Free Practice Questions for Isaca CGEIT Exam

Data loss prevention (DLP) is a set of tools and processes that aim to prevent the unauthorized disclosure, misuse, or theft of sensitive data. DLP can help to minimize the potential mishandling of customer personal information in a system located in a country with strict privacy regulations by detecting and blocking any attempts to access, copy, or transfer the data without proper authorization or consent. References := CGEIT Review Manual, Chapter 4: Risk Optimization, Section 4.2: IT Risk Management Processes, Subsection 4.2.3: Risk Response, Page 155.

When deciding to develop a system with sensitive data, the MOST important thing to include in a business case is a risk assessment to determine the appropriate controls. A business case is a document that provides the rationale and justification for initiating a project or investment1. It includes information such as the objectives, scope, benefits, costs, risks, assumptions, and success criteria of the proposed project or investment2. A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and impacts that could affect the project or investment3. A risk assessment can help to:

Identify the sources and types of risks associated with developing a system with sensitive data, such as data breaches, data loss, data corruption, unauthorized access, compliance violations, etc.4

Analyze the likelihood and severity of the risks occurring and their consequences on the project or investment5

Evaluate the current and planned controls to mitigate or prevent the risks, such as encryption, access control, data backup, data activity monitoring, etc.

Prioritize the risks and controls based on their importance and urgency

Communicate and document the risks and controls to stakeholders and decision-makers

Therefore, a risk assessment to determine the appropriate controls is essential for developing a business case for a system with sensitive data, as it can help to demonstrate the feasibility, viability, and desirability of the project or investment.

The other options are not as important as option A. While it is useful to have an updated enterprise architecture (EA), a skills gap analysis, and the additional cost of encrypting sensitive data, these are more operational and tactical aspects that can be determined later in the implementation phase. They are not critical for developing a business case for a system with sensitive data, which should focus more on the strategic direction and value proposition of the project or investment. References :=

How to Write a Business Case - ProjectManager.com2

Business Case Development - Project Management Institute1

What is Risk Assessment? Definition & Examples | ASQ3

Data Security: How to Secure Sensitive Data - DATAVERSITY4

Risk Analysis: Definition & Examples | ASQ5

Data access control and data activity monitoring - IBM Cloud …

Risk Evaluation: Definition & Examples | ASQ

Risk Communication: Definition & Examples | ASQ

 The first step to address the issue of inconsistent enforcement of the enterprise’s mobile device acceptable use policy is to review the relevance of the existing policy. A mobile device acceptable use policy is a document that defines the rules and guidelines for using mobile devices, such as smartphones, tablets, and laptops, in the enterprise environment. The policy should cover aspects such as device ownership, security, privacy, compliance, and acceptable and unacceptable behaviors1. A review of the existing policy can help to identify any gaps, inconsistencies, or ambiguities that may cause confusion or non-compliance among the users. The review can also help to ensure that the policy reflects the current business needs, objectives, and risks of the enterprise, as well as the best practices and standards for mobile device management2. By reviewing the relevance of the existing policy, the enterprise can update and improve the policy to make it more clear, comprehensive, and effective. References:

Acceptable Use Policy for Mobile Security for Businesses | Interplay

The essential guide to establishing a mobile device policy - Hexnode Blogs

The most critical activity for reducing the impact caused by IT staff turnover is to document processes and procedures, as this can help preserve the knowledge and experience of the existing IT staff, as well as facilitate the training and orientation of the new IT staff. Documenting processes and procedures can also help standardize and improve the quality and efficiency of IT operations, services, and projects, as well as ensure compliance with regulations and policies. Documenting processes and procedures can also help define and clarify the roles and responsibilities of the IT staff, as well as the expectations and requirements of the business units.

Outsourcing the IT operation, increasing compensation for IT staff, and hiring temporary staff are possible activities for addressing the IT staff turnover issue, but they are not the most critical activity. Outsourcing the IT operation may reduce the dependency on internal IT staff, but it may also introduce new risks and challenges for IT governance and management, such as vendor selection, contract negotiation, service level agreement (SLA) monitoring, and data security. Increasing compensation for IT staff may improve the retention and motivation of the existing IT staff, but it may also increase the operational costs and budget constraints of the IT department. Hiring temporary staff may fill the gaps or shortages in IT skills or resources, but it may also affect the continuity and consistency of IT service delivery, as well as the integration and collaboration of IT teams.

