Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 451:
Which of the following should be the FIRST consideration for an enterprise faced with a pandemic situation resulting in a mandatory remote work environment?
A. Reviewing and testing disaster recovery plans (DRPs)
B. Ensuring staff has the necessary technology to be productive
C. Ensuring remote work policies are updated and communicated
D. Revising IT performance monitoring metrics
B. Ensuring staff has the necessary technology to be productive The first consideration for an enterprise faced with a pandemic situation resulting in a mandatory remote work environment should be ensuring staff has the necessary technology to be productive, because this would enable the enterprise to maintain its business continuity and resilience, and to minimize the disruption and loss of the IT services and capabilities. The necessary technology may include hardware, software, network, security, and communication tools that support the remote work activities and requirements of the staff. The enterprise should also provide guidance and training to the staff on how to use the technology effectively and securely. The other options are not the first consideration, because they are either dependent on or secondary to the availability and functionality of the technology.
Question 452:
Which of the following roles is directly responsible for information quality?
A. Information custodian
B. Information steward
C. Information analyst
D. Information owner
B. Information steward This is because an information steward is a person or group who is accountable for the quality, integrity, and usability of the information assets within a specific domain or function. The responsibilities of an information steward include the following:
Defining and enforcing data quality standards, policies, and procedures
Monitoring and measuring data quality performance and outcomes
Identifying and resolving data quality issues and errors
Collaborating with data owners, custodians, analysts, and users to ensure data quality alignment and improvement
Educating and training data stakeholders on data quality best practices and tools
An information steward plays a key role in ensuring that the information assets are accurate, complete, consistent, reliable, and fit for purpose. The other options, information custodian, information analyst, and information owner, are not directly responsible for information quality. They are more involved in the creation, storage, access, and use of information assets, rather than their quality. They may also have different perspectives and interests than the information steward regarding the information quality. For example, the information custodian may focus on the security and availability of information assets, while the information analyst may focus on the analysis and interpretation of information assets. The information owner may focus on the value and benefits of information assets. Therefore, they may not have the same authority or responsibility as the information steward for ensuring information quality. References: What Is an Information Steward? | Informatica, Data Roles: Data Owner vs Data Steward vs Data Custodian
Question 453:
After shifting from lease to purchase of IT infrastructure and software licenses, an enterprise has to pay for unexpected lease extensions causing significant cost overruns. The BEST direction for the IT steering committee would be to establish:
A. an end-of-life program to remove aging infrastructure from the environment.
B. budget cuts to compensate for the cost overruns.
C. a program to annually review financial policy on overruns.
D. a policy to consider total cost of ownership (TCO) in investment decisions.
D. a policy to consider total cost of ownership (TCO) in investment decisions. Total cost of ownership (TCO) is the purchase price of an asset plus the costs of operation over its lifespan. TCO includes hardware and software acquisition, management and support, communications, end-user expenses and the opportunity cost of downtime, training and other productivity losses. By considering TCO in investment decisions, an enterprise can avoid unexpected costs and optimize the value of its IT assets. A policy to consider TCO in investment decisions can help the enterprise to plan ahead for the lease or purchase of IT infrastructure and software licenses, and avoid cost overruns due to lease extensions or other factors. References: CGEIT Review Manual (Digital Version), Chapter 4: Value Optimization, Section 4.2: IT Value Delivery, Subsection 4.2.3: IT Resource Management, Page 123; CGEIT Review Manual (Print Version), Chapter 4: Value Optimization, Section 4.2: IT Value Delivery, Subsection 4.2.3: IT Resource Management, Page 123; How to Calculate Total Cost of Ownership for Software - GetApp; Total Cost of Ownership: How It's Calculated With Example - Investopedia
Question 454:
IT maturity models measure:
A. performance.
B. value.
C. capabilities.
D. outcome.
C. capabilities. IT maturity models measure the capabilities of an IT organization, which means the ability to perform certain activities or tasks effectively and efficiently. IT maturity models assess the current state of the IT organization in terms of people, processes, and technology, and compare it with the desired or optimal state. IT maturity models also help to identify the gaps and opportunities for improvement, and to prioritize and plan the actions to achieve higher levels of maturity. IT maturity models can be used for various purposes, such as benchmarking, strategic planning, performance management, risk management, and quality assurance. References: CGEIT Exam Content Outline | ISACA, CGEIT Review Manual (Digital Version), Use an IT maturity model - IBM Garage Practices, IT Maturity Models, Scorecards and Assessments | Smartsheet
Question 455:
Which of the following should be the MOST essential consideration when outsourcing IT services?
