Which of the following categories measures the health of the organization and the working environment of its employees?
Correct Answer: B
Question 107
An IT governance committee wants to ensure there is a clear description of the "data owner" in the enterprise data policy. Which of the following would BEST define the owner of data stored in an external cloud?
Correct Answer: A
The owner of data stored in an external cloud is the business leader who is most impacted by the loss of data. This is because the data owner is the person who has the accountability and authority over a specific dataset, and who is responsible for its security, quality, classification, and access control [1][2]. The data owner is usually a senior-level employee or a subject-matter expert who has the knowledge and motivation to ensure that the data is handled correctly and in compliance with policies and regulations [2]. The data owner is not the same as the data custodian, who is the person who implements the technical and operational measures to protect and manage the data according to the data owner's directives [2]. Therefore, the risk manager, the contract manager, and the vendor are not the data owners, as they do not have the final say or accountability over the data stored in the external cloud.
Reference:
[1] What Is a Data Owner? - Firewall Times
[2] Data Owners vs. Data Stewards vs. Data Custodians - CPO Magazine
Question 108
Which of the following would provide the MOST useful information to understand the associated risks when implementing a new digital transformation strategy?
Correct Answer: C
Question 109
An enterprise has learned of a new regulation that may impact delivery of one of its core technology services. Which of the following should be done FIRST?
Correct Answer: D
A new regulation introduces a potential risk that must be assessed to understand its impact on the enterprise's operations and compliance obligations. The CGEIT Review Manual 8th Edition stresses that the first step in addressing new risks, such as regulations, is to conduct a risk assessment to evaluate their significance and implications.
* Extract from CGEIT Review Manual 8th Edition (Domain 3: Risk Optimization): "When a new regulation is identified, the first step is to assess the associated risk, including its potential impact on operations, compliance requirements, and the likelihood of enforcement. This assessment informs subsequent actions, such as developing mitigation plans or updating governance frameworks." (Approximate reference: Domain 3, Section on Risk Assessment)
Assessing the risk associated with the new regulation (option D) provides the enterprise with a clear understanding of the regulation's impact, enabling informed decisions about compliance, mitigation, or strategic adjustments.
* Why not the other options?
* A. Request an action plan from the risk team: An action plan is premature without first assessing the risk's scope and impact.
* B. Determine whether the board wants to comply with the regulation: The board's decision on compliance should be informed by a risk assessment, not precede it.
* C. Update the risk management framework: Updating the framework may be necessary later but is not the first step, as the specific risk must be understood first.
References: ISACA CGEIT Review Manual 8th Edition, Domain 3: Risk Optimization, Section on Risk Assessment and Regulatory Compliance. ISACA CGEIT Study Guide, Chapter on Risk Management Processes.
Question 110
Which of the following MOST effectively prevents an IT system from becoming technologically obsolete before its planned return on investment (ROI)?
Correct Answer: D
Ensuring that the system is maintained in compliance with enterprise architecture (EA) standards is the most effective way to prevent an IT system from becoming technologically obsolete before its planned return on investment (ROI), because it ensures that the system is aligned with the current and future business needs, goals, and strategies of the organization. EA standards define the principles, guidelines, and best practices for designing, developing, and managing IT systems in a consistent, coherent, and integrated manner across the organization. By following EA standards, IT leaders can ensure that the system is compatible with the existing and emerging technologies, platforms, and frameworks that support the business processes and functions. EA standards also help IT leaders to monitor and evaluate the performance, quality, security, and reliability of the system, and to identify and address any gaps, issues, or risks that may affect its functionality or value. EA standards also facilitate communication and collaboration among the different stakeholders involved in the system lifecycle, such as business users, IT staff, vendors, and auditors. By maintaining the system in compliance with EA standards, IT leaders can ensure that the system delivers the expected benefits and value to the organization and achieves its planned ROI.
Reference: ISO/IEC/IEEE 42020:2019(en), Software, systems and enterprise - Architecture processes; Sample: Enterprise Architecture Standards - CIO Portal; Obsolescence management for IT leaders - Information Age