it has been approved and funded. References: Risk Impact Assessment and Prioritization.
Question 264:
The BEST way to decide how to prioritize issues identified in an IT risk and control self-assessment (CSA) is to understand the risk and:
A. impact to the enterprise.
B. criticality of IT services affected.
C. number of IT systems affected.
D. funds required for remediation.
A. impact to the enterprise.
The BEST way to decide how to prioritize issues identified in an IT risk and control self-assessment (CSA) is to understand the risk and the impact to the enterprise. A CSA is a process of identifying, analyzing, and evaluating the potential threats and impacts that could affect the IT objectives, processes, and resources of an organization. A CSA can help to determine the actions and resources needed to bridge the gaps and achieve the desired outcomes. To prioritize the issues identified in a CSA, it is important to understand the risk and the impact to the enterprise. The risk is the measure of the likelihood and severity of an adverse event occurring and its consequences for the organization. The impact is the measure of the extent and magnitude of the harm or damage that an adverse event can cause to the organization, such as financial loss, operational disruption, reputational damage, or legal liability. By understanding the risk and the impact to the enterprise, the issues can be prioritized based on their importance and urgency, and the most appropriate and effective solutions can be implemented.
Question 265:
An enterprise has decided to execute a risk self-assessment to identify improvement opportunities for current IT services. Which of the following is MOST important to address in the assessment?
A. Related business risk
B. Residual IT risk
C. Mapping of business objectives to IT risk
D. IT capability and performance measures
C. Mapping of business objectives to IT risk
Mapping of business objectives to IT risk is the most important factor to address in a risk self-assessment for current IT services, because it helps to align the IT risk management strategy with the business strategy and goals. It also helps to identify and prioritize the key IT risks that could affect the achievement of the business objectives, and to determine the appropriate risk responses and controls. Mapping of business objectives to IT risk further helps to communicate the value and benefits of IT risk management to the business stakeholders, and to foster a risk-aware culture within the organization. One of the sources that supports this answer is A Comprehensive Guide To Risk And Control Self-Assessment (RCSA), which states that "RCSA aims to include the use of risk management techniques, business processes, and cultures in staff work and businesses to achieve objectives."
Question 266:
Risk management strategies are PRIMARILY adopted to:
A. avoid risks for business and IT assets.
B. take necessary precautions for claims and losses.
C. achieve acceptable residual risk levels.
D. achieve compliance with legal requirements.
C. achieve acceptable residual risk levels.
Risk management strategies are primarily adopted to achieve acceptable residual risk levels, which are the levels of risk that remain after applying risk response measures. Risk management strategies are the approaches or methods that an organization uses to identify, assess, and treat its IT-related risks. They can vary depending on the organization's risk appetite, tolerance, and capacity, as well as the nature and impact of the risks. Some common risk management strategies are: avoid, reduce, transfer, share, or accept. The other options are not as primary, as they relate more to the outcomes or objectives of risk management strategies than to their purpose or intention. References: CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.1: IT Risk Management Overview, Page 153; CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.2: IT Risk Management Process, Page 156; CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.3: IT Risk Management Techniques and Tools, Page 158; Proactive IT Risk Management in an Era of Emerging Technologies.
Question 267:
Which of the following should be the FIRST action taken by a newly formed IT governance committee to ensure reports are compliant with regulations and identify key IT risks?
A. Direct the development of a reporting communication plan.
B. Develop and monitor IT key risk indicator (KRI) triggers.
C. Train end users on regulation requirements.
D. Implement a mechanism to ensure reporting escalation.
B. Develop and monitor IT key risk indicator (KRI) triggers.
The first action taken by a newly formed IT governance committee to ensure reports are compliant with regulations and identify key IT risks should be to develop and monitor IT key risk indicator (KRI) triggers. IT KRIs are metrics that measure the likelihood and impact of IT-related risks on the enterprise's objectives and goals. IT KRI triggers are thresholds or values that indicate when a risk is approaching or exceeding an acceptable level, requiring attention or action from the IT governance committee. Developing and monitoring IT KRI triggers can help the committee to identify, prioritize, and manage IT risks, as well as to ensure compliance with regulations and policies. Directing the development of a reporting communication plan, training end users on regulation requirements, and implementing a mechanism to ensure reporting escalation are also important actions for the IT governance committee, but they are not the first step. A reporting communication plan is a document that defines the purpose, scope, format, frequency, audience, and distribution of IT reports, as well as the roles and responsibilities of the report creators and recipients. A reporting communication plan can help the committee to communicate effectively and efficiently with the stakeholders about IT performance, issues, and risks. Training end users on regulation requirements is a process that educates the end users on the rules and standards that apply to their use of IT systems and data, as well as the consequences of non-compliance. Training end users can help the committee to raise awareness and ensure adherence to regulations and policies. Implementing a mechanism to ensure reporting escalation is a procedure that defines the criteria, process, and channels for escalating IT reports to higher levels of authority or responsibility when necessary. Implementing a reporting escalation mechanism can help the committee to ensure timely and appropriate response and resolution of IT issues or risks. References: Integrating KRIs and KPIs for Effective Technology Risk Management; Performance Measurement Metrics for IT Governance; State and Impact of Governance of Enterprise IT in Organizations: Key Findings of an International Study.
