CGEIT Exam Dumps - Certified in the Governance of Enterprise IT Exam

The impact of information exposure is the most important factor for an enterprise to review when classifying information assets, because it helps to determine the level of sensitivity and protection that the information assets require. Information assets are classified according to their confidentiality, integrity, and availability, which reflect the potential harm or loss that could result from unauthorized disclosure, modification, or destruction of the information assets. The impact of information exposure can be assessed in terms of financial, reputational, legal, operational, or strategic consequences for the enterprise and its stakeholders. The impact of information exposure can also vary depending on the context, scope, and duration of the exposure. Therefore, by reviewing the impact of information exposure, an enterprise can assign appropriate labels and controls to its information assets, and ensure that they are handled and stored securely and appropriately. References := Information classification according to ISO 27001, Information Asset and Security Classification Procedure, Information Classification Standard.

Internal audit is an independent and objective function that provides assurance and consulting services to the enterprise on the effectiveness and efficiency of its governance, risk management, and control processes1. By including internal audit as a stakeholder, the enterprise can benefit from its knowledge, expertise, and perspective on IT-related issues and risks, such as IT strategy alignment, IT performance measurement, IT value delivery, IT resource management, IT risk management, and IT compliance2. Internal audit can also provide input on the design, implementation, and evaluation of the IT governance framework, policies, standards, and procedures, as well as recommend improvements and best practices2. Therefore, internal audit provides input on relevant issues and control processes, which is the most important reason to include it as a stakeholder when establishing clear roles for the governance of IT.

The other options are not as important or accurate as option D. Internal audit does not have knowledge and technical expertise to advise on IT infrastructure, as this is not its primary role or responsibility. Internal audit is not accountable for the overall enterprise governance of IT, as this is the responsibility of the board of directors and senior management3. Internal audit does not implement controls over IT risks and security, as this is the responsibility of the IT function and other business units4.

As part of the implementation of IT governance, the board of an enterprise should establish an IT strategy committee to provide input to and ensure alignment of the enterprise and IT strategies, because this would enable the board to oversee and direct the IT function in a way that supports the enterprise’s vision, mission, goals, and objectives. The IT strategy committee should consist of board members and senior executives who have a stake in the IT performance and value delivery, and who can communicate and coordinate with other board committees and business units. The IT strategy committee should also review and approve the IT strategic plan, monitor the IT performance and outcomes, and ensure the alignment of IT resources and capabilities with the enterprise’s needs and expectations1 . References := ISACA, CGEIT Review Manual, 7th Edition, 2019, page 19-20.

The BEST time for the enterprise to plan for the event of contract termination is when developing the initial contract. Contract termination is the process of ending a contractual relationship between two parties, either by mutual agreement or by exercising a right to terminate under the contract terms1. Contract termination can have significant impacts and implications for both parties, such as loss of revenue, loss of service, loss of data, legal disputes, reputational damage, etc.2 Therefore, it is important to plan for the event of contract termination in advance, and include appropriate provisions and mechanisms in the contract to ensure a smooth and orderly exit3.

Some of the benefits of planning for contract termination when developing the initial contract are4:

• It clarifies the expectations and obligations of both parties in case of contract termination, such as the notice period, the termination fees, the transition services, the data return or destruction, etc.
• It reduces the risks and costs associated with contract termination, such as service disruption, data loss, litigation, penalties, etc.
• It enables faster and more effective resolution of contract termination issues, such as dispute resolution, arbitration, mediation, etc.
• It fosters a positive and professional relationship between the parties, even in case of contract termination, by avoiding surprises, conflicts, or misunderstandings.

Therefore, planning for contract termination when developing the initial contract is the best time for the enterprise to ensure a successful and beneficial outsourcing engagement.

Negotiating service level agreements (SLAs) is the best way for an organization to minimize the difference between expected and delivered services when acquiring resources, because SLAs define the scope, quality, availability, performance, and security of the services that the provider will deliver to the customer. SLAs also specify the roles and responsibilities, escalation procedures, and penalties for non-compliance of both parties. By negotiating SLAs, the organization can ensure that its expectations and requirements are clearly communicated and agreed upon by the provider, and that there are mechanisms to measure and monitor the service delivery and outcomes. Negotiating SLAs also helps to prevent or resolve any disputes or issues that may arise from the service provision, and to ensure that the organization receives the value and benefits that it expects from the provider. One of the sources that supports this answer is Service-level Agreement: 3 Types And Templates - Contract Lawyers, which states that “A service-level agreement is important because it: Protects both parties: The SLA sets standards for the service, ensuring both the service provider and end user are on the same page with expectations.”

Increasing the maturity of IT process from being ad hoc to being repeatable means that the process is documented and followed consistently, resulting in more predictable and reliable outcomes. According to the capability maturity model for the IT governance process, a repeatable level indicates that “required outcomes are more frequently achieved” 1. References: CGEIT Domain 1: Framework for the Governance of Enterprise IT

Total cost of ownership (TCO) is the purchase price of an asset plus the costs of operation over its lifespan1. TCO includes hardware and software acquisition, management and support, communications, end-user expenses and the opportunity cost of downtime, training and other productivity losses2. By considering TCO in investment decisions, an enterprise can avoid unexpected costs and optimize the value of its IT assets3. A policy to consider TCO in investment decisions can help the enterprise to plan ahead for the lease or purchase of IT infrastructure and software licenses, and avoid cost overruns due to lease extensions or other factors. References :=

• CGEIT Review Manual (Digital Version), Chapter 4: Value Optimization, Section 4.2: IT Value Delivery, Subsection 4.2.3: IT Resource Management, Page 123
• CGEIT Review Manual (Print Version), Chapter 4: Value Optimization, Section 4.2: IT Value Delivery, Subsection 4.2.3: IT Resource Management, Page 123
• How to Calculate Total Cost of Ownership for Software - GetApp4
• Total Cost of Ownership: How It’s Calculated With Example - Investopedia1

 IT goals and objectives are the desired outcomes and targets that IT aims to achieve in support of the business strategy and objectives. IT goals and objectives should be defined first before establishing IT key risk indicators (KRIs), because they provide the direction and scope for the IT risk management process. KRIs are metrics that measure and monitor the level and trend of risk exposure, and help to identify and manage potential threats or opportunities that could affect the achievement of IT goals and objectives1. Therefore, by defining IT goals and objectives first, an enterprise can ensure that its KRIs are relevant, aligned, and consistent with its IT strategy and value delivery2. References := Key Risk Indicators (KRIs) - ISACA, Integrating KRIs and KPIs for Effective Technology Risk Management - ISACA.