A. Identification of core and non-core business processes.
B. Compliance with enterprise architecture (EA).
C. Alignment with existing human resources (HR) policies and practices.
D. Adoption of a diverse vendor selection process.
A. Identification of core and non-core business processes.
Question 456:
Which of the following is the MOST important attribute of an information steward?
A. The information steward manages the systems that process the relevant data.
B. The information steward has expertise in managing data quality systems.
C. The information steward is closely aligned with the business function.
D. The information steward is part of the information architecture group.
C. The information steward is closely aligned with the business function. An information steward is a person who is responsible for ensuring the quality, accuracy, consistency, and usability of the data in an organization. An information steward works with the business users and stakeholders to understand their data needs, requirements, and expectations, and to define and implement the data policies, standards, and rules that govern the data lifecycle. An information steward also monitors and reports on the data quality issues and trends, and initiates and coordinates the data improvement actions and projects. The most important attribute of an information steward is to be closely aligned with the business function, because this can help to ensure that the data supports the business goals and objectives, that the data meets the business expectations and requirements, that the data is relevant and useful for the business decisions and actions, and that the data is aligned with the business processes and workflows. The information steward does not necessarily manage the systems that process the relevant data, as this may be done by other IT roles, such as data engineers, data analysts, or data administrators. The information steward does not need to have expertise in managing data quality systems, as this may be a technical skill that can be acquired or supported by other IT roles or tools. The information steward does not need to be part of the information architecture group, as this may be a separate function that focuses on designing and maintaining the data structures, models, and standards. References: Information Steward settings option descriptions - SAP Online Help. What is an Information Steward, and Why You Should Care?. 6 Key Responsibilities of the Invaluable Data Steward - Dun and Bradstreet.
Question 457:
An enterprise wants to address the human factors of social engineering risk within the organization. From a governance perspective, which of the following is the BEST way to mitigate this risk?
A. Distribute the social media information security policy to staff.
B. Mandate annual security awareness training.
C. Restrict access to social media.
D. Mandate security requirements be included in employee contracts.
B. Mandate annual security awareness training. This is the best way to mitigate the human factors of social engineering risk within the organization from a governance perspective, as it helps to educate and empower the employees to recognize and prevent social engineering attacks. Social engineering attacks are malicious attacks that use deception and manipulation to exploit human behavior and trick people into revealing sensitive information, clicking malicious links, or opening malicious files. These attacks can cause serious damage to the organization, such as financial loss, data breach, reputation harm, or legal liability. Therefore, it is essential to address the human factors of social engineering risk, which are the psychological and emotional vulnerabilities that make people susceptible to these attacks, such as curiosity, greed, fear, urgency, or trust. By mandating annual security awareness training, the organization can raise the level of knowledge and awareness among the employees about the common types, techniques, and indicators of social engineering attacks, as well as the best practices and policies to avoid them. Security awareness training can also help to foster a culture of security and responsibility among the employees, and to reinforce their role and accountability in protecting the organization's assets and interests. The other options are not as effective as mandating annual security awareness training, as they do not address the human factors of social engineering risk directly. Distributing the social media information security policy to staff may help to inform them about the rules and expectations for using social media platforms, but it does not ensure that they understand or follow them. Restricting access to social media may help to reduce the exposure to potential social engineering attacks, but it does not prevent them from occurring through other channels or mediums. Mandating security requirements be included in employee contracts may help to enforce compliance and deter violations, but it does not prevent them from happening due to ignorance or negligence.
Question 458:
Which of the following will BEST enable an enterprise to convey IT governance direction and objectives?
