Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 311:
Acceptance of an enterprise's newly implemented IT governance initiatives has been resisted by a functional group requesting more autonomy over technology choices. Which of the following is MOST important to accommodate this need for autonomy?
A. Continuous improvement processes
B. Documentation of key management practices
C. An exception management process
D. A change control process
C. An exception management process
An exception management process is a method for documenting and approving a deviation from established IT governance policies, standards, and practices. It accommodates the need for autonomy over technology choices by allowing a functional group to request and justify a deviation from the IT governance requirements, based on business needs, risks, costs, and benefits. It also ensures that exceptions are reviewed and approved by the appropriate authorities, that they are monitored and reported (in practice, each approved exception should carry an expiry date and any compensating controls), and that they remain aligned with the IT strategy and objectives. Continuous improvement, documentation of management practices, and change control are all useful, but none of them provides a governed way to grant and track a deviation from the standard.
References: Exception Management Process Flow. IT/Information Security Exception Request Process. Strategies, Governance, Policies, Standards and Resources.
Question 312:
When establishing a methodology for business cases, it would be MOST beneficial for an enterprise to include procedures for:
A. updating the business case throughout its life cycle.
B. addressing required changes outside the business case.
C. identifying metrics post-implementation to measure project success.
D. entering the business case into the enterprise architecture (EA).
A. updating the business case throughout its life cycle.
A business case is a document that provides the justification and rationale for initiating, continuing, or terminating a project or program. It describes the business problem or opportunity, the objectives and benefits, the costs and risks, the alternatives and assumptions, and the expected outcomes and value of the proposed solution. A business case is not a static document but a living one that should be updated throughout the life cycle of the project or program as new information, changes, and feedback emerge. Updating it throughout its life cycle helps ensure that the project or program remains aligned with the business strategy and goals, and supports monitoring and evaluation of its performance and value delivery.
Some of the sources that support this answer are:
1. This source provides a comprehensive guide on how to write a business case, including its purpose, structure, content, and format. It also explains why it is important to update the business case throughout the project or program life cycle, as doing so helps to track progress, measure benefits, manage risks, and communicate results.
2. This source discusses the benefits and challenges of updating the business case during project or program execution. It suggests that updating the business case helps to validate assumptions, verify feasibility, adjust scope, and justify changes, and it provides tips and best practices for doing so effectively and efficiently.
3. This source defines what a business case is and how it can be used to support IT governance and decision-making. It states that a business case should be updated regularly throughout the project or program life cycle, as this helps to ensure alignment with the enterprise architecture (EA), assess risks and opportunities, and demonstrate value realization.
Question 313:
A business case indicates an enterprise would reduce costs by implementing a bring your own device (BYOD) program allowing employees to use personal devices for email. Which of the following should be the FIRST governance action?
A. Assess the enterprise architecture (EA).
B. Update the network infrastructure.
C. Update the BYOD policy.
D. Assess the BYOD risk.
D. Assess the BYOD risk.
The first governance action for implementing a BYOD program should be to assess the BYOD risk. BYOD introduces security, legal, and operational risks to the enterprise, such as data loss or leakage, unauthorized access, malware infection, compliance violations, device management burden, and user privacy concerns. Assessing the BYOD risk identifies and evaluates the potential threats, vulnerabilities, and impacts of allowing employees to use personal devices for email, and it determines the controls and mitigation strategies needed to reduce the risk to an acceptable level. The business case cites only a cost reduction; the risk assessment is what tells the enterprise whether that saving survives once the controls needed to protect corporate email on unmanaged devices are priced in.
Assessing the enterprise architecture (EA) is not the first governance action; it is a subsequent step after assessing the BYOD risk. EA is a framework that defines the structure, components, relationships, and principles of the enterprise's IT environment. Assessing the EA helps ensure that the BYOD program aligns with the enterprise's vision, strategy, goals, and standards, but it does not address the specific risks associated with BYOD.
Updating the network infrastructure is not the first governance action; it is an implementation step that follows the risk and EA assessments. It can enhance the performance, reliability, scalability, and security of the network that supports the BYOD program, but it does not provide a risk assessment or governance framework for BYOD.
Updating the BYOD policy is not the first governance action; it is an output of the risk and EA assessments. A BYOD policy defines the rules, guidelines, and responsibilities for employees who use personal devices for email, and updating it communicates the expectations and requirements for BYOD users and supports compliance and accountability. However, updating the policy does not by itself provide a risk analysis or architectural alignment for BYOD.
References: BYOD Best Practices - JumpCloud, Assessing your needs section. End user device security for Bring-Your-Own-Device (BYOD) deployment models - ITSM.70.003 - Canadian Centre for Cyber Security, 1 Introduction section. BYOD Policy Best Practices: The Ultimate Checklist - Scalefusion, Introduction section. The Ultimate Guide to BYOD Security: Definition and More - Digital Guardian, The Challenges of BYOD Security section.
