Isaca CGEIT Actual Questions

To address concerns about staff saving sensitive corporate information on publicly available cloud file storage applications, the first step should be to require staff training on data classification policies. Educating employees about the types of data classified as sensitive and the associated handling requirements helps to raise awareness and change behavior. Training should emphasize the importance of protecting sensitive information and the proper use of approved storage solutions. While creating secure storage solutions, blocking access to certain applications, and revising policies are important measures, education and awareness are fundamental first steps to ensure compliance and mitigate risks.

IT strategic planning processes need to be adequately documented and communicated for several reasons, but the most important one is to promote transparency to stakeholders. Transparency means being open, honest, and accountable for the actions and decisions of the IT department. Transparency helps to build trust, credibility, and confidence among the stakeholders, such as senior management, business units, customers, suppliers, regulators, and employees1. By documenting and communicating the IT strategic planning processes, the IT department can demonstrate how it aligns its goals and objectives with the business strategy, how it prioritizes and executes its projects and initiatives, how it measures and reports its performance and outcomes, and how it manages its risks and challenges. Documenting and communicating the IT strategic planning processes also enables the IT department to solicit feedback and input from the stakeholders, and to address any issues or concerns that may arise23.

The other options are not as important as promoting transparency to stakeholders. Justifying spending on IT projects is a benefit of documenting and communicating the IT strategic planning processes, but it is not the primary reason. Ensuring other departments are aligned with the direction set by IT is a result of documenting and communicating the IT strategic planning processes, but it is not the main purpose. Informing business units of IT department achievements is a part of documenting and communicating the IT strategic planning processes, but it is not the most important reason.

References: 1: Creating an IT Strategy Communications Plan: 5 Keys to Success4 2: IT Strategy Template for a Successful Strategic Plan | Gartner1 3: 14 Ways To Document Communications Processes For Faster … - Forbes

Organizational responsibility for IT risk management is a critical factor for the success of the program. Without clear roles and responsibilities, the program may lack accountability, coordination, communication and alignment with the business objectives. The other options are not as concerning as option A, because they do not affect the core of the program. Having risk management-related certifications is desirable, but not mandatory, for the IT risk management team. Monitoring only a few key risk indicators (KRIs) is acceptable, as long as they are relevant and meaningful for the program. Retaining IT risk training records is important, but not essential, for the program effectiveness. References := ISACA, CGEIT Review Manual, 7th Edition, Chapter 3: Benefits Realization, Section 3.2: IT Risk Management, p. 113-114.

Upon learning that business units have been independently procuring cloud services, the IT steering committee's best course of action is to define a procurement strategy based on business unit needs. This approach ensures that cloud service procurement aligns with the enterprise's overall IT strategy and governance policies while still addressing the specific requirements of individual business units. It fosters collaboration between IT and business units, ensuring that cloud services are vetted for compliance, security, and interoperability. Requiring cancellation, including business unit leadership in the EA review board, or limiting usage to open-source solutions may address aspects of the issue but do not provide a comprehensive strategy that aligns business needs with IT governance.