Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 431:
An enterprise's decision to move to a virtualized architecture will have the GREATEST impact on:
A. system life cycle management.
B. asset classification.
C. vendor management.
D. vulnerability management.
C. vendor management. Moving to a virtualized architecture will have the greatest impact on vendor management, as it will require the enterprise to select, contract, and monitor the performance of the cloud or virtualization service providers. Vendor management is essential for ensuring that the virtualized architecture meets the enterprise's requirements, standards, and expectations, as well as for managing the risks, costs, and benefits of the virtualization strategy. Vendor management also involves negotiating and enforcing service level agreements (SLAs), ensuring compliance with regulations and policies, and resolving any issues or disputes that may arise with the vendors. System life cycle management, asset classification, and vulnerability management are also important aspects of IT governance, but they are not as significantly affected by moving to a virtualized architecture as vendor management. System life cycle management is the process of planning, developing, testing, deploying, maintaining, and retiring IT systems. Asset classification is the process of identifying, categorizing, and labeling IT assets based on their value, sensitivity, and criticality. Vulnerability management is the process of identifying, assessing, prioritizing, and mitigating IT vulnerabilities that may pose a threat to the enterprise's security or operations. These processes may need to be adapted or updated to accommodate the virtualized architecture, but they are not fundamentally changed by it. References: Steps to Meet Cloud and Virtualized Architecture Governance; Crafting the optimal model for the IT architecture organization; Enterprise Architecture Governance - Why It Is Important (Part 2); What is IT governance? A formal way to align IT and business strategy.
Question 432:
The CIO in a large enterprise is seeking assurance that significant IT risk is being proactively monitored and does not exceed agreed risk tolerance levels. The BEST way to provide this ongoing assurance is to require the development of:
A. an IT risk appetite statement.
B. a risk management policy.
C. key risk indicators (KRIs).
D. a risk register.
C. key risk indicators (KRIs). According to the CGEIT certification guide, key risk indicators (KRIs) are the best way to provide ongoing assurance that significant IT risk is being proactively monitored and does not exceed agreed risk tolerance levels. KRIs are metrics that measure the likelihood or impact of potential or actual risks, and provide early warning signals of increasing risk exposures. KRIs can help IT management to track and report the status and trends of IT risks, and to trigger timely responses and actions when the risk levels approach or exceed the predefined thresholds. The other options are less suitable than option C, as they do not provide ongoing assurance or proactive monitoring of IT risk. An IT risk appetite statement is a document that expresses the amount and type of risk that an organization is willing to take in order to meet its strategic objectives. A risk management policy is a document that defines the principles, framework, and processes for managing risks in an organization. A risk register is a tool that records and tracks the identified risks, their causes, impacts, likelihood, responses, and owners. References: CGEIT certification guide, domain 3: Risk Optimization, section 3.4: Risk Monitoring and Assurance, page 98; Key Risk Indicators (KRIs) - Definition from KWHS; Risk Appetite - an overview | ScienceDirect Topics; Risk Management Policy - an overview | ScienceDirect Topics; Risk Register - an overview | ScienceDirect Topics.
Question 433:
Which of the following should be considered FIRST when assessing the implications of new external regulations on IT compliance?
A. IT policies and procedures that need revision
B. Resource burden for implementation
C. Gaps in skills and experience of IT employees
D. Impact on contracts with service providers
A. IT policies and procedures that need revision When assessing the implications of new external regulations on IT compliance, the first consideration should be the IT policies and procedures that need revision. This initial focus ensures that the foundational guidelines governing IT operations are aligned with the new regulatory requirements, forming the basis for compliance. While the resource burden for implementation, gaps in skills and experience of IT employees, and the impact on contracts with service providers are important considerations, they follow the primary step of ensuring that IT policies and procedures are in compliance with new regulations.
Question 434:
Which of the following groups should approve the implementation of new technology?