Question 314:
Which of the following is MOST important for an IT strategy committee to ensure before initiating the development of an IT strategic plan?
A. Committee members are apprised of business needs
B. A risk assessment has been conducted.
C. Committee members are independent from business units.
D. IT initiatives are fully supported by the business.
A. Committee members are apprised of business needs
According to the CGEIT exam guide, the IT strategy committee should ensure that the IT strategic plan is aligned with the business needs and goals of the enterprise. Before initiating the development of an IT strategic plan, therefore, the committee members must be apprised of the business needs and understand the expectations and requirements of the stakeholders. A risk assessment and business support for individual IT initiatives follow from the strategy rather than precede it, and independence from business units would work against the alignment the committee exists to provide.
References: CGEIT Exam Candidate Guide, page 13. CGEIT Certification.
Question 315:
Establishing a uniform definition for likelihood and impact BEST enables an enterprise to:
A. reduce variance in the assessment of risk.
B. develop key risk indicators (KRIs).
C. prioritize threat assessment.
D. reduce risk appetite and tolerance levels.
A. reduce variance in the assessment of risk.
Establishing a uniform definition for likelihood and impact best enables an enterprise to reduce variance in the assessment of risk. With shared definitions, the enterprise has a consistent and comparable way of measuring the probability and consequence of events that may affect its objectives, operations, and performance, so that a "high" rating from one assessor means the same as a "high" rating from another. A uniform definition avoids confusion, ambiguity, and bias in the risk assessment process and improves the quality and reliability of the risk data and analysis, which is a prerequisite for comparing and aggregating risks across business units. It does not by itself produce KRIs, set priorities for threat assessment, or change the enterprise's risk appetite or tolerance.
References: Risk Assessment: Likelihood and Impact, which provides a guide on how to conduct a risk assessment using a clear formula that involves likelihood and impact. Risk = Likelihood x Impact, which explains how to calculate the total amount of risk exposure using likelihood and impact. How Analysis, Likelihood, and Impact Models Work Together, which describes how to use different models to express the chance, consequence, and score of a risk.
Question 316:
A board of directors wants to ensure the enterprise is responsive to changes in its environment that would directly impact critical business processes. Which of the following will BEST facilitate meeting this objective?
A. Scheduling frequent threat analyses
B. Monitoring key risk indicators (KRIs)
C. Regularly reviewing the enterprise risk appetite
D. Implementing a competitive intelligence tool
B. Monitoring key risk indicators (KRIs)
Key risk indicators (KRIs) are metrics that predict potential risks that could negatively impact the business. They provide a way to quantify and monitor each risk and act as an early warning system that helps the enterprise monitor, manage, and mitigate risks as conditions change. By monitoring KRIs, the board of directors can ensure the enterprise is responsive to changes in its environment that would directly impact critical business processes, such as market fluctuations, customer preferences, regulatory compliance, operational efficiency, or cyber threats. Monitoring KRIs helps the board identify and assess current and emerging risks, evaluate the effectiveness of risk management strategies and controls, communicate and report risk status and issues, and take timely and appropriate action to prevent or reduce the impact of the risks. Threat analyses, risk appetite reviews, and competitive intelligence tools are each narrower or less continuous than an ongoing KRI program.
References: How to Develop Key Risk Indicators (KRIs) to Fortify Your Business. The Power of KRIs in Enterprise Risk Management (ERM). KRI (Key Risk Indicator): Understanding KRI and why is it important?. Key Risk Indicators (KRIs).
Question 317:
When developing effective metrics for the measurement of solution delivery, it is MOST important to:
A. establish project controls and monitoring objectives.
B. perform an objective analysis of the project roadmap.
C. establish the objectives and expected benefits.
D. specify quantitative measures for solution delivery.
C. establish the objectives and expected benefits.
Establishing the objectives and expected benefits is the most important step when developing effective metrics for the measurement of solution delivery, because it defines the purpose, scope, and value of the solution and how it aligns with business goals and needs. With the objectives and expected benefits established, IT leaders can identify the key performance indicators (KPIs) that will measure the progress, quality, and outcomes of solution delivery. KPIs are specific, measurable, achievable, relevant, and time-bound metrics that track and evaluate performance against the objectives and expected benefits. KPIs also help IT leaders communicate the value proposition of the solution to stakeholders, monitor and manage the risks and issues that may affect delivery, and ensure that the solution meets or exceeds the expectations of customers and users. Specifying quantitative measures (option D) is necessary, but measures chosen before the objectives are agreed will track the wrong things.
References: Automation: metrics that measure success. 4 Types of Key Performance Metrics To Track (With Examples). A guide to measuring benefits effectively.
Question 318:
Which of the following is the GREATEST impact to an enterprise that has ineffective information architecture?
