Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 361:
When deciding to develop a system with sensitive data, which of the following is MOST important to include in a business case?
A. A risk assessment to determine the appropriate controls
B. Updated enterprise architecture (EA)
C. Skills gap analysis
D. The additional cost of encrypting sensitive data

Answer: A. A risk assessment to determine the appropriate controls

When deciding to develop a system with sensitive data, the MOST important thing to include in a business case is a risk assessment to determine the appropriate controls. A business case is a document that provides the rationale and justification for initiating a project or investment. It includes information such as the objectives, scope, benefits, costs, risks, assumptions, and success criteria of the proposed project or investment. A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and impacts that could affect the project or investment. A risk assessment can help to:
- Identify the sources and types of risks associated with developing a system with sensitive data, such as data breaches, data loss, data corruption, unauthorized access, compliance violations, etc.
- Analyze the likelihood and severity of the risks occurring and their consequences on the project or investment.
- Evaluate the current and planned controls to mitigate or prevent the risks, such as encryption, access control, data backup, data activity monitoring, etc.
- Prioritize the risks and controls based on their importance and urgency.
- Communicate and document the risks and controls to stakeholders and decision-makers.
Therefore, a risk assessment to determine the appropriate controls is essential for developing a business case for a system with sensitive data, as it can help to demonstrate the feasibility, viability, and desirability of the project or investment. The other options are not as important as option A. While it is useful to have an updated enterprise architecture (EA), a skills gap analysis, and the additional cost of encrypting sensitive data, these are more operational and tactical aspects that can be determined later in the implementation phase. They are not critical for developing a business case for a system with sensitive data, which should focus more on the strategic direction and value proposition of the project or investment.
References: How to Write a Business Case - ProjectManager.com; Business Case Development - Project Management Institute; What is Risk Assessment? Definition and Examples | ASQ; Data Security: How to Secure Sensitive Data - DATAVERSITY; Risk Analysis: Definition and Examples | ASQ; Data access control and data activity monitoring - IBM Cloud ...; Risk Evaluation: Definition and Examples | ASQ; Risk Communication: Definition and Examples | ASQ
Question 362:
An enterprise has decided to implement an enterprise resource planning (ERP) system to achieve operating and cost efficiencies through global IT standardization. The business units are resistant because they are used to operating autonomously. The CEO has instructed the CIO to move quickly with the implementation to force acceptance with business unit leaders. Which of the following should be the CIO's FIRST step?
A. Build a governance framework for identifying non-standard processes.
B. Request funding from the CEO to hire ERP consultants.
C. Ask the CEO to be the sponsor of the program.
D. Engage a reluctant business unit to conduct a proof-of-concept pilot.

Answer: C. Ask the CEO to be the sponsor of the program.

The CIO's first step should be to ask the CEO to be the sponsor of the program, as this can help overcome the resistance from the business units and ensure the support and commitment of the top management. The CEO's sponsorship can also help communicate the vision, goals, and benefits of the ERP system to the enterprise, as well as allocate the necessary resources and budget for the implementation. The CEO's sponsorship can also help resolve any conflicts or issues that may arise during the implementation, as well as monitor and evaluate the progress and outcomes of the program. Building a governance framework for identifying non-standard processes, requesting funding from the CEO to hire ERP consultants, and engaging a reluctant business unit to conduct a proof-of-concept pilot are possible steps to take after asking the CEO to be the sponsor of the program, but they are not the first step. Building a governance framework can help define and implement the policies, standards, and procedures for IT standardization, as well as the roles, responsibilities, and authorities of the IT stakeholders. Requesting funding can help secure the financial resources needed to hire external experts or vendors that can provide guidance and assistance for the ERP implementation. Engaging a reluctant business unit can help demonstrate the feasibility and value of the ERP system, as well as gain feedback and buy-in from the end users. However, these steps may not be effective or successful without the CEO's sponsorship and leadership.
Question 363:
To enable the development of required IT skill sets for the enterprise, it is MOST important to define skill requirements based on:
A. training needs.
B. one set of skills applicable to all IT staff.
C. a best practices framework.
D. each role within the IT department.

Answer: D. each role within the IT department.

To enable the development of required IT skill sets for the enterprise, it is most important to define skill requirements based on each role within the IT department, because different roles may have different responsibilities, tasks, and expectations that require specific skills and competencies. By defining skill requirements based on each role, the enterprise can ensure that the IT staff have the appropriate knowledge, abilities, and experience to perform their roles effectively and efficiently, and to support the enterprise's goals and objectives. According to ISACA's CGEIT Domain 2: IT Resources, "the enterprise should identify the skills required for each IT role and assess the current and future skill gaps." Furthermore, according to ISACA's article on IT Skills Gap, "the skills gap is not a one-size-fits-all problem. It varies by industry, organization and department/role." Therefore, defining skill requirements based on each role within the IT department is the best way to enable the development of required IT skill sets for the enterprise.
References: IT Skills Gap: Trends, Implications and Best Practices - ISACA; IT Governance: Definitions, Frameworks and Planning - ProjectManager; What is IT governance? A formal way to align IT and business strategy | CIO; CGEIT Domain 2: IT Resources
Question 364:
An enterprise has decided to create its first mobile application. The IT director is concerned about the potential impact of this initiative. Which of the following is the MOST important input for managing the risk associated with this initiative?
A. Enterprise architecture (EA)
B. IT risk scorecard
C. Enterprise risk appetite
D. Business requirements

