Isaca CGEIT Online Practice
Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 541:
An independent consultant has been hired to conduct an ad hoc audit of an enterprise's information security office, with results reported to the IT governance committee and the board. Which of the following is MOST important to provide to the consultant before the audit begins?
A. Acceptance of the audit risks and opportunities
B. The scope and stakeholders of the audit
C. The organizational structure of the security office
D. The policies and framework used by the security office
Answer: B. The scope and stakeholders of the audit
The scope and stakeholders of the audit are the most important information to provide to the consultant before the audit begins, because they define the objectives, boundaries, and expectations of the audit; the organizational structure, policies and framework of the security office (options C and D) are inputs the consultant gathers within that scope, and acceptance of audit risks (option A) follows from an agreed scope rather than preceding it. Defining audit scope and stakeholders is part of the CGEIT domain Framework for the Governance of Enterprise IT.
References: CGEIT Review Manual 2023, ISACA, page 23.
Question 542:
A newly appointed CIO has issued a new IT strategic plan. Which of the following is the MOST effective way for the CIO to ensure the IT management team is held accountable for the delivery of the plan?
A. Update the IT balanced scorecard with key objectives.
B. Enforce disciplinary action for managers if the plan is not delivered.
C. Revise the managers' performance goals to include key objectives.
D. Provide management training on IT strategic objectives.
Answer: C. Revise the managers' performance goals to include key objectives.
The most effective way for the CIO to ensure the IT management team is held accountable for the delivery of the plan is to revise the managers' performance goals to include key objectives that are aligned with the IT strategic plan. This way, the managers have clear and measurable targets that reflect their contribution to the IT strategy and vision. The CIO can then monitor and evaluate the managers' progress and performance against these goals and provide feedback, recognition, or improvement actions as needed.
The other options are less effective. Updating the IT balanced scorecard with key objectives is good practice, but it does not directly link the objectives to the managers' individual responsibilities and incentives. Enforcing disciplinary action if the plan is not delivered is a purely punitive approach that may demotivate managers rather than drive delivery. Providing management training on IT strategic objectives is helpful, but it does not specify how the managers will be assessed and rewarded for achieving the objectives.
References: IT Strategic Planning: A Step-by-Step Guide; How to Hold Your Team Accountable; IT Governance (CIO Wiki).
Question 543:
Best practice states that IT governance MUST:
A. enforce consistent policy across the enterprise.
B. be applied in the same manner throughout the enterprise.
C. apply consistent target levels of maturity to processes.
D. be a component of enterprise governance.
Answer: D. be a component of enterprise governance.
IT governance must be a component of enterprise governance, as it ensures that IT supports and enables the achievement of the enterprise goals and objectives. IT governance is the responsibility of the board of directors and executive management, and it is an integral part of enterprise governance. IT governance also aligns IT with the enterprise strategy, delivers value from IT investments, manages IT risks and resources, and measures IT performance. Options A, B and C describe possible practices within a governance framework, but none of them is a mandatory property of IT governance; a framework can legitimately apply different policies, approaches and maturity targets to different parts of the enterprise.
References: CGEIT Exam Content Outline, Domain 1, Subtopic A: Governance Framework, Task 1: Ensure the definition, establishment, and management of a framework for the governance of enterprise IT in alignment with the mission, vision and values of the enterprise.
Question 544:
A project sponsor has circumvented the request for proposal (RFP) selection process. Which of the following is the MOST likely reason for this control gap?
A. Inadequate stage-gate reviews
B. Inadequate board oversight
C. Lack of accountability for policy adherence
D. Lack of a legal and regulatory review process
Answer: C. Lack of accountability for policy adherence
A request for proposal (RFP) is a formal document that solicits proposals from potential vendors for a product or service. The RFP process is intended to ensure a fair, transparent and objective selection of the vendor that best meets the requirements and expectations of the project sponsor and the enterprise. The RFP process typically involves the following steps:
- Planning and preparation: Define the scope, objectives, budget, timeline and evaluation criteria of the project. Identify the stakeholders and decision makers involved in the RFP process. Research the market and potential vendors. Develop the RFP document that outlines the project details, requirements, expectations and instructions for the vendors.
- Issuing and advertising: Distribute the RFP document to the potential vendors, either directly or through public channels. Provide a deadline for submitting proposals and a contact person for inquiries. Advertise the RFP opportunity to attract more qualified vendors.
- Receiving and reviewing: Receive the proposals from the vendors by the deadline. Review and evaluate the proposals against the predefined criteria, such as technical capabilities, experience, references and pricing. Shortlist the most suitable vendors for further consideration.
- Negotiating and awarding: Negotiate with the shortlisted vendors to clarify any questions, concerns or issues. Discuss the terms and conditions of the contract, such as scope, deliverables, schedule and payment. Select the vendor that offers the most value and benefit to the project and the enterprise. Award the contract to the chosen vendor and notify the other vendors of the decision.
- Managing and monitoring: Manage and monitor the performance and progress of the vendor throughout the project lifecycle. Ensure that the vendor meets the contractual obligations and delivers quality results on time and within budget. Provide feedback and support to the vendor as needed. Resolve any conflicts or disputes that may arise.
A project sponsor who circumvents the RFP selection process violates the established policies and procedures of the enterprise and undermines the integrity and credibility of the RFP process. The most likely reason for this control gap is a lack of accountability for policy adherence: there is no clear assignment of roles and responsibilities for following and enforcing the policies, no effective mechanism for monitoring and reporting policy compliance, or no adequate consequences for policy violations. Stage-gate reviews (option A) and board oversight (option B) operate at the project and enterprise level and would not by themselves have stopped a sponsor from bypassing a procurement step, and a legal and regulatory review (option D) addresses contract content rather than vendor selection. A lack of accountability for policy adherence can lead to poor governance, increased risk, reduced value and damaged reputation for both the project sponsor and the enterprise. Therefore, it is essential to establish and maintain a strong culture of accountability for policy adherence within the enterprise, and to implement appropriate controls and measures to ensure compliance with policies.
References: The RFP Process: The Ultimate Step-by-Step Guide; Criteria and Methodology for GRC Platform Selection; The Ultimate RFP Guide: Steps, Guidelines and Template; Guidebook: Crafting a Driven Request for Proposals (RFP).
Question 545:
An IT steering committee has received a report that supports the economic and service benefits of moving infrastructure hosting to an external cloud provider. Business leadership is very concerned about the security risk and potential loss of customer data. What is the BEST way for the committee to address these concerns?
A. Mandate there will be no customer data at rest stored on cloud servers used by the vendor.
B. Include compliance with the enterprise's data governance policy in the contract.
C. Ensure reporting and penalty clauses are included in the contract for any loss of data.
D. Require an encrypted connection between the cloud and enterprise servers.
Answer: B. Include compliance with the enterprise's data governance policy in the contract.
According to the CGEIT exam guide, data governance is the set of processes that ensure that important data assets are formally managed throughout the enterprise. Data governance ensures that data can be trusted and that people can be held accountable for any adverse event caused by poor data quality. It puts people in charge of fixing and preventing issues with data so that the enterprise can become more efficient. Data governance also describes an evolutionary process for a company, changing how it thinks about information and setting up the processes to handle it so that the whole organization can use it.
When moving infrastructure hosting to an external cloud provider, it is essential to include compliance with the enterprise's data governance policy in the contract. This ensures that the cloud provider follows the same standards and practices as the enterprise regarding data quality, security, privacy, availability, integrity and reliability, and it helps to mitigate the risk of data breach, loss or misuse and to protect the reputation and trust of the enterprise and its customers. The other options each address only one aspect of the concern: prohibiting data at rest (option A) may defeat the purpose of the migration, penalty clauses (option C) compensate after a loss rather than preventing it, and an encrypted connection (option D) protects data in transit only.
References: CGEIT Exam Candidate Guide, page 16; CGEIT Certification; Building Cloud Governance From the Basics.
Question 546:
An enterprise has identified a number of plausible risk scenarios that could result in economic loss associated with major IT investments. Which of the following is the BEST method to assess the risk?
A. Cost-benefit analysis
B. Qualitative analysis
C. Business impact analysis (BIA)
D. Quantitative analysis
Answer: D. Quantitative analysis
Quantitative analysis is the best method to assess the risk of plausible scenarios that could result in economic loss associated with major IT investments, because it assigns objective numerical or measurable values to the components of the risk assessment and to the potential loss. Quantitative analysis can estimate the probability and impact of risk events, calculate the expected monetary value (EMV) of each risk, and compare the costs and benefits of different risk responses. It therefore gives a more accurate and objective basis for decision making than qualitative analysis, which is scenario-based and relies on subjective judgments. A cost-benefit analysis (option A) evaluates the investment itself rather than its risk, and a BIA (option C) measures the consequences of disruption to business processes rather than the likelihood and loss of specific investment scenarios.
References: Risk Assessment and Analysis Methods: Qualitative and Quantitative (ISACA); 6 Types of Risk Assessment Methodologies + How to Choose (Drata).
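The explanation above describes quantitative analysis in the abstract: assign a probability and a monetary impact to each scenario, compute its expected monetary value, and compare risk responses by cost and benefit. The following Python block is an added worked example (not from the original page or from ISACA) that carries that out on a small set of constructed IT-investment scenarios: it computes the annualised loss expectancy (ALE = ARO x SLE) per scenario, applies each candidate response as an assumed reduction in occurrence rate or loss size, and ranks the responses by net annual benefit and return on security investment (ROSI). All scenario and response figures are invented for illustration.

```python
"""Quantitative risk assessment of IT-investment scenarios (added example).

ARO  = annual rate of occurrence (expected events per year, i.e. probability)
SLE  = single loss expectancy (monetary loss per event)
ALE  = ARO * SLE, the expected monetary value (EMV) of the scenario per year
ROSI = (ALE reduction - response cost) / response cost
All numbers below are constructed, not real data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Scenario:
    name: str
    aro: float   # expected occurrences per year
    sle: float   # loss per occurrence, in currency units


@dataclass(frozen=True)
class Response:
    name: str
    annual_cost: float
    # Assumed multiplicative effect on ARO / SLE, keyed by scenario name.
    # A factor of 0.4 means the response leaves 40% of the original value.
    aro_factor: dict = field(default_factory=dict)
    sle_factor: dict = field(default_factory=dict)


def ale(s: Scenario) -> float:
    """Annualised loss expectancy of one scenario (its EMV per year)."""
    return s.aro * s.sle


def total_ale(scenarios: list[Scenario]) -> float:
    return sum(ale(s) for s in scenarios)


def apply_response(r: Response, scenarios: list[Scenario]) -> list[Scenario]:
    """Return the scenarios as they would look with the response in place."""
    return [
        Scenario(s.name,
                 s.aro * r.aro_factor.get(s.name, 1.0),
                 s.sle * r.sle_factor.get(s.name, 1.0))
        for s in scenarios
    ]


def evaluate(r: Response, scenarios: list[Scenario]) -> dict:
    """Cost-benefit figures for one response: ALE before/after, net benefit, ROSI."""
    before = total_ale(scenarios)
    after = total_ale(apply_response(r, scenarios))
    net = (before - after) - r.annual_cost
    rosi = net / r.annual_cost if r.annual_cost else float("inf")
    return {"response": r.name, "ale_before": before, "ale_after": after,
            "net_benefit": net, "rosi": rosi}


def rank_responses(responses: list[Response], scenarios: list[Scenario]) -> list[dict]:
    """Responses ordered by net annual benefit; negative net means not worth funding."""
    return sorted((evaluate(r, scenarios) for r in responses),
                  key=lambda e: e["net_benefit"], reverse=True)


# Constructed risk scenarios for a hypothetical ERP programme.
SCENARIOS = [
    Scenario("erp_migration_overrun", aro=0.5, sle=400_000),
    Scenario("vendor_insolvency",     aro=0.1, sle=1_200_000),
    Scenario("data_breach",           aro=0.2, sle=800_000),
]

# Constructed candidate responses with assumed effects.
RESPONSES = [
    Response("staged_delivery", annual_cost=60_000,
             aro_factor={"erp_migration_overrun": 0.4}),
    Response("escrow_and_dual_sourcing", annual_cost=50_000,
             sle_factor={"vendor_insolvency": 0.25}),
    Response("full_rewrite", annual_cost=300_000,
             aro_factor={"erp_migration_overrun": 0.0, "data_breach": 0.5}),
]

if __name__ == "__main__":
    print(f"Total ALE without responses: {total_ale(SCENARIOS):,.0f}")
    for row in rank_responses(RESPONSES, SCENARIOS):
        print(f"{row['response']:<26} ALE after {row['ale_after']:>10,.0f}  "
              f"net {row['net_benefit']:>9,.0f}  ROSI {row['rosi']:.2f}")
```

With the constructed figures the total ALE is 480,000; staged delivery nets 60,000 a year (ROSI 1.0), escrow and dual sourcing nets 40,000 (ROSI 0.8), and the full rewrite removes the most loss in absolute terms but costs more than it saves (net -20,000), which is exactly the comparison qualitative scoring cannot make.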
Question 547:
Which of the following provides the BEST assurance on the effectiveness of IT service management processes?
A. Performance of incident response
B. Continuous monitoring
C. Key risk indicators (KRIs)
D. Compliance with internal controls
Answer: B. Continuous monitoring
Continuous monitoring provides the best assurance on the effectiveness of IT service management processes because it involves collecting, analyzing, and reporting data on the performance, quality, and outcomes of the IT services on an ongoing basis. Continuous monitoring helps to identify and address any issues, gaps, or deviations from the expected standards and goals of the IT service management processes. It also helps to measure and demonstrate the value and impact of the IT services to customers and stakeholders, and it supports continuous improvement of the processes by providing feedback and insight for decision making and planning. The other options are narrower: incident response performance (option A) covers one process only, KRIs (option C) signal rising risk rather than process effectiveness, and compliance with internal controls (option D) shows that controls exist and operate, not that the service management processes achieve their intended outcomes.
Question 548:
Which of the following is MOST important to include in IT governance reporting to the board of directors?
A. Critical risks
B. Technology cost savings
C. Threat landscape
D. Security events
Answer: A. Critical risks
According to the ISACA paper on IT Governance Reporting, the most important information to include in IT governance reporting to the board of directors is the critical risks that IT faces or poses to the enterprise. Critical risks are those that have a high likelihood and impact, and that could threaten the achievement of the enterprise's strategy, objectives and goals. Critical risks could include cyberattacks, data breaches, regulatory compliance violations, IT project failures, IT service disruptions and IT resource shortages. The board of directors should be aware of the critical risks, as well as the actions taken or planned to mitigate them. The other options are not as important as critical risks, as they relate more to the operational or tactical aspects of IT than to the strategic or governance aspects.
Question 549:
Which of the following should be the FIRST step for executive management to take in communicating what is considered acceptable use with regard to personally owned devices for company business?
A. Require employees to read and sign a disclaimer.
B. Develop and disseminate an applicable policy.
C. Post awareness messages throughout the facility.
D. Provide training on how to protect data on personal devices.
Answer: B. Develop and disseminate an applicable policy.
The first step for executive management to take in communicating what is considered acceptable use with regard to personally owned devices for company business is to develop and disseminate an applicable policy. A policy is a written set of rules and guidelines that defines the scope, objectives, roles, and responsibilities of the BYOD program and specifies the security, privacy, and usage requirements and expectations for employees and the organization. It establishes a clear and consistent understanding of what is acceptable and unacceptable when using personal devices for work purposes, and what the consequences of non-compliance are. A policy also helps to mitigate the risks and challenges associated with BYOD, such as data breaches, device loss or theft, malware infections, legal liabilities, and support issues. The policy should be developed in consultation with relevant stakeholders, such as IT, HR, legal, and business units, and disseminated to all employees through channels such as email, the intranet, training sessions, and awareness campaigns. Disclaimers, awareness messages and training (options A, C and D) are ways of communicating and reinforcing the policy and therefore depend on it existing first.
References: BYOD Policies for Organizations (4 Examples), Dashlane; Mobile Device Security: Bring Your Own Device (BYOD), Draft NIST SP 1800-22; Personally Owned Device Policy, FBI.
Question 550:
Which of the following is the MOST effective way for a CIO to govern business unit deployment of shadow IT applications in a cloud environment?
A. Implement controls to block the installation of unapproved applications.
B. Educate the executive team about the risk associated with shadow IT applications.
C. Provide training to the help desk to identify shadow IT applications.
D. Review and update the application implementation process.
Answer: B. Educate the executive team about the risk associated with shadow IT applications.
The most effective way for a CIO to govern business unit deployment of shadow IT applications in a cloud environment is to educate the executive team about the risk associated with shadow IT applications. Shadow IT applications are often deployed without the knowledge or approval of the central IT organization, and may pose security, compliance, and performance risks to the enterprise. Because cloud applications are provisioned by the business units themselves, technical blocking (option A) and help desk detection (option C) have limited reach, and an updated implementation process (option D) is only followed if business leadership requires it. By raising awareness of these risks among the executive team, the CIO can foster a culture of IT governance and alignment, and encourage the business units to follow the established application implementation process.
References: CGEIT Certification | Certified in Governance of Enterprise IT | ISACA; IT Governance: Definitions, Frameworks and Planning, ProjectManager.
Nowadays, certification exams are becoming more important and are required by more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers.
Vcedump.com provides not only Isaca exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CGEIT exam preparation and Isaca certification application, do not hesitate to visit Vcedump.com to find your solutions here.