An enterprise has learned of a new regulation that may impact delivery of one of its core technology services. Which of the following should be done FIRST?
Correct Answer: C
The first thing that the enterprise should do after learning of a new regulation that may impact delivery of one of its core technology services is to assess the risk associated with the new regulation. A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and impacts of a risk event on the enterprise's objectives, processes, and resources. A risk assessment can help the enterprise understand the nature, scope, and severity of the new regulation, as well as its compliance requirements, costs, and benefits. A risk assessment can also help the enterprise prioritize and implement the appropriate risk responses, such as avoiding, reducing, transferring, or accepting the risk. According to COBIT 5, one of the seven enablers of IT governance is risk management, which includes assessing IT-related risks and aligning them with enterprise risks. The risk assessment is also part of the IT governance domain 3: Risk Management.

The other options are not the first things that the enterprise should do after learning of a new regulation. Updating the risk management framework is a step that may be done after assessing the risk associated with the new regulation, as it involves reviewing and improving the policies, procedures, and practices for managing IT risks in the enterprise. Determining whether the board wants to comply with the regulation is a step that may be done after assessing the risk associated with the new regulation, as it involves consulting with the board and other stakeholders on the strategic and ethical implications of complying or not complying with the regulation. Requesting an action plan from the risk team is a step that may be done after assessing the risk associated with the new regulation, as it involves defining and executing the tasks and activities for achieving compliance and mitigating risk.
Question 7
Which of the following roles has PRIMARY accountability for the security related to data assets?
Correct Answer: B
The role that has primary accountability for the security related to data assets is the data owner. A data owner is a person who is generally in a senior company position, responsible for the categorization, protection, usage, and quality of one or more data sets. The data owner must ensure that the information within their domain is correctly maintained across various platforms and business processes, and that it is secured from unauthorized access and misuse. The data owner also has the authority to grant or revoke access rights to the data, and to define and enforce data security policies and standards. Therefore, the data owner is the primary accountable role for the security related to data assets.

References: Data Owners vs. Data Stewards vs. Data Custodians - CPO Magazine; CISSP domain 2: Asset security - Infosec Resources
Question 8
Which of the following should be considered FIRST when assessing the implications of new external regulations on IT compliance?
Correct Answer: A
When assessing the implications of new external regulations on IT compliance, the first consideration should be the IT policies and procedures that need revision. This initial focus ensures that the foundational guidelines governing IT operations are aligned with the new regulatory requirements, forming the basis for compliance. While the resource burden for implementation, gaps in skills and experience of IT employees, and the impact on contracts with service providers are important considerations, they follow the primary step of ensuring that IT policies and procedures are in compliance with new regulations.
Question 9
Which of the following should be the PRIMARY governance objective for selecting key risk indicators (KRIs) related to legal and regulatory compliance?
Correct Answer: A
Key risk indicators (KRIs) are metrics that measure the likelihood and impact of potential or actual risks. KRIs related to legal and regulatory compliance are designed to help the enterprise monitor and manage the risk of violating laws, regulations, standards, or ethical practices that apply to its operating environment. The primary governance objective for selecting KRIs related to legal and regulatory compliance should be to identify the risk of noncompliance, which means assessing the probability and severity of compliance breaches, as well as the root causes and consequences of such breaches. By identifying the risk of noncompliance, the enterprise can take proactive measures to prevent, mitigate, or remediate compliance issues, and to ensure that its compliance program is effective, efficient, and aligned with its business objectives and strategies.

References: CGEIT Exam Content Outline | ISACA; CGEIT Review Manual (Digital Version); Compliance Metrics and KPIs For Measuring Compliance Effectiveness - RiskOptics; 11 Key Compliance KPIs + Examples (& Why You Should Track Them ...
Question 10
Which of the following has the tendency or inclination of outlook that is a troublesome source of error in human sensing?