Certified in the Governance of Enterprise IT CGEIT Exam Questions
Which of the following should be the PRIMARY consideration for an enterprise when prioritizing IT projects?
Correct Answer: B
Which of the following is MOST critical to support IT governance cultural changes within an organization?
Correct Answer: C
The MOST critical factor to support IT governance cultural changes within an organization is demonstrated management commitment. IT governance is the process of ensuring that IT supports the achievement of the organization’s goals and objectives, and delivers value to its stakeholders1. IT governance involves aligning the IT strategy, policies, processes, and resources with the business strategy, needs, and expectations2. However, implementing and sustaining IT governance requires a significant amount of change in the organization, such as introducing new technologies, standards, roles, and responsibilities3. Therefore, demonstrated management commitment is essential for supporting IT governance cultural changes within an organization, as it can:
Provide the direction and mandate for the IT governance initiative on an ongoing basis
Communicate the vision, mission, goals, and objectives of the IT function to all stakeholders
Allocate the necessary resources and capabilities to enable the IT governance processes and activities
Monitor and evaluate the performance and outcomes of the IT function and provide feedback and recognition
Foster a positive and collaborative culture that values IT as a strategic partner and enabler of the business
The other options are not as critical as option C. While it is important to have established IT monitoring and measuring, regularly scheduled governance training, and IT governance process manuals, these are not sufficient to support IT governance cultural changes within an organization. They are rather means to achieve the end goal of implementing and sustaining IT governance. They do not necessarily reflect the level of commitment, involvement, and support from the management toward IT governance.
To enable the development of required IT skill sets for the enterprise, it is MOST important to define skill requirements based on:
Correct Answer: D
To enable the development of required IT skill sets for the enterprise, it is most important to define skill requirements based on each role within the IT department, because different roles may have different responsibilities, tasks, and expectations that require specific skills and competencies. By defining skill requirements based on each role, the enterprise can ensure that the IT staff have the appropriate knowledge, abilities, and experience to perform their roles effectively and efficiently, and to support the enterprise’s goals and objectives. According to ISACA’s CGEIT Domain 2: IT Resources1, “the enterprise should identify the skills required for each IT role and assess the current and future skill gaps.” Furthermore, according to ISACA’s article on IT Skills Gap2, “the skills gap is not a one-size-fits-all problem. It varies by industry, organization and department/role.” Therefore, defining skill requirements based on each role within the IT department is the best way to enable the development of required IT skill sets for the enterprise. References:
IT Skills Gap: Trends, Implications and Best Practices - ISACA
IT Governance: Definitions, Frameworks and Planning - ProjectManager
What is IT governance? A formal way to align IT & business strategy | CIO
CGEIT Domain 2: IT Resources
Which of the following should be done FIRST when defining responsibilities for ownership of information and systems?
Correct Answer: D
The FIRST step when defining responsibilities for ownership of information and systems is to require an inventory of information assets. An information asset is any data, device, or other component of the environment that supports information-related activities1. An inventory of information assets is a comprehensive list of all the information assets that an organization owns, controls, or uses2. By creating an inventory of information assets, an organization can:
Identify the types, locations, formats, and volumes of information assets3
Determine the value, sensitivity, and criticality of information assets4
Assign ownership and accountability for information assets5
Establish appropriate security controls and protection measures for information assets6
Monitor and audit the usage and lifecycle of information assets7
The other options are not as important as option D. While it is important to require an information risk assessment, identify systems that are outsourced, and ensure information is classified, these are subsequent steps that depend on the availability and accuracy of the inventory of information assets. Without an inventory of information assets, it would be difficult to perform a risk assessment, identify outsourced systems, or classify information according to its value and sensitivity. References :=
Information Asset - an overview | ScienceDirect Topics1
Information Asset Inventory - NIST CSRC2
How to Create an Information Asset Inventory - Infosec Resources3
Information Asset Valuation: A Methodology - ISACA4
Data Ownership: Considerations for Risk Management - ISACA5
Information Asset Protection - NIST CSRC6
Information Asset Management - NIST CSRC7
Senior management is reviewing the results of a recent security incident with significant business impact. Which of the following findings should be of GREATEST concern?
Correct Answer: C
The finding that should be of greatest concern to senior management is that response decisions were made without consulting the appropriate authority. This is because response decisions are critical actions that can affect the outcome and impact of a security incident, and they should be made by the designated authority who has the responsibility and accountability for the incident response. According to CISA, the Department of Justice, through the FBI and the NCIJTF, is thelead agency for threat response during a significant incident, with DHS’s investigative agencies—the Secret Service and ICE/HSI - playing a crucial role in criminal investigations1. If response decisions are made without consulting the appropriate authority, it may result in:
Legal or regulatory violations: The response actions may not comply with the applicable laws or regulations, such as data breach notification, evidence preservation, or privacy protection. This may expose the organization to legal or regulatory penalties, lawsuits, or reputational damage.
Ineffective or counterproductive actions: The response actions may not be aligned with the incident response plan, best practices, or standard operating procedures. This may cause more harm than good, such as escalating the incident, destroying evidence, or compromising recovery efforts.
Lack of coordination and communication: The response actions may not be coordinated or communicated with the relevant stakeholders, such as senior management, legal counsel, public relations, or external partners. This may lead to confusion, inconsistency, or mistrust among the parties involved in the incident response.
Therefore, senior management should be most concerned about the finding that response decisions were made without consulting the appropriate authority, and they should take corrective actions to prevent this from happening again in the future. References: Cybersecurity Incident Response | CISA1