A. Skills and competencies
B. Principles and policies
C. Corporate culture
D. Business processes
B. Principles and policies Principles and policies are the best way to convey IT governance direction and objectives, as they provide a clear and consistent framework for decision making, behavior, and actions in the organization. Principles are the fundamental statements that guide the IT governance process and reflect the values and beliefs of the organization. Policies are the specific rules and procedures that implement the principles and ensure compliance with the IT governance objectives. Skills and competencies are the abilities and knowledge that enable the IT staff to perform their roles and responsibilities effectively. They are important for achieving IT governance objectives, but they do not convey them directly. Skills and competencies are developed through training, education, and experience. Corporate culture is the shared set of norms, beliefs, and values that influence the behavior and attitudes of the organization's members. Corporate culture can support or hinder IT governance, depending on how well it aligns with the IT governance objectives. Corporate culture is influenced by leadership, communication, and incentives. Business processes are the activities and tasks that deliver value to the organization's customers and stakeholders. Business processes are aligned with the IT governance objectives to ensure efficiency, effectiveness, and quality. Business processes are designed, executed, monitored, and improved using various methods and tools. References: 1: What is IT governance? A formal way to align IT and business strategy | CIO 2: IT Governance: Definition, Frameworks, and Best Practices - InvGate 3: IT Governance Framework in ITSM - KnowledgeHut 4: Corporate governance of information technology - Wikipedia 5: What Is IT Governance? Definition, Practices and Frameworks
Question 459:
An enterprise has learned of a new regulation that may impact delivery of one of its core technology services. Which of the following should be done FIRST?
A. Update the risk management framework
B. Determine whether the board wants to comply with the regulation
C. Assess the risk associated with the new regulation
D. Request an action plan from the risk team
C. Assess the risk associated with the new regulation The first thing that the enterprise should do after learning of a new regulation that may impact delivery of one of its core technology services is to assess the risk associated with the new regulation. A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and impacts of a risk event on the enterprise's objectives, processes, and resources. A risk assessment can help the enterprise understand the nature, scope, and severity of the new regulation, as well as its compliance requirements, costs, and benefits. A risk assessment can also help the enterprise prioritize and implement the appropriate risk responses, such as avoiding, reducing, transferring, or accepting the risk. According to COBIT 5, one of the seven enablers of IT governance is risk management, which includes assessing IT-related risks and aligning them with enterprise risks. The risk assessment is also part of the IT governance domain: Risk Management. The other options are not the first things that the enterprise should do after learning of a new regulation. Updating the risk management framework is a step that may be done after assessing the risk associated with the new regulation, as it involves reviewing and improving the policies, procedures, and practices for managing IT risks in the enterprise. Determining whether the board wants to comply with the regulation is a step that may be done after assessing the risk associated with the new regulation, as it involves consulting with the board and other stakeholders on the strategic and ethical implications of complying or not complying with the regulation. Requesting an action plan from the risk team is a step that may be done after assessing the risk associated with the new regulation, as it involves defining and executing the tasks and activities for achieving compliance and mitigating risk.
Question 460:
Which of the following BEST enables an enterprise to minimize the risks of intellectual property theft and loss of sensitive information when acquiring Internet of Things (IoT) hardware and software components?
A. Review the data classification policy and relevant documentation
B. Terminate contracts with suppliers from sanctioned regions of the world
C. Require nondisclosure agreements (NDAs) from all suppliers
D. Integrate supply chain cyber risk management processes
D. Integrate supply chain cyber risk management processes The best way to minimize intellectual property theft and sensitive information loss in IoT acquisitions is to integrate supply chain cyber risk management processes. This holistic approach includes assessing supplier security posture, monitoring for threats, and ensuring cybersecurity is embedded into procurement, delivery, and operations. NDAs, sanctions, and data classification are supportive, but only supply chain risk management addresses the full lifecycle risks and modern threats in globally sourced IoT ecosystems. References: CGEIT Review Manual: Domain 4 - Risk Optimization; COBIT 2019: DSS05 (Manage Security Services), APO10 (Manage Suppliers).