Question 268:
The CIO of an enterprise learns the payroll server of a competitor has been the victim of ransomware. To help plan for the possibility of ransomed corporate data, what should be the CIO's FIRST course of action?
A. Require development of key risk indicators (KRIs).
B. Develop a policy to address ransomware.
C. Request a targeted risk assessment.
D. Back up corporate data to a secure location.
C. Request a targeted risk assessment.
The first course of action for the CIO of an enterprise to help plan for the possibility of ransomed corporate data should be to request a targeted risk assessment. This is because a targeted risk assessment can help to identify and evaluate the specific threats, vulnerabilities, and impacts of ransomware attacks on the enterprise's data and systems. A targeted risk assessment can also help to determine the likelihood and severity of ransomware incidents, as well as the appropriate controls and mitigation strategies to reduce the risk to an acceptable level. Requiring development of key risk indicators (KRIs) is not the first course of action, as it is a monitoring tool for measuring risk exposure and performance. KRIs are metrics that provide information on the current level and trend of risk in relation to the risk appetite and tolerance of the enterprise. KRIs can help to track and report the progress and effectiveness of the risk management activities, as well as alert management to any potential issues or changes that may affect the risk profile. However, requiring development of KRIs does not provide a comprehensive analysis or improvement plan for ransomed corporate data. Developing a policy to address ransomware is not the first course of action, as it is a result of conducting a targeted risk assessment. A policy to address ransomware is a document that defines the rules, guidelines, and responsibilities for preventing, detecting, responding to, and recovering from ransomware attacks. Developing such a policy can help to communicate the expectations and requirements for ransomware protection and compliance, as well as enforce accountability and governance for ransomware incidents. However, developing a policy to address ransomware does not provide a detailed assessment or guidance for ransomed corporate data. Backing up corporate data to a secure location is not the first course of action, as it is an implementation step after conducting a targeted risk assessment and developing a policy to address ransomware. Backing up corporate data to a secure location can help to preserve the availability, integrity, and confidentiality of the data in case of a ransomware attack, and can help to restore the data and resume normal operations afterward. However, backing up corporate data to a secure location does not provide a thorough risk analysis or governance framework for ransomed corporate data. References: Ransomware Risk Management: NISTIR 8374, Section 3 (Risk Management Process); Managing the Risks of Ransomware - SEI Blog, Assess Your Risk section; Ransomware Risk Management - NIST, Section 4 (Ransomware Risk Management Profile); NIST Releases Tips and Tactics for Dealing With Ransomware, Back Up Your Data section.
Question 269:
Six months ago, an enterprise's CIO reorganized IT to improve service delivery to the business. Which of the following would BEST demonstrate the effectiveness of the reorganization?
A. The number of help desk calls
B. A balanced scorecard
C. A survey of IT staff
D. IT cost reduction
B. A balanced scorecard
A balanced scorecard is a strategic management tool that measures and monitors the performance of an organization against its vision, mission, goals, and objectives. It uses four perspectives: financial, customer, internal process, and learning and growth. A balanced scorecard can help demonstrate the effectiveness of the IT reorganization by showing how the IT function has improved in terms of delivering value to the business, satisfying customer needs and expectations, optimizing internal processes and workflows, and enhancing the skills and capabilities of the IT staff. According to one of the web search results, "a balanced scorecard can help evaluate the effectiveness of IT governance by aligning IT activities with business strategies, assessing IT value delivery, identifying IT strengths and weaknesses, and facilitating continuous improvement." The number of help desk calls, a survey of IT staff, and IT cost reduction are not the best indicators of the effectiveness of the IT reorganization. They are more likely to reflect operational or tactical aspects of IT service delivery, rather than strategic or holistic ones. They may also be influenced by other factors that are not related to the IT reorganization, such as user behavior, staff morale, or market conditions. References: Service Delivery for IT and Business | Splunk.
Question 270:
Which of the following situations provides the BEST justification for considering the adoption of a qualitative risk assessment method?
A. Determining a quantitative risk score would require complex calculations
B. It is cost prohibitive to obtain relevant historical quantitative data
C. There are fewer information assets in the risk register
D. A higher risk tolerance level has been defined by enterprise leadership
B. It is cost prohibitive to obtain relevant historical quantitative data
Qualitative risk assessment is most appropriate when reliable quantitative data is unavailable or too costly to gather. In such cases, qualitative methods (like risk matrices or expert judgment) provide valuable input based on impact and likelihood without requiring precise numerical data. This approach is especially useful in new or evolving domains (e.g., cybersecurity or AI) where historical data may be lacking. References: CGEIT Review Manual, Domain 4 (Risk Optimization): "Qualitative assessments are suitable when quantitative methods are not feasible due to lack of historical data or high costs associated with obtaining it." COBIT 2019 Focus Area: Risk Management.