GOVERNANCE OF ENTERPRISE
IT STUDY GUIDE: INCLUDES
THE LATEST PRACTICE
QUESTIONS AND ANSWERS
By
Daniel L. Patton
Introduction
In this book, we’ll cover these main areas:
ISACA CGEIT is the only governance certification that can give you the
mind-set to assess, design, implement and manage enterprise IT governance
systems aligned with your overall business goals. It is globally accepted and
recognized and is framework agnostic. It addresses an overarching
governance posture that draws on the many relevant frameworks,
standards, bodies of knowledge and models that are valuable to
your overall governance system. The CGEIT exam offers concise job practice
areas addressing new trends, technologies and changing business needs,
designed to keep you at the top of your game and improve business
performance. This update can not only help you and your career but can also
enable you to think strategically, plan proactively, optimize resources,
deliver business value, mitigate risk and streamline operations, especially
during times of crisis. CGEIT recognizes a range of
professionals for their knowledge and application of enterprise IT governance
principles and practices. To earn the CGEIT designation, you must meet the
following requirements.
- Of course, you have to pass the exam. We'll talk about that in
more detail later in this book.
- Submit your application within five years of passing the exam,
with verified evidence of a minimum of five years of experience
in an advisory or oversight role supporting the governance of
IT-related contributions to an enterprise. Currently there is a waiver
for the one-year requirement related to domain one, which may be
obtained by holding a COBIT 2019 Design and Implementation
certificate. I recommend that you first review the exam content
outline for any certification of interest to ensure that your work
experience qualifies, then review any other specific requirements as well.
- ISACA sets forth a code of professional ethics to guide the
professional and personal conduct of its members and certification
holders. Members and those certified are required to abide by
ISACA’s code of professional ethics.
- To maintain your CGEIT, you must earn and report a minimum of
120 CPE hours every three-year reporting cycle and at least 20
hours annually. This reporting is due by the end of each calendar
year and is required to renew through the following year.
2020 CHANGES
Let's take a look at some of the changes in the new CGEIT
exam. The new CGEIT domains address new trends, emerging technologies
and changing business needs, accounting for the latest governance industry
practices. The first thing we'll talk about is the exam preparation materials.
The CGEIT Review Manual, eighth edition, and the CGEIT Review Questions,
Answers and Explanations Manual, fifth edition, have been revised and
updated to reflect the 2020 outline.
Exam Essentials
The CGEIT Certification Working Group oversees the development of this
exam, ensuring that the job practice is properly tested. There will be 150
multiple-choice questions, each with one best answer from four options: A,
B, C or D. You'll have four hours (240 minutes) to take the exam, which
allows a little over a minute and a half per question. CGEIT certification
exams can now be taken via online remote proctoring or at an in-person testing
center. You'll schedule your exam for any available date, time or location
within the 365-day eligibility period. If you're within 48 hours of your
scheduled testing appointment, you must take the exam or forfeit the
registration fee. Note that payment is required before you schedule
the exam; it's about $575 for members and $764 for non-members.
Scores are reported as a scaled score: a conversion of your raw score
on the exam to a common scale from 200 to 800. To pass, you must
receive a score of 450 or higher, which represents the minimum consistent
standard of knowledge established by ISACA for CGEIT certification. You can
find more information on this and register for the exam at the official ISACA
website.
Answer: D
Answer: A
Answer: C
Answer: D
A. training needs.
B. a best practices framework.
C. each of the IT department's roles
D. a set of skills for all IT staff
Answer: C
7. Which of the following would be the most concerning in terms of risk
management process effectiveness?
Answer: C
Answer: A
9. Which of the following factors has the most impact on data quality
assurance?
A. Data encryption
B. Data stewardship
C. Data modelling
D. Data classification
Answer: B
10. Which of the following would be the most effective way to ensure that
an IT governance framework is accepted?
A. Using subject matter experts
B. Using industry-accepted practices
C. Regulatory compliance
D. Taking into account the impact of enterprise culture
Answer: D
Answer: C
12. Which of the following has the most serious consequences for a company
with a poor information architecture?
Answer: A
A. Data ownership
B. Information's criticality
C. Keeping the enterprise architecture (EA) up to date
D. The right mix of business rewards and risk
Answer: D
14. Which of the following aspects of business ethics is the most important?
Answer: D
15. A CIO just got a final audit report indicating that the enterprise's mobile
device acceptable usage policy is being applied inconsistently across all
business divisions. Which of the following should be the first step in
resolving the problem?
Answer: D
Answer: B
A. IT risk appetite
B. Enterprise project management framework
C. Information systems architecture
D. IT investment portfolio
Answer: B
Answer: C
20. An IT manager is trying to figure out what the best IT service levels are.
Which of the following should be the most important factor to consider?
Answer: D
21. A company is considering enacting a policy that would make personal
data in enterprise systems anonymous. Which of the following is the MOST
critical factor for the IT steering committee to examine before making a
decision?
