Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 481:
Two large financial institutions with different corporate cultures are engaged in a merger. From a governance perspective, which of the following should be the GREATEST concern?
A. Technology infrastructure
B. Risk appetite
C. Combined cost of operations
D. Enterprise architecture (EA) integration

Answer: B. Risk appetite

Risk appetite is the greatest governance concern when two large financial institutions with different corporate cultures merge, because it expresses the amount and type of risk each organization is willing to pursue, retain or accept in order to achieve its strategic objectives. Risk appetite is shaped by organizational culture, values, beliefs and behaviors, and by external factors such as market conditions, regulation and stakeholder expectations. If the merging organizations have different risk appetites, aligning their strategies, policies, processes and systems becomes difficult, and performance, compliance, reputation and value creation can all suffer. The governing body should therefore assess and harmonize the two risk appetites and ensure the result is consistent with the merged entity's vision, goals and needs. Technology infrastructure, operating cost and EA integration are management-level integration issues that follow from, rather than determine, the agreed risk appetite.

References: Good Governance Institute, Board guidance on risk appetite; Risk Appetite: A Conversation of Governance; Organisations must define their IT risk appetite and tolerance.
Question 482:
Which of the following BEST supports enterprise decision making for IT resource allocation?
A. IT-related regulatory requirements
B. Enterprise IT strategy
C. Enterprise IT risk assessment
D. IT balanced scorecard

Answer: B. Enterprise IT strategy

An enterprise IT strategy is a plan that defines the vision, mission, goals and objectives of the IT function in relation to the business needs and expectations of the enterprise, and that sets out the principles, policies, standards and frameworks guiding IT governance, management and operations. It best supports enterprise decision making for IT resource allocation because it aligns IT resources with business priorities, identifies and prioritizes the IT initiatives and investments expected to deliver the desired outcomes and benefits, and allocates the appropriate resources for their execution and delivery. It also provides the basis for monitoring and evaluating the results of allocation decisions and feeding improvements back into the plan. Regulatory requirements, the IT risk assessment and the IT balanced scorecard are inputs to or measures of the strategy rather than the basis for allocation decisions.

References: CGEIT Exam Content Outline | ISACA; CGEIT Review Manual (Digital Version); What is an IT Strategy? - Definition from Techopedia; How to create an effective IT strategy | The Enterprisers Project.
Question 483:
Which of the following BEST helps to ensure that IT standards will be consistently applied across the enterprise?
A. Enterprise risk management (ERM) reviews.
B. Mandatory systems development training.
C. Business case reviews by the steering committee.
D. Established enterprise architecture (EA) practices.

Answer: D. Established enterprise architecture (EA) practices.

Established EA practices define the enterprise's technical standards and the governance mechanisms, such as architecture review of proposed solutions, through which those standards are applied to every initiative. ERM reviews, development training and business case reviews each touch only part of the portfolio and do not enforce consistent application of IT standards across the enterprise.
Question 484:
Which of the following MOST effectively prevents an IT system from becoming technologically obsolete before its planned return on investment (ROi)?
A. Requesting periodic third-party assessments of the system throughout its life
B. Obtaining long-term support commitments from the system platform vendor(s)
C. Obtaining independent assurance that the system will conform to future business requirements
D. Ensuring that the system is maintained in compliance with enterprise architecture (EA) standards

Answer: D. Ensuring that the system is maintained in compliance with enterprise architecture (EA) standards

Maintaining the system in compliance with EA standards is the most effective way to prevent it from becoming technologically obsolete before its planned return on investment (ROI), because EA standards keep the system aligned with the current and future business needs, goals and strategies of the organization. EA standards define the principles, guidelines and practices for designing, developing and managing IT systems consistently and coherently across the enterprise. By following them, IT leaders keep the system compatible with the existing and emerging technologies, platforms and frameworks that support business processes, can monitor the system's performance, quality, security and reliability, and can identify and address any gaps, issues or risks that threaten its functionality or value. EA standards also give business users, IT staff, vendors and auditors a common basis for communication throughout the system lifecycle. Periodic third-party assessments, vendor support commitments and assurance over future requirements each address only one source of obsolescence and do not by themselves keep the system aligned with the enterprise's technology direction.

