Isaca CGEIT Online Practice Questions and Exam Preparation

CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026

Isaca CGEIT Online Questions & Answers
Question 571:
A newly hired IT director of a large international enterprise has been asked to provide periodic updates regarding IT risk to the board. Which of the following is the MOST effective way to initially address this request?
A. Include a complete IT risk register in the monthly letter given to each board member.
B. Include key IT risks in a dashboard submitted to the board quarterly.
C. Submit a register of all IT audit findings to board members monthly.
D. Schedule quarterly meetings to discuss all open IT risks.
Correct Answer: B. Include key IT risks in a dashboard submitted to the board quarterly.
According to the ISACA paper on Tactics for Effectively Communicating Cybersecurity Risk to Boards of Directors, the most effective way to initially address the request of providing periodic updates regarding IT risk to the board is to include key IT risks in a dashboard submitted to the board quarterly. A dashboard is a visual tool that can help the board members quickly understand the current status and trends of IT risk, as well as the actions taken or planned to mitigate them. A dashboard should be concise, clear, consistent and relevant, and should highlight the most significant IT risks that could impact the enterprise's objectives and performance. A dashboard should also align with the enterprise's risk appetite and tolerance, and provide recommendations for improvement or escalation. The other options are not as effective as a dashboard, as they may be too detailed, too frequent, too narrow or too reactive for the board's needs.
Question 572:
An internal audit revealed a widespread perception that the enterprise's IT governance reporting lacks transparency. Which of the following should the CIO do FIRST?
A. Add stakeholder transparency metrics to the balanced scorecard.
B. Develop a communication and awareness strategy.
C. Meet with key stakeholders to understand their concerns.
D. Adopt an industry-recognized template to standardize reports.
Correct Answer: C. Meet with key stakeholders to understand their concerns.
The CIO should first meet with key stakeholders to understand their concerns about the IT governance reporting transparency. This will help the CIO to identify the root causes of the perception, the expectations and needs of the stakeholders, and the gaps and issues in the current reporting process. Meeting with key stakeholders will also help to build trust and rapport, and to solicit feedback and suggestions for improvement. The CIO can then use this information to develop a communication and awareness strategy, adopt a standard template, and add transparency metrics to the balanced scorecard. These actions will help to enhance the transparency, consistency, and quality of the IT governance reporting, and to address the stakeholder concerns effectively. References: How Boards Realise IT Governance Transparency: A Study Into Current Practice of the COBIT EDM05 Process, Page 1.
Question 573:
Which of the following is the PRIMARY benefit of communicating the IT strategy across the enterprise?
A. On-time and on-budget delivery of strategic projects
B. Improvement in IT balanced scorecard performance
C. Optimization of IT investment in supporting business objectives
D. Reduced organizational resistance during strategy execution
Correct Answer: D. Reduced organizational resistance during strategy execution
According to the web search results, the primary benefit of communicating the IT strategy across the enterprise is to reduce organizational resistance during strategy execution. This is because communication can help to create a shared understanding and vision of the IT strategy, and to foster trust and commitment among the stakeholders. Communication can also help to address the concerns and expectations of different groups, and to overcome the barriers and challenges that may arise during the implementation of the IT strategy. The other options are less important than option D, as they are not directly related to communication, but rather to other factors such as project management, performance measurement, and investment optimization. References: How to Communicate Your Company's Strategy Effectively
Question 574:
When evaluating the process for acquiring third-party IT resources, management identified several suppliers with repeated downtime issues impacting the enterprise. Which of the following is the BEST approach to help ensure future service delivery in accordance with business objectives?
A. Establish key performance indicators (KPIs).
B. Appoint a procurement oversight committee.
C. Establish key risk indicators (KRIs).
D. Implement contract monitoring.
Correct Answer: D. Implement contract monitoring.
The best approach to help ensure future service delivery in accordance with business objectives is to implement contract monitoring, because this would enable the enterprise to measure and evaluate the performance and compliance of the third-party IT suppliers, and identify and resolve any issues or gaps that may affect the service quality, availability, and reliability. Contract monitoring should involve defining and tracking key performance indicators (KPIs), key risk indicators (KRIs), service level agreements (SLAs), and contractual obligations, and applying corrective actions or penalties when necessary. References: ISACA, CGEIT Review Manual, 7th Edition, 2019, pages 67-68.
Question 575:
When developing a framework to implement IT governance, which of the following BEST contributes to the successful implementation?
A. Practical and enforceable policies
B. Automated compliance tracking
C. Comprehensive and timely audit reviews
D. Periodic peer reviews
Correct Answer: A. Practical and enforceable policies
Practical and enforceable policies are the best way to contribute to the successful implementation of a framework to implement IT governance, as they provide clear and consistent guidance and direction for IT activities, processes, and decisions. Practical and enforceable policies are based on the enterprise's strategy, goals, and values, as well as the relevant regulations and standards. Practical and enforceable policies also define the roles, responsibilities, and authorities of the IT stakeholders, as well as the mechanisms for monitoring, measuring, and reporting on IT performance and compliance. Practical and enforceable policies can help ensure that IT governance is effective, efficient, and aligned with the business needs and expectations.