Answer: A. Enterprise architecture (EA)

Enterprise architecture (EA) is the most important input for managing the risk associated with creating a mobile application, because it provides a holistic view of the current and future state of the enterprise's IT environment, including its goals, principles, standards, policies, processes, technologies, and systems. EA helps to identify the gaps, dependencies, constraints, and opportunities for the mobile application initiative, and to align it with the enterprise's strategic objectives and business requirements. EA also helps to assess the impact of the mobile application on the existing IT infrastructure, security, performance, and compliance. By using EA as an input for IT risk management, the enterprise can ensure that the mobile application is designed, developed, deployed, and maintained in a consistent, coherent, and optimal way that minimizes the potential risks and maximizes the expected benefits. The other options are not the most important input for managing the risk associated with creating a mobile application, but rather some of the outputs or outcomes of IT risk management. An IT risk scorecard is a tool that measures and reports the performance of IT risk management activities and controls. An enterprise risk appetite is a statement that defines the level and type of risk that an enterprise is willing to accept or avoid in pursuit of its objectives. Business requirements are the specifications that describe what the mobile application should do and how it should meet the needs and expectations of the users and stakeholders.
References: ISACA, CGEIT Review Manual, 27th Edition, 2020, page 15; Enterprise Architecture as Business Capabilities Architecture
Question 365:
An IT manager is trying to determine optimal IT service levels. Which of the following should be the PRIMARY consideration?
A. Internal rate of return
B. Recovery time objective (RTO)
C. Cost-benefit analysis
D. Resource utilization analysis

Answer: C. Cost-benefit analysis

The primary consideration for determining optimal IT service levels is cost-benefit analysis. Cost-benefit analysis is a technique that compares the costs and benefits of providing a certain level of IT service to the business and the stakeholders. It helps to identify the optimal balance between the value and the cost of IT service delivery, and to justify the investment and resources required for achieving the desired service level objectives. Cost-benefit analysis can also help to evaluate alternative options, prioritize improvement initiatives, and measure the return on investment of IT service management. The other options are not as relevant as cost-benefit analysis, as they do not consider both the costs and benefits of IT service levels. Internal rate of return is a financial metric that measures the profitability of an investment, but it does not account for the non-financial benefits or risks of IT service delivery. Recovery time objective is a parameter that specifies the maximum acceptable time for restoring an IT service after a disruption, but it does not reflect the cost or value of achieving that time. Resource utilization analysis is a technique that monitors and optimizes the usage and allocation of IT resources, but it does not assess the impact or outcome of IT service delivery on the business and the stakeholders.
References: Cost-Benefit Analysis in IT Service Management; Internal Rate of Return (IRR); Recovery Time Objective (RTO); Resource Utilization Analysis.
Question 366:
An organization is evaluating vendors to provide mobile device management (MDM) services. Which of the following is a KEY governance consideration for the IT steering committee?
A. Service level targets align with business requirements.
B. Employee-owned devices will be covered by the service.
C. The MDM services are delivered via a cloud.
D. Technology-owned devices will be covered by the service.

Answer: A. Service level targets align with business requirements.

A key governance consideration for the IT steering committee when evaluating vendors to provide mobile device management (MDM) services is to ensure that the service level targets align with the business requirements. Service level targets are the measurable and agreed-upon levels of performance and quality that the vendor is expected to deliver for the MDM services. These targets should reflect the business needs and expectations of the organization, such as availability, reliability, security, scalability, and functionality of the MDM services. Service level targets should also be realistic, achievable, and verifiable, and should be specified in the service level agreements (SLAs) that are part of the contract with the vendor. By ensuring that the service level targets align with the business requirements, the IT steering committee can facilitate the selection of a suitable and reliable vendor that can provide effective and efficient MDM services for the organization.
References: CGEIT Exam Content Outline | ISACA; CGEIT Review Manual (Digital Version); Mobile Device Management (MDM) - Gartner; How to Set Service Level Targets for Your IT Support Team
Question 367:
An enterprise plans to implement a business intelligence (BI) tool with data sources from various enterprise applications. Which of the following is the GREATEST challenge to implementation?
A. Interface issues between enterprise and BI applications
B. Large volumes of data fed from enterprise applications
C. The need for staff to be trained on the new BI tool
D. Data definition and mapping sources from applications

