Isaca CGEIT Online Practice Questions and Exam Preparation
CGEIT Exam Details
Exam Code: CGEIT
Exam Name: Certified in the Governance of Enterprise IT
Certification: Isaca Certifications
Vendor: Isaca
Total Questions: 666 Q&As
Last Updated: May 30, 2026
Isaca CGEIT Online Questions & Answers
Question 581:
Which of the following would be the BEST way to facilitate the adoption of strong IT governance practices throughout a multi-divisional enterprise?
A. Ensuring each divisional policy is consistent with corporate policy
B. Ensuring divisional governance fosters continuous improvement processes
C. Mandating data standardization across the distributed enterprise
D. Documenting and communicating key management practices across divisions

Answer: D. Documenting and communicating key management practices across divisions

Documenting and communicating key management practices across divisions is the best way to facilitate the adoption of strong IT governance practices throughout a multi-divisional enterprise. This helps ensure that all divisions are aware of and aligned with the corporate IT governance framework, policies, and standards. It also promotes collaboration, coordination, and consistency among the divisions, as well as transparency, accountability, and trust. According to one of the web search results, "communication is a critical success factor for IT governance implementation" and "effective communication can help to create a shared understanding of IT governance objectives, roles, responsibilities, and benefits among stakeholders." Ensuring each divisional policy is consistent with corporate policy, ensuring divisional governance fosters continuous improvement processes, and mandating data standardization across the distributed enterprise are not the best ways to facilitate adoption. They are more likely to be part of the implementation or improvement of IT governance practices than of their facilitation, and they may meet resistance from divisions with different business needs, cultures, or preferences.

References: IT Governance Practices For Improving Strategic And Operational ...
Question 582:
Which of the following is the PRIMARY consideration when developing an information asset management program?
A. Operational requirements
B. Industry best practice
C. Cost benefit
D. Regulatory requirements

Answer: D. Regulatory requirements

Regulatory requirements are the rules and standards that an organization must follow to comply with the laws and regulations that apply to its industry, sector, or jurisdiction. They can affect how an organization manages its information assets, such as data, documents, records, and reports. Information assets are valuable and sensitive resources that need to be protected from unauthorized access, use, disclosure, modification, or destruction. Regulatory requirements can specify how information assets should be classified, labeled, handled, stored, transmitted, retained, disposed of, and audited. Failing to comply with them can result in legal penalties, reputational damage, financial losses, or operational disruptions. Therefore, regulatory requirements are the primary consideration when developing an information asset management program. The other options are not the primary consideration, although they may be relevant or important factors. Operational requirements are the needs and expectations of the organization and its stakeholders for how information assets should support its business processes and objectives. Industry best practices are the methods and techniques that have proven effective and efficient in managing information assets in a similar context or domain. Cost benefit is the analysis of the advantages and disadvantages of investing in an information asset management program in terms of resources, time, and money. These options are all secondary or subordinate to regulatory requirements, because they do not have the same legal or mandatory force. An organization can choose to adapt or modify its operational requirements, industry best practices, or cost benefit analysis based on its situation and preferences, but it cannot ignore or violate its regulatory requirements without consequences.

References:
1: https://www.cio.com/article/202183/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html
2: https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/
3: https://www.csoonline.com/article/570281/csos-ultimate-guide-to-security-and-privacy-laws-regulations-and-compliance.html
4: https://www.gartner.com/en/information-technology/glossary/operational-requirements
5: https://www.isaca.org/resources/isaca-journal/issues/2023/volume-2/what-is-best-practice-in-information-security
6: https://www.investopedia.com/terms/c/cost-benefitanalysis.asp
Question 583:
A large enterprise is implementing an information security policy exception process. The BEST way to ensure that security risk is properly addressed is to:
A. confirm process owners' acceptance of residual risk.
B. perform an internal and external network penetration test.
C. obtain IT security approval on security policy exceptions.
D. benchmark policy against industry best practice.

Answer: A. confirm process owners' acceptance of residual risk.

The best way to ensure that security risk is properly addressed when implementing an information security policy exception process is to confirm process owners' acceptance of residual risk. Residual risk is the risk that remains after applying controls or mitigating measures to reduce the original risk. Process owners are the individuals or groups responsible for the design, execution, and performance of a business process. By confirming process owners' acceptance of residual risk, the enterprise can ensure that the security risk associated with the policy exception is understood, acknowledged, and agreed upon by the relevant stakeholders. This also helps assign accountability and liability for the potential consequences of the policy exception, and supports monitoring and review of the risk level and the effectiveness of the controls or mitigating measures. The other options are not as effective. Performing an internal and external network penetration test is a useful technique for identifying vulnerabilities in the network infrastructure, but it does not address the specific security risk related to the policy exception. Obtaining IT security approval on security policy exceptions is a necessary step for validating and authorizing the exception, but it does not ensure that the process owners are aware of and accept the residual risk. Benchmarking policy against industry best practice is a good practice for comparing and improving policy quality and performance, but it does not address the security risk associated with the policy exception.
Question 584:
Which of the following would BEST enable business innovation through IT?
A. Outsourcing of IT to a strategic business partner
B. Business participation in IT strategy development
C. Adoption of a standardized business development life cycle
D. IT participation in business strategy development

