Passed Exam Today CGEIT

The best course of action for the CIO in this scenario is to identify business risk appetite and tolerance levels. Risk appetite is the amount and type of risk that an organization is willing to pursue, retain, or take in order to achieve its strategic objectives. Risk tolerance is the acceptable level of variation from the risk appetite. By identifying the business risk appetite and tolerance levels, the CIO can align the IT strategy and operations with the business goals, needs, and expectations, and ensure that the IT risks are managed within the acceptable boundaries. Identifying the business risk appetite and tolerance levels can also help the CIO to communicate and justify the IT decisions and actions to the senior management, board, and stakeholders, and to balance the costs and benefits of IT investments and initiatives. According to CPG 235 – Managing Data Risk, “The adequacy of data controls in ensuring that a regulated entity operates within its risk appetite would normally be assessed as part of introducing new business processes and then on a regular basis thereafter (or following material change to either the process, usage of data, internal controls or external environments).”

 An IT investment portfolio is a collection of IT projects, programs, and services that are funded and implemented by an enterprise to achieve its strategic and operational objectives. An IT investment portfolio should be reviewed first to ensure IT congruence with the new business strategy, as it would help to align the IT investments with the business goals, priorities, and needs. A review of the IT investment portfolio would also help to identify and evaluate the current and planned IT initiatives, assess their costs, benefits, risks, and value, and optimize the allocation of IT resources and capabilities. The other options are not as relevant, as they are more related to the execution or delivery of IT activities, rather than the planning or direction of them. References: : CGEIT Review Manual (Digital Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.1: IT Investment Management Overview, Page 97 : CGEIT Review Manual (Digital Version), Chapter 3: Benefits Realization, Section 3.2: IT Investment Management, Subsection 3.2.4: IT Investment Management Process, Page 104 : The Power of IT Investment Risk Quantification and Visualization: IT Portfolio Management

A policy is a document that defines the rules and guidelines for how an organization conducts its activities and operations. A policy can help to ensure the compliance, consistency, and quality of the organization’s performance and outcomes1. A policy typically consists of several components, such as purpose, scope, terms and definitions, roles and responsibilities, procedures, compliance, and review2.

From a governance perspective, one of the most important components of a policy is roles and responsibilities, because it clarifies who is accountable and responsible for implementing, enforcing, monitoring, and improving the policy. Roles and responsibilities can help to establish the authority, accountability, and communication among different stakeholders involved in the policy, such as the board of directors, senior management, business units, IT staff, customers, regulators, etc. Roles and responsibilities can also help to avoid confusion, duplication, or conflict of work among the stakeholders3 .

The governance of enterprise IT (GEIT) is the system by which the current and future use of IT is directed and controlled by an organization. GEIT aims to ensure that IT supports the organization’s strategy and objectives, delivers value and benefits, manages risks and resources, and measures performance and outcomes. GEIT requires a clear definition of roles and responsibilities for the IT governance policies, processes, structures, and relationships. Some of the common roles and responsibilities involved in GEIT are:

• The board of directors: provides strategic direction, oversight, and approval for IT governance
• The senior management: provides leadership, support, and guidance for IT governance
• The business units: provide input, feedback, and collaboration for IT governance
• The IT function: provides execution, delivery, and improvement for IT governance
• The audit function: provides assurance, evaluation, and recommendation for IT governance
• The external stakeholders: provide requirements, expectations, and compliance for IT governance References: What is a Policy? Definition & Examples. Policy Components: Definition & Examples. Roles & Responsibilities in Policy Development. [Policy Development: Roles & Responsibilities]. [What is IT Governance? Definition & Frameworks]. [IT Governance Roles & Responsibilities]. [Roles & Responsibilities in IT Governance].

 An enterprise acceptable use policy is the most important document to update if a decision is made to ban end user-owned devices in the workplace, as it defines and communicates the rules and guidelines for the appropriate and secure use of IT resources and services by the employees and other authorized users. An enterprise acceptable use policy also helps to protect the enterprise’s data, assets, and reputation from unauthorized or malicious access, disclosure, or damage12. Updating the enterprise acceptable use policy to reflect the ban on end user-owned devices can help to ensure compliance, awareness, and enforcement of the decision. References := CGEIT Exam Content Outline, Domain 1, Subtopic C: Information Governance, Task 2: Ensure that information governance processes are aligned with the enterprise risk management (ERM) processes.