CGEIT Exam Dumps - Certified in the Governance of Enterprise IT Exam

The first thing that the enterprise should do after learning of a new regulation that may impact delivery of one of its core technology services is to assess the risk associated with the new regulation. A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and impacts of a risk event on the enterprise’s objectives, processes, and resources1. A risk assessment can help the enterprise understand the nature, scope, and severity of the new regulation, as well as its compliance requirements, costs, and benefits. A risk assessment can also help the enterprise prioritize and implement the appropriate risk responses, such as avoiding, reducing, transferring, or accepting the risk2. According to COBIT 5, one of the seven enablers of IT governance is risk management, which includes assessing IT-related risks and aligning them with enterprise risks3. The risk assessment is also part of the IT governance domain 3: Risk Management4.

The other options are not the first things that the enterprise should do after learning of a new regulation. Updating the risk management framework is a step that may be done after assessing the risk associated with the new regulation, as it involves reviewing and improving the policies, procedures, and practices for managing IT risks in the enterprise. Determining whether the board wants to comply with the regulation is a step that may be done after assessing the risk associated with the new regulation, as it involves consulting with the board and other stakeholders on the strategic and ethical implications of complying or not complying with the regulation. Requesting an action plan from the risk team is a step that may be done after assessing the risk associated with the new regulation, as it involves defining and executing the tasks and activities for achieving compliance and mitigating risk.

The best way for an IT governance board to establish standards of behavior for the adoption of artificial intelligence (AI) is to direct the creation and approval of an ethical use policy. An ethical use policy is a document that defines the principles, values, and guidelines for the responsible and ethical design, development, and deployment of AI systems and applications within the enterprise. An ethical use policy can help to ensure that AI is aligned with the enterprise’s mission, vision, goals, and values, and that it respects the rights, dignity, and interests of all stakeholders, including customers, employees, partners, regulators, and society at large. An ethical use policy can also help to address the potential risks, challenges, and impacts of AI on various aspects such as privacy, security, fairness, accountability, transparency, trustworthiness, human dignity, human agency, social good, etc. According to ISACA’s article on Developing an Artificial Intelligence Governance Framework1, “an ethical use policy is essential for any enterprise that wants to adopt AI in a responsible and sustainable manner. An ethical use policy can help to establish trust and confidence in AI among the stakeholders and customers, and to avoid or mitigate any negative consequences or harms that may arise from AI.” Furthermore, according to ISACA’s article on Governance of Responsible AI: From EthicalGuidelines to Legal Frameworks2, “an ethical use policy can provide a common framework and language for the governance of AI across different domains, sectors, and regions. An ethical use policy can also facilitate the compliance with existing laws and regulations that may apply to AI.” Therefore, directing the creation and approval of an ethical use policy is the best way for an IT governance board to establish standards of behavior for the adoption of AI.

According to the CGEIT exam guide, the main focus of IT policies is to provide business value by aligning IT with business objectives and strategies, ensuring effective and efficient use of IT resources, and delivering IT-enabled capabilities that meet stakeholder needs and expectations. IT policies should also support the optimization of operational benefits, the enhancement of organizational capability, and the limitation of IT costs, but these are not the main focus of IT policies. References: CGEIT Exam Candidate Guide, page 13. CGEIT Certification

IT governance is the process of ensuring that IT supports the business objectives and strategies of the enterprise, and that IT investments and resources are aligned with the enterprise’s needs and priorities. When individual business units design their own IT solutions without consulting the IT department, they may create solutions that are not compatible with the existing enterprise goals, such as customer satisfaction, operational efficiency, regulatory compliance, or innovation. This can result in duplication of efforts, waste of resources, increased complexity, security risks, or missed opportunities. Therefore, it is important for IT governance to establish a clear vision, strategy, and framework for IT that guides the business units in developing andimplementing IT solutions that support the enterprise goals. Some examples of IT governance frameworks are COBIT1, ITIL2, and ISO/IEC 385003. References :=

COBIT | ISACA

ITIL | AXELOS

ISO/IEC 38500:2015(en), Information technology — Governance of IT for the organization

This should be the committee’s first action, as it will help to define how the IT function supports and enables the overall business strategy and objectives of the enterprise1. An IT strategic plan is a document that outlines the vision, mission, goals, and initiatives of the IT function, as well as the resources, processes, and metrics required to achieve them1. By creating an IT strategic plan, the committee can align IT with business needs and expectations, optimize IT investments andresources, manage IT risks and opportunities, and deliver value to the stakeholders1. Creating an IT strategic plan can also help to communicate and demonstrate the role and contribution of IT to the enterprise’s success, and to gain the support and commitment of the board of directors and senior management1.

