Free Isaca CGEIT Practice Exam with Questions & Answers | Set: 14

 The business manager has the primary responsibility to define the requirements for IT service levels for the enterprise, as they are the ones who understand the business needs, objectives, and expectations from the IT services. The business manager should communicate these requirements to the IT service provider, who should then design, deliver, and monitor the IT services according to the agreed service levels. The help desk, the CIO, and the business continuity vendor are not primarily responsible for defining the IT service level requirements, although they may have roles in supporting, implementing, or ensuring them. References := CGEIT Review Manual, 27th Edition, Domain 1: Governance of Enterprise IT, page 20-21.

 A quantitative risk assessment method uses numerical values and mathematical models to estimate the likelihood and consequences of risks. This reduces the subjectivity and bias that may arise from qualitative methods that rely on personal judgment and experience. A quantitative method also allows for more objective comparison and prioritization of risks based on their impact and probability. References :=

Quantitative Risk Analysis (Definition, Benefits and Steps) - Indeed

Risk Assessment and Analysis Methods: Qualitative and Quantitative - ISACA

The impact of information exposure is the most important factor for an enterprise to review when classifying information assets, because it helps to determine the level of sensitivity and protection that the information assets require. Information assets are classified according to their confidentiality, integrity, and availability, which reflect the potential harm or loss that could result from unauthorized disclosure, modification, or destruction of the information assets. The impact of information exposure can be assessed in terms of financial, reputational, legal, operational, or strategic consequences for the enterprise and its stakeholders. The impact of information exposure can also vary depending on the context, scope, and duration of the exposure. Therefore, by reviewing the impact of information exposure, an enterprise can assign appropriate labels and controls to its information assets, and ensure that they are handled and stored securely and appropriately. References := Information classification according to ISO27001, Information Asset and Security Classification Procedure, Information Classification Standard.

This is because stakeholder analysis is a process of identifying and prioritizing the people or groups who have an interest, influence, or impact on the enterprise’s objectives and activities. Stakeholder analysis can help to understand the business expectations, needs, preferences, and concerns of different stakeholders, as well as their roles and responsibilities in the governance program. Stakeholder analysis can also help to engage and communicate with stakeholders effectively, and to align the governance program with the business strategy and value creation.

Some of the sources that support this answer are:

1: This source explains the importance and benefits of stakeholder analysis for IT governance, and provides some tips and tools for conducting it. It suggests that stakeholder analysis can help to ensure that IT governance meets stakeholder needs, delivers value, and supports business objectives.

2: This source defines stakeholder analysis and describes its steps and techniques. It also provides some examples of stakeholder analysis templates and matrices that can be used for IT governance projects.

3: This source discusses how stakeholder analysis can be used in the TOGAF framework for enterprise architecture. It states that stakeholder analysis should be used during Phase A (Architecture Vision) to identify the key players in the engagement, and also be updated throughout each phase; different stakeholders may be uncovered as the engagement progresses through into Opportunities & Solutions, Migration Planning, and Architecture Change Management.

4: This source presents a chapter on enterprise governance of IT processes from a book titled “Enterprise Governance of Information Technology: Achieving Alignment and Value, Featuring COBIT 5”. It mentions that stakeholder analysis is one of the key activities for defining the IT governance framework, as it helps to identify the relevant stakeholders and their expectations, roles, and responsibilities.

An enterprise that wishes to establish key risk indicators (KRIs) in an effort to better manage IT risk should first identify the enterprise risk appetite, because this would help to define the level of risk that the enterprise is willing and able to accept in pursuit of its objectives and value creation. The enterprise risk appetite should consider the external and internal factors that influence the IT environment, such as market trends, customer demands, innovation opportunities, regulatory requirements, and business strategies12. The KRIs should align with the enterprise risk appetite, and measure the potential impact and likelihood of the risks that may affect the IT performance and outcomes12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 75-76.