The value of an enterprise’s information asset base is the amount of benefits or advantages that the enterprise can derive from its information assets, such as data, documents, records, and reports. Information assets are valuable and sensitive resources that need to be protected, managed, and used effectively and efficiently to support and achieve the enterprise’s objectives and goals1. To maximize the value of an enterprise’s information asset base, the best way is to seek additional opportunities to leverage existing information assets. This means finding new or innovative ways to use or reuse the information assets to create more value for the enterprise, such as improving performance, quality, customer satisfaction, innovation, or competitive advantage23. For example, an enterprise can leverage its existing information assets by analyzing them to generate insights, combining them to create new products or services, sharing them with partners or stakeholders to enhance collaboration, or monetizing them to generate revenue23.

The other options are not the best ways to maximize the value of an enterprise’s information asset base. Facilitating widespread user access to all information assets may increase the availability and utilization of the information assets, but it may also compromise their confidentiality and integrity. Not all information assets are appropriate or relevant for all users, and some may contain sensitive or confidential data that need to be restricted or protected1 . Therefore, facilitating widespread user access to all information assets may not maximize their value, but rather increase their risk. Regularly purging information assets to minimize maintenance costs may reduce the storage and management expenses of the information assets, but it may also eliminate their potential value or usefulness. Not all information assets are obsolete or redundant, and some may have long-term or strategic value for the enterprise1 . Therefore, regularly purging information assets to minimize maintenance costs may not maximize their value, but rather decrease their availability. Implementing an automated information management platform may improve the efficiency and effectiveness of the information asset management process, but it may not necessarily increase the value of the information asset base. An automated information management platform is a tool or system that helps to collect, store, process, analyze, and distribute information assets. However, it does not guarantee that the information assets are used or leveraged in optimal ways to create more value for the enterprise23. Therefore, implementing an automated information management platformmay not maximize the value of the information asset base, but rather facilitate its management. References:

2: https://www.gartner.com/smarterwithgartner/why-and-how-to-value-your-information-as-an-asset

1: https://www.cio.com/article/202183/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html

3: https://www.gartner.com/en/publications/infonomics

https://advisera.com/27001academy/blog/2014/05/12/information-classification-according-to-iso-27001/

https://www.isaca.org/resources/isaca-journal/issues/2017/volume-3/it-asset-valuation-risk-assessment-and-control-implementation-model

https://www.ibm.com/topics/information-management-systems

 The FIRST step when defining responsibilities for ownership of information and systems is to require an inventory of information assets. An information asset is any data, device, or other component of the environment that supports information-related activities1. An inventory of information assets is a comprehensive list of all the information assets that an organization owns, controls, or uses2. By creating an inventory of information assets, an organization can:

Identify the types, locations, formats, and volumes of information assets3

Determine the value, sensitivity, and criticality of information assets4

Assign ownership and accountability for information assets5

Establish appropriate security controls and protection measures for information assets6

Monitor and audit the usage and lifecycle of information assets7

The other options are not as important as option D. While it is important to require an information risk assessment, identify systems that are outsourced, and ensure information is classified, these are subsequent steps that depend on the availability and accuracy of the inventory of information assets. Without an inventory of information assets, it would be difficult to perform a risk assessment, identify outsourced systems, or classify information according to its value and sensitivity. References :=

Information Asset - an overview | ScienceDirect Topics1

Information Asset Inventory - NIST CSRC2

How to Create an Information Asset Inventory - Infosec Resources3

Information Asset Valuation: A Methodology - ISACA4

Data Ownership: Considerations for Risk Management - ISACA5

Information Asset Protection - NIST CSRC6

Information Asset Management - NIST CSRC7

This is a barrier to strategic alignment of business and IT, as it creates inconsistency and fragmentation in the IT governance process across the enterprise. Strategic alignment of business and IT is the degree of fit and integration among business strategy, IT strategy, business infrastructure, and IT infrastructure1. It helps to ensure that IT supports and enables the achievement of the enterprise’s goals and objectives, and delivers value to the stakeholders1. To achieve strategic alignment, an enterprise needs to have a coherent and coordinated IT governance process that aligns IT with business goals, optimizes IT investments and resources, manages IT risks and opportunities, and measures IT performance and benefits1. However, if each business unit has its own steering committee for IT investment and prioritization, this may result in conflicting or competing IT priorities, duplication or waste of IT resources, lack of communication or collaboration among IT stakeholders, or misalignment of IT services and capabilities with business needs and expectations1. Therefore, each business unit having its own steering committee for IT investment and prioritization is a barrier to strategic alignment of business and IT.

