Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 501:
An IT steering committee is concerned that enterprise technologies have grown stagnant and are outdated. Which of the following is the BEST strategy to invest in modern technology?
A. Decrease spending on steady state and increase spending on modernization and enhancements.
B. Redefine the target architecture to define new technologies that can be incorporated into the infrastructure.
C. Create a new investment category for innovation that becomes a new way for tracking investment decisions.
D. Update the IT human resource management plan to require training and development for emerging technologies.
Answer: C. Create a new investment category for innovation that becomes a new way for tracking investment decisions.
One of the challenges of IT governance is to balance the competing demands of maintaining the existing IT systems and services (steady state) and investing in new technologies and capabilities (modernization and enhancements) that can support the business objectives and strategies. A common strategy to invest in modern technology is to create a new investment category for innovation that becomes a new way for tracking investment decisions. This category can be used to allocate funds for exploring and experimenting with emerging technologies that have the potential to create value for the enterprise, such as artificial intelligence, blockchain, internet of things, mobility, and drones. By creating a separate category for innovation, the IT steering committee can ensure that the enterprise does not fall behind in adopting new technologies, and that the IT portfolio is aligned with the changing business needs and opportunities.
References: The CFO and IT: Technology investment strategies (Deloitte Insights); Global Technology Governance Report 2021 (World Economic Forum); What is IT Governance and Why Your Organization Needs It Today; How CIOs Can Get IT Governance Right in an Agile World (ICF).
Question 502:
An enterprise is determining the objectives for an IT training improvement initiative from a governance perspective. It would be MOST important to ensure that:
A. policies and processes address both enterprise requirements and professional growth
B. courses of instruction that will maximize employee productivity are identified
C. several different training strategies are created for final approval by the CIO
D. IT employees are surveyed and interviewed to identify development needs
Answer: A. policies and processes address both enterprise requirements and professional growth
An enterprise is determining the objectives for an IT training improvement initiative from a governance perspective. Governance is the process of decision-making and implementation that involves various actors and structures, both formal and informal. Good governance is characterized by participation, consensus, accountability, transparency, responsiveness, effectiveness, efficiency, equity, inclusion, and rule of law. Therefore, it would be most important to ensure that the policies and processes for IT training address both the enterprise requirements and the professional growth of the IT employees. This would ensure that the IT training is aligned with the strategic goals and priorities of the enterprise, as well as the needs and expectations of the IT staff. It would also foster a culture of learning and development that enhances the performance, quality, and value of IT services. The other options are not the most important objectives for an IT training improvement initiative from a governance perspective. Identifying courses of instruction that will maximize employee productivity, creating several different training strategies for final approval by the CIO, and surveying and interviewing IT employees to identify development needs are all useful steps or methods for designing and implementing an IT training improvement initiative, but they are not the ultimate objectives or outcomes. They are subordinate or instrumental to the main objective of addressing both the enterprise requirements and the professional growth of the IT employees through policies and processes that reflect good governance principles.
References:
1: https://link.springer.com/article/10.1007/s40647-017-0197-4
2: https://www.unescap.org/sites/default/files/good-governance.pdf
3: https://topworkplaces.com/improving-training-and-development-strategies/
4: https://shrm.org/ResourcesAndTools/hr-topics/organizational-and-employee-development/Pages/Key-Steps-for-Better-Training-Development-Programs.aspx
5: https://www.forbes.com/sites/forbeshumanresourcescouncil/2021/07/13/12-ways-to-implement-successful-employee-training-initiatives/
Question 503:
Establishing a uniform definition for likelihood and impact through risk management standards PRIMARILY addresses which of the following concerns?
A. Inconsistent categories of vulnerabilities
B. Conflicting interpretations of risk levels
C. Inconsistent data classification
D. Lack of strategic IT alignment
Answer: B. Conflicting interpretations of risk levels
Establishing a uniform definition for likelihood and impact through risk management standards primarily addresses the concern of conflicting interpretations of risk levels. This is because likelihood and impact are two key factors that determine the level of risk associated with a threat or event. Different stakeholders may have different perceptions and expectations of what constitutes a high, medium, or low likelihood or impact, which can lead to inconsistent or inaccurate risk assessment and management. By defining and applying a common set of criteria and scales for likelihood and impact, risk management standards can help to ensure a consistent and objective evaluation and communication of risk levels across the organization.
Question 504:
Which of the following should be the PRIMARY consideration for an enterprise when prioritizing IT projects?
A. Technical capability of the enterprise to execute the projects
B. Process owner expectations based on operational benefits
C. Results of IT performance benchmarks against competitors
D. Impact on the business due to expected project outcomes
Answer: D. Impact on the business due to expected project outcomes
When prioritizing IT projects, the primary consideration for an enterprise should be the impact on the business due to expected project outcomes, because this aligns the IT investments with the enterprise's strategic objectives and value creation. The impact on the business can be assessed using criteria such as return on investment (ROI), net present value (NPV), risk exposure, customer satisfaction, and competitive advantage.
References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pages 31-32.
Question 505:
Which of the following provides the BEST evidence of effective IT governance?