Answer: D. IT participation in business strategy development

Business innovation is the process of creating new or improved products, services, processes, or business models that create value for the organization and its customers. IT can enable business innovation by providing the tools, platforms, data, and capabilities that support the generation, implementation, and diffusion of innovative ideas. However, IT alone cannot drive business innovation; it requires close collaboration and alignment between IT and the business. Therefore, IT participation in business strategy development is the best way to enable business innovation through IT, because it helps ensure that IT understands the business goals and needs, contributes to the identification and evaluation of opportunities and challenges, provides feasible and effective solutions and recommendations, and supports the execution and monitoring of innovation initiatives.

References: How to Drive Business Innovation Through IT; How to Enable Business Innovation with IT; Business Innovation: What It Is and How to Achieve It.
Question 585:
Which of the following is the PRIMARY purpose of information governance?
A. To develop control procedures that help ensure information is adequately protected throughout its life cycle
B. To monitor the processes that deliver and enhance the value of information assets
C. To set direction for information management capabilities through prioritization and decision making
D. To ensure regulatory compliance is maintained while optimizing the utilization of information

Answer: C. To set direction for information management capabilities through prioritization and decision making

The PRIMARY purpose of information governance is to set direction for information management capabilities through prioritization and decision making. Information governance is the overall strategy for information at an organization. It balances the risk that information presents with the value that information provides, and it helps with legal compliance, operational transparency, and reducing expenditures associated with legal discovery. To achieve this, information governance requires setting direction for information management capabilities through prioritization and decision making. This involves defining and implementing policies and processes for the effective and efficient acquisition, storage, distribution, usage, and disposal of information in alignment with business objectives and regulatory requirements. It also involves ensuring the protection of information quality, integrity, availability, confidentiality, and ownership. By setting this direction, information governance helps optimize the value and minimize the risk of information assets.

References: Information governance - Wikipedia; What is Information Governance? Why is it Important?
Question 586:
What should be done FIRST when feedback indicates recently implemented software products are not meeting business unit expectations?
A. Review help desk logs.
B. Confirm user acceptance testing (UAT) was completed.
C. Request a gap analysis.
D. Institute a new software training program.

Answer: C. Request a gap analysis.

A gap analysis is a method of assessing the differences in performance between a business's information systems or software applications to determine whether business requirements are being met and, if not, what steps should be taken to ensure they are met. A gap analysis typically involves identifying non-compliant processes or activities; assessing their risk levels; determining potential corrective actions to address them; and implementing those corrective measures. Once completed, organizations can measure their progress toward full compliance over time. A gap analysis should be done first when feedback indicates recently implemented software products are not meeting business unit expectations, because it helps identify the root causes of the dissatisfaction, the gaps between the current and desired state of the software products, and the actions needed to close those gaps. It can also help align the software products with the business strategy, goals, and expectations, and ensure compliance with regulations and policies. Reviewing help desk logs, confirming UAT was completed, and instituting a new software training program are also important steps when software products are not meeting expectations, but they are not the first step. Reviewing help desk logs helps gather feedback and identify issues or errors with the software products, but it does not provide a comprehensive analysis of the gaps and solutions. Confirming UAT was completed verifies that the software products were tested by the end users before implementation, but it does not address the reasons why the feedback was negative after implementation. Instituting a new software training program can improve the users' skills and knowledge of the software products, but it does not guarantee that the products will meet their needs and expectations.

References: What is Gap Analysis in Compliance | Scytale; How to Perform an IT Gap Analysis - Systems X; IT Gap Analysis: First Step to ITIL Success | Invensis Learning.
Question 587:
An enterprise can BEST assess the benefits of a new IT project through its life cycle by:
A. calculation of the total cost of ownership.
B. periodic review of the business case.
C. periodic measurement of the project slip rate.
D. calculation of the net present value (NPV).

Answer: B. periodic review of the business case.

A business case is a document that outlines the rationale, objectives, benefits, costs, risks, and alternatives of a proposed IT project. It should be reviewed periodically throughout the project life cycle to ensure that the project is still aligned with the enterprise's strategy and goals, and that the expected benefits are still achievable and realistic. A periodic review of the business case also helps identify any changes or issues that may affect the project's scope, schedule, budget, or quality, and to take corrective actions accordingly.