Answer: D
Answer: B
Answer: D
Answer: C
Answer: C
26. Which of the following is a barrier to business and IT strategic alignment
in an organization with global business units and a centralized financial
control model?
Answer: D
Answer: C
A. Program manager
B. CIO
C. IT steering committee chair
D. Business sponsor
Answer: B
30. Several months ago, a strategic systems project was started. Which of the
following is the BEST reference for the IT steering committee to use when
assessing the project's success?
Answer: D
31. To ensure that information can be traced back to its source and
responsible parties, a company should first:
Answer: C
Answer: A
Answer: B
34. Which of the following provides the BEST assurance that IT service
management methods are effective?
Answer: B
35. When assessing the loss associated with a large risk occurrence, which of
the following is the MOST important input?
Answer: D
Answer: D
A. A mandate for the encryption of all corporate data files at rest that
contain sensitive data
B. A requirement that employees be trained on how to categorise
company data files on a regular basis.
C. Approved cloud-based apps must be scanned for improper
information.
D. If unsuitable content is identified, a procedure for banning access to
cloud-based apps is established.
Answer: A
Answer: A
A. a risk register.
B. a risk management policy.
C. an IT risk appetite statement.
D. key risk indicators (KRIs).
Answer: D
42. Which of the following jobs is PRIMARILY responsible for data asset
security?
A. Data analyst
B. Data owner
C. Database administrator
D. Security architect
Answer: B
Answer: D
Answer: C
45. The CIO of a company discovers that a competitor's payroll server has
been infected with ransomware. What should the CIO do first to prepare for
the prospect of business data being ransomed?
Answer: A
46. An organization has made the strategic choice to cut operating costs for
the coming year, and it is taking advantage of cost savings provided by an
external cloud service provider. Which of the following should be the
primary concern of the IT steering committee?
A. Continuity planning
B. Security architecture
C. Contract management
D. Data management
Answer: C
48. What is the best strategy for an IT governance board to define artificial
intelligence (AI) adoption behaviour standards?
Answer: A
49. An IT governance committee wants to make sure that the enterprise data
policy includes a clear explanation of the "data owner." Which of the
following is the best way to identify who owns data stored in an external
cloud?
A. The risk manager who is in charge of safeguarding cloud-based data
B. The person in charge of a company who is most affected by data
loss
C. The vendor who uses online forms to send data to the organization.
D. The contract manager is in charge of monitoring the cloud
provider's security.
Answer: A
50. Who among the following is best qualified to assess the potential benefits
of an IT-enabled investment?
Answer: A
Answer: B
Answer: B
Answer: B
55. Which of the following should be the first step in the implementation of
IT governance?
Answer: C
56. A company intends to build a business intelligence (BI) solution that will
pull data from a variety of internal applications. Which of the following
presents the most difficult implementation challenge?
A. Enterprise and BI application interface difficulties
B. Sources of data definition and mapping from applications
C. The requirement for staff training on the new BI tool
D. Large volumes of data fed from enterprise applications
Answer: D
Answer: D
Answer: D
Answer: A
60. To guarantee that the process of establishing a business case for IT-
enabled investments continues to support benefits realization, the benefits
expected from investment programs must be actively managed through:
Answer: D
Answer: C
62. Which of the following is the most effective way to ensure that
enterprise IT governance is followed consistently?
Answer: C
64. In recent years, a large bank has conducted multiple acquisitions that
have resulted in redundant IT applications. The IT steering group has decided
to share data and connect applications in order to fit with the strategic aim of
providing integrated services to customers. In this case, which of the
following would be the MOST important to review?
A. IT strategic plan
B. Enterprise architecture
C. Balanced scorecard measures
D. IT risk register
Answer: B
Answer: B
66. Which of the following traits best describes an IT process that is a good
candidate for outsourcing?
Answer: C
67. Which method is the most effective for implementing good IT risk
management?
Answer: C
68. The board of directors of a company has ordered the CIO to implement
measures to make the IT department more environmentally conscious. Which
of the following should be the CIO's FIRST step in ensuring that IT demands
remain aligned with the board's requirements?
Answer: D
Answer: D
70. Which of the following is the BEST approach for a CIO to improve the
alignment of IT and business security risk management?
Answer: B
A. Resource utilization
B. Residual risk
C. Value delivery
D. Project delivery
Answer: C
72. The MOST essential factor for the associated risk responses after doing a
gap analysis of IT risks and controls capacity is that they are:
Answer: B
73. The CIO is concerned that recent IT-enabled investments haven't taken
advantage of Enterprise Architecture.
Which of the following would be the most helpful in addressing these
challenges and enforcing enterprise architecture leveraging?
A. Adopt a framework for enterprise architecture that is well-known
around the world.
B. Form a team to keep the enterprise architecture up to date on a
regular basis.
C. Publish and train on the enterprise architecture document.
D. At major milestones, a review of the enterprise architecture should
be required.
