Free Isaca CGEIT Practice Exam with Questions & Answers

Before any strategic direction can be set for AI initiatives,assessing the current AI capabilities and infrastructureis essential. This foundational step provides a baseline of where the organization currently stands, what assets or skills it possesses, and what gaps may exist.

Subsequent actions, such as developing use cases, forming teams, or crafting policies, rely heavily on this understanding. Without a proper assessment, strategic decisions may be misaligned with the organization’s actual readiness or capabilities.

 The first thing that should be done to reduce the complexity of the IT landscape is to conduct strategic planning with business units. Strategic planning is the process of defining the vision, mission, goals, and objectives of the enterprise and how they will be achieved. It also involves aligning the IT strategy with the business strategy and ensuring that they support each other. By conducting strategic planning with business units, the enterprise can identify and prioritize the IT needs and expectations of each business unit, as well as the commonalities and synergies among them. This can help to reduce the complexity of the IT landscape by eliminating duplicate technologies, resolving conflicting priorities, and creating a coherent and consistent IT architecture that meets the business requirements and delivers value. The other options are not as effective as conducting strategic planning with business units for reducing the complexity of the IT landscape. Promoting automation tools used by the business units may improve efficiency and productivity, but it does not address the underlying issues of duplication and conflict. Migrating all in-house systems to an external cloud environment may reduce costs and increase scalability, but it does not ensure alignment and integration of IT systems across business units. Standardizing technology architecture on common products may simplify IT operations and maintenance, but it does not consider the specific needs and preferences of each business unit.

Implementing appropriate controlsis the most critical leadership responsibility when deploying mobile technologies. Controls cover access, encryption, monitoring, and loss prevention—addressing core risks such as data leakage and unauthorized access.

Acceptable use and policy alignment are necessary, butcontrols ensure security and compliance in practice.

The best group to evaluate recommendations to address the use of antiquated technologies throughout the enterprise is the Enterprise Architecture (EA) review board. This group is responsible for overseeing the architectural framework and ensuring that IT systems and technologies align with the enterprise's strategic objectives. The EA review board has the expertise to assess the impact of current technologies on the business and recommend modernization strategies that align with the enterprise architecture. While business process improvement workgroups, audit committees, and risk management committees play important roles, the EA review board is specifically equipped to address technological shortcomings and alignment with business goals.

Monitoring the adoption of a new IT strategy requires measurable indicators that track progress and alignment with strategic objectives. The CGEIT Review Manual 8th Edition highlights that key performance indicators (KPIs) are the primary tool for monitoring strategy implementation, as they measure performance against defined goals.

Extract from CGEIT Review Manual 8th Edition (Domain 4: Strategic Management):"Key performance indicators (KPIs) are essential for monitoring the implementation and adoption of an IT strategy. KPIs provide measurable data on progress toward strategic objectives, enabling the IT steering committee to assess effectiveness and make informed adjustments." (Approximate reference: Domain 4, Section on Strategy Monitoring)

Establishing KPIs (option B) allows the IT steering committee to track the strategy’s success, identify gaps, and ensure alignment with enterprise goals, making it the best approach for monitoring adoption.

Why not the other options?

A. Implement service level agreements (SLAs): SLAs are operational agreements for service delivery, not strategic monitoring tools.

C. Schedule ongoing audit reviews: Audits provide assurance but are periodic and not designed for ongoing strategy monitoring.

D. Establish key risk indicators (KRIs): KRIs focus on risk exposure, not on measuring strategy adoption or performance.

Comprehensive and Detailed Explanation:

The CGEIT Review Manual 8th Edition, in its Governance of Enterprise IT domain, addresses data governance to ensure proper management and protection of data, including third-party data. Establishing data ownership with clear accountabilities ensures that specific individuals or roles are responsible for overseeing third-party data, preventing unauthorized use through defined policies and controls. For example, a data owner can enforce access restrictions and monitor usage. The manual likely references COBIT 2019’s APO14-Managed Data, which emphasizes data ownership for governance.

Option A: Communicate consequences is reactive and less effective than proactive ownership.

Option B: Encrypt data in transit addresses security but not unauthorized internal use.

Option D: Retention periods manage data lifecycle but don’t directly prevent misuse.

Double Verification: The answer aligns with COBIT’s APO14 and the CGEIT domain’s focus on data governance. Data ownership is a core ISACA principle for data protection.

ISACA CGEIT Review Manual 8th Edition, Domain 1: Governance of Enterprise IT (focus on data governance).

