Isaca CGEIT - Certified in the Governance of Enterprise IT Exam

The CIO is responsible for the overall IT governance and ensuring that IT supports the business objectives and strategy. The CIO should also ensure that IT staff have the necessary skills and competencies to perform their roles effectively and efficiently. The CIO should address the root cause of the service disruption and take corrective actions to prevent recurrence. References := CGEIT Review Manual, 27th Edition, Domain 1: Governance of Enterprise IT, page 17-18.

A key governance consideration for the IT steering committee when evaluating vendors to provide mobile device management (MDM) services is to ensure that the service level targets align with the business requirements. Service level targets are the measurable and agreed-upon levels of performance and quality that the vendor is expected to deliver for the MDM services. These targets should reflect the business needs and expectations of the organization, such as availability, reliability, security, scalability, and functionality of the MDM services. Service level targets should also be realistic, achievable, and verifiable, and should be specified in the service level agreements (SLAs) that are part of the contract with the vendor. By ensuring that the service level targets align with the business requirements, the IT steering committee can facilitate the selection of a suitable and reliable vendor that can provide effective and efficient MDM services for the organization. References: CGEIT Exam Content Outline | ISACA1, CGEIT Review Manual (Digital Version), Mobile Device Management (MDM) - Gartner2, How to Set Service Level Targets for Your IT Support Team

Security awareness training is the best way to ensure employees understand how to protect sensitive corporate data on their mobile devices, as it can educate them on the risks, policies, and best practices of BYOD and MDM. Security awareness training can also help employees recognize and avoid common threats, such as phishing, malware, and data leakage. Security procedures, BYOD policy, and NDAs are also important, but they are not sufficient to ensure employees have the knowledge and skills to secure their mobile devices. Security procedures and BYOD policy need to be communicated and enforced effectively, and NDAs only protect the legal rights of the organization, not the actual data on the devices. References := The Ultimate Guide to BYOD Security: Definition & More - Digital Guardian; What is BYOD? | IBM; How to have secure remote working with a BYOD policy; 5 Best Practices in BYOD Policy for Small Business - Scalefusion; BYOD Reignited: How To Get It Right This Time - Forbes.

 An IT value delivery framework primarily helps an enterprise optimize value to the enterprise, because it provides a systematic and holistic approach to planning, building, and delivering IT solutions that meet the business needs and objectives. An IT value delivery framework helps to align IT strategy with business strategy, ensure effective governance and management of IT resources and processes, measure and monitor IT performance and outcomes, and continuously improve IT value creation and delivery1. An IT value delivery framework also helps to balance the benefits, costs, and risks of IT investments, and to ensure that IT delivers value to the enterprise in terms of efficiency, effectiveness, agility, innovation, and customer satisfaction2.

References := IT Governance: Definition, Frameworks, and Best Practices - InvGate, What is Value-Based Delivery? | Blog | Digital.ai.

The BEST method for the IT strategy committee to evaluate how well the IT department supports the business strategy is to use IT balanced scorecard reporting. An IT balanced scorecard (BSC) is a strategic management tool that translates the IT vision and mission intomeasurable objectives, indicators, targets, and initiatives across four perspectives: financial, customer, internal process, and learning and growth1. An IT balanced scorecard reporting is a process of collecting, analyzing, and communicating the performance data and results of the IT department based on the IT BSC framework2. An IT balanced scorecard reporting can help to:

Align the IT objectives and activities with the business strategy and expectations3

Monitor and evaluate the efficiency, effectiveness, and value of the IT department

Identify the strengths, weaknesses, opportunities, and threats of the IT department

Communicate and demonstrate the contribution and impact of the IT department to the business outcomes

Therefore, an IT balanced scorecard reporting is the most suitable method for the IT strategy committee to assess how well the IT department supports the business strategy.

The other options are not as good as option C. While it is useful to conduct a capability maturity assessment, a customer survey analysis, or an IT controls assurance program, these are not comprehensive enough to evaluate how well the IT department supports the business strategy. They are rather focused on specific aspects of the IT department, such as its processes, services, or controls. They do not necessarily cover all four perspectives of the IT BSC framework, which provide a holistic view of the IT performance and alignment with the business strategy. References :=

The IT Balanced Scorecard (BSC) Explained - BMC Software1

What Is a Balanced Scorecard (BSC), How Is it Used in Business?2

How to Align Your Business Strategy with Your Technology Strategy …3

How to Measure Your Strategic Plan’s Success - dummies

SWOT Analysis: What It Is and When to Use It - Business News Daily

How to Communicate Strategy Effectively - ClearPoint Strategy

 Information ownership is the right and responsibility to define, classify, protect, and manage the data assets of an enterprise. When using a cloud-based application, the enterprise should ensure that it retains the ownership and control of its information, and that it complies with the relevant laws and regulations regarding data privacy, security, and sovereignty12. The enterprise should also establish clear policies and agreements with the cloud service provider and the internal and external parties regarding the access, usage, storage, transfer, retention, and disposal of the information12. By considering information ownership, the enterprise can mitigate the risks and challenges of using a cloud-based application, such as data breaches, unauthorized access, vendor lock-in, legal disputes, or reputational damage12.

The other options are not as important as information ownership, as they are secondary or dependent factors. Cloud implementation model is the type of cloud service that the enterprise chooses to use, such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS)3. Cloud implementation model can affect the cost, performance, scalability, and flexibility of the cloud-based application, but it does not directly affect the ownership and governance of the information3. User experience is the perception and satisfaction of the users when interacting with the cloud-based application. User experience can affect the adoption, engagement, and productivity of the users, but it does not directly affect the ownership and governance of the information. Third-party access rights are the permissions and restrictions that the enterprise grants to external parties to access and use its information through the cloud-based application. Third-party access rights can affect the security and privacy of the information, but they are determined by the information ownership policies and agreements that the enterprise establishes with the cloud service provider and the external parties12.