A. Poor desktop service delivery
B. Data retention
C. Redundant systems
D. Poor business decisions
D. Poor business decisions
Information architecture (IA) is the practice of structuring and presenting the parts of something, whether a website, mobile app, blog post, book, or brick-and-mortar store, so that users can understand it, find information, and complete tasks. An enterprise with ineffective information architecture may suffer from poor business decisions, because it cannot access, analyze, or use data and information that are relevant, accurate, consistent, and timely for decision making. Poor business decisions can lead to lost customers, market share, revenue, or competitive advantage, and to legal, financial, reputational, or operational risks. Redundant systems and data retention problems are symptoms of poor IA, but their impact is narrower than the decisions the enterprise makes on bad information.
Some examples of how ineffective information architecture can impact business decisions are:
- If the enterprise's website has a confusing or inconsistent navigation system, users may not be able to find the information they need, such as product details, prices, reviews, or contact information. This can result in lower customer satisfaction, engagement, conversion, and retention.
- If the enterprise's data is stored in multiple systems or platforms that are not integrated or interoperable, users may not be able to access or share the data across departments or functions. This can result in data silos, duplication, inconsistency, or incompleteness.
- If the enterprise's data is not labeled or categorized properly, users may not be able to search or filter the data effectively. This can result in data overload, irrelevance, or obscurity.
- If the enterprise's data is not governed or managed properly, users may not be able to trust or verify its quality or integrity. This can result in data errors, inaccuracies, or biases.
Therefore, the greatest impact of ineffective information architecture is poor business decisions.
References: Information Architecture Basics | Usability.gov. The Importance of Information Architecture to UX Design. How Enterprise Architecture Can Help You Eliminate Technical Debt. What Is Information Architecture and Why Does It Matter? - HubSpot Blog. Why Do We Need Information Architecture - Architecture.
Question 319:
An enterprise's board of directors can BEST manage enterprise risk by:
A. mandating board-approved enterprise risk management (ERM) modifications.
B. requiring the establishment of an enterprise risk management (ERM) framework.
C. requiring the establishment of an enterprise-wide program management office.
D. ensuring the cost-effectiveness of the internal control system.
B. requiring the establishment of an enterprise risk management (ERM) framework.
An enterprise's board of directors can best manage enterprise risk by requiring the establishment of an ERM framework. An ERM framework is a methodology that looks at risk management strategically from the perspective of the entire organization. It is a top-down approach that aims to identify, assess, and prepare for potential losses, dangers, hazards, and other potentials for harm that may interfere with the organization's operations and objectives. An ERM framework provides structured feedback and guidance to business units, executive management, and board members implementing and managing ERM programs, and it helps establish a consistent risk management culture regardless of employee turnover or changes in industry standards. It also commonly involves making the risk plan of action available to all stakeholders as part of an annual report. Mandating individual ERM modifications or policing the cost-effectiveness of internal controls are management-level activities that presuppose a framework already exists, and a program management office addresses project delivery rather than enterprise risk.
Question 320:
An enterprise decides to accept the IT risk of a subsidiary located in another country even though it exceeds the enterprise's risk appetite. Which of the following would be the BEST justification for this decision?
A. Risk framework alignment
B. Local market common practices
C. Compliance with local regulations
D. Technical gaps among subsidiaries
C. Compliance with local regulations
The best justification for accepting the IT risk of a subsidiary in another country, even though it exceeds the enterprise's risk appetite, is compliance with local regulations. Local regulations may impose different or stricter requirements on the subsidiary's IT operations, such as data protection, cybersecurity, or privacy laws, and compliance with them may be mandatory for the subsidiary to operate legally in the foreign market. The enterprise may therefore accept the subsidiary's IT risk as a trade-off for complying with local regulations and avoiding penalties or reputational damage. Such an acceptance should still be recorded as a formal, board-visible exception to the risk appetite rather than an unstated deviation.
The other options are less convincing, as they do not provide a strong rationale for accepting risk above appetite. Risk framework alignment is the process of ensuring that the subsidiary's IT risk management practices are consistent with the enterprise's framework; it improves communication and coordination of IT risk management across the enterprise but does not justify accepting excess risk. Local market common practices are the norms and standards that prevail where the subsidiary operates; they may influence the subsidiary's IT risk management decisions but do not override the enterprise's risk appetite or strategy. Technical gaps among subsidiaries are differences in IT systems, processes, or capabilities across the enterprise; they may pose challenges for IT governance and performance, but they do not explain why the enterprise would accept risk that exceeds its appetite.
Certification exams are becoming more important and are required by more enterprises when applying for a job. But how do you prepare for the exam effectively, in a short time and with less effort? How do you get an ideal result, and where do you find the most reliable resources? Here on Vcedump.com, you will find the answers. Vcedump.com provides not only Isaca exam questions, answers, and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your CGEIT exam preparation or your Isaca certification application, do not hesitate to visit Vcedump.com to find your solutions.