The other options are not barriers to strategic alignment of business and IT, as they are possible enablers or indicators of strategic alignment. Uniform portfolio management is the process of selecting, prioritizing, balancing, and monitoring the IT investments and initiatives that support the enterprise’s strategic objectives and deliver value to the stakeholders2. Uniform portfolio management can help to align IT with business goals, optimize resource allocation, manage risks and dependencies, and measure performance and benefits2. IT being the exclusive provider of IT services to the business units can help to ensure that the IT services are consistent, reliable, secure, and compliant with the enterprise’s standards and policies3. The enterprise’s CIO being a member of the executive committee can help to demonstrate the strategic importance and contribution of IT to the enterprise’s success, as well as facilitate the communication and collaboration between IT and business leaders4.

Quantitative criteria are measurable and objective indicators that can be used to assess the costs, benefits, risks, and value of IT projects1. By using quantitative criteria, an enterprise can compare and prioritize different IT project proposals, justify and secure the required funding and resources, monitor and control the project progress and performance, and evaluate the actual outcomes and impacts of the project after implementation1. Quantitative criteria can also help to demonstrate the alignment of IT projects with the enterprise’s strategic objectives and goals, and to communicate the value proposition of IT projects to the stakeholders1.

The other options are not the primary reason for using quantitative criteria in developing business cases for IT projects, as they are either secondary or unrelated benefits. Benchmarking project success with similar enterprises may help to identify best practices and areas for improvement, but it is not the main purpose of using quantitative criteria. Learning lessons from errors made in past projects may help to avoid repeating mistakes and enhance project quality, but it is not the main purpose of using quantitative criteria. Applying other corporate standards to the development project may help to ensure consistency and compliance, but it is not the main purpose of using quantitative criteria.

 When prioritizing IT projects, the primary consideration for an enterprise should be the impact on the business due to expected project outcomes, because this would align the IT investments with the enterprise’s strategic objectives and value creation. The impact on the business can be assessed by using criteria such as return on investment (ROI), net present value (NPV), risk exposure, customer satisfaction, and competitive advantage12. References:= ISACA, CGEIT Review Manual, 7th Edition, 2019, page 31-32.

 Moving to a virtualized architecture will have the greatest impact on vendor management, as it will require the enterprise to select, contract, and monitor the performance of the cloud or virtualization service providers. Vendor management is essential for ensuring that the virtualized architecture meets the enterprise’s requirements, standards, and expectations, as well as for managing the risks, costs, and benefits of the virtualization strategy. Vendor management also involves negotiating and enforcing service level agreements (SLAs), ensuring compliance with regulations and policies, and resolving any issues or disputes that may arise with the vendors.

System life cycle management, asset classification, and vulnerability management are also important aspects of IT governance, but they are not as significantly affected by moving to a virtualized architecture as vendor management. System life cycle management is the process of planning, developing, testing, deploying, maintaining, and retiring IT systems. Asset classification is the process of identifying, categorizing, and labeling IT assets based on their value, sensitivity, and criticality. Vulnerability management is the process of identifying, assessing, prioritizing, and mitigating IT vulnerabilities that may pose a threat to the enterprise’s security or operations. These processes may need to be adapted or updated to accommodate the virtualized architecture, but they are not fundamentally changed by it.

References := Steps to Meet Cloud and Virtualized Architecture Governance; Crafting the optimal model for the IT architecture organization; Enterprise Architecture Governance – Why It Is Important (Part 2); What is IT governance? A formal way to align IT & business strategy.

Data conversion is the process of transforming data from one format or system to another. It is a critical activity in any data migration or integration project, as it affects the quality, accuracy, and usability of the data. Therefore, IT governance should mandate that data conversion has documented approvals from business process data owners, who are the stakeholders responsible for defining and maintaining the data requirements, standards, and quality for their respective business processes. This ensures that the data conversion meets the business needs and expectations, as well as complies with the relevant policies and regulations. References:

CGEIT Review Manual 2021, Chapter 4: Resource Optimization, Section 4.2: Data Management, page 1651

CGEIT Review Questions, Answers & Explanations Manual 2021, Question 10, page 252

Data Conversion: Definition, Best Practices, and Examples3

Data Governance Roles and Responsibilities4

 Enterprise architecture (EA) is the most important thing to review in this situation, as it provides a holistic view of the current and desired state of the IT applications, data, and infrastructure, as well as the business processes, capabilities, and goals that they support. EA can help identify the redundant IT applications, the data sources and dependencies, the integration requirements and challenges, and the alignment with the strategic initiative of providing integrated services to customers. EA can also help define the roadmap, standards, and governance for achieving the desired state of IT integration.