The main goal of the IT strategy committee after establishing stakeholder desired outcomes should be to ensure IT risk alignment with enterprise risk. IT risk alignment means that the IT risk management program is consistent and integrated with the enterprise risk management (ERM) program, and that the IT risks are identified, assessed, and treated in relation to the enterprise’s objectives, strategies, and risk appetite. IT risk alignment can help the enterprise achieve the following benefits1:

Enhance the value delivery of IT to the business

Improve the decision making and prioritization of IT investments and initiatives

Reduce the likelihood and impact of IT-related incidents and losses

Increase the resilience and agility of IT in responding to changes and disruptions

Strengthen the governance and accountability of IT performance and compliance

To ensure IT risk alignment with enterprise risk, the IT strategy committee should perform the following tasks2:

Define the scope, objectives, and criteria for IT risk management

Establish the roles and responsibilities for IT risk management

Align the IT risk management framework and processes with the ERM framework and processes

Communicate and collaborate with the ERM function and other stakeholders on IT risk issues

Monitor and review the effectiveness and maturity of IT risk management

The other options are not the main goal of the IT strategy committee after establishing stakeholder desired outcomes. Identifying business data that requires protection, performing a risk analysis on key IT processes, and implementing controls to address high risk areas are steps that are part of the IT risk management process, but they are not specific to ensuring IT risk alignment with enterprise risk. These steps should be done by the IT risk management function or team, under the guidance and oversight of the IT strategy committee.

An enterprise is determining the objectives for an IT training improvement initiative from a governance perspective. Governance is the process of decision-making and implementation that involves various actors and structures, both formal and informal1. Governance aims to achieve good governance, which is characterized by participation, consensus, accountability, transparency, responsiveness, effectiveness, efficiency, equity, inclusion, and rule of law2. Therefore, it would be most important to ensure that the policies and processes for IT training address both the enterprise requirements and the professional growth of the IT employees. This would ensure that the IT training is aligned with the strategic goals and priorities of the enterprise, as well as the needs and expectations of the IT staff. It would also foster a culture of learning and development that enhances the performance, quality, and value of IT services345. The other options are not the most important objectives for an IT training improvement initiative from a governance perspective. Identifying courses of instruction that will maximize employee productivity, creating several different training strategies for final approval by the CIO, and surveying and interviewing IT employees to identify development needs are all useful steps or methods for designing and implementing an IT training improvement initiative, but they are not the ultimate objectives or outcomes. They are subordinate or instrumental to the main objective of addressing both the enterprise requirements and the professional growth of the IT employees through policies and processes that reflect good governance principles345. References:

3: https://topworkplaces.com/improving-training-and-development-strategies/

4: https://shrm.org/ResourcesAndTools/hr-topics/organizational-and-employee-development/Pages/Key-Steps-for-Better-Training-Development-Programs.aspx

5: https://www.forbes.com/sites/forbeshumanresourcescouncil/2021/07/13/12-ways-to-implement-successful-employee-training-initiatives/

1: https://link.springer.com/article/10.1007/s40647-017-0197-4

2: https://www.unescap.org/sites/default/files/good-governance.pdf

The first action taken by a newly formed IT governance committee to ensure reports are compliant with regulations and identify key IT risks should be to develop and monitor IT key risk indicator (KRI) triggers. IT KRIs are metrics that measure the likelihood and impact of IT-related risks on the enterprise’s objectives and goals. IT KRI triggers are thresholds or values that indicate when a risk is approaching or exceeding an acceptable level, requiring attention or action from the IT governance committee. Developing and monitoring IT KRI triggers can help the committee to identify, prioritize, and manage IT risks, as well as to ensure compliance with regulations and policies.

Directing the development of a reporting communication plan, training end users on regulation requirements, and implementing a mechanism to ensure reporting escalation are also important actions for the IT governance committee, but they are not the first step. A reporting communication plan is a document that defines the purpose, scope, format, frequency, audience, and distribution of IT reports, as well as the roles and responsibilities of the report creators and recipients. A reporting communication plan can help the committee to communicate effectively and efficiently with the stakeholders about IT performance, issues, and risks. Training end users on regulation requirements is a process that educates the end users on the rules and standards that apply to their use of IT systems and data, as well as the consequences of non-compliance. Training end users can help the committee to raise awareness and ensure adherence to regulations and policies. Implementing a mechanism to ensure reporting escalation is a procedure that defines the criteria, process, and channels for escalating IT reports to higher levels of authority or responsibility when necessary. Implementing a reporting escalation mechanism can help the committee to ensure timely and appropriate response and resolution of IT issues or risks.

References := Integrating KRIs and KPIs for Effective Technology Risk Management; Performance Measurement Metrics for IT Governance; State and Impact of Governance of Enterprise IT in Organizations: Key Findings of an International Study.

 IT governance is the process of ensuring that IT supports and enables the achievement of the enterprise’s goals and objectives, and delivers value to the stakeholders1. Stakeholders are the individuals or groups that have a stake in the success or failure of IT governance, such as board members, senior management, business units, IT function, customers, suppliers, regulators, and society1. By considering stakeholders’ support, an enterprise can ensure that the IT governance framework is aligned with and driven by the stakeholders’ needs, expectations, and interests1. Stakeholders’ support can also help to facilitate the communication, collaboration, and decision-making processes among the IT governance participants, and to gain their commitment and buy-in for the IT governance implementation and improvement1.

The other options are not as important as stakeholders’ support, as they are either specific aspects or outcomes of IT governance, but not comprehensive factors. Information technology risk is the potential for negative consequences due to the use or misuse of IT within an enterprise. Information technology risk can affect the IT