Automated compliance tracking, comprehensive and timely audit reviews, and periodic peer reviews are also useful ways to support the implementation of a framework to implement IT governance, but they are not the best way. Automated compliance tracking is a process that uses software tools or systems to collect, analyze, and report on IT compliance data, such as policies, standards, controls, risks, incidents, or issues. Automated compliance tracking can help reduce the time and effort required for IT compliance management, as well as improve the accuracy and reliability of IT compliance information. Comprehensive and timely audit reviews are assessments that evaluate the adequacy and effectiveness of IT governance, management, and operations. Comprehensive and timely audit reviews can help identify and address any weaknesses or gaps in IT governance, as well as provide recommendations for improvement. Periodic peer reviews are evaluations that compare the IT governance practices of an enterprise with those of its peers or competitors. Periodic peer reviews can help benchmark and improve the IT governance performance of an enterprise, as well as identify best practices or opportunities for innovation.
References: IT Governance: Definitions, Frameworks and Planning - ProjectManager; What is IT governance? A formal way to align IT and business strategy; What is IT Governance (ITG) and why does it matter? - IFS Blog; IT Governance Framework - CIO Wiki; What is IT Governance? How to Implement | Electric.
Question 576:
An organization has decided to integrate IT risk with the enterprise risk management (ERM) framework. The FIRST step to enable this integration is to establish:
A. a common risk management taxonomy.
B. a common risk organization.
C. common key risk indicators (KRIs).
D. common risk mitigation strategies.
Correct Answer: A. a common risk management taxonomy.
A common risk management taxonomy is a set of terms and definitions that are used consistently across the enterprise to describe, measure, and report on risks. A common risk management taxonomy is essential for integrating IT risk with the ERM framework, as it enables a common understanding of risk concepts, categories, and levels among different stakeholders and functions. A common risk management taxonomy also facilitates the aggregation and comparison of risks across the enterprise, and supports the alignment of risk appetite and tolerance with business objectives. References: 1: Integrated Enterprise IT Risk Management (ERM) Programs - CohnReznick; 2: Introducing Risk Taxonomy - ISACA
Question 577:
Within a governance structure for risk management, which of the following activities should be performed by the second line of defense?
A. Conducting internal and external audits
B. Implementing controls to manage risk
C. Monitoring risk and controls
D. Identifying and assessing risk
Correct Answer: C. Monitoring risk and controls
Within a governance structure for risk management, the second line of defense is primarily responsible for monitoring risk and controls. This function involves overseeing the effectiveness of the first line of defense (operational management and control implementation) and ensuring that risk management practices are properly integrated into business processes. It serves as a check on the adequacy and effectiveness of risk management across the organization. While conducting audits is a function of the third line of defense (internal audit), and identifying and assessing risk is often a shared responsibility, the distinct role of the second line is to provide ongoing monitoring and oversight of risk management and control processes.
Question 578:
Which of the following is MOST relevant to report to the board of directors regarding the execution of IT strategy?
A. Service level agreements (SLAs) for outsourced IT initiatives
B. Total IT spend from all current IT initiatives
C. Realization of benefits in the business case
D. IT strategy risk metrics related to critical services and projects
Correct Answer: C. Realization of benefits in the business case
Boards are most concerned with whether IT investments are delivering the expected value and business outcomes. Thus, the realization of benefits in the business case is the most relevant indicator of IT strategy execution effectiveness. Risk metrics, SLAs, and spending detail are important but do not directly measure success in achieving strategic outcomes. References: CGEIT Review Manual: Domain 3 (Benefits Realization); COBIT 2019: EDM02 (Ensure Benefits Delivery).
Question 579:
An enterprise has decided to invest in Internet of Things (IoT) technology as part of its strategic plan. Which of the following presents the GREATEST risk to consider as part of the technical risk management process?
A. Device vulnerabilities
B. Technology integration
C. Device performance
D. Technology obsolescence
Correct Answer: A. Device vulnerabilities
Device vulnerabilities represent the greatest technical risk in IoT implementations. IoT devices often have limited security features, can be difficult to patch, and may be deployed in large numbers, making them a common attack vector. Integration and obsolescence matter, but vulnerabilities directly impact data protection, system integrity, and compliance, posing an immediate and high-priority risk. References: CGEIT Review Manual: Domain 4 (Risk Optimization); COBIT 2019: DSS05 (Manage Security Services), APO12 (Manage Risk).
Question 580:
Which of the following are the MOST important processes for information asset life cycle management?
A. Procurement management and third-party management
B. Configuration management and financial management
C. Vulnerability management and network management
D. Business continuity management and disaster recovery management
Correct Answer: D. Business continuity management and disaster recovery management
Business continuity management (BCM) and disaster recovery management (DRM) are the most important processes for information asset life cycle management, as they ensure the availability, integrity, and security of information assets in the event of a disruption or disaster. BCM and DRM involve identifying the critical information assets, assessing the potential threats and impacts, developing and implementing plans and procedures to prevent, respond to, and recover from incidents, testing and reviewing the plans and procedures regularly, and ensuring the alignment of the plans and procedures with the business objectives and stakeholder expectations. BCM and DRM help protect the information assets from loss, damage, corruption, theft, or unauthorized access, and enable the organization to resume its normal operations as quickly as possible after a disruption or disaster.