Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 331:
Which of the following is the MOST important input for the development of a human resources strategy to address IT skill gaps?
A. Training budget allocated for IT staff
B. Training effectiveness reports
C. Technology direction of the enterprise
D. A recent IT skills matrix
C. Technology direction of the enterprise
The most important input for the development of a human resources strategy to address IT skill gaps is the technology direction of the enterprise, because it identifies the current and future IT capabilities and competencies required to support the enterprise's vision, mission, goals, and objectives. The technology direction of the enterprise should consider the external and internal factors that influence the IT environment, such as market trends, customer demands, innovation opportunities, regulatory requirements, and business strategies. The human resources strategy should align the IT staff development and retention plans with the technology direction of the enterprise, and ensure that the IT staff have the relevant skills, knowledge, and experience to deliver value and performance to the enterprise. References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pages 25-26.
Question 332:
A CIO is planning to implement an enterprise resource planning (ERP) system at the request of the business. Of the following, who is accountable for providing sponsorship for the IT-enabled change across the enterprise?
A. CEO
B. Human resource (HR) director
C. IT strategy committee
D. CIO
A. CEO
According to the web search results, the CEO is accountable for providing sponsorship for the IT-enabled change across the enterprise. The CEO is the highest-ranking executive in the organization, and has the authority and responsibility to lead the strategic direction and vision of the enterprise. The CEO also has the power and influence to allocate resources, prioritize initiatives, resolve conflicts, and communicate with stakeholders. Therefore, the CEO is the best person to provide sponsorship for the ERP implementation, which is a major and complex IT-enabled change that affects the entire enterprise. The other options are not as accountable as the CEO for providing sponsorship for the IT-enabled change across the enterprise. The HR director is responsible for managing the human resources functions of the organization, such as recruitment, training, compensation, and performance management. The HR director may support the ERP implementation by facilitating change management, employee engagement, and organizational development, but does not have the same level of authority and accountability as the CEO. The IT strategy committee is a group of senior executives from different business units that provides guidance and oversight for the IT strategy and governance of the organization. The IT strategy committee may advise on and approve the ERP implementation, but does not have the same level of leadership and visibility as the CEO. The CIO is responsible for managing the IT functions of the organization, such as planning, implementing, and operating the IT systems and services. The CIO may lead and execute the ERP implementation, but does not have the same level of responsibility and influence as the CEO. References: 1: What Is A Project Sponsor and Do You Need One When Implementing ERP? 2: Building a Successful ERP Implementation Team | NetSuite 3: What Does an HR Director Do? | Indeed.com 4: What Is an IT Strategy Committee? | Bizfluent : What is a CIO? Everything you need to know about the Chief Information Officer explained | ZDNet
Question 333:
Which of the following has the GREATEST influence on data quality assurance?
A. Data stewardship
B. Data encryption
C. Data classification
D. Data modeling
A. Data stewardship
Data stewardship is the process of defining, implementing, and enforcing policies, standards, roles, and responsibilities for the quality, security, privacy, and usage of data within an enterprise. Data stewardship has the greatest influence on data quality assurance, as it ensures that the data is accurate, complete, consistent, timely, and fit for its intended purpose. Data stewardship also helps to identify and resolve data quality issues, monitor and measure data quality performance, and improve data quality over time. The other options are not as influential as data stewardship, as they are specific aspects or techniques of data management, but not comprehensive processes. Data encryption is the process of transforming data into an unreadable format to protect it from unauthorized access or modification. Data encryption can enhance data security and privacy, but it does not directly affect data quality assurance. Data classification is the process of categorizing data based on its value, sensitivity, and risk to the enterprise. Data classification can help to apply appropriate controls and policies for data protection and compliance, but it does not directly affect data quality assurance. Data modeling is the process of creating a representation of the structure, relationships, and meaning of data within a specific domain or context. Data modeling can help to design and optimize databases and applications that use data, but it does not directly affect data quality assurance.
Question 334:
Following the rollout of an enterprise IT software solution that hosts sensitive data, it was discovered that the application's role-based access control was not functioning as specified. Which of the following is the BEST way to prevent reoccurrence in the future?