Answer: D. Data definition and mapping sources from applications

Data definition and mapping sources from applications is the greatest challenge to implementing a business intelligence (BI) tool with data sources from various enterprise applications because it involves ensuring the consistency, accuracy, and quality of data across different systems and formats. Data definition and mapping requires defining common data elements, identifying data sources and targets, establishing data transformation rules, and resolving data conflicts and discrepancies. This is a complex and time-consuming process that requires a high level of coordination and collaboration among different stakeholders and data owners.
References: According to ISACA's CGEIT Review Manual 2021, one of the key activities for ensuring effective IT-enabled business innovation is to "define and map data sources from various enterprise applications to the BI tool." According to ISACA's COBIT 2019 Framework, one of the governance objectives for managing data is to "ensure that data are defined consistently across the enterprise and that data quality issues are identified and resolved." According to ISACA's Business Intelligence: Governance and Analytics guide, one of the challenges for BI governance is to "ensure that data are properly defined, mapped, transformed, integrated, and validated across different sources and systems."
Question 368:
An enterprise is concerned that ongoing maintenance costs are not being considered when prioritizing IT-enabled business investments. Which of the following should be the enterprise's FIRST course of action?
A. Implement a balanced scorecard for the IT project portfolio.
B. Establish a portfolio manager role to monitor and control the IT projects.
C. Require business cases to have product life cycle information.
D. Mandate an enterprise architecture (EA) review with business stakeholders.

Answer: C. Require business cases to have product life cycle information.

A product life cycle is the length of time from a product first being introduced to consumers until it is removed from the market. It consists of four or five stages, depending on the source: introduction, growth, maturity, decline, and sometimes development. Product life cycle information can help the enterprise to estimate the ongoing maintenance costs of IT-enabled business investments, as well as their expected benefits, risks, and returns. By requiring business cases to have product life cycle information, the enterprise can prioritize IT-enabled business investments based on their long-term value and alignment with the enterprise's objectives. A balanced scorecard is a management system that clarifies the strategy and vision of an organization, translating them into action that can be tracked. It uses four perspectives: financial, customer, internal business process, and knowledge, education, and growth. A balanced scorecard for the IT project portfolio can help the enterprise to measure the performance and value of IT projects, but it does not necessarily consider the ongoing maintenance costs of IT-enabled business investments. A portfolio manager is a specialized project manager who focuses on IT projects. They are responsible for keeping projects within budget, optimizing time management for IT teams, and allocating resources appropriately. Establishing a portfolio manager role to monitor and control the IT projects can help the enterprise to manage its IT project portfolio more effectively, but it does not address the issue of prioritizing IT-enabled business investments based on their ongoing maintenance costs. An enterprise architecture (EA) is a conceptual blueprint that defines the structure and operation of an organization. It describes the current and future state of the organization in terms of its strategy, processes, information systems, and technology infrastructure. Mandating an EA review with business stakeholders can help the enterprise to align its IT-enabled business investments with its strategic goals and ensure compliance with defined security rules, but it does not solve the problem of considering the ongoing maintenance costs of IT-enabled business investments.
Question 369:
An enterprise has been focused on establishing an IT risk management framework. Which of the following should be the PRIMARY motivation behind this objective?
A. Promoting responsibility throughout the enterprise for managing IT risk.
B. Increasing the enterprise's risk tolerance level and risk appetite.
C. Engaging executives in examining IT risk when developing policies.
D. Maintaining a complete and accurate risk registry to better manage IT risk.

Answer: A. Promoting responsibility throughout the enterprise for managing IT risk.

The primary motivation behind establishing an IT risk management framework is to promote responsibility throughout the enterprise for managing IT risk. An IT risk management framework is a set of principles, processes, and practices that guide and support the identification, analysis, evaluation, treatment, monitoring, and communication of IT-related risks. An IT risk management framework helps to ensure that IT risks are aligned with the enterprise's objectives, strategies, and risk appetite, and that they are effectively managed by the appropriate stakeholders. An IT risk management framework also helps to foster a culture of risk awareness and accountability within the enterprise.
Question 370:
A newly appointed CIO has been tasked with the responsibility of developing an effective IT enterprise roadmap that meets business requirements. Which of the following is the BEST way to ensure that the business needs have been taken into consideration?
A. Involve process owners in requirements gathering.
B. Implement a balanced scorecard.
C. Include user acceptance testing (UAT) as part of the resulting IT solutions.

Answer: A. Involve process owners in requirements gathering.

Process owners are the individuals or groups who are responsible for the design, execution, and improvement of a business process. Process owners have a deep understanding of the business needs, goals, and challenges that the process aims to address. By involving process owners in requirements gathering, the CIO can ensure that the IT enterprise roadmap meets the business requirements and expectations, and that the IT solutions align with the business processes and outcomes. Process owners can also provide valuable feedback and insights on the feasibility, usability, and effectiveness of the IT solutions, and help to prioritize and validate the IT initiatives and deliverables.
References: CGEIT Exam Content Outline | ISACA; CGEIT Review Manual (Digital Version); Definitive Guide to Developing an IT Strategy and Roadmap - CioPages; What is a Process Owner? | Lean Six Sigma Group