Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details

Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 561:
The board and senior management of a new enterprise recently met to formalize an IT governance framework. The board of directors' FIRST step in implementing IT governance is to ensure that:
A. an IT balanced scorecard is implemented.
B. a portfolio of IT-enabled investments is developed.
C. IT roles and responsibilities are established.
D. IT policies and procedures are defined.
Answer: C. IT roles and responsibilities are established.
The first step in implementing IT governance is to ensure that IT roles and responsibilities are established. The board of directors should define the authority, accountability and decision rights of the key stakeholders involved in IT governance: the board itself, senior management, business units, the IT function and external parties. By doing so, the board ensures that IT governance is aligned with enterprise governance and strategy, and that IT performance and value delivery are monitored and evaluated. Establishing IT roles and responsibilities is also a prerequisite for defining IT policies and procedures, developing a portfolio of IT-enabled investments and implementing an IT balanced scorecard. References: CGEIT Exam Content Outline, Domain 1: Framework for the Governance of Enterprise IT; COBIT 5: Enabling Processes, chapter 4, section 4.1.1; Improve IT Governance to Drive Business Results.
Question 562:
A CEO determines the enterprise is lagging behind its competitors in consumer mobile offerings, and mandates an aggressive rollout of several new mobile services within the next 12 months. To ensure the IT organization is capable of supporting this business objective, what should the CIO do FIRST?
A. Request an assessment of current in-house mobile technology skills.
B. Create a sense of urgency with the IT team that mobile knowledge is mandatory.
C. Procure contractors with experience in mobile application development.
D. Task direct reports with creating training plans for their teams.
Answer: A. Request an assessment of current in-house mobile technology skills.
Before the CIO can commit the IT organization to the CEO's 12-month mandate, its current capability must be known. A skills assessment evaluates the existing knowledge, experience and competence of the IT staff in developing, deploying and maintaining mobile applications and services, and identifies the gaps that any subsequent plan must close. Creating a sense of urgency (B) is a motivational step rather than a governance step: it communicates the priority of the mandate and may encourage staff to learn, but it provides no analysis of the organization's capability and no improvement plan. Procuring contractors (C) is an implementation decision: contractors can supplement in-house skills and accelerate delivery, but they do not address the long-term sustainability or scalability of the IT organization's own mobile capability, and without an assessment the CIO cannot know which skills need to be bought in. Tasking direct reports with training plans (D) is a subsequent step: effective, targeted training requires a clear understanding of both the current state and the desired state of the staff's skills, which is exactly what the assessment provides. References: Top 15 In-Demand Technology Skills (Plus Definition), Mobile Development section; How to Develop Mobile Technology Skills | Career Trend, Step 1 section; How To Build A Mobile App Development Team - Forbes, Introduction section.
Question 563:
Which of the following would be the BEST way to facilitate the successful adoption of a new technology across the enterprise?
A. Ensure the use of a business case.
B. Review business goals.
C. Establish an IT balanced scorecard.
D. Highlight the risk the new technology will address.
Answer: A. Ensure the use of a business case.
The best way to facilitate the successful adoption of a new technology across the enterprise is to ensure the use of a business case, because it justifies the need, benefits and value of the new technology and secures the support and commitment of the stakeholders. A business case should state the objectives, scope, requirements, costs, risks and expected outcomes of the new technology, and how it aligns with the enterprise's vision, mission, goals and strategy. It should also provide a clear roadmap and plan for implementing and managing the technology, and for measuring and evaluating its performance and impact.
Question 564:
A company is considering selling products online, and the CIO has been asked to advise the board of directors of potential problems with this strategy. Which of the following is the CIO's BEST course of action?
A. Review the security framework.
B. Conduct a return on investment (ROI) analysis.
C. Review the enterprise architecture (EA).
D. Perform a risk assessment.
Answer: D. Perform a risk assessment.