Outcome measures are indicators that measure the results or impacts of a strategy, program, or project on the intended beneficiaries or stakeholders1. The primary objective of building outcome measures is to monitor whether the chosen strategy is successful in achieving its goals and objectives, and to evaluate its effectiveness and efficiency2. Outcome measures can also help to communicate the value and benefits of the strategy to the relevant audiences, and to identify areas for improvement or adjustment3. Outcome measures are different from output measures, which measure the activities or products that are delivered by the strategy, but not necessarily their effects or outcomes4. References :=

Outcome Measures - an overview | ScienceDirect Topics

Outcome Measurement | The Australian Institute of Family Studies

Outcome Measurement: A Guide for Nonprofit Organizations | Imagine Canada

Doing Quantitative Research with Outcome Measures

The IT strategy is the document that defines how IT will be used to support and achieve the business objectives of the organization. It aligns the IT investments, resources, and activities with the business priorities and direction. When there is a change in the business objectives, such as a re-prioritization by management, the IT strategy should be updated accordingly to ensure that IT remains relevant and aligned with the new business goals. Updating the IT strategy should be done first before allocating resources to IT processes, because it provides the basis for determining which IT processes are most critical and valuable for the organization. The other options are not the best actions to perform first in this scenario. Performing a maturity assessment, implementing a RACI model, and refining the human resource management plan are all useful activities for improving the IT processes, but they are not directly related to the change in business objectives. They should be done after updating the IT strategy, based on the new strategic direction and priorities. References:

1: https://www.projectpractical.com/human-resource-management-plan-template-free-download/

2: https://open.lib.umn.edu/humanresourcemanagement/chapter/2-2-writing-the-hrm-plan/

3: https://www.isixsigma.com/getting-started/are-you-ready-how-conduct-maturity-assessment/

4: https://www.smartsheet.com/content/organizational-maturity

5: https://www.process.st/maturity-model/

This should be the IT steering committee’s primary concern, as moving to an external cloud service provider may introduce new or different risks to the enterprise, such as data security,privacy, compliance, availability, performance, vendor lock-in, and service level agreements12. The IT steering committee should update the business risk profile to reflect the current and potential risks associated with the cloud service provider, and to ensure that they are aligned with the enterprise’s risk appetite and tolerance12. The IT steering committee should also monitor and manage the risks throughout the cloud service lifecycle, and implement appropriate controls and mitigation strategies to protect the enterprise’s assets and interests12. The other options are not as important as updating the business risk profile, as they are not directly related to the strategic decision to reduce operating costs for the next year. Calculating the cost of the current solution, changing the IT steering committee charter, and revising the business’s balanced scorecard are possible actions that may be taken after updating the business risk profile, based on the identified risks and their levels3.

 The FIRST step when defining responsibilities for ownership of information and systems is to require an inventory of information assets. An information asset is any data, device, or other component of the environment that supports information-related activities1. An inventory of information assets is a comprehensive list of all the information assets that an organization owns, controls, or uses2. By creating an inventory of information assets, an organization can:

Identify the types, locations, formats, and volumes of information assets3

Determine the value, sensitivity, and criticality of information assets4

Assign ownership and accountability for information assets5

Establish appropriate security controls and protection measures for information assets6

Monitor and audit the usage and lifecycle of information assets7

The other options are not as important as option D. While it is important to require an information risk assessment, identify systems that are outsourced, and ensure information is classified, these are subsequent steps that depend on the availability and accuracy of the inventory of information assets. Without an inventory of information assets, it would be difficult to perform a risk assessment, identify outsourced systems, or classify information according to its value and sensitivity. References :=

Information Asset - an overview | ScienceDirect Topics1

Information Asset Inventory - NIST CSRC2

How to Create an Information Asset Inventory - Infosec Resources3

Information Asset Valuation: A Methodology - ISACA4

Data Ownership: Considerations for Risk Management - ISACA5

Information Asset Protection - NIST CSRC6

Information Asset Management - NIST CSRC7