The other options are not as important or effective as creating an IT strategic plan, as they are either specific solutions or outcomes of the IT strategic plan, but not comprehensive steps. Implementing a continuous improvement plan may help to enhance the quality and efficiency of IT services and processes, but it may not address the root cause or causes of IT not sufficiently supporting the corporate objectives, which could be related to other factors, such as strategy alignment, value delivery, resource management, or risk optimization2. Specifying IT human resource performance measures may help to evaluate and improve the skills and productivity of IT staff, but it may not address the root cause or causes of IT not sufficiently supporting the corporate objectives, which could be related to other factors, such as stakeholder engagement, communication, collaboration, or feedback3. Developing a service level management plan may help to define and monitor the expectations and agreements for IT service delivery between IT providers and customers, but it may not address the root cause or causes of IT not sufficiently supporting the corporate objectives, which could be related to other factors, such as business requirements, customer satisfaction, innovation, or agility.

An enterprise that wishes to establish key risk indicators (KRIs) in an effort to better manage IT risk should first identify the enterprise risk appetite, because this would help to define the level of risk that the enterprise is willing and able to accept in pursuit of its objectives and value creation. The enterprise risk appetite should consider the external and internal factors that influence the IT environment, such as market trends, customer demands, innovation opportunities, regulatory requirements, and business strategies12. The KRIs should align with the enterprise risk appetite, and measure the potential impact and likelihood of the risks that may affect the IT performance and outcomes12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 75-76.

 The FIRST step when defining responsibilities for ownership of information and systems is to require an inventory of information assets. An information asset is any data, device, or other component of the environment that supports information-related activities1. An inventory of information assets is a comprehensive list of all the information assets that an organization owns, controls, or uses2. By creating an inventory of information assets, an organization can:

Identify the types, locations, formats, and volumes of information assets3

Determine the value, sensitivity, and criticality of information assets4

Assign ownership and accountability for information assets5

Establish appropriate security controls and protection measures for information assets6

Monitor and audit the usage and lifecycle of information assets7

The other options are not as important as option D. While it is important to require an information risk assessment, identify systems that are outsourced, and ensure information is classified, these are subsequent steps that depend on the availability and accuracy of the inventory of information assets. Without an inventory of information assets, it would be difficult to perform a risk assessment, identify outsourced systems, or classify information according to its value and sensitivity. References :=

Information Asset - an overview | ScienceDirect Topics1

Information Asset Inventory - NIST CSRC2

How to Create an Information Asset Inventory - Infosec Resources3

Information Asset Valuation: A Methodology - ISACA4

Data Ownership: Considerations for Risk Management - ISACA5

Information Asset Protection - NIST CSRC6

Information Asset Management - NIST CSRC7

The first step in updating an IT strategic plan is to identify changes in enterprise goals. An IT strategic plan is a document that defines how the IT function supports the overall business strategy and objectives of an enterprise1. It should be aligned with and driven by the enterprise goals, which may change over time due to internal or external factors, such as market conditions, customer demands, competitor actions, regulatory requirements, or organizational changes2. Therefore, before updating the IT strategic plan, it is essential to identify and understand the changes in enterprise goals and their implications for IT. This will help to ensure that the IT strategic plan remains relevant, realistic, and effective in delivering value to the enterprise. References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 2: IT Resources, Section 2.1: IT Strategy Development and Maintenance, Subsection 2.1.1: IT Strategy Development Process, Page 55-56. What is an IT Strategic Plan?.