A risk assessment is the process of identifying, analyzing and evaluating the potential risks that may affect the achievement of an objective, here selling products online. It lets the CIO advise the board of the threats, vulnerabilities and impacts that the online sales strategy may introduce, such as cyberattacks, data breaches, payment fraud, legal and regulatory compliance, customer satisfaction and reputation, and to recommend appropriate risk responses (avoid, reduce, transfer or accept). The other options are narrower and do not address the potential problems of the strategy in a holistic and systematic way. Reviewing the security framework may help ensure the online sales platform is secure and resilient, but it ignores business, legal and operational risk. An ROI analysis estimates the financial benefits and costs of the strategy, but does not account for the uncertainty and variability that risk introduces. Reviewing the EA helps align the strategy with business goals and capabilities, but does not assess the likelihood and consequences of the risks involved.
Question 565:
An IT team is having difficulty meeting new demands placed on the department as a result of a major and radical shift in enterprise business strategy. Which of the following is the CIO's BEST course of action to address this situation?
A. Utilize third parties for non-value-added processes.
B. Align the business strategy with the IT strategy.
C. Review the current IT strategy.
D. Review the IT risk appetite.
Answer: B. Align the business strategy with the IT strategy.
The CGEIT exam content outline lists "Governance Strategy Alignment with Enterprise Objectives" as a subtopic of the Governance of Enterprise IT domain. It covers ensuring that the IT strategy is aligned with the business strategy and supports the achievement of enterprise goals and objectives. When the business strategy shifts radically, the IT strategy that was built around the old strategy no longer fits, so the CIO's best course of action is to bring the two strategies into alignment; this is what enables the IT team to meet the new demands and deliver value to the enterprise. Merely reviewing the current IT strategy (C) is a step within that alignment, not the outcome. References: CGEIT Exam Content Outline | ISACA.
Question 566:
Which of the following should be the CIO's GREATEST consideration when making changes to the IT strategy?
A. Has the impact to the enterprise architecture (EA) been assessed?
B. Has the investment portfolio been revised?
C. Have key stakeholders been consulted?
D. Have IT risk metrics been adjusted?
Answer: C. Have key stakeholders been consulted?
The CIO's greatest consideration when changing the IT strategy should be whether key stakeholders have been consulted, because they are the parties affected by and involved in the strategy. Key stakeholders include the business functions, customers, suppliers, partners, regulators and employees who depend on or contribute to IT value delivery. Consulting them helps ensure that the revised IT strategy is aligned with the business strategy and objectives and meets stakeholder needs and expectations; it also surfaces feedback and suggestions, builds buy-in and support, and identifies risks, issues or opportunities arising from the change. Assessing the EA impact, revising the investment portfolio and adjusting risk metrics (A, B, D) are consequences of the changed strategy and follow from the stakeholder consultation rather than precede it. References: IT Strategy: What is it?; How to create an effective IT strategy in 2022; IT Strategy Stakeholder Engagement; IT Strategy: A 3-step Plan.
Question 567:
An enterprise has lost an unencrypted backup tape of archived customer data. A data breach report is not mandatory in the relevant jurisdiction. From an ethical standpoint, what should the enterprise do NEXT?
A. Initiate disciplinary proceedings against relevant employees.
B. Mandate a review of backup tape inventory procedures.
C. Communicate the breach to customers.
D. Require an evaluation of storage facility vendors.
Answer: C. Communicate the breach to customers.
From an ethical standpoint, the enterprise should communicate the breach to customers, because they have a right to know that their personal data has been compromised and may be at risk of identity theft, fraud or other malicious activity. Because the tape was unencrypted, whoever holds it can read the archived records, so the loss cannot be treated as a mere inventory problem. Even where a breach report is not legally mandatory, the enterprise has a duty to respect the privacy and dignity of its customers and to be transparent and accountable for its actions. Prompt communication also helps preserve trust and reputation and mitigates the potential legal and financial consequences of the breach. Some data ethics commentators argue that breaches should be treated like public health issues, with organizations taking a proactive, responsible approach to informing and protecting their customers. Accepted breach communication practices include: notifying customers as soon as possible; giving clear and accurate information about the nature and extent of the breach; explaining what the enterprise is doing to remedy the situation and prevent recurrence; offering assistance and support to affected customers, such as identity protection or credit monitoring services; and apologizing sincerely while committing to better data handling. Reviewing inventory procedures, evaluating vendors and disciplining staff (B, D, A) are legitimate follow-up actions, but they address the root cause and accountability rather than the customers who are currently exposed. References: Data ethics: What it means and what it takes | McKinsey; The Skeleton of a Data Breach: The Ethical and Legal Concerns; Data breaches: A public health issue? | TheHill; How to Communicate a Data Breach Effectively - IT Governance Blog.
