Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 391:
An enterprise's information security function is making changes to its data retention and backup policies. Which of the following presents the GREATEST risk?
A. Business data owners were not consulted.
B. The new policies increase the cost of data backups.
C. Data backups will be hosted at third-party locations.
D. The retention period for data backups is increased.
Answer: A. Business data owners were not consulted.
Not consulting the business data owners presents the greatest risk, because it implies that the information security function did not consider the needs, expectations, and requirements of the stakeholders who are responsible for the data. Business data owners should be involved in the development and implementation of data retention and backup policies: they can provide input on the value, sensitivity, and classification of the data, as well as on the legal and regulatory obligations for data preservation and protection. Without their input, the information security function may create policies that are inconsistent, ineffective, or detrimental to the enterprise's objectives and operations.
Question 392:
An enterprise's board of directors is concerned about the ongoing costs of a large inventory of Internet of Things (IoT) devices. Which of the following should the CIO do FIRST?
A. Implement performance measures for each IoT device.
B. Suggest replacing IoT devices that are too expensive.
C. Assess the benefits of IoT capabilities.
D. Reduce the budget for IoT capability to meet stakeholder expectations.
Answer: C. Assess the benefits of IoT capabilities.
Before taking cost-cutting actions, the CIO should assess the benefits of IoT capabilities to understand whether the investments are delivering value. This evaluation provides the context needed to justify current costs or to make informed decisions about optimization. Jumping to budget cuts or replacements without understanding value could undermine strategic benefits.
References: CGEIT Review Manual, Domain 3: Benefits Realization; COBIT 2019: EDM02 (Ensure Benefits Delivery), APO06 (Manage Budget and Costs).
Question 393:
The MAIN responsibility of the board of directors regarding the management of enterprise risk is to:
A. ensure a risk process exists which addresses the risk appetite.
B. sustain investment in staff training regarding IT risk.
C. promote a benefits-driven culture throughout the enterprise.
D. maintain awareness of IT risk to the business.
Answer: A. ensure a risk process exists which addresses the risk appetite.
The board's main responsibility regarding the management of enterprise risk is to ensure that a risk process exists which addresses the risk appetite, because this enables the board to oversee and direct the enterprise's risk management activities and to ensure that they are aligned with the enterprise's strategic objectives and value creation. The risk process should include identifying, assessing, responding to, monitoring, and reporting the risks that may affect the enterprise's performance and outcomes, and ensuring that the risks stay within the level the enterprise is willing and able to tolerate. The other options are not the main responsibility of the board, because they are either part of or dependent on the risk process.
Question 394:
An enterprise has identified potential environmental disasters that could occur in the area where its data center is located. Which of the following should be done NEXT?
A. Implement an early warning detection and notification system.
B. Assess the likelihood and impact on the data center.
C. Relocate the data center to minimize the threat.
D. Assess how the data center is protected against the threat.
Answer: B. Assess the likelihood and impact on the data center.
Having identified potential environmental disasters in the area where its data center is located, the enterprise should next assess their likelihood and impact on the data center, because this evaluates the level of risk and allows the appropriate risk response strategies to be prioritized. The assessment should consider the frequency, severity, duration, and scope of the potential disasters, and the potential consequences for the data center's availability, integrity, confidentiality, and performance.
References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pp. 75-76.
Question 395:
The BEST way for a CIO to monitor the alignment between the business and IT strategy is to regularly review:
A. key risk indicators (KRIs).
B. IT services supporting business processes.
C. the balanced scorecard.
D. the risk register.
Answer: C. the balanced scorecard.
The balanced scorecard is a strategic management tool that measures and communicates the performance of an organization in relation to its vision, mission, goals, and objectives. It uses four perspectives (financial, customer, internal process, and learning and growth) to evaluate how well the organization is achieving its desired outcomes and creating value for its stakeholders. It also helps to align the IT strategy with the business strategy by linking IT objectives, initiatives, and measures with the corresponding business objectives, initiatives, and measures across the four perspectives. By reviewing the balanced scorecard regularly, the CIO can monitor the progress and results of the IT strategy, identify gaps and issues that need to be addressed, and ensure that the IT strategy supports and enables the business strategy. According to COBIT 5, one of the seven enablers of IT governance is performance management, which includes using the balanced scorecard to align IT-related goals and metrics with enterprise goals and metrics. The balanced scorecard is also part of the IT governance domain Performance Measurement.
The other options are not the best way for a CIO to monitor this alignment. Key risk indicators (KRIs) are metrics that indicate the level of risk exposure or the potential impact of a risk event on an organization; they help to monitor and manage IT risks, but they do not necessarily reflect the alignment of IT strategy with business strategy. IT services supporting business processes are the activities and functions that IT provides to enable and facilitate the execution of business processes; reviewing them helps to evaluate the quality and efficiency of IT delivery, but it does not capture the strategic alignment of IT with the business. The risk register is a document that records and tracks the identified risks, their causes, impacts, probabilities, responses, owners, and statuses; it helps to document and communicate IT risks, but it does not measure or report the alignment of IT strategy with business strategy.
References:
1. Balanced Scorecard Basics - Balanced Scorecard Institute
2. Aligning Business Strategy with Information Technology Strategy - ISACA
3. COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, page 31
4. CGEIT Review Manual 2023, ISACA, page 197
5. Key Risk Indicators - ISACA
6. What are IT Services? Definition and Examples - BMC Software
7. Risk Register - ISACA
Question 396:
An enterprise is considering outsourcing non-core IT processes. Which of the following should be the FIRST step?
A. Update resource allocation policies.
B. Conduct a cost-benefit analysis for outsourcing.
C. Issue a formal request for proposal to outsourcing vendors.
D. Establish service level metrics for outsourced activities.
Answer: B. Conduct a cost-benefit analysis for outsourcing.
A cost-benefit analysis compares the costs and benefits of a decision or action, such as outsourcing non-core IT processes. It helps the enterprise evaluate the feasibility, profitability, and sustainability of outsourcing and identify the potential risks and opportunities. It also helps the enterprise determine the optimal level and scope of outsourcing and select the most suitable outsourcing partner. The cost-benefit analysis should therefore come before issuing a formal request for proposal, establishing service level metrics, or updating resource allocation policies.
References: The Outsourcing Handbook: A guide to outsourcing - Deloitte United Kingdom, page 10; Five Tips For Outsourcing Business Processes Effectively In 2021 - Forbes.
Question 397:
Which of the following roles should be responsible for data normalization when it is found that a new system includes duplicates of data items?
A. Business system owner
B. Data steward
C. Database administrator (DBA)
D. Application manager
Answer: B. Data steward
A data steward is responsible for data normalization when a new system is found to include duplicates of data items, because the data steward is accountable for the quality, integrity, and consistency of the enterprise's data. A data steward defines and enforces data standards, policies, and rules, and performs data cleansing, validation, and reconciliation activities to ensure that the data is accurate, complete, and reliable.
Question 398:
The MOST appropriate method for evaluating the capability of IT governance is through the use of:
A. a maturity assessment.
B. benchmarking.
C. a cost-benefit analysis.
D. a risk assessment.
Answer: A. a maturity assessment.
A maturity assessment is the most appropriate method for evaluating the capability of IT governance because it measures the current state of IT governance processes, identifies gaps and areas for improvement, and aligns IT goals with business objectives. It can also provide a roadmap for achieving higher levels of IT governance maturity and performance. A maturity assessment can use various frameworks and models, such as the Gartner IT Score for CIOs, the Forrester DEX Maturity Model, the Capability Maturity Model, or the Data Governance Maturity Model.
References: CGEIT Review Manual, 7th Edition, Chapter 1: Framework for the Governance of Enterprise IT, Section 1.4: GEIT Implementation Approaches, pp. 23-24.
Question 399:
Which of the following is the BEST indication that an implementation plan for a new governance initiative will be successful?
A. Staff have been trained on the new initiative.
B. External consultants created the plan.
C. The plan assigns responsibility for completing milestones.
D. The plan is designed to engage employees across the enterprise.
Answer: D. The plan is designed to engage employees across the enterprise.
Employee engagement is a key factor in the success of any change initiative, especially one that involves governance. Employee engagement refers to the degree of commitment, involvement, and ownership that employees have toward the organization and its goals. By designing the implementation plan to engage employees across the enterprise, the organization can:
- communicate the vision, purpose, and benefits of the new governance initiative to employees;
- solicit feedback and suggestions from employees on how to implement the initiative effectively;
- address any concerns or resistance that employees may have toward the initiative;
- empower and motivate employees to participate in and support the initiative;
- foster a culture of collaboration, learning, and innovation among employees.
Designing the plan this way helps to ensure that the new governance initiative is understood, accepted, and adopted by all stakeholders, and that it delivers the desired outcomes and value. The other options (staff have been trained on the new initiative, external consultants created the plan, and the plan assigns responsibility for completing milestones) are less indicative of success. They relate more to the execution and management of the implementation plan than to its design and alignment, and they may not be sufficient or effective on their own, as they may not address the human and behavioral aspects of change, such as awareness, understanding, involvement, commitment, and ownership.
References: Employee Engagement: What Is It? | SHRM; How To Engage Employees In Organizational Change | Forbes; Change Management Best Practices: A Comprehensive Guide | Smartsheet.
Question 400:
Which of the following is the PRIMARY responsibility of a data steward?
A. Ensuring the appropriate users have access to the right data
B. Developing policies for data governance
C. Reporting data analysis to the board
D. Classifying and labeling organizational data assets
Answer: D. Classifying and labeling organizational data assets
One of the primary responsibilities of a data steward is to classify and label organizational data assets, that is, to assign categories and tags to data based on its characteristics, such as type, source, sensitivity, quality, or purpose. Classifying and labeling data helps to organize, manage, and protect the data assets and to facilitate their discovery, access, and usage. Data stewards are also responsible for defining and maintaining the data classification and labeling standards and policies, and for ensuring compliance with them across the organization.
References: What Is a Data Steward? Roles and Responsibilities | Zuar; Data Stewards: Who They Are and Why Data Stewardship Matters - HubSpot Blog; Data Steward: Roles, Responsibilities, and Certification.