A. IT steering committee
B. IT audit department
C. Portfolio management office
D. Program management office
A. IT steering committee. An IT steering committee is a group of senior executives who are responsible for directing, reviewing, and approving IT strategic plans, overseeing major initiatives, and allocating resources. They are the most appropriate group to approve the implementation of new technology, as they can ensure that it aligns with the organization's vision, mission, goals, and objectives. They can also evaluate the business case, risks, benefits, and alternatives of the new technology and provide guidance and support to the IT team. As one source puts it, "the steering committee establishes IT priorities for the business as a whole." References: What is an IT Steering Committee? - BMC Software | Blogs
Question 435:
Which of the following is an ADVANTAGE of using strategy mapping?
A. It provides effective indicators of productivity and growth.
B. It depicts the maturity levels of processes that support organizational strategy.
C. It identifies barriers to strategic alignment and links them to specific outcomes.
D. It depicts the cause-and-effect linked relationships between strategic objectives.
D. It depicts the cause-and-effect linked relationships between strategic objectives. Depicting the cause-and-effect relationships between strategic objectives is the advantage of using strategy mapping, as it helps to visualize and communicate how the enterprise can create value by achieving its strategic objectives. Strategy mapping also helps to align the IT goals and activities with the enterprise strategy, and to measure and monitor IT performance and outcomes. References: CGEIT Exam Content Outline, Domain 3, Subtopic A: Performance Management, Task 2: Ensure that IT performance measurement supports IT performance management by providing relevant, complete, reliable, timely and consistent information.
Question 436:
IT governance within an enterprise is attempting to drive a cultural shift to enhance compliance with IT security policies. The BEST way to support this objective is to ensure that enterprise IT policies are:
A. communicated on a regular basis.
B. acknowledged and signed by each employee.
C. centrally posted and contain detailed instructions.
D. integrated into individual performance objectives.
D. integrated into individual performance objectives. Integrating IT security policies into individual performance objectives is the best way to support the objective of driving a cultural shift to enhance compliance with IT security policies. This is because performance objectives are specific, measurable, achievable, relevant, and time-bound (SMART) goals that define what each employee is expected to accomplish and how they will be evaluated. By integrating IT security policies into performance objectives, the enterprise can communicate the importance and value of IT security policies to each employee; motivate and incentivize employees to comply with them; monitor and measure employees' compliance; provide feedback and recognition to employees who comply; and identify and address any gaps or issues in employees' compliance. Integrating IT security policies into performance objectives can help to create a culture of accountability, responsibility, and awareness for IT security within the enterprise. It can also help to align the individual goals of employees with the organizational goals of IT governance. The other options (communicating IT security policies on a regular basis, having each employee acknowledge and sign IT security policies, and centrally posting IT security policies with detailed instructions) are not as effective as integrating IT security policies into performance objectives for driving a cultural shift to enhance compliance. They are more related to the dissemination and implementation of IT security policies, rather than their integration and evaluation. They may not have a significant impact on the behavior and attitude of employees towards IT security policies, as they may not provide sufficient motivation, feedback, or recognition for compliance. They may also be perceived as passive, formal, or coercive methods of enforcing IT security policies, rather than active, informal, or collaborative methods of engaging employees in IT security policies. References: Performance Objectives - SMART Goals - BusinessBalls; How to Integrate Security Into Employee Performance Objectives; IT Security Policy: Key Components and Best Practices for Every Business ...
Question 437:
An IT governance committee is reviewing its current risk management policy in light of increased usage of social media within an enterprise. The FIRST task for the governance committee is to:
A. recommend blocking access to social media.
B. review current level of social media usage.
C. initiate an assessment of the impact on the business.
D. reassess the enterprise's bring your own device (BYOD) policy.
C. initiate an assessment of the impact on the business. When an IT governance committee is reviewing its current risk management policy due to increased usage of social media within an enterprise, the first task should be to initiate an assessment of the impact on the business. This assessment will provide a comprehensive understanding of how social media usage affects various aspects of the business, including productivity, security, data privacy, and compliance with existing policies and regulations. Understanding the business impact will inform the committee's decisions on any necessary policy adjustments or controls to mitigate potential risks associated with social media usage. While reviewing current usage levels, blocking access, and reassessing BYOD policies are relevant considerations, they should be informed by an initial assessment of the business impact to ensure that any actions taken are aligned with the enterprise's strategic objectives and risk tolerance.
Question 438:
An internal audit of a large financial institution found that financial data is being managed in a way that will negatively impact the enterprise's ability to support regulatory reporting. Which of the following should be the FIRST strategic action in addressing this situation?