Question 568:
From a governance perspective, the PRIMARY goal of an IT risk optimization process should be to ensure:
A. IT risk thresholds are defined in the enterprise architecture (EA).
B. the IT risk mitigation strategy is approved by management.
C. IT risk is mapped to the balanced scorecard.
D. the impact of IT risk to the enterprise is managed.
Answer: D. the impact of IT risk to the enterprise is managed.
From a governance perspective, the primary goal of an IT risk optimization process is to ensure that the impact of IT risk to the enterprise is managed in alignment with the enterprise risk management (ERM) framework and the enterprise objectives. IT risk optimization is not only about defining thresholds, approving strategies or mapping metrics; those are means. The end is that IT risk is effectively mitigated, monitored and communicated so that it supports, rather than undermines, the achievement of enterprise goals. References: CGEIT Exam Content Outline, Domain 4: Risk Optimization; Certified in Governance of Enterprise IT (CGEIT) Course, Learning Tree.
Question 569:
Which of the following will BEST enable an IT steering committee to monitor the achievement of overall IT objectives on a continuous basis?
A. Defined service level agreements (SLAs)
B. Project portfolio dashboards
C. Key performance indicators (KPIs)
D. IT user survey results
Answer: C. Key performance indicators (KPIs)
Key performance indicators (KPIs) best enable an IT steering committee to monitor the achievement of overall IT objectives on a continuous basis. KPIs are metrics that measure the progress and outcomes of IT activities, processes and projects against the enterprise's vision, strategy and goals. They let the committee assess and communicate the effectiveness and efficiency of IT operations, services and initiatives, and their contribution to customer satisfaction, business value and innovation; they also reveal gaps in IT performance or alignment and support evaluation and improvement of IT governance and management practices. Performance Measurement Metrics for IT Governance provides an overview of KPIs and their benefits for IT governance.
The other options are useful but narrower. Defined SLAs specify the scope, standards and expectations of IT service delivery and the roles, responsibilities and rights of provider and recipient; they help ensure services meet the business units' quality and availability requirements and allow service performance and compliance to be measured, but they cover service delivery rather than overall IT objectives. Project portfolio dashboards display the status, progress and performance of IT projects (scope, schedule, budget, risks, issues) in a visual form, but they report on projects, not on objectives as a whole. IT user survey results are feedback collected from end users through questionnaires or interviews; they help gauge and improve user satisfaction and identify user needs, but they are periodic and subjective rather than continuous.
Question 570:
An IT department has forwarded a request to the IT strategy committee for funding of a discretionary investment. The committee's MOST important consideration should be to evaluate:
A. the technical feasibility of the investment.
B. the business and technical scope of the investment.
C. whether the investment supports corporate goals.
D. whether the investment aligns with the enterprise architecture (EA).
Answer: C. whether the investment supports corporate goals.
Discretionary investments are those that are not mandatory or essential for the business but may provide benefits or opportunities. Because nothing compels the spend, the IT strategy committee's most important criterion is whether the investment supports the corporate goals and aligns with the business strategy; this is the basis for IT governance and value creation. Technical feasibility, business and technical scope, and alignment with the EA are also important, but they are secondary to the strategic alignment and value proposition of the investment: an investment that is feasible and architecturally consistent but does not advance a corporate goal should still not be funded. References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pp. 92-93; Rethinking traditional technology budgeting processes; Discretionary Investment Management Definition, Benefits and Risks.
Certification exams are increasingly important and increasingly required by enterprises when hiring. But how do you prepare for the exam effectively, in a short time and with less effort? How do you get a good result, and where do you find reliable resources? Vcedump.com provides not only Isaca exam questions, answers and explanations but also assistance with your exam preparation and certification application. If you are unsure about your CGEIT exam preparation or the Isaca certification application process, visit Vcedump.com.