A. Cost savings and human resource optimization
B. Business value and customer satisfaction
C. IT risk identification and mitigation
D. Comprehensive IT policies and procedures
Answer: B. Business value and customer satisfaction
Effective IT governance is the process of ensuring that IT supports the achievement of the organization's goals and objectives, and delivers value to its stakeholders. IT governance involves aligning the IT strategy, policies, processes, and resources with the business strategy, needs, and expectations. Therefore, the BEST evidence of effective IT governance is business value and customer satisfaction. Business value is the measure of the benefits and outcomes that IT provides to the organization, such as increased revenue, reduced costs, improved efficiency, enhanced innovation, or competitive advantage. Customer satisfaction is the measure of the quality and performance of IT services and products, as perceived by the internal and external customers of the organization, such as employees, partners, suppliers, or end-users. By demonstrating business value and customer satisfaction, IT governance can show that IT is aligned with and supports the business goals and objectives. The other options are not as good as option B. While cost savings and human resource optimization, IT risk identification and mitigation, and comprehensive IT policies and procedures are important aspects of IT governance, they are not sufficient to demonstrate effective IT governance. They are rather means to achieve the end goal of delivering business value and customer satisfaction. They do not necessarily reflect the extent to which IT supports the achievement of the organization's goals and objectives.
References: What is IT Governance? Definition and Examples (ASQ); What is IT governance? A formal way to align IT and business strategy; How to Measure the Value of an IT Investment (TechSoup); Measuring Customer Satisfaction in Information Technology Services (ISACA).
Question 506:
An enterprise has committed to the implementation of a new IT governance model. The BEST way to begin this implementation is to:
A. identify IT services that currently support the enterprise's capability.
B. define policies for data, applications, and organization of infrastructure.
C. identify the role of IT in supporting the business.
D. prioritize how much and where to invest in IT.
Answer: C. identify the role of IT in supporting the business.
The first step in implementing a new IT governance model is to identify the role of IT in supporting the business, which means clarifying the vision, mission, goals, and strategies of the enterprise and how IT can enable and align with them. This step helps to establish the business value and direction of IT, as well as the expectations and responsibilities of the stakeholders involved. It also helps to define the scope and boundaries of IT governance, and to identify the key issues and challenges that need to be addressed. Identifying the role of IT in supporting the business is a prerequisite for the other steps, such as identifying IT services, defining policies, and prioritizing investments, which are based on the business needs and objectives.
References: CGEIT Exam Content Outline (ISACA); CGEIT Review Manual (Digital Version); 5 Steps to Create a Governance Model to Become an IT Genius in Healthcare.
Question 507:
Which of the following is the FIRST consideration for a CISO when implementing Zero Trust architecture?
A. Refining relevant business goals.
B. Limiting the number of privileged accounts.
C. Selecting a security framework that is relevant to the business.
D. Defining security projects to address identified control gaps.
Answer: A. Refining relevant business goals.
Question 508:
An enterprise's executive team has recently released a new IT strategy and related objectives. Which of the following would be the MOST effective way for the CIO to ensure IT personnel are supporting the new strategy's objectives?
A. Measure progress towards IT objectives and communicate the results to IT staff.
B. Incorporate IT objectives into individual performance evaluations.
C. Develop communication materials to promote the new IT strategy and objectives.
D. Require IT managers to assign activities aligned to the IT objectives.
Answer: B. Incorporate IT objectives into individual performance evaluations.
This way, the CIO can align the IT personnel's work with the new strategy's objectives, communicate the desired outcomes and behaviors, motivate and empower the IT personnel, monitor and measure their progress and achievements, and provide feedback and recognition. Incorporating IT objectives into individual performance evaluations can also create a culture of accountability, excellence, and continuous improvement among the IT personnel, and ensure that they contribute to the value creation and delivery of IT. The other options are not as effective as incorporating IT objectives into individual performance evaluations, as they do not directly link the IT objectives with the IT personnel's performance and incentives. Measuring progress towards IT objectives and communicating the results to IT staff may help to inform them about the status and direction of the new strategy, but it does not ensure that they understand or follow it. Developing communication materials to promote the new IT strategy and objectives may help to raise awareness and interest among the IT staff, but it does not ensure that they adopt or support it. Requiring IT managers to assign activities aligned to the IT objectives may help to implement the new strategy at the operational level, but it does not ensure that the IT staff are engaged or committed to it.
Question 509:
An IT audit report indicates that a lack of IT employee risk awareness is creating serious security issues in application design and configuration. Which of the following would be the BEST key risk indicator (KRI) to show progress in IT employee behavior?
A. Number of IT employees attending security training sessions
B. Results of application security testing
C. Number of reported security incidents
D. Results of application security awareness training quizzes
Answer: D. Results of application security awareness training quizzes
The best key risk indicator (KRI) to show progress in IT employee behavior regarding application security issues is the results of application security awareness training quizzes. This KRI measures the level of knowledge and understanding that IT employees have acquired from the security training sessions, and how well they can apply it to their work. This KRI can also help to identify the gaps and weaknesses in the training content and delivery, and suggest areas for improvement. A high score on the quizzes indicates a high level of IT employee risk awareness and a low likelihood of creating serious security issues in application design and configuration.
Question 510:
Which of the following is MOST likely to have a negative impact on accountability for information risk ownership?
A. The risk owner is a department manager, and the control owner is a member of the risk owner's staff.
B. Information risk is assigned to a department, and an individual owner has not been assigned.
C. The risk owner and the control owner of the information do not work in the same department.
D. The same person is listed as both the control owner and the risk owner for the information.
Answer: B. Information risk is assigned to a department, and an individual owner has not been assigned.
Assigning information risk to a department without designating an individual owner is most likely to have a negative impact on accountability for information risk ownership. This lack of individual accountability can lead to ambiguities in responsibility, making it difficult to ensure that appropriate risk management actions are taken and followed up on. When an individual owner is clearly identified, it establishes direct responsibility and accountability, improving the effectiveness of risk management practices. While the scenarios described in the other options present challenges, the absence of a specific individual owner represents a fundamental weakness in establishing clear accountability for managing information risk.