Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 421:
Which of the following is MOST important to include in the customer dimension of an IT balanced scorecard?
A. Business value creation
B. Stakeholder satisfaction
C. Maintenance of IT operations
D. Support for corporate customers
Answer: B. Stakeholder satisfaction
According to the web search results, the customer dimension of an IT balanced scorecard is the perspective that measures how well the IT department meets the needs and expectations of its internal and external customers, such as business units, end users, suppliers, and partners. The customer dimension helps the IT department align its services and products with customer requirements and preferences, and deliver value and satisfaction to the customers. The most important measure to include in the customer dimension of an IT balanced scorecard is stakeholder satisfaction, which is the degree to which the customers are satisfied with the quality, performance, and outcomes of the IT services and products. Stakeholder satisfaction reflects the customers' perception of and feedback on the IT department, and influences customer loyalty, retention, and advocacy. Stakeholder satisfaction can be measured by various methods, such as surveys, interviews, focus groups, complaints, compliments, and referrals. The other options are not as important as stakeholder satisfaction to include in the customer dimension of an IT balanced scorecard. Business value creation is a measure that belongs to the financial dimension of an IT balanced scorecard, as it evaluates how much value the IT department contributes to the business strategy and objectives. Maintenance of IT operations is a measure that belongs to the internal process dimension of an IT balanced scorecard, as it assesses how well the IT department manages and improves its core processes and activities. Support for corporate customers is a measure that belongs to the learning and growth dimension of an IT balanced scorecard, as it indicates how well the IT department develops and enhances its capabilities and competencies to support its customers.
References: 1: The customer perspective within the Balanced Scorecard; 2: The Balanced Scorecard Customer Perspective; 3: Customer Satisfaction: A Guide for Measuring Customer Satisfaction - Qualtrics; 4: How to Measure Customer Satisfaction: Do You Overlook these 4 Key Customer Satisfaction Measurements? | Qualtrics; 5: The financial perspective within the Balanced Scorecard; The internal process perspective within the Balanced Scorecard; The learning and growth perspective within the Balanced Scorecard
Question 422:
Which of the following is the MOST significant challenge faced by an enterprise when establishing information stewardship?
A. Lack of documented policies and procedures
B. Information requirements of regulatory authorities
C. Insufficient knowledge of IT practices and controls
D. Lack of role clarity and specific responsibilities
Answer: D. Lack of role clarity and specific responsibilities
The most significant challenge faced by an enterprise when establishing information stewardship is the lack of role clarity and specific responsibilities, as this can lead to confusion, duplication, inconsistency, or omission of tasks and activities related to information governance. Information stewardship is the role of providing day-to-day operational support for data, such as defining and implementing data policies, standards, and procedures; monitoring and reporting on data compliance and performance; and collaborating with other stakeholders to ensure data quality, integrity, and security. Information stewardship requires a clear and consistent definition of the scope, objectives, and expectations of the role, as well as of the roles and responsibilities of the information stewards and their relationship with other data owners, users, or scientists. Without role clarity and specific responsibilities, information stewardship may not be effective or efficient in achieving the desired outcomes or benefits of information governance. Lack of documented policies and procedures, information requirements of regulatory authorities, and insufficient knowledge of IT practices and controls are also challenges faced by an enterprise when establishing information stewardship, but they are not the most significant challenge. Lack of documented policies and procedures is a challenge that can affect the standardization and improvement of information governance processes and activities, as well as the communication and enforcement of data rules and expectations. Information requirements of regulatory authorities are a challenge that can affect the compliance and accountability of information governance, as well as the protection and privacy of data. Insufficient knowledge of IT practices and controls is a challenge that can affect the technical skills and capabilities of information stewards, as well as their ability to use or integrate data systems or tools.
References: What is an Information Steward? | Informatica; What is an Information Steward, and Why You Should Care?
Question 423:
An enterprise's board of directors has determined that IT is not sufficiently supporting its corporate objectives, and has established a committee to address this problem. Which of the following should be the committee's FIRST action?
A. Implement a continuous improvement plan.
B. Specify IT human resource performance measures.
C. Create an IT strategic plan.
D. Develop a service level management plan.
Answer: C. Create an IT strategic plan.
