Which of the following should be the FIRST step for executive management to take in communicating what is considered acceptable use with regard to personally owned devices for company business?
Correct Answer: B
The first step for executive management to take in communicating what is considered acceptable use with regard to personally owned devices for company business is to develop and disseminate an applicable policy. A policy is a written set of rules and guidelines that defines the scope, objectives, roles, and responsibilities of the BYOD program. A policy also specifies the security, privacy, and usage requirements and expectations for the employees and the organization. A policy helps to establish a clear and consistent understanding of what is acceptable and unacceptable when using personal devices for work purposes, and what are the consequences of non-compliance. A policy also helps to mitigate the potential risks and challenges associated with BYOD, such as data breaches, device loss or theft, malware infections, legal liabilities, and support issues. A policy should be developed in consultation with relevant stakeholders, such as IT, HR, legal, and business units, and disseminated to all employees through various channels, such as email, intranet, training sessions, and awareness campaigns. Reference: BYOD Policies for Organizations (4 Examples) - Dashlane1, Mobile Device Security-Bring Your Own Device (BYOD): Draft SP 1800-22 ...2, Personally Owned Device Policy - FBI
Question 87
Supply chain management has established a supplier policy requiring multiple technology suppliers. What is the BEST way to ensure the success of this policy?
Correct Answer: D
Aligning EA and procurement strategies is the best way to ensure the success of the supplier policy that requires multiple technology suppliers. EA provides a holistic view of the current and future state of the enterprise's IT architecture, including its business processes, applications, data, infrastructure, and security. Procurement strategies define how the enterprise will acquire the necessary IT resources, services, and solutions from external suppliers. By aligning EA and procurement strategies, the enterprise can ensure that the supplier selection and management are consistent with the enterprise's vision, goals, and requirements, and that the suppliers can deliver value, quality, and innovation to the enterprise. References: CGEIT Domain 2: IT Resources
Question 88
A project sponsor has circumvented the request for proposal (RFP) selection process. Which of the following is the MOST likely reason for this control gap?
Correct Answer: C
According to the web search results, a request for proposal (RFP) is a formal document that solicits proposals from potential vendors for a product or service. The RFP process is intended toensure a fair, transparent and objective selection of the best vendor that meets the requirements and expectations of the project sponsor and the enterprise. The RFP process typically involves the following steps1: Planning and preparation: Define the scope, objectives, budget, timeline and evaluation criteria of the project. Identify the stakeholders and decision makers involved in the RFP process. Research the market and potential vendors. Develop the RFP document that outlines the project details, requirements, expectations and instructions for the vendors. Issuing and advertising: Distribute the RFP document to the potential vendors, either directly or through public channels. Provide a deadline for submitting proposals and a contact person for inquiries. Advertise the RFP opportunity to attract more qualified vendors. Receiving and reviewing: Receive the proposals from the vendors by the deadline. Review and evaluate the proposals based on the predefined criteria, such as technical capabilities, experience, references, pricing, etc. Shortlist the most suitable vendors for further consideration. Negotiating and awarding: Conduct negotiations with the shortlisted vendors to clarify any questions, concerns or issues. Discuss the terms and conditions of the contract, such as scope, deliverables, schedule, payment, etc. Select the best vendor that offers the most value and benefit to the project and the enterprise. Award the contract to the chosen vendor and notify the other vendors of the decision. Managing and monitoring: Manage and monitor the performance and progress of the vendor throughout the project lifecycle. Ensure that the vendor meets the contractual obligations and delivers quality results on time and within budget. Provide feedback and support to the vendor as needed. Resolve any conflicts or disputes that may arise. A project sponsor who circumvents the RFP selection process violates the established policies and procedures of the enterprise, as well as undermines the integrity and credibility of the RFP process. The most likely reason for this control gap is a lack of accountability for policy adherence, which means that there is no clear assignment of roles and responsibilities for following and enforcing the policies, or no effective mechanisms for monitoring and reporting policy compliance, or no adequate consequences for policy violations. A lack of accountability for policy adherence can lead to poor governance, increased risk, reduced value and damaged reputation for both the project sponsor and the enterprise23. Therefore, it is essential to establish and maintain a strong culture of accountability for policy adherence within the enterprise, as well as to implement appropriate controls and measures to ensure compliance with policies. References: The RFP process: The Ultimate Step-by-Step Guide, Criteria and Methodology for GRC Platform Selection, The Ultimate RFP Guide: Steps, Guidelines & Template, Guidebook: Crafting a Driven Request for Proposals (RFP)
Question 89
Which of the following is the BEST indication of an effective information governance model?
Correct Answer: A
An effective information governance model is best indicated when senior management ensures that quality goals are defined for information. This top-down approach demonstrates a commitment to managing information as a strategic asset, with clear quality objectives that align with business goals. It ensures accountability and sets the tone for information governance practices across the organization. While the roles of the CIO, enterprise architects, and process owners are important, the involvement of senior management in defining quality goals is a key indicator of an effective governance model.
Question 90
An enterprise can BEST assess the benefits of a new IT project through its life cycle by:
Correct Answer: B
A business case is a document that outlines the rationale, objectives, benefits, costs, risks and alternatives of a proposed IT project. A business case should be reviewed periodically throughout the project life cycle to ensure that the project is still aligned with the enterprise's strategy and goals, and that the expected benefits are still achievable and realistic. A periodic review of the business case can also help to identify any changes or issues that may affect the project's scope, schedule, budget or quality, and to take corrective actions accordingly. Reference: ISACA, CGEIT Review Manual, 7th Edition, 2019, page 77. A guide to measuring benefits effectively. Cost-Benefit Analysis: A Quick Guide with Examples and Templates.
