Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 371:
Who is PRIMARILY accountable for delivering the benefits of an IT-enabled investment program to the enterprise?
A. Program manager
B. IT steering committee chair
C. CIO
D. Business sponsor

Answer: D. Business sponsor
According to the CGEIT certification guide, the business sponsor is primarily accountable for delivering the benefits of an IT-enabled investment program to the enterprise. The business sponsor is the person who has the authority and responsibility to initiate, influence and approve the business objectives and requirements of the program. The business sponsor also ensures that the program aligns with the enterprise strategy and delivers value to the enterprise. The program manager, the IT steering committee chair and the CIO are responsible for supporting the business sponsor in delivering the benefits, but they are not primarily accountable for them.
References:
CGEIT certification guide, domain 4: Benefits Realization, section 4.1: Benefits Governance, page 137.
CGEIT certification guide, domain 4: Benefits Realization, section 4.2: Benefits Delivery Life Cycle, page 140.
Question 372:
Which of the following is the GREATEST expected strategic organizational benefit from the standardization of technical platforms?
A. Reduces IT operational training costs
B. Reduces response time
C. Optimizes infrastructure investments
D. Meets regulatory compliance requirements

Answer: C. Optimizes infrastructure investments
Standardization of technical platforms can help optimize infrastructure investments by reducing complexity, increasing interoperability, and enabling economies of scale.
References:
According to the CGEIT Review Manual 2022, one of the benefits of standardization is that it "optimizes infrastructure investments by reducing complexity and increasing interoperability and scalability."
According to the Oracle article on the EA Roadmap to Rationalize, Standardize, and Consolidate IT Assets, standardized technology "yields measurable cost savings through reduced software licenses and the elimination of redundant systems and skill sets."
Question 373:
Which of the following is the MOST valuable input when quantifying the loss associated with a major risk event?
A. Key risk indicators (KRIs)
B. IT environment threat modeling
C. Business impact analysis (BIA) report
D. Recovery time objectives (RTOs)

Answer: C. Business impact analysis (BIA) report
A business impact analysis (BIA) report is the most valuable input when quantifying the loss associated with a major risk event. A BIA report is a document that identifies and evaluates the potential effects of disruptions to critical business functions and processes. A BIA report can help estimate the financial, operational, reputational, and legal impacts of a risk event, as well as the recovery time and resources needed to resume normal operations. A BIA report can also help prioritize the recovery strategies and objectives based on the criticality and urgency of the business functions and processes.
The other options are not the most valuable input when quantifying the loss associated with a major risk event. Key risk indicators (KRIs) are metrics that provide an early warning of potential threats to the organization's objectives and performance. KRIs can help monitor and measure the risk exposure and the effectiveness of risk management activities, but they do not directly quantify the loss associated with a risk event. IT environment threat modeling is a technique that identifies and analyzes the possible vulnerabilities and attack vectors in an IT system or network. Threat modeling can help improve the security and resilience of IT assets and services, but it does not directly quantify the loss associated with a risk event. Recovery time objectives (RTOs) are the maximum acceptable time frames for restoring business functions and processes after a disruption. RTOs can help determine the recovery priorities and strategies, but they do not directly quantify the loss associated with a risk event.
For more information on BIA and quantifying loss, see these web sources:
What is Business Impact Analysis? Definition, Benefits and Examples
Quantifying Loss Associated with Major Risk Event - Exam-Answer
Quantifying the Qualitative Technology Risk Assessment - ISACA
Question 374:
A CEO wants to establish a governance framework to facilitate the alignment of IT and business strategies. Which of the following should be a KEY requirement of this framework?
A. Defined resourcing levels
B. A defined enterprise architecture (EA)
C. An outsourcing strategy
D. A service delivery strategy