COBIT 2019, APO14-Managed Data.

ISACA Glossary (for definitions of data ownership), available at https://www.isaca.org/resources/glossary.

To measure the value of IT-enabled investments, an enterprise needs to identify its drivers as defined by its business strategy. The business strategy is the document that defines the vision, mission, goals, and objectives of the enterprise and how they will be achieved. It also specifies the value proposition, competitive advantage, and target market of the enterprise. The drivers ofvalue are the factors that influence or determine the value creation and delivery of the enterprise. They can include aspects such as customer satisfaction, revenue growth, cost reduction, innovation, quality, and efficiency. By identifying its drivers as defined by its business strategy, the enterprise can align its IT-enabled investments with its strategic priorities and expectations. It can also establish the criteria, metrics, and indicators for measuring and evaluating the value of IT-enabled investments in terms of their contribution to the business outcomes and performance.

This is because calibrating and scaling delivery of IT services means adjusting and optimizing the IT service portfolio, processes, and resources to meet the changing and diverse needs and expectations of the business1. By following this approach, the large enterprise can:

Align IT services with business strategy, objectives, and priorities1

Enhance IT service quality, efficiency, and effectiveness1

Improve IT service agility, flexibility, and responsiveness1

Reduce IT service costs, risks, and waste1

Increase IT service value, satisfaction, and innovation1

Calibrating and scaling delivery of IT services can help the large enterprise revamp its IT services in a way that supports and enables the business success.

The other options, addressing gaps within the management of IT-related risk, focusing on business innovation through knowledge, expertise, and initiatives, and adhering to on-time and on-budget IT service delivery are not as appropriate as calibrating and scaling delivery of IT services for a large enterprise to follow when revamping its IT services. They are more related to specific aspects or outcomes of IT service management, rather than a holistic and strategic approach. They may also be too narrow or rigid for a large enterprise that needs to adapt and evolve its IT services to the dynamic and complex business environment. They may not address the full scope or potential of IT service improvement and transformation.

Comprehensive and Detailed Explanation:

The CGEIT Review Manual 8th Edition, in its Governance of Enterprise IT domain, addresses ethical governance and policy enforcement. When ethical violations occur, the first step is to conduct a root cause analysis to identify why policies failed (e.g., lack of oversight, inadequate controls) and remediate based on findings. This ensures targeted solutions, such as enhanced monitoring or training. The manual likely references COBIT 2019’s MEA03-Managed Compliance with External Requirements, which includes root cause analysis for governance issues.

Option A: Revise policies is premature without understanding the cause.

Option C: Document CSFs is unrelated to addressing violations.

Option D: Strict penalties may deter but don’t address underlying issues.

Double Verification: The answer aligns with COBIT’s MEA03 and the CGEIT domain’s focus on ethical governance. Root cause analysis is a standard ISACA response to policy failures.

ISACA CGEIT Review Manual 8th Edition, Domain 1: Governance of Enterprise IT (focus on ethical governance).

COBIT 2019, MEA03-Managed Compliance with External Requirements.

ISACA Glossary (for definitions of root cause analysis), available at https://www.isaca.org/resources/glossary.

The best way to ensure that security risk is properly addressed when implementing an information security policy exception process is to confirm process owners’ acceptance of residual risk. Residual risk is the risk that remains after applying controls or mitigating measures to reduce the original risk1. Process owners are the individuals or groups that are responsible for the design, execution, and performance of a business process2. By confirming process owners’ acceptance of residual risk, the enterprise can ensure that the security risk associated with the policy exception is understood, acknowledged, and agreed upon by the relevant stakeholders. This can also help to assign accountability and liability for the potential consequences of the policy exception, as well as to monitor and review the risk level and the effectiveness of the controls or mitigating measures. The other options are not as effective as confirming process owners’ acceptance of residual risk for ensuring that security risk is properly addressed when implementing an information security policy exception process. Performing an internal and external network penetration test is a useful technique for identifying and exploiting vulnerabilities in the network infrastructure, but it does not address the specific security risk related to the policy exception. Obtaining IT security approval on security policy exceptions is a necessary step for validating and authorizing the policy exception, but it does not ensure that the process owners are aware of and accept the residual risk. Benchmarking policy against industry best practice is a good practice for comparing and improving the policy quality and performance, but it does not address the security risk associated with the policy exception.