This should be the committee's first action, as it will help to define how the IT function supports and enables the overall business strategy and objectives of the enterprise. An IT strategic plan is a document that outlines the vision, mission, goals, and initiatives of the IT function, as well as the resources, processes, and metrics required to achieve them. By creating an IT strategic plan, the committee can align IT with business needs and expectations, optimize IT investments and resources, manage IT risks and opportunities, and deliver value to the stakeholders. Creating an IT strategic plan can also help to communicate and demonstrate the role and contribution of IT to the enterprise's success, and to gain the support and commitment of the board of directors and senior management. The other options are not as important or effective as creating an IT strategic plan, as they are either specific solutions or outcomes of the IT strategic plan, not comprehensive steps. Implementing a continuous improvement plan may help to enhance the quality and efficiency of IT services and processes, but it may not address the root cause or causes of IT not sufficiently supporting the corporate objectives, which could be related to other factors, such as strategy alignment, value delivery, resource management, or risk optimization. Specifying IT human resource performance measures may help to evaluate and improve the skills and productivity of IT staff, but it may not address the root cause or causes of IT not sufficiently supporting the corporate objectives, which could be related to other factors, such as stakeholder engagement, communication, collaboration, or feedback. Developing a service level management plan may help to define and monitor the expectations and agreements for IT service delivery between IT providers and customers, but it may not address the root cause or causes of IT not sufficiently supporting the corporate objectives, which could be related to other factors, such as business requirements, customer satisfaction, innovation, or agility.
Question 424:
A business unit is planning to replace an existing IT legacy solution with a hosted Software as a Service (SaaS) solution. However, business management is concerned that stored data will be at risk. Which of the following is the MOST effective way to reduce the risk associated with the SaaS solution?
A. Research the technology and identify potential security threats.
B. Include risk-related requirements in the SaaS contract.
C. Create key risk indicators (KRIs) for the SaaS solution.
D. Redefine the risk appetite and risk tolerance.
Answer: B. Include risk-related requirements in the SaaS contract.
According to the web search results, a SaaS contract is a legal agreement between a SaaS provider and a customer that defines the terms and conditions of using the SaaS solution, such as the scope, duration, price, service level, data ownership, security, privacy, compliance, etc. The most effective way to reduce the risk associated with the SaaS solution is to include risk-related requirements in the SaaS contract, such as the following:
- The SaaS provider should comply with the relevant laws and regulations that apply to the customer's industry and location, such as GDPR, HIPAA, PCI DSS, etc.
- The SaaS provider should implement adequate security measures and controls to protect the customer's data from unauthorized access, modification, disclosure or loss, such as encryption, authentication, authorization, backup, etc.
- The SaaS provider should provide regular reports and audits on the security and performance of the SaaS solution, as well as notify the customer of any security incidents or breaches that may affect the customer's data.
- The SaaS provider should guarantee a certain level of availability and reliability of the SaaS solution, and specify the remedies or penalties for any service downtime or disruption.
- The SaaS provider should allow the customer to access, export, delete or transfer their data at any time, and ensure that the data are erased or returned to the customer upon termination of the contract.
- The SaaS provider should indemnify and hold harmless the customer from any claims, damages or liabilities arising from the use of the SaaS solution.
Including risk-related requirements in the SaaS contract will help to clarify the roles and responsibilities of both parties, as well as to establish trust and accountability between them. It will also help to mitigate the potential risks and challenges of using a hosted SaaS solution, such as data loss, unauthorized access, compliance violations, service outages, vendor lock-in, etc. The other options are not as effective as including risk-related requirements in the SaaS contract, as they do not address the contractual and legal aspects of using a hosted SaaS solution.
Question 425:
An executive management team has determined the need to implement an IT governance framework, beginning with the maturity assessment process. The PRIMARY purpose for maturity assessment is to:
A. Benchmark IT performance.
B. Identify gaps in performance.
C. Support impact analysis.
D. Identify gaps in capability.
Answer: D. Identify gaps in capability.
Question 426:
A recent benchmarking analysis has indicated an IT organization is retaining more data and spending significantly more on data retention than its competitors. Which of the following would BEST ensure the optimization of retention costs?
A. Requiring that all business cases contain data deletion and retention plans
B. Revalidating the organization's risk tolerance and re-aligning the retention policy
C. Moving all high-risk and medium-risk data backups to cloud storage
D. Redefining the retention policy to align with industry best practices
Answer: B. Revalidating the organization's risk tolerance and re-aligning the retention policy
Revalidating the organization's risk tolerance and re-aligning the retention policy is the best option to ensure the optimization of retention costs, because it can help the organization balance the trade-off between the benefits and costs of data retention. By revalidating the risk tolerance, the organization can identify the optimal level of data retention that minimizes the exposure to legal, regulatory, and operational risks, while also reducing the storage and management costs. By re-aligning the retention policy, the organization can ensure that the data retention practices are consistent with the risk tolerance and reflect the current business needs and objectives. A re-aligned retention policy can also help the organization comply with data retention laws and regulations, avoid unnecessary data hoarding, and improve data quality and accessibility.
