Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 321:
From an IT governance perspective, establishing performance measurements is PRIMARILY the responsibility of:
A. the IT architecture review board.
B. senior management.
C. the board of directors.
D. enterprise risk management (ERM).
B. senior management. Senior management is responsible for defining and communicating the IT strategy, objectives, and performance expectations for the organization. Senior management is also responsible for establishing and overseeing the IT governance framework, which includes the performance measurement metrics, processes, and tools. Senior management should ensure that the performance measurement metrics are aligned with the business goals and value creation, as well as with the IT governance principles and policies, and should monitor and evaluate the IT performance results and take corrective action where needed. Some of the sources that support this answer are: 1: This source explains the roles and responsibilities of senior management in IT governance, and how they can use COBIT 5 to implement effective IT governance practices. It states that senior management should define the IT-related goals and objectives, establish the IT governance structure and processes, assign roles and responsibilities, and ensure adequate resources and capabilities for IT governance. 2: This source discusses the importance and benefits of IT performance measurement for IT governance, and provides some tips and tools for conducting it. It suggests that senior management should be involved in setting the IT performance measurement criteria, selecting the key performance indicators (KPIs), defining the targets and thresholds, and reviewing and reporting the IT performance outcomes. 3: This source provides a comprehensive guide on how to optimize IT project intake, approval, and prioritization. It mentions that senior management should be responsible for defining the strategic alignment, value delivery, risk optimization, and resource optimization criteria for IT projects, as well as for monitoring and evaluating the IT project portfolio performance.
Question 322:
The CEO of an organization is concerned that there are inconsistencies in the way information assets are classified across the enterprise. Which of the following is the BEST way for the CIO to address these concerns?
A. Include data assets in the IT inventory.
B. Identify data owners across the enterprise.
C. Require enterprise risk assessments.
D. Implement enterprise data governance.
D. Implement enterprise data governance. Enterprise data governance is a system for defining who within an organization has authority and control over data assets and how those data assets may be used. It encompasses the people, processes, and technologies required to manage and protect data assets [1]. Enterprise data governance can help address the inconsistencies in data classification by establishing a common framework, standards, and policies for data quality, security, and usage across the enterprise. It can also assign roles and responsibilities for data owners, stewards, and custodians to ensure accountability and compliance. Identifying data owners (option B) is one component of such a program, but on its own it does not establish the common classification standards that remove the inconsistency. References: 1: https://www.cio.com/article/202183/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html; 2: https://www.ibm.com/topics/data-governance; 3: https://www.sailpoint.com/identity-library/enterprise-data-governance/; 4: https://atlan.com/enterprise-data-governance/
Question 323:
An IT steering committee is preparing to review proposals for projects that implement emerging technologies. In anticipation of the review, the committee should FIRST:
A. determine if the IT staff can support the emerging technologies.
B. understand how the emerging technologies will influence risk across the enterprise.
C. require a capacity plan and framework review for the emerging technologies.
D. require a review of the enterprise risk management framework.
B. understand how the emerging technologies will influence risk across the enterprise. The first step for the IT steering committee in reviewing proposals for projects that implement emerging technologies is to understand how those technologies will influence risk across the enterprise. Emerging technologies are new or evolving technologies that have the potential to create significant value or disruption for the enterprise, such as artificial intelligence, blockchain, and cloud computing. They can also introduce new or increased risks: security, privacy, compliance, ethical, operational, and strategic, among others. The IT steering committee should therefore understand the nature, scope, and impact of these risks, and how they affect the enterprise's risk appetite, tolerance, and profile. With that understanding, the committee can evaluate the proposals more effectively and objectively, and ensure that they align with the enterprise's strategy, goals, and governance framework. According to ISACA's CGEIT Domain 4: Risk Optimization, "the enterprise should identify and assess the risks associated with emerging technologies and their potential impact on the enterprise's objectives and performance." Furthermore, according to ISACA's article on Emerging Tech Risk, "the IT steering committee should have a clear understanding of the risk landscape of emerging technologies and how they affect the enterprise's risk posture and appetite." Understanding how the emerging technologies will influence enterprise risk is therefore the best first step. References: Emerging Tech Risk - ISACA; IT Governance: Definitions, Frameworks and Planning - ProjectManager; What is IT governance? A formal way to align IT and business strategy | CIO; CGEIT Domain 4: Risk Optimization
Question 324:
An analysis of an organization's security breach is complete. The results indicate that the quality of the code used for updates to its primary customer-facing software has been declining and security flaws were introduced. The FIRST IT governance action to correct this problem should be to review:
A. compliance with the user testing process.
B. the change management control framework.
C. the qualifications of developers to write secure code.
D. the incident response plan.
B. the change management control framework. Reviewing the change management control framework is the first IT governance action to correct the problem of declining code quality and introduced security flaws, because that framework defines and implements the policies, procedures, and standards for managing changes to IT systems and software. It also ensures that changes are authorized, tested, documented, and deployed in a consistent and secure manner. Security flaws reaching production through updates indicate that the controls around those changes (review, testing, and approval gates) did not catch them, so the framework is the governance-level place to look for the root cause. A review of the change management control framework can help to identify and address the root causes of the security breach, and to prevent or mitigate similar incidents in the future. User testing compliance and developer qualifications (options A and C) are narrower issues that a framework review would surface, and the incident response plan (option D) addresses handling of the breach rather than its cause. References: CGEIT Exam Content Outline, Domain 1, Subtopic C: Technology Governance, Task 3: Ensure that IT processes are compliant with relevant laws, regulations and contractual requirements.
Question 325:
Which of the following should be the PRIMARY input when developing IT strategy?
A. Vision statement
B. Process and capability maturity
C. Governance objectives
D. Balanced scorecard
A. Vision statement. A vision statement should be the primary input when developing IT strategy, because it is a concise and clear expression of the enterprise's desired future state and direction, and it reflects the enterprise's mission, values, and goals. A vision statement helps to guide and inspire the IT function to align its activities and resources with the business needs and expectations, and to deliver value and innovation to the enterprise. It also provides the reference point against which the IT strategy and objectives are communicated and monitored, and against which IT performance and outcomes are measured. References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pages 23-24.
Question 326:
The PRIMARY objective of building outcome measures is to:
A. monitor whether the chosen strategy is successful.
B. visualize how the strategy will be achieved.
C. demonstrate commitment to IT governance.
D. clarify the cause-and-effect relationship of the strategy.
A. monitor whether the chosen strategy is successful. Outcome measures are indicators that measure the results or impacts of a strategy, program, or project on the intended beneficiaries or stakeholders. The primary objective of building outcome measures is to monitor whether the chosen strategy is successful in achieving its goals and objectives, and to evaluate its effectiveness and efficiency. Outcome measures can also help to communicate the value and benefits of the strategy to the relevant audiences, and to identify areas for improvement or adjustment. Outcome measures differ from output measures, which measure the activities or products delivered by the strategy but not necessarily their effects. References: Outcome Measures - an overview | ScienceDirect Topics; Outcome Measurement | The Australian Institute of Family Studies; Outcome Measurement: A Guide for Nonprofit Organizations | Imagine Canada; Doing Quantitative Research with Outcome Measures
Question 327:
When updating an IT governance framework to support an outsourcing strategy, which of the following is MOST important?