When an IT governance committee is reviewing its current risk management policy due to increased usage of social media within an enterprise, the first task should be to initiate an assessment of the impact on the business. This assessment will provide a comprehensive understanding of how social media usage affects various aspects of the business, including productivity, security, data privacy, and compliance with existing policies and regulations. Understanding the business impact will inform the committee's decisions on any necessary policy adjustments or controls to mitigate potential risks associated with social media usage. While reviewing current usage levels, blocking access, and reassessing BYOD policies are relevant considerations, they should be informed by an initial assessment of the business impact to ensure that any actions taken are aligned with the enterprise's strategic objectives and risk tolerance.

A periodic service provider audit is a process of conducting an independent and objective assessment of the service provider’s performance, quality, compliance, and security in relation to the agreed service level agreement (SLA) and the enterprise’s expectations and requirements. A periodic service provider audit can help provide quality of service oversight by:

Verifying and validating the service provider’s claims and credentials, and ensuring that they meet the contractual obligations and standards

Identifying and evaluating the strengths, weaknesses, opportunities, and threats of the service provider’s services, processes, and controls

Detecting and reporting any issues, gaps, or risks that may affect the quality of service delivery or the enterprise’s objectives and value

Recommending and implementing corrective and preventive actions to address and resolve the issues, gaps, or risks

Monitoring and measuring the outcomes and effectiveness of the corrective and preventive actions, and ensuring their alignment with the SLA

According to the web search results, the customer dimension of an IT balanced scorecard is the perspective that measures how well the IT department meets the needs and expectations of its internal and external customers, such as business units, end users, suppliers, and partners. The customer dimension helps the IT department to align its services and products with the customer requirements and preferences, and to deliver value and satisfaction to the customers12.

The most important measure to include in the customer dimension of an IT balanced scorecard is stakeholder satisfaction, which is the degree to which the customers are satisfied with the quality, performance, and outcomes of the IT services and products. Stakeholder satisfaction reflects the customer perception and feedback of the IT department, and influences the customer loyalty, retention, and advocacy. Stakeholder satisfaction can be measured by various methods, such as surveys, interviews, focus groups, complaints, compliments, and referrals34.

The other options are not as important as stakeholder satisfaction to include in the customer dimension of an IT balanced scorecard. Business value creation is a measure that belongs to the financial dimension of an IT balanced scorecard, as it evaluates how much value the IT department contributes to the business strategy and objectives5. Maintenance of IT operations is a measure that belongs to the internal process dimension of an IT balanced scorecard, as it assesses how well the IT department manages and improves its core processes and activities. Support for corporate customers is a measure that belongs to the learning and growth dimension of an IT balanced scorecard, as it indicates how well the IT department develops and enhances its capabilities and competencies to support its customers.

Comprehensive and Detailed Explanation:

The CGEIT Review Manual 8th Edition, in its Risk Optimization domain, addresses the need for proactive detection and response to security incidents to minimize risks. The undetected breach attempt highlights a gap in real-time monitoring and alerting.

Option D: The implementation of an intrusion detection and reporting process is the most important. An intrusion detection system (IDS) monitors network and system activities for unauthorized access, generating alerts for immediate response. This would have ensured the breach attempt was detected and reported in real-time, preventing potential data loss. The manual likely references COBIT 2019’s DSS05-Managed Security Services, which emphasizes intrusion detection as a critical security control.

Option A: Periodic analyses of logs and databases is reactive and may not detect breaches in time, unlike real-time IDS.

Option B: A review of security and risk frameworks is broad and long-term, not addressing the immediate detection gap.

Option C: A comprehensive data management policy focuses on data governance, not real-time breach detection.

Double Verification: The answer aligns with COBIT’s DSS05 and the CGEIT domain’s focus on security incident detection. Intrusion detection is a standard ISACA recommendation for preventing undetected breaches.

ISACA CGEIT Review Manual 8th Edition, Domain 4: Risk Optimization (focus on security incident detection).

COBIT 2019, DSS05-Managed Security Services.

ISACA Glossary (for definitions of intrusion detection), available at https://www.isaca.org/resources/glossary.

Assigning information risk to a department without designating an individual owner is most likely to have a negative impact on accountability for information risk ownership. This lack of individual accountability can lead to ambiguities in responsibility, making it difficult to ensure that appropriate risk management actions are taken and followed up on. When an individual owner is clearly identified, it establishes direct responsibility and accountability, improving the effectiveness of risk management practices. While the scenarios described in the other options present challenges, the absence of a specific individual owner represents a fundamental weakness in establishing clear accountability for managing information risk.