Answer: B. A defined enterprise architecture (EA)
A defined enterprise architecture (EA) is a key requirement of a governance framework to facilitate the alignment of IT and business strategies. An EA is a blueprint that describes the current and future state of the organization's structure, processes, information, and technology, as well as the principles and standards that guide their design and evolution. An EA helps to align IT and business strategies by providing a common vision, language, and framework for the organization, and by ensuring that the IT investments and initiatives support the business goals and objectives. An EA also helps to optimize the performance, efficiency, and effectiveness of the IT function and its services, and to manage the risks and changes associated with IT. An EA can be developed and maintained using various methodologies and frameworks, such as TOGAF, Zachman, or FEAF.
References:
CGEIT Exam Content Outline | ISACA
CGEIT Review Manual (Digital Version)
What is enterprise architecture? A framework for transformation | CIO
Enterprise Architecture: Definition, Benefits and Examples
Question 375:
A chief technology officer (CTO) wants to ensure IT governance practices adequately address risk management specific to mobile applications. To create the appropriate risk policies for IT, it is MOST important for the CTO to:
A. understand the enterprise's risk tolerance.
B. create an IT risk scorecard.
C. map the business goals to IT risk processes.
D. identify the mobile technical requirements.

Answer: A. understand the enterprise's risk tolerance.
Understanding the enterprise's risk tolerance is the most important step for the CTO to create the appropriate risk policies for IT, as it would help to define the acceptable level of risk exposure and the risk appetite for mobile applications. Risk tolerance is the degree of uncertainty that an enterprise is willing to accept in pursuit of its objectives, and it reflects the enterprise's culture, strategy, and stakeholder expectations. Risk policies for IT should be aligned with the enterprise's risk tolerance, as well as its mission, vision, and goals. The other options are not as important, as they are more related to the implementation or measurement of risk management, rather than the establishment of risk policies.
References:
CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.1: IT Risk Management Overview, Page 153
CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.2: IT Risk Management Process, Page 156
Proactive IT Risk Management in an Era of Emerging Technologies
Question 376:
Which of the following is the PRIMARY purpose of an effective set of key risk indicators (KRIs)?
A. Identifying possible future adverse impacts on the enterprise
B. Evaluating existing technology for risk monitoring capabilities
C. Establishing executive level buy-in of the risk program
D. Quantifying the productivity of the risk management team

Answer: A. Identifying possible future adverse impacts on the enterprise
The PRIMARY purpose of an effective set of key risk indicators (KRIs) is to identify possible future adverse impacts on the enterprise. KRIs are metrics or indicators used by organizations to identify, assess, and monitor potential risks. KRIs show how risky a decision, activity, strategy, or plan may be for a business or company. KRIs can be used to monitor operational, technological, financial and staff processes, such as security breaches, economic downturn and staff turnover rate. KRIs are like alarms that alert businesses to changes in the level of risk exposure [1].
By identifying possible future adverse impacts on the enterprise, KRIs can help to:
- Prevent or mitigate the negative consequences of risks, such as financial loss, operational disruption, reputational damage, legal liability, etc.
- Enhance the decision-making and planning processes by providing relevant and timely information on risks
- Align the risk management activities with the business objectives and expectations
- Communicate and report the risk status and performance to stakeholders and regulators
Therefore, identifying possible future adverse impacts on the enterprise is the primary purpose of an effective set of KRIs.
References:
[1] Key Risk Indicators: Examples and Definitions - SolveXia
Question 377:
A health tech enterprise wants to ensure that its in-house developed mobile app for users complies with data privacy regulations. Which of the following should be identified FIRST when creating an inventory of information systems and data related to the mobile app?
A. Data maintained by vendors
B. Vendors and outsourced systems
C. Application and data owners
D. Information classification scheme

Answer: C. Application and data owners
Application and data owners should be identified first when creating an inventory of information systems and data related to the mobile app, as they are the individuals or groups who have the authority and responsibility to define, classify, protect, and manage the data assets of the enterprise. By identifying the application and data owners, the enterprise can ensure that the data is properly accounted for, categorized, and secured according to its value, sensitivity, and risk. Application and data owners can also establish data policies, standards, and procedures, as well as monitor and report on data quality, usage, and compliance. Identifying the application and data owners is a prerequisite for identifying the other options, such as data maintained by vendors, vendors and outsourced systems, and the information classification scheme, as these depend on the accurate identification and assignment of data ownership roles and responsibilities.
Question 378:
The board of directors of a large organization has directed IT senior management to improve IT governance within the organization. IT senior management's MOST important course of action should be to:
A. understand the driver that led to a desire to change.
B. assess the current state of IT governance within the organization.
C. review IT strategy and direction.
D. analyze IT service levels and performance.

Answer: A. understand the driver that led to a desire to change.
The most important course of action for IT senior management to improve IT governance within the organization is to understand the driver that led to a desire to change. IT governance is the process of ensuring that IT supports and enables the achievement of the enterprise's goals and objectives, and delivers value to the stakeholders. IT governance is influenced by various internal and external factors, such as business strategy, customer expectations, regulatory requirements, industry standards, best practices, and emerging technologies. Therefore, before initiating any improvement initiatives, IT senior management should first identify and analyze the driver that prompted the board of directors to request a change in IT governance. This will help them to understand the current situation, the desired state, the gap between them, and the rationale and urgency for improvement. By understanding the driver that led to a desire to change, IT senior management can also align their improvement efforts with the board's vision and expectations, communicate the benefits and challenges of change, and gain the board's support and commitment.
References:
CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 1: Governance of Enterprise IT, Section 1.1: IT Governance Frameworks and Principles, Page 9-10.
What is CGEIT? A certification for seasoned IT governance professionals.
Question 379:
Which of the following is MOST important for IT governance to have in place to ensure the enterprise can maintain operations during extensive system downtime?
A. Fault-tolerant hardware
B. An incident response plan
C. A crisis communications plan
D. A business continuity plan (BCP)

Answer: D. A business continuity plan (BCP)
A business continuity plan (BCP) is the most important element for IT governance to have in place to ensure the enterprise can maintain operations during extensive system downtime. A BCP consists of the processes and procedures an organization needs to ensure its critical business processes continue operating during a disaster. A BCP should include methods to ensure uninterrupted delivery of critical IT services, identify the resources needed, and outline manual workarounds. It should also contain policies, standards, procedures, and tools for responding to and preventing major incidents, as well as the IT architecture of the organization. A BCP should be reviewed regularly and updated as needed.
References:
Business continuity planning (BCP) - Learning Center
IT Business Continuity | DisasterRecovery.org
IT Governance Blog: free business continuity plan template
Question 380:
An enterprise plans to migrate its applications and data to an external cloud environment. Which of the following should be the CIO's PRIMARY focus before the migration?
A. Reviewing the information governance framework
B. Selecting best-of-breed cloud offerings
C. Updating the enterprise architecture (EA) repository
D. Conducting IT staff training to manage cloud workloads

Answer: A. Reviewing the information governance framework
Reviewing the information governance framework should be the CIO's primary focus before the migration, because it will help the CIO to ensure that the enterprise's data and applications are secure, compliant, and aligned with the business objectives and policies in the cloud environment. The information governance framework defines the roles, responsibilities, processes, standards, and metrics for managing information assets across the enterprise. It also covers aspects such as data classification, data quality, data protection, data retention, data sovereignty, and data privacy. By reviewing the information governance framework, the CIO can identify the requirements, risks, and gaps that need to be addressed before moving to the cloud.
The other options are not as important as reviewing the information governance framework, because they are either dependent on or secondary to it. Selecting best-of-breed cloud offerings is a tactical decision that should be based on the information governance framework and the enterprise architecture. Updating the enterprise architecture repository is a good practice, but not a primary focus before the migration; it can be done after the migration to reflect the changes in the IT landscape. Conducting IT staff training to manage cloud workloads is a necessary step, but not a primary focus before the migration; it can be done in parallel with or after the migration to ensure that the IT staff have the skills and knowledge to operate and optimize the cloud environment.
References:
Migration environment planning checklist
Practical Guide to Cloud Governance
Governance or compliance strategy