References: ISACA, CGEIT Review Manual, 7th Edition, 2019, page 77; A guide to measuring benefits effectively; Cost-Benefit Analysis: A Quick Guide with Examples and Templates.
Question 588:
Which of the following would provide the MOST useful information to measure the alignment of IT with the enterprise?
A. Balanced scorecard
B. Control self-assessment (CSA)
C. Gap analysis
D. Audit reports

Answer: A. Balanced scorecard

A balanced scorecard is a strategic management tool that measures the alignment of IT with the enterprise using four perspectives: financial, customer, internal process, and learning and growth. It helps translate the enterprise vision and strategy into IT objectives, measures, targets, and initiatives, and it helps monitor and evaluate IT performance and value delivery in relation to the enterprise goals and stakeholder expectations. A balanced scorecard provides a comprehensive and balanced view of the IT contribution to enterprise success. The other options are not as useful for measuring the alignment of IT with the enterprise, because they are either too narrow or too subjective. A control self-assessment (CSA) is a technique in which staff participate in assessing the effectiveness of internal controls and risk management processes; it can provide some insight into IT alignment, but it is not a systematic or holistic approach. A gap analysis compares the current state and the desired state of a process or system and identifies the gaps that need to be addressed; it can help improve IT alignment, but it is not a measurement tool. Audit reports present the findings and opinions of an independent auditor on the adequacy and compliance of an audited entity; they can provide some evidence of IT alignment, but they are not a comprehensive or consistent measure.

References: The art of measurement in enterprise and business architecture; Benchmarking strategic alignment of business and IT strategies; The Importance of Business and IT Alignment; 7 ways to effectively ensure IT-business alignment.
Question 589:
A board of directors has just received a report indicating that only a small number of IT initiatives have been completed on time and within budget. A third of the projects were cancelled prior to completion, and more than half will cost almost double their original estimates. An analysis has determined that no one is held responsible for the completion of investment initiatives, and there is no consistency in execution. Which of the following would BEST help the enterprise address these problems?
A. Establishing a project governance framework
B. Assigning business management to an IT investment review board
C. Establishing an IT risk management plan
D. Aligning IT investment priorities to the business

Answer: A. Establishing a project governance framework

A project governance framework is a set of principles, policies, roles, responsibilities, and processes that guide, direct, and control the initiation, planning, execution, monitoring, and closure of IT projects. It can help the enterprise address the problems of poor project performance, lack of accountability, and inconsistency in execution by:
- Providing a clear and consistent structure for managing IT projects across the enterprise
- Aligning IT projects with the strategic objectives and priorities of the enterprise
- Defining the roles and responsibilities of the project stakeholders, including the board of directors, senior management, project sponsors, project managers, project teams, and end users
- Establishing the criteria and methods for selecting, prioritizing, approving, and funding IT projects
- Setting the standards and expectations for project planning, execution, quality, risk management, communication, and reporting
- Implementing the mechanisms and tools for monitoring, controlling, evaluating, and reviewing IT project performance and outcomes
- Ensuring the accountability and transparency of IT project decisions and results

References: According to the CGEIT Review Manual 2022, "Project governance is a subset of IT governance that provides a framework for managing IT projects. Project governance ensures that IT projects are aligned with business objectives; are delivered on time, within budget, and with acceptable quality; and are managed in a consistent and transparent manner." According to the ISACA article Project Governance: An Essential Element of Project Management Success, "Project governance is an empowering aspect of the project management office (PMO) infrastructure management. It enables effective decision making by providing clarity on roles and responsibilities; it also provides a framework for escalation management." According to the PMI article Project Governance: What You Need to Know, "Project governance is a critical element of any project since it provides a framework for accountabilities and responsibilities associated with an organization's capital investments (projects). It is defined as an integrated framework of processes and tools that address matters essential to successful project delivery."
Question 590:
When an enterprise plans to deploy mobile device technologies, it is MOST important for leadership to ensure that:
A. Users agree to an acceptable use policy
B. Appropriate controls are implemented
C. The IT policy addresses mobile devices
D. The project management office (PMO) is engaged

Answer: B. Appropriate controls are implemented

Implementing appropriate controls is the most critical leadership responsibility when deploying mobile technologies. Controls cover access, encryption, monitoring, and loss prevention, addressing core risks such as data leakage and unauthorized access. Acceptable use and policy alignment are necessary, but controls ensure security and compliance in practice.

References: CGEIT Review Manual, Domain 4: Risk Optimization; COBIT 2019: DSS05 (Manage Security Services), APO13 (Manage Security).
Nowadays, certification exams are becoming more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Isaca exam questions, answers, and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CGEIT exam preparation or Isaca certification application, do not hesitate to visit Vcedump.com to find your solutions.