CGEIT Exam Dumps - Certified in the Governance of Enterprise IT Exam

An enterprise code of ethics is a set of principles and values that guide the behavior and decision-making of the organization and its members. It can help to incorporate desired organizational behaviors into the IT governance framework by establishing a common understanding and expectation of what is acceptable and unacceptable, and by promoting a culture of integrity, accountability, and responsibility. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 17.

When considering an IT change that would enable a potential new line of business, the first strategic step for IT governance would be to ensure agreement among the stakeholders regarding a vision for the future state, because this would provide a clear direction and purpose for the change, and align the IT strategy with the business strategy. A vision statement should describe the desired outcomes and benefits of the change, and reflect the enterprise’s mission, values, and goals12. References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 23-24.

According to the ISACA paper on Tactics for Effectively Communicating Cybersecurity Risk to Boards of Directors1, the most effective way to initially address the request of providing periodic updates regarding IT risk to the board is to include key IT risks in a dashboard submitted to the board quarterly. A dashboard is a visual tool that can help the board members quickly understand the current status and trends of IT risk, as well as the actions taken or planned to mitigate them. A dashboard should be concise, clear, consistent and relevant, and should highlight the most significant IT risks that could impact the enterprise’s objectives and performance. A dashboard should also align with the enterprise’s risk appetite and tolerance, and provide recommendations for improvement or escalation. The other options are not as effective as a dashboard, as they may be too detailed, too frequent, too narrow or too reactive for the board’s needs.

 According to the CGEIT exam guide, the success of IT investments is measured by the extent to which they deliver the expected benefits to the enterprise and its stakeholders. Therefore, the percentage of IT investments that meet expected benefits is the best metric to indicate the success of IT investments. This metric reflects the alignment of IT with business objectives and strategies, as well as the effectiveness and efficiency of IT processes and services. The other metrics are not directly related to the success of IT investments, but rather to the management and governance of IT. References: CGEIT Exam Candidate Guide, page 13. CGEIT Certification, Performance Measurement Metrics for IT Governance

After defining the ethical standards for an ethics program, the next step for the enterprise should be to establish a training and awareness program focused on ethics. A training and awareness program can help to communicate the ethical standards to all employees and stakeholders, and educate them on the importance, benefits, and expectations of ethical behavior. A training and awareness program can also help to foster a culture of ethics within the enterprise, and encourage employees to apply the ethical standards in their daily work and decision making. According to ISACA’s article on Ethics in IT1, “training is essential to ensure that all staff understand what is expected of them and how to apply ethical principles in their work.” Furthermore, according to ISACA’s CGEIT Domain 1: Framework for the Governance of Enterprise IT2, “training and awareness are key enablers for embedding an appropriate culture throughout the enterprise.” Therefore, establishing a training and awareness program focused on ethics is the best way to implement the ethical standards defined by the enterprise.

The risk profile of the enterprise is the most important thing to consider first when conducting a risk assessment in support of a new regulatory requirement, as it reflects the overall exposure and tolerance of the enterprise to various types of risks, such as strategic, operational, financial, or compliance risks. The risk profile of the enterprise can help determine the scope, objectives, and criteria of the risk assessment, as well as the prioritization and allocation of resources and efforts for risk identification, analysis, evaluation, and treatment. The risk profile of the enterprise can also help align the risk assessment with the enterprise’s strategy, goals, and values, as well as ensure consistency and integration with other risk management activities or processes.

Disruption to normal business operations, readiness of IT systems to address the risk, and cost burden to achieve compliance are also important things to consider when conducting a risk assessment in support of a new regulatory requirement, but they are not the first thing to consider. Disruption to normal business operations is a potential consequence or impact of the risk on the enterprise’s performance, productivity, or continuity. Disruption to normal business operations can be assessed and measured during the risk analysis or evaluation stage of the risk assessment, as well as mitigated or reduced during the risk treatment or response stage. Readiness of IT systems to address the risk is a factor that affects the capability or maturity of the enterprise’s IT infrastructure, applications, or services to comply with or support the new regulatory requirement. Readiness of IT systems to address the risk can be assessed and improved during the risk treatment or response stage of the risk assessment, as well as monitored and reported during the risk communication or review stage. Cost burden to achieve compliance is a factor that affects the feasibility or affordability of the enterprise’s actions or investments to comply with or support the new regulatory requirement. Cost burden to achieve compliance can be estimated and optimized during the risk treatment or response stage of the risk assessment, as well as balanced with the benefits or value of compliance.

The CIO should first establish a business case for the BYOD program, because a business case is a document that outlines the rationale, objectives, benefits, costs, risks, and feasibility of a proposed project or initiative1. A business case can help the CIO to justify the need and value of the BYOD program to the senior management and stakeholders, and to secure the necessary funding and resources for its implementation. A business case can also help the CIO to define the scope, requirements, and success criteria of the BYOD program, and to align it with the enterprise’s strategy, goals, and governance framework2. According to ISACA’s CGEIT Domain 2: IT Resources3, “the enterprise should have a clear business case for each IT investment decision that includes expected benefits, costs, risks and alignment with strategic objectives.” Furthermore, according to ISACA’s article on BYOD, “a business case is essential for any BYOD initiative as it helps to determine whether the benefits outweigh the costs and risks.” Therefore, establishing a business case is the best first step for the CIO who is considering introducing a BYOD program.

According to the CGEIT exam guide, the risk appetite is the amount and type of risk that an enterprise is willing to accept in pursuit of its objectives. It is a key element of the IT governance framework and should be defined by senior management before developing and managing digital applications for a new enterprise. The risk appetite provides the basis for establishing the risk management strategy, policies and processes, as well as the risk culture and awareness of the enterprise. References: CGEIT Exam Candidate Guide, page 15. CGEIT Certification