A. Establish a data governance framework.
B. Assign data responsibilities through a RACI chart.
C. Review key risk indicators (KRIs) related to data management.
D. Update data management policies.
A. Establish a data governance framework. Establishing a data governance framework is the first strategic action in addressing the situation where financial data is being managed in a way that will negatively impact the enterprise's ability to support regulatory reporting. This is because a data governance framework is a structured approach to managing and utilizing data in an organization. It includes policies, procedures, and standards that guide how data is collected, stored, managed, and used. A data governance framework can help to improve data quality, accuracy, consistency, and completeness; ensure data privacy, security, and compliance with regulatory requirements; align data with business strategy, objectives, and priorities; enhance data integration, accessibility, and usability; and define data roles and responsibilities and assign accountability. By establishing a data governance framework, the enterprise can address the root cause of the problem, which is the lack of control and oversight over the financial data. A data governance framework can help to ensure that the financial data is properly managed and utilized to support regulatory reporting and other business needs. The other options (assigning data responsibilities through a RACI chart, reviewing key risk indicators (KRIs) related to data management, and updating data management policies) are not as effective as establishing a data governance framework for addressing the situation. They are more related to the implementation and execution of the data governance framework, rather than its design. They are also dependent on the existence of a data governance framework, as they require a clear understanding of the data landscape, goals, and standards of the organization.
Question 439:
A software company's products have had significant quality issues in recent releases. As a result, market reputation and customer satisfaction ratings have been suffering. What should executive leadership do FIRST to address this concern?
A. Allocate budget to hire more software and quality assurance specialists.
B. Implement a software development life cycle (SDLC) framework.
C. Mandate more robust software testing prior to release.
D. Require a root cause analysis and review results.
D. Require a root cause analysis and review results. This should be the first thing that executive leadership does to address the concern of quality issues in their software products, as it helps to identify and understand the underlying factors and causes that led to the quality problems. A root cause analysis is a systematic process of investigating a problem or incident by asking a series of questions, such as why, how, what, where, and when, until the root cause or causes are found. By requiring a root cause analysis and reviewing the results, executive leadership can gain insight into the nature and extent of the quality issues, as well as their impact on the market reputation and customer satisfaction ratings. They can also use the results to devise and implement corrective and preventive actions to resolve the quality issues and prevent them from recurring. The other options are not as important or effective as requiring a root cause analysis and reviewing the results, as they are either specific solutions or outcomes of the root cause analysis, but not comprehensive steps. Allocating budget to hire more software and quality assurance specialists may help to improve the software development and testing process, but it may not address the root cause or causes of the quality issues, which could be related to other factors, such as requirements, design, tools, methods, or culture. Implementing a software development life cycle (SDLC) framework may help to standardize and optimize the software development process, but it may not address the root cause or causes of the quality issues, which could be related to other factors, such as communication, collaboration, feedback, or training.
Mandating more robust software testing prior to release may help to detect and fix more defects before launching the software products, but it may not address the root cause or causes of the quality issues, which could be related to other factors, such as scope creep, change management, or quality assurance.
Question 440:
Which of the following should be the MOST important consideration for a hospital planning to use cloud services and mobile applications?
A. Privacy requirements
B. Data classification
C. Acceptable use policy
D. Internet connectivity
A. Privacy requirements. Privacy requirements should be the most important consideration for a hospital planning to use cloud services and mobile applications, because they involve the protection of sensitive and personal health information (PHI) of the patients and staff. PHI is a type of data that is subject to strict regulations and standards, such as the Health Insurance Portability and Accountability Act (HIPAA) in the US, the General Data Protection Regulation (GDPR) in the EU, and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. These regulations and standards require the hospital to ensure that PHI is collected, stored, processed, and transmitted in a secure and compliant manner, and that the rights and consent of the data subjects are respected. Using cloud services and mobile applications can pose significant challenges and risks to privacy, such as data breaches, unauthorized access, data loss, data residency, and third-party liability. Therefore, the hospital should carefully evaluate the privacy requirements and implications of using cloud services and mobile applications, and adopt appropriate governance, policies, controls, and measures to safeguard PHI in the cloud environment.