References: ISO/IEC/IEEE 42020:2019, Software, systems and enterprise: Architecture processes; Sample: Enterprise Architecture Standards - CIO Portal; Obsolescence management for IT leaders - Information Age.
Question 485:
Which of the following would be an IT steering committee's BEST course of action upon learning business units have been independently procuring cloud services?
A. Require cancellation of cloud-based application services not vetted by IT leadership.
B. Include business unit leadership in the enterprise architecture (EA) review board.
C. Limit cloud-based application service usage to open source solutions.
D. Define a procurement strategy based on business unit needs.

Answer: D. Define a procurement strategy based on business unit needs.

Upon learning that business units have been independently procuring cloud services, the IT steering committee's best course of action is to define a procurement strategy based on business unit needs. This ensures that cloud service procurement aligns with the enterprise's overall IT strategy and governance policies while still addressing the specific requirements of individual business units, and it fosters collaboration between IT and the business so that cloud services are vetted for compliance, security and interoperability. Requiring cancellation, adding business unit leadership to the EA review board, or limiting usage to open source solutions may each address an aspect of the issue, but none provides a comprehensive strategy that aligns business needs with IT governance.
Question 486:
Which of the following is the PRIMARY consideration for an enterprise when deciding whether to adopt a qualitative risk assessment method?
A. The method identifies areas to immediately address vulnerabilities
B. The method provides specific objective measurements of exposure
C. The method enables an analysis of recommended controls
D. The method provides a platform for all departments to contribute to the risk assessment

Answer: D. The method provides a platform for all departments to contribute to the risk assessment

A qualitative risk assessment evaluates risk through scenarios, expert judgment and relative likelihood and impact ratings rather than numeric measurement. Its value lies in drawing on the knowledge of people across the enterprise: business units, IT, finance and compliance can each rate the risks in their area without needing loss data or exposure figures, which is why broad participation is the primary consideration when deciding to adopt the method. Because it rests on judgment, a qualitative assessment can be biased or inconsistent between assessors, so an enterprise that needs precise, defensible estimates of exposure should consider a quantitative or hybrid method instead. The other options do not drive the decision: a qualitative method does not provide specific objective measurements of exposure (that is a property of quantitative methods), and identifying vulnerabilities to address immediately or analyzing recommended controls are outcomes that any assessment method, qualitative or quantitative, can produce.
Question 487:
An enterprise has an ongoing issue of corporate applications not delivering the expected benefits due to missing key functionality. As a result, many groups are using spreadsheets and databases instead of approved enterprise applications to store and manipulate information. Which of the following will BEST improve the success rate of future IT initiatives?
A. Engage the business user community in acceptance testing of acquired applications.
B. Engage stakeholders to identify and validate business requirements.
C. Establish a process for risk and value management.
D. Prohibit the use of non-approved alternate software solutions.

Answer: B. Engage stakeholders to identify and validate business requirements.

Engaging stakeholders to identify and validate business requirements is the best way to improve the success rate of future IT initiatives. Stakeholders are the individuals or groups with an interest in or influence over the initiatives, such as business users, customers, managers and sponsors. Engaging them helps to:
- understand the needs, expectations and priorities of the stakeholders and ensure they are aligned with business objectives and strategy;
- define and document the business requirements that specify what the initiative should deliver in terms of functionality, quality, performance and value;
- validate and verify that the requirements are clear, complete, consistent, feasible and testable;
- communicate and manage changes or issues that affect the requirements or the initiative.

Identifying and validating requirements with stakeholders addresses the root cause of the missing functionality, so the corporate applications meet stakeholders' needs, reliance on spreadsheets and databases as workarounds falls, and user satisfaction and adoption of the enterprise applications rise.