IT risk register, balanced scorecard measures, and IT strategic plan are also important things to review, but they are not as essential as EA in this situation. IT risk register is a document that records the IT risks that may affect the enterprise’s objectives and operations, as well as their likelihood, impact, mitigation strategies, and status. IT risk register can help identify and manage the potential risks associated with IT integration, such as data quality, security, compatibility, performance, and compliance issues. Balanced scorecard measures are a set of metrics that track the performance of IT in relation to the enterprise’s vision, strategy, and goals. Balanced scorecard measures can help evaluate the effectiveness and efficiency of IT integration, as well as its contribution to customer satisfaction, business value, and innovation. IT strategic plan is a document that outlines the vision, mission, objectives, initiatives, and actions of IT to support the enterprise’s strategy and goals. IT strategic plan can help align IT integration with the business needs and expectations, as well as allocate the necessary resources and budget for it.

References := Enterprise Architecture Governance - CIO Wiki; Enterprise Architecture Governance | The Definitive Guide | LeanIX; Enterprise Architecture Governance – Why It Is Important (Part 2); What is IT governance? A formal way to align IT & business strategy.

The BEST method for the IT strategy committee to evaluate how well the IT department supports the business strategy is to use IT balanced scorecard reporting. An IT balanced scorecard (BSC) is a strategic management tool that translates the IT vision and mission intomeasurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth1. An IT balanced scorecard reporting is a process of collecting, analyzing, and communicating the performance data and results of the IT department based on the IT BSC framework2. An IT balanced scorecard reporting can help to:

Align the IT objectives and activities with the business strategy and expectations3

Monitor and evaluate the efficiency, effectiveness, and value of the IT department

Identify the strengths, weaknesses, opportunities, and threats of the IT department

Communicate and demonstrate the contribution and impact of the IT department to the business outcomes

Therefore, an IT balanced scorecard reporting is the most suitable method for the IT strategy committee to assess how well the IT department supports the business strategy.

The other options are not as good as option C. While it is useful to conduct a capability maturity assessment, a customer survey analysis, or an IT controls assurance program, these are not comprehensive enough to evaluate how well the IT department supports the business strategy. They are rather focused on specific aspects of the IT department, such as its processes, services, or controls. They do not necessarily cover all four perspectives of the IT BSC framework, which provide a holistic view of the IT performance and alignment with the business strategy. References :=

The IT Balanced Scorecard (BSC) Explained - BMC Software1

What Is a Balanced Scorecard (BSC), How Is it Used in Business?2

How to Align Your Business Strategy with Your Technology Strategy …3

How to Measure Your Strategic Plan’s Success - dummies

SWOT Analysis: What It Is and When to Use It - Business News Daily

How to Communicate Strategy Effectively - ClearPoint Strategy

Business ethics is the study of appropriate business policies and practices regarding potentially controversial subjects, such as corporate governance, insider trading, bribery, discrimination, corporate social responsibility, fiduciary responsibilities, and much more1. The most important aspect of business ethics is to protect the interests of the stakeholders, who are the individuals or groups that have a stake in the success or failure of a business. Stakeholders include shareholders, customers, employees, suppliers, regulators, and the society at large. By protecting stakeholders’ interests, a business can ensure its long-term viability, reputation, and profitability. References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 1: Governance of Enterprise IT, Section 1.1: IT Governance Frameworks and Principles, Subsection 1.1.2: IT Governance Principles, Page 14-15. Business Ethics: Definition, Principles, Why They’re Important.

 Enterprise data governance is a system for defining who within an organization has authority and control over data assets and how those data assets may be used. It encompasses the people, processes, and technologies required to manage and protect data assets1. Enterprise data governance can help address the inconsistencies in data classification by establishing a common framework, standards, and policies for data quality, security, and usage across the enterprise. It can also assign roles and responsibilities for data owners, stewards, and custodians to ensure accountability and compliance234. References:

2: https://www.ibm.com/topics/data-governance

1: https://www.cio.com/article/202183/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html

3: https://www.sailpoint.com/identity-library/enterprise-data-governance/

4: https://atlan.com/enterprise-data-governance/