A. Evaluating the choice of underlying technology platforms used by the service provider
B. Ensuring the outsource provider's IT function is aligned with its business function
C. Verifying the vendor has developed standard operating procedures for outsourced functions
D. Ensuring the effective management of contracts with third-party providers
D. Ensuring the effective management of contracts with third-party providers. When updating an IT governance framework to support an outsourcing strategy, the most important aspect is to ensure the effective management of contracts with third-party providers. Contracts are the legal documents that define the scope, terms, conditions, and expectations of the outsourcing relationship, as well as the roles, responsibilities, and obligations of both parties. They also specify the service level agreements (SLAs), key performance indicators (KPIs), and reporting mechanisms used to measure and monitor the quality and performance of the outsourced services, and provide the mechanisms for resolving disputes, enforcing compliance, and managing changes and risks. Effective contract management is therefore essential for achieving the desired outcomes and benefits of outsourcing, and for mitigating the challenges and issues that may arise from it. The other options concern the provider's internal choices and documentation, which the enterprise can only influence through the contract. References: Outsourcing Governance Framework; Guidelines on outsourcing arrangements; IT governance - managing the outsourcing relationship
Question 328:
An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the CIO?
A. Organizational responsibility for IT risk management is not clearly defined.
B. None of the members of the IT risk management team have risk management-related certifications.
C. Only a few key risk indicators (KRIs) identified by the IT risk management team are being monitored and the rest will be on a phased schedule.
D. IT risk training records are not properly retained in accordance with established schedules.
A. Organizational responsibility for IT risk management is not clearly defined. Clearly defined organizational responsibility for IT risk management is a critical factor for the success of the program. Without clear roles and responsibilities, the program may lack accountability, coordination, communication, and alignment with the business objectives, and after two years that gap indicates the program has not been properly established. The other options are less concerning, because they do not affect the core of the program. Risk management-related certifications are desirable but not mandatory for the IT risk management team. Monitoring only a few key risk indicators (KRIs) is acceptable as an interim state, as long as the ones monitored are relevant and meaningful and the phased schedule is followed. Retaining IT risk training records is important, but not essential to the program's effectiveness. References: ISACA, CGEIT Review Manual, 7th Edition, Chapter 3: Benefits Realization, Section 3.2: IT Risk Management, pp. 113-114.
Question 329:
When evaluating benefits realization of IT process performance, the analysis MUST be based on:
A. key business objectives.
B. industry standard key performance indicators (KPIs).
C. portfolio prioritization criteria.
D. IT risk policies.
A. key business objectives. When evaluating benefits realization of IT process performance, the analysis must be based on key business objectives, because they define the desired outcomes and value that the IT processes are expected to deliver and support. Key business objectives are derived from the enterprise strategy and vision, and they provide the basis for measuring and monitoring IT process performance and benefits. Industry standard KPIs (option B) may be useful yardsticks, but benefits are only realized relative to the enterprise's own objectives. References: CGEIT Exam Content Outline, Domain 3, Subtopic B: Performance Measurement and Optimization, Task 1: Establish and monitor IT performance measurement systems to evaluate the extent to which IT delivers on its strategic objectives and desired outcomes.
Question 330:
An IT risk assessment for a large healthcare group revealed an increased risk of unauthorized disclosure of information. Which of the following should be established FIRST to address the risk?
A. Data encryption tools
B. Data loss prevention tools
C. Data classification policy
D. Data retention policy
C. Data classification policy. The first step to address the risk of unauthorized disclosure of information is to establish a data classification policy. A data classification policy defines the categories of data based on their sensitivity and value to the organization, and specifies the appropriate security controls and handling procedures for each category. It helps to identify the most critical and confidential data (in a healthcare group, protected health information in particular) and to prioritize the protection of that data from unauthorized access, disclosure, modification, or loss. The policy also provides the basis for the other measures: encryption tools and data loss prevention tools (options A and B) need to know which data is sensitive before they can be configured to protect it, and a retention policy (option D) depends on the same classification to decide what must be kept and for how long. References: Reducing Cybersecurity Security Risk From and to Third Parties; Unauthorized Access: Prevention Best Practices; Security of Enterprise Application Integration
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com you will find all the answers. Vcedump.com provides not only Isaca exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are unsure about your CGEIT exam preparation or Isaca certification application, do not hesitate to visit Vcedump.com to find your solutions.