The other options are weaker. Engaging the business user community in acceptance testing is good practice, but acceptance testing happens at the end of the lifecycle, after the application has been developed or acquired; if requirements were not identified and validated at the start, acceptance testing may reveal gaps that are costly or difficult to fix. Establishing a process for risk and value management (identifying, assessing, prioritizing and treating the risks and benefits of IT initiatives) is useful, but without clear and valid business requirements it cannot be effective or accurate and does not directly address the missing functionality. Prohibiting non-approved software may force users onto the enterprise applications, but it does not fix the functionality gap and is likely to create dissatisfaction, frustration or resistance, and to prevent users from performing their tasks effectively.

References: Stakeholder Engagement - ISACA; Business Requirements - ISACA; Requirements Validation - ISACA.
Question 488:
When implementing an IT governance framework, which of the following would BEST ensure acceptance of the framework?
A. Factoring in the effects of enterprise culture
B. Using subject matter experts
C. Using industry-accepted practices
D. Complying with regulatory requirements

Answer: A. Factoring in the effects of enterprise culture

When implementing an IT governance framework, the effects of enterprise culture on its acceptance and adoption must be considered. Enterprise culture is the set of values, beliefs, norms and behaviors that shape how an organization operates and interacts with its stakeholders. A mismatch between the framework and the culture leads to resistance, conflict or failure of the framework, so the framework should be tailored to the specific context and needs of the organization. Using subject matter experts, adopting industry-accepted practices and complying with regulatory requirements help to ensure the quality, relevance and compliance of the framework, but they do not by themselves secure its acceptance by the organization.

References: ISACA, CGEIT Review Manual, 27th Edition, 2020, page 12; Implementing Good Governance Principles for the Public Sector in Information Technology Governance Frameworks.
Question 489:
An enterprise has decided to utilize a cloud vendor for the first time to provide email as a service, eliminating in-house email capabilities. Which of the following IT strategic actions should be triggered by this decision?
A. Develop a data protection awareness education training program.
B. Monitor outgoing email traffic for malware.
C. Implement a data classification and storage management tool.
D. Update and communicate data storage and transmission policies.

Answer: D. Update and communicate data storage and transmission policies.

Data storage and transmission policies define the rules for how data is stored, accessed, shared and transmitted within and outside the organization, and they underpin the security, privacy, compliance and quality of that data. Moving email to a cloud vendor for the first time, and retiring in-house email, changes where and how data is held and moved, and introduces new risks and obligations around data sovereignty, ownership, encryption, backup, retention, deletion, access control, audit and breach notification. The strategic action this decision triggers is therefore to update the policies to reflect the new email environment and the division of responsibilities with the cloud vendor, and to communicate the updated policies to employees, customers, partners and regulators so that they are aware of and comply with them. Awareness training, malware monitoring and a classification tool are operational measures that follow from, and should be driven by, the updated policies.

References: Data Storage Policy: Definition and Best Practices; Data Transmission Policy: Definition and Best Practices; Cloud Email Security: Definition and Best Practices; Cloud Data Protection: Definition and Best Practices.
Question 490:
An enterprise is trying to increase the maturity of its IT process from being ad hoc to being repeatable. Which of the following is the PRIMARY benefit of this change?
A. Process optimization is embedded across the organization.
B. Required outcomes are mapped to business objectives.
C. Process performance is measured in business terms.
D. Required outcomes are more frequently achieved.

Answer: D. Required outcomes are more frequently achieved.

Raising an IT process from ad hoc to repeatable means the process is documented and followed consistently, which makes its outcomes more predictable and reliable. In the capability maturity model used for IT governance processes, the repeatable level is characterized by required outcomes being more frequently achieved. Embedding optimization across the organization, mapping outcomes to business objectives and measuring performance in business terms are characteristics of higher maturity levels.

References: CGEIT Domain 1: Framework for the Governance of Enterprise IT.