A. Ensure supplier contracts include penalties if solutions do not meet functional requirements
B. Ensure the evaluation process requires independent assessment of solutions prior to implementation
C. Ensure supplier contracts include a provision for the right to audit on an annual basis
D. Ensure procurement processes require the identification of alternate vendors to ensure business continuity
B. Ensure the evaluation process requires independent assessment of solutions prior to implementation
An independent assessment is a review by a third party of an authorization decision, a product, a service, or a system to verify its quality, functionality, compliance, or performance. An independent assessment can help identify and mitigate potential risks, errors, or defects before they cause problems or failures. An independent assessment can also provide an objective and unbiased opinion on the suitability and effectiveness of a solution for a specific purpose or context. By requiring an independent assessment of solutions prior to implementation, the enterprise can ensure that the solutions meet the functional requirements and specifications, as well as the security and privacy standards and policies. This can prevent issues such as the malfunctioning of role-based access control, which could compromise the confidentiality, integrity, and availability of sensitive data. An independent assessment can also help evaluate the compatibility and interoperability of solutions with existing systems and processes, and provide recommendations for improvement or optimization. Some examples of independent assessment methods are:
Independent verification and validation (IV&V): A process that checks whether a system meets its defined requirements and specifications, and whether it fulfills its intended purpose and functions.
Independent technical review (ITR): A process that evaluates the technical aspects of a system, such as its design, architecture, performance, reliability, security, usability, maintainability, and scalability.
Independent security assessment (ISA): A process that assesses the security posture of a system, such as its vulnerability to threats, its compliance with security standards and regulations, its implementation of security controls and measures, and its response to security incidents.
Question 335:
Business management is seeking assurance from the CIO that IT has a plan in place for early identification of potential issues that could impact the delivery of a new application. Which of the following is the BEST way to increase the chances of a successful delivery?
A. Implement a release and deployment plan
B. Ask the application owner to update the risk register
C. Create a baseline configuration of the new application
D. Perform user acceptance testing (UAT)
A. Implement a release and deployment plan
A release and deployment plan outlines structured activities to transition new applications into production. It includes monitoring, testing, fallback procedures, and risk identification mechanisms, helping identify and address potential issues early. While UAT and risk register updates are helpful, and baseline configurations ensure consistency, a formal release and deployment plan is the most comprehensive tool for early issue detection and delivery assurance. References: CGEIT Review Manual, Domain 3: Benefits Realization; COBIT 2019: BAI07 (Manage Change Acceptance and Transitioning).
Question 336:
What is the BEST way for IT to achieve compliance with regulatory requirements?
A. Enforce IT policies and procedures.
B. Create an IT project portfolio.
C. Review an IT performance dashboard.
D. Report on IT audit findings and action plans.
A. Enforce IT policies and procedures.
The best way for IT to achieve compliance with regulatory requirements is to enforce IT policies and procedures that align with the compliance standards and guidelines. IT policies and procedures are the documents that define the roles, responsibilities, rules, and expectations for the IT function and its activities. They help to ensure that the IT systems and processes are secure, reliable, efficient, and consistent with the business objectives and legal obligations. By enforcing IT policies and procedures, IT can demonstrate its compliance with regulatory requirements and avoid violations, penalties, or reputational damage. The other options are not as effective as enforcing IT policies and procedures for achieving compliance with regulatory requirements. Creating an IT project portfolio is a good practice for managing IT investments and resources, but it does not guarantee compliance with regulatory requirements. Reviewing an IT performance dashboard is a useful technique for monitoring and measuring IT performance and value delivery, but it does not ensure compliance with regulatory requirements. Reporting on IT audit findings and action plans is a necessary step for improving IT governance and control processes, but it does not by itself achieve compliance with regulatory requirements. References: What is IT Compliance? - Checklist, Guidelines and More | Proofpoint US; 6 Common IT Compliance Standards (A Guide to the Basics); Here's Why Regulatory Compliance is Important - Reciprocity
Question 337:
An enterprise is implementing a new IT governance program. Which of the following is the BEST way to increase the likelihood of its success?
A. The IT steering committee approves the implementation efforts.
B. The CIO communicates why IT governance is important to the enterprise.
C. Implementation follows an IT audit recommendation.
D. The CIO issues a mandate for adherence to the program.
B. The CIO communicates why IT governance is important to the enterprise.
The CIO communicating why IT governance is important to the enterprise is the best way to increase the likelihood of its success, as it helps to create awareness, understanding, and buy-in from the stakeholders and staff involved in the IT governance program. The CIO can also communicate the benefits, objectives, and expectations of the IT governance program, and how it aligns with the enterprise strategy and vision. References: CGEIT Exam Content Outline, Domain 1, Subtopic A: Governance Framework, Task 3: Ensure that stakeholder needs, conditions and options are evaluated to determine balanced, agreed-on enterprise objectives to be achieved; setting direction through prioritization and decision making; and monitoring performance and compliance against agreed-on direction and objectives.
Question 338:
Which of the following BEST supports an IT staff restructure as part of an annual IT strategy review with senior management?