Answer: C
74. The CEO of a corporation is worried that risk events that are not directly
related to emergency incidents are not regularly addressed at the C-suite
level. Which of the following is the most effective strategy for the CEO to
ensure that risk events receive adequate time and attention?
Answer: B
76. The volume of false positives in risk reports has overwhelmed the risk
committee. What action would be the most effective in this situation?
Answer: B
78. Which of the following is the MOST EFFECTIVE strategy to deal with
concerns about outsourcing an IT process?
Answer: A
79. Which of the following approaches is the BEST for assisting a company
in preparing for IT-enabled investments?
A. IT process mapping
B. Task management
C. Service level management
D. Enterprise architecture
Answer: A
80. For the first time, the procurement department has asked IT to enable
third-party vendors remote access. Which of the following is the most
effective way for IT to respond to the request?
Answer: D
Answer: C
Answer: B
83. When making changes to the IT strategy, which of the following should
the CIO evaluate FIRST?
Answer: B
Answer: D
Answer: B
88. A company discovers that a new privacy rule was recently released
to safeguard customers in the case of a data breach involving personally
identifiable information (PII). The first step for the IT risk management team
should be to:
Answer: B
Answer: D
Answer: C
Answer: D
92. Which of the following would a CIO use to present the board of directors
with a holistic view of IT performance?
Answer: D
Answer: D
94. To guarantee that IT risk is managed consistently, IT governance must
establish the following:
Answer: B
95. In the IT investment process, which of the following should come first?
Answer: C
Answer: B
Answer: D
Answer: B
100. The IT risk committee should first consider the following when
conducting a risk assessment in support of a new regulatory requirement:
Answer: A
102. The CIO has been asked to add an Internet of Things (IoT) component
in the IT plan to support the company's digital transformation. Which of the
following should be taken into account first?
Answer: D
103. The IT project management office informed the steering committee that
individual business units are developing system components that might be
used by other business units. Instead, identical components are copied
throughout the organization. Which of the following committee directives
would be the most effective in preventing this duplication?
A. compliance to IT policy
B. application of IT standards
C. maturity of IT processes.
D. value of IT contribution.
Answer: C
Answer: B
Answer: B
107. The BEST reaction to a service provider failing to notify you of a data
security breach is to contractually require which of the following?
108. The PRIMARY aim of adopting service level agreements (SLAs) with
an outsourced vendor should be which of the following?
Answer: B
A. An outsourcing strategy
B. A defined enterprise architecture
C. Defined resourcing levels
D. A service delivery strategy
Answer: B
Answer: D
111. Which of the following would be the best source of information for
prioritizing strategic IT improvement projects?
Answer: B
112. IT senior management has been charged with shifting the current IT
organization paradigm to a service-oriented one to satisfy the growing
demands of a newly established business unit. Which of the following is the
MOST critical factor to consider when planning for long-term IT service
delivery when the IT organization is likely to grow significantly?
Answer: A
Answer: B
114. Which of the following should be defined FIRST before IT key risk
indicators are created?
A. IT resource strategy
B. IT goals and objectives
C. IT key performance indicators
D. IT risk and security framework
Answer: B
115. Which of the following should be done FIRST when evaluating the
impact of a new regulatory requirement?
Answer: A
A. Obtain approval for a staff reduction over the following five years.
B. Provide the business with real-time risk reporting.
C. Promote the IT benefits and the streamlining of processes.
D. Describe the new solution's business value.
Answer: C
Answer: B
Answer: A
A. Cost-benefit analysis
B. Balanced scorecard
C. Resource assessment
D. IT process maturity level
Answer: A
120. Which of the following, if missed, has the most impact on the firm when
establishing a business case for an enterprise resource planning (ERP)
implementation?
A. Vendor selection
B. Interdependent systems
C. IT best practices
D. Salvage value of legacy hardware
Answer: A
122. A recent trend of excessive exceptions to established restrictions has
raised concerns among senior management. Which of the following measures
should be taken to address this issue?
Answer: D
A. IT steering committee
B. Program management team
C. Board of directors
D. Project management office
Answer: B
124. Which of the following would be the MOST useful for prioritizing IT
improvement activities in order to achieve targeted business results?
Answer: D
125. Which of the following is the most significant factor to consider while
building an IT governance framework?
Answer: D
126. Which of the following would be the MOST helpful in ensuring timely
reporting of risk incidents and appropriate management responses?
A. Escalation procedures
B. Emergency response team
C. Key personnel interviews
D. Corporate directory
Answer: D
A. level of outsourcing.
B. enterprise architecture.
C. culture.
D. maturity of IT processes.
Answer: B
Answer: D
129. A large retail chain's board of directors wants to know what safeguards
are in place to protect customer credit card data from being stolen. Which of
the following should be established in order to convey helpful information
about an upcoming event?
A. Performance indicators
B. Lag indicators
C. Lead indicators
D. Risk tolerance
Answer: C
A. Risk management
B. Project management
C. Procurement management
D. Portfolio management
Answer: A