References: Data Retention Policy 101: Best Practices, Examples and More - Intradyn; Data Retention 101: Policies and Best Practices | Egnyte; Best Practices for Data Retention and Policy Creation Will Optimize Storage Management; Data Retention Policy: Crafting Strategy for Compliance and Access
Question 427:
Which of the following is the MOST important input for designing a development program to help IT employees improve their ability to respond to business needs?
A. Capability maturity model
B. Cost-benefit analysis
C. Skills competency assessment
D. Annual performance evaluation
Answer: C. Skills competency assessment
According to the CGEIT exam guide, a skills competency assessment is a process of identifying and measuring the skills, knowledge and abilities of IT employees. It helps to determine the current and desired levels of proficiency for each skill, as well as the gaps and needs for improvement. A skills competency assessment is the most important input for designing a development program to help IT employees improve their ability to respond to business needs, as it provides a clear picture of the strengths and weaknesses of the IT workforce, and the areas where training, coaching, mentoring or other interventions are required.
References: CGEIT Exam Candidate Guide, page 14; CGEIT Certification, Skills Competency Assessment
Question 428:
An IT steering committee wants to select a disaster recovery site based on available risk data. Which of the following would BEST enable the mapping of cost to risk?
A. Key risk indicators (KRIs)
B. Scenario-based assessment
C. Business impact analysis (BIA)
D. Qualitative forecasting
Answer: C. Business impact analysis (BIA)
The best way to enable the mapping of cost to risk for selecting a disaster recovery site based on available risk data is to perform a business impact analysis (BIA). A BIA is a process of identifying and evaluating the potential effects of various disaster scenarios on the critical business functions and processes of an organization. A BIA can help estimate the financial and operational impacts of losing or disrupting the business functions and processes, such as revenue loss, customer dissatisfaction, regulatory fines, contractual penalties, reputation damage, etc. A BIA can also help determine the recovery time objectives (RTOs) and recovery point objectives (RPOs) for each business function and process, which indicate how quickly they need to be restored after a disaster and how much data loss is tolerable. By performing a BIA, the IT steering committee can map the cost of each disaster recovery site option to the risk of each disaster scenario, and compare the trade-offs between different levels of protection and investment [1]. The other options are not the best ways to enable the mapping of cost to risk for selecting a disaster recovery site. Key risk indicators (KRIs) are metrics that indicate the level of risk exposure or potential impact of a risk event on an organization. KRIs can help monitor and manage IT risks, but they do not necessarily reflect the cost of different disaster recovery site options. Scenario-based assessment is a method of analyzing and evaluating the likelihood and consequences of various risk scenarios. Scenario-based assessment can help identify and prioritize IT risks, but it does not provide a clear measure of the cost of different disaster recovery site options. Qualitative forecasting is a technique of using expert opinions, judgments, or intuition to predict future outcomes or trends. Qualitative forecasting can help estimate the future demand or growth of IT services, but it does not provide a reliable or objective basis for mapping the cost to risk of different disaster recovery site options.
Question 429:
What is the BEST way for a board of directors to improve its ability to identify material changes to the enterprise IT risk profile?
A. Require management to present a comprehensive list of risks.
B. Require the implementation of a security incident and event management (SIEM) tool.
C. Review the key risk indicators (KRIs) on a regular basis.
D. Focus on key performance indicators (KPIs) that predict future business performance.
Answer: C. Review the key risk indicators (KRIs) on a regular basis.
Question 430:
In a large enterprise, which of the following should be responsible for the implementation of an IT balanced scorecard?
A. Project management office
B. Chief information officer (CIO)
C. IT steering committee
D. Chief risk officer (CRO)
Answer: C. IT steering committee
An IT steering committee is a group of senior executives and stakeholders who provide strategic direction, oversight, and guidance for IT initiatives and investments in an enterprise. An IT steering committee should be responsible for the implementation of an IT balanced scorecard, as it can ensure that the scorecard aligns with the enterprise's vision, mission, goals, and strategies, and that it reflects the needs and expectations of the customers and other stakeholders. An IT steering committee can also monitor and evaluate the performance of the IT function based on the scorecard metrics, and provide feedback and recommendations for improvement. An IT steering committee can also facilitate communication and collaboration among the IT function and other business units, and promote a culture of accountability and transparency for IT performance.
References: [1] CGEIT Exam Content Outline | ISACA; CGEIT Review Manual (Digital Version); [2] How to implement the Balanced Scorecard: Best Practices and 10 Tips; [3] Who Should Manage Your Company's Balanced Scorecard?