A. Established IT key performance indicators (KPIs)
B. IT staff training program requirements
C. External IT staffing benchmarks
D. An updated business case for IT resourcing
D. An updated business case for IT resourcing
An updated business case for IT resourcing is a document that provides the rationale and justification for the proposed changes in the IT staff structure, such as the number, roles, skills, and costs of the IT personnel. An updated business case for IT resourcing should align with the IT strategy and objectives, as well as the business needs and expectations. An updated business case for IT resourcing should also include the benefits, risks, and impacts of the IT staff restructure, as well as the alternatives and recommendations. The other options are not as effective as an updated business case for IT resourcing to support an IT staff restructure. Established IT key performance indicators (KPIs) are measures that evaluate the performance and outcomes of the IT department, such as service quality, customer satisfaction, project delivery, and innovation. Established IT KPIs are important for monitoring and reporting the IT results and achievements, but they do not necessarily support an IT staff restructure, unless they are linked to the proposed changes in the IT staff structure. IT staff training program requirements are specifications that define the learning needs and objectives of the IT personnel, such as skills development, knowledge enhancement, and career advancement. IT staff training program requirements are beneficial for improving the capabilities and competencies of the IT staff, but they do not directly support an IT staff restructure, unless they are aligned with the new roles and responsibilities of the IT personnel. External IT staffing benchmarks are standards or best practices that compare the IT staff structure of other organizations or industries, such as staffing ratios, skill levels, or salary ranges. External IT staffing benchmarks are useful for assessing and improving the competitiveness and efficiency of the IT department, but they do not adequately support an IT staff restructure, unless they are customized and adapted to the specific context and situation of the organization. References: 1: How to Write a Business Case: 4 Steps to a Perfect Business Case Template - ProjectManager.com 2: How to Write a Business Case: 4 Steps to a Perfect Business Case Template | Workfront 3: 18 Key Performance Indicator (KPI) Examples Defined - ClearPoint Strategy 4: How to Create an Effective Training Program: 8 Steps to Success - Convergence Training Blog 5: How to Benchmark Your Staffing Levels - HR Daily Advisor
Question 339:
Which of the following should be the MOST important consideration when defining an information architecture?
A. Frequency and quantity of information updates
B. Information to justify business cases
C. Incorporation of emerging technologies
D. Access to and exchange of information
D. Access to and exchange of information
The most important consideration when defining an information architecture is access to and exchange of information. Information architecture (IA) is the practice of guiding users through a site or product by organising and arranging all the relevant content in a clear, intuitive way. The main purpose of IA is to help users find information and complete tasks. To do this, IA needs to consider how users access and exchange information within the digital product or service, and how to make that easy, fast, and satisfying for them. Access to and exchange of information involves aspects such as:
Navigation systems: How users browse or move through information. Navigation systems should be consistent, predictable, and visible, and should provide feedback and orientation cues to the users.
Search systems: How users look for information. Search systems should be accurate, relevant, and comprehensive, and should support different types of queries and filters.
Labelling systems: How information is represented and classified. Labelling systems should use clear, concise, and meaningful words that match the users' expectations and vocabulary.
Information structure: How information is organised into categories, hierarchies, and relationships. Information structure should reflect the users' mental models and tasks, and should avoid unnecessary complexity or ambiguity.
By considering access to and exchange of information when defining an IA, the organization can ensure that the information assets are usable, findable, and accessible to the users, and that they support the user experience and the business goals. References: Information Architecture Basics | Usability.gov; What is information architecture? - UX Design Institute; Navigation Design Basics: Tips and Best Practices - Adobe XD Ideas; Search System Design: Best Practices and Tips - Adobe XD Ideas; Labeling Systems: An Introduction to Information Architecture - Boxes ...; Information Architecture 101: Techniques and Best Practices - Adobe ...
Question 340:
When reporting key risk indicators (KRIs) to the board, what information BEST enables risk-based decision-making?
A. Risk appetite, risk threshold, and risk tolerance
B. Classification of current business risk
C. Emerging industry risk trends and benchmarks
D. Costs and resource needs related to risk mitigation measures
A. Risk appetite, risk threshold, and risk tolerance
Key risk indicators (KRIs) are designed to provide measurable and actionable insights about the risk environment. For the board to make informed risk-based decisions, it is essential to understand the enterprise's risk appetite (what level of risk the organization is willing to take), risk threshold (the limits within which the risks are acceptable), and risk tolerance (the degree of variability the enterprise is willing to endure). These parameters frame the organization's decision-making boundaries and enable the board to align risk responses with strategic objectives. References: COBIT 2019 and CGEIT Study Guide.