ISACA CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: ISACA Certifications
Vendor: ISACA
Total Questions: 666 Q&As
Last Updated: May 30, 2026
ISACA CGEIT Online Questions & Answers
Question 271:
Which of the following would be MOST useful in developing IT strategic plans aligned with technological needs?
A. Business impact analysis (BIA)
B. Business case
C. Enterprise architecture (EA)
D. Benchmark analysis
Answer: C. Enterprise architecture (EA)
Enterprise architecture (EA) is the most useful in developing IT strategic plans aligned with technological needs because it provides a holistic view of the current and desired state of the organization, including its business processes, information systems, data, applications, infrastructure, and security. EA helps to align the organization's vision, strategy, and goals with its IT capabilities and resources. EA also helps to identify the gaps, risks, and opportunities for improvement in the existing IT environment and to design and implement the optimal IT solutions that can support the business needs and objectives. EA can help to ensure that the IT strategic plans are consistent, coherent, and feasible.
A business impact analysis (BIA) is a tool that helps to assess the potential impact of a disruption or change on the business objectives, processes, and functions. A BIA can help to prioritize the criticality of the IT resources and determine the acceptable level of risk and recovery time. A BIA can provide a basis for deciding how to allocate the budget, reduce the requirements, or contract external resources. However, a BIA is not sufficient for developing IT strategic plans aligned with technological needs because it does not provide a comprehensive view of the current and future IT architecture and its alignment with the business strategy.
A business case is a document that describes the rationale and justification for initiating a project or investment. A business case can help to evaluate the costs, benefits, risks, and alternatives of different IT options and to communicate the value proposition to the stakeholders. However, a business case is not enough for developing IT strategic plans aligned with technological needs because it does not provide a holistic view of the current and future IT architecture and its alignment with the business strategy.
A benchmark analysis is a process of comparing the performance, quality, or practices of an organization with those of its peers or competitors. A benchmark analysis can help to identify the best practices, standards, or trends in the industry and to measure the gap between the current and desired state of an organization. However, a benchmark analysis is not adequate for developing IT strategic plans aligned with technological needs because it does not provide a holistic view of the current and future IT architecture and its alignment with the business strategy.
References: Implement Agile IT Strategic Planning with Enterprise Architecture, The Benefits of Enterprise Architecture in Organizational Transformation, Business Impact Analysis, Business Case, Benchmark Analysis
Question 272:
A large retail chain realizes that while there has not been any loss of data, IT security has not been a priority and should become a key goal for the enterprise. What should be the FIRST high-level initiative for a newly created IT strategy committee in order to support this business goal?
A. Identifying gaps in information asset protection
B. Defining data archiving and retrieval policies
C. Recruiting and training qualified IT security staff
D. Modernizing internal IT security practices
Answer: A. Identifying gaps in information asset protection
Identifying gaps in information asset protection should be the first high-level initiative for a newly created IT strategy committee in order to support the business goal of making IT security a priority. This initiative would help to assess the current state of IT security, identify the risks and vulnerabilities that may compromise the confidentiality, integrity, and availability of information assets, and determine the actions and resources needed to address them. The other options are not as high-level, as they are more related to the implementation or execution of IT security, rather than the planning or direction of it.
References: CGEIT Review Manual (Digital Version), Chapter 1: Governance of Enterprise IT, Section 1.3: Strategic Management, Subsection 1.3.2: Strategic Management Process, Page 23; CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.2: IT Risk Management Process, Page 156; CGEIT Review Manual (Digital Version), Chapter 5: Resource Optimization, Section 5.3: Security Resource Management, Subsection 5.3.1: Security Resource Management Overview, Page 192; What is CGEIT? A certification for seasoned IT governance professionals
Question 273:
When considering an IT change that would enable a potential new line of business, the FIRST strategic step for IT governance would be to ensure agreement among the stakeholders regarding:
A. objectives to achieve goals
B. metrics to measure effectiveness
C. a vision for the future state
D. a change response plan
Answer: C. a vision for the future state
When considering an IT change that would enable a potential new line of business, the first strategic step for IT governance would be to ensure agreement among the stakeholders regarding a vision for the future state, because this would provide a clear direction and purpose for the change, and align the IT strategy with the business strategy. A vision statement should describe the desired outcomes and benefits of the change, and reflect the enterprise's mission, values, and goals.
References: ISACA, CGEIT Review Manual, 7th Edition, 2019, page 23-24.
Question 274:
IT senior management is concerned that IT service levels consistently fall below those outlined in the service level agreement (SLA). Which of the following would BEST enable the CIO to build a corrective action plan?
A. Assessing the impact of the SLA failure
B. Conducting an IT performance evaluation
C. Reviewing the IT staff training plan
D. Performing a root cause analysis
Answer: D. Performing a root cause analysis
According to the CGEIT exam guide, a root cause analysis (RCA) is a systematic process of identifying and analyzing the factors that cause an undesirable event or condition. It helps to determine the underlying causes of problems and issues, and to prevent their recurrence. A root cause analysis is the best way to enable the CIO to build a corrective action plan, as it provides a clear understanding of the reasons why IT service levels consistently fall below those outlined in the SLA, and suggests possible solutions and improvements. The other options are not sufficient to build a corrective action plan, as they do not address the root causes of the SLA failure.
References: CGEIT Exam Candidate Guide, page 15. CGEIT Certification, Root Cause Analysis
Question 275:
Which of the following is the BEST indication that enterprise value is being derived from IT?
A. IT strategy supports continuous improvement initiatives
B. Metrics are established for IT performance.
C. Rate of return for projects is achieved.
D. IT services enable business strategy.
Answer: D. IT services enable business strategy.
Enterprise value is being derived from IT when IT services enable business strategy, meaning that IT supports and enhances the enterprise's vision, mission, goals and objectives. IT services enable business strategy by aligning with the enterprise's needs and expectations, delivering value to the stakeholders and customers, and facilitating innovation and transformation. According to the COBIT 5 framework, one of the principles of governance of enterprise IT (GEIT) is "meeting stakeholder needs", which implies that enterprises exist to create value for their stakeholders by maintaining a balance between the realization of benefits, optimization of risk and use of resources. Therefore, IT services should be designed, delivered and monitored in a way that contributes to the creation of value for the enterprise.
Question 276:
An enterprise has a large backlog of IT projects. The current strategy is to execute projects as they are submitted, but executive management does not believe this method is optimal. Which of the following is the MOST important action to address this concern?
A. Implement stage-gating to determine the value of each project.
B. Establish a performance dashboard that determines business value.
C. Implement a methodology to prioritize projects based on resource availability.
D. Create a combined business/IT committee to determine project prioritization.
Answer: C. Implement a methodology to prioritize projects based on resource availability.
The most important action to address the concern of executive management about the current strategy of executing projects as they are submitted is to create a combined business/IT committee to determine project prioritization. This action will help to ensure that the IT projects are aligned with the enterprise's objectives, strategies, and values, and that they deliver the highest value and impact to the business and the customers. A combined business/IT committee can also facilitate the communication, collaboration, and coordination among the stakeholders involved in the IT projects, and resolve any conflicts or issues that may arise. A combined business/IT committee can use various project prioritization methods, such as scoring models, prioritization matrices, payback periods, or portfolio dashboards, to evaluate and rank the IT projects based on criteria such as business value, urgency, feasibility, risk, and resource availability.
Question 277:
Which of the following is the BEST way to maximize the value of an enterprise's information asset base?
A. Seek additional opportunities to leverage existing information assets.
B. Facilitate widespread user access to all information assets
C. Regularly purge information assets to minimize maintenance costs
D. Implement an automated information management platform
Answer: A. Seek additional opportunities to leverage existing information assets.
The value of an enterprise's information asset base is the amount of benefits or advantages that the enterprise can derive from its information assets, such as data, documents, records, and reports. Information assets are valuable and sensitive resources that need to be protected, managed, and used effectively and efficiently to support and achieve the enterprise's objectives and goals. To maximize the value of an enterprise's information asset base, the best way is to seek additional opportunities to leverage existing information assets. This means finding new or innovative ways to use or reuse the information assets to create more value for the enterprise, such as improving performance, quality, customer satisfaction, innovation, or competitive advantage. For example, an enterprise can leverage its existing information assets by analyzing them to generate insights, combining them to create new products or services, sharing them with partners or stakeholders to enhance collaboration, or monetizing them to generate revenue.
The other options are not the best ways to maximize the value of an enterprise's information asset base. Facilitating widespread user access to all information assets may increase the availability and utilization of the information assets, but it may also compromise their confidentiality and integrity. Not all information assets are appropriate or relevant for all users, and some may contain sensitive or confidential data that need to be restricted or protected. Therefore, facilitating widespread user access to all information assets may not maximize their value, but rather increase their risk.
Regularly purging information assets to minimize maintenance costs may reduce the storage and management expenses of the information assets, but it may also eliminate their potential value or usefulness. Not all information assets are obsolete or redundant, and some may have long-term or strategic value for the enterprise. Therefore, regularly purging information assets to minimize maintenance costs may not maximize their value, but rather decrease their availability.
Implementing an automated information management platform may improve the efficiency and effectiveness of the information asset management process, but it may not necessarily increase the value of the information asset base. An automated information management platform is a tool or system that helps to collect, store, process, analyze, and distribute information assets. However, it does not guarantee that the information assets are used or leveraged in optimal ways to create more value for the enterprise. Therefore, implementing an automated information management platform may not maximize the value of the information asset base, but rather facilitate its management.
References:
https://www.gartner.com/smarterwithgartner/why-and-how-to-value-your-information-as-an-asset
https://www.cio.com/article/202183/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html
https://www.gartner.com/en/publications/infonomics
https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/it-assetvaluation-risk-assessment-and-control-implementation-model
https://www.ibm.com/topics/information-management-systems
Question 278:
An enterprise has made the strategic decision to reduce operating costs for the next year and is taking advantage of cost reductions offered by an external cloud service provider. Which of the following should be the IT steering committee's PRIMARY concern?
A. Revising the business's balanced scorecard
B. Updating the business risk profile
C. Changing the IT steering committee charter
D. Calculating the cost of the current solution
Answer: B. Updating the business risk profile
A business risk profile is a document that identifies and evaluates the potential risks that can affect the performance, objectives, and strategy of an organization. A business risk profile can help to prioritize and mitigate the risks, as well as to align the risk management activities with the business goals and needs. If an enterprise has made the strategic decision to reduce operating costs for the next year and is taking advantage of cost reductions offered by an external cloud service provider, the IT steering committee's primary concern should be updating the business risk profile. This is because using an external cloud service provider may introduce new or increased risks for the enterprise, such as security, privacy, compliance, availability, performance, or vendor lock-in risks. Updating the business risk profile can help the IT steering committee to assess the impact and likelihood of these risks, to evaluate the effectiveness and adequacy of the existing controls and safeguards, to identify and implement any additional measures or actions to address the gaps or issues, and to monitor and report the risk status and outcomes.
References: Business Risk Profile: Definition and Examples. How to Create a Business Risk Profile. A risk assessment model for selecting cloud service providers. Cloud Computing Security for Cloud Service Providers.
Question 279:
Which of the following BEST facilitates governance oversight of data protection measures?
A. Information ownership
B. Information classification
C. Information custodianship
D. Information life cycle management
Answer: A. Information ownership
Information ownership is the assignment of roles and responsibilities for data protection to individuals or groups within the organization. Information owners are accountable for ensuring that data is properly classified, secured, and used in accordance with the organization's policies and standards. Information ownership facilitates governance oversight of data protection measures by providing clear lines of authority and accountability for data assets.
Question 280:
When a shortfall of IT resources is identified, the FIRST course of action is to:
A. perform a business impact analysis (BIA).
B. reallocate the budget to close the gap in resources.
C. reduce business requirements.
D. negotiate best pricing for contracted resources.
Answer: A. perform a business impact analysis (BIA).
Performing a business impact analysis (BIA) is the first course of action when a shortfall of IT resources is identified because it helps to assess the potential impact of the resource gap on the business processes, objectives, and goals. A BIA can also help to prioritize the criticality of the IT resources, identify the minimum acceptable levels of service, and determine the recovery strategies and resource requirements. A BIA can provide a basis for making informed decisions on how to allocate the available IT resources or acquire additional resources to close the gap.
References: According to ISACA's CGEIT Review Manual 2021, one of the key activities for ensuring effective IT resource management is to "perform a business impact analysis (BIA) to identify and prioritize critical IT resources." According to ISACA's COBIT 2019 Framework, one of the governance objectives for managing IT resources is to "ensure that a BIA is performed to determine the required level of availability, continuity and security of IT services and data." According to ISACA's Business Continuity Management guide, one of the steps for developing a business continuity plan is to "conduct a BIA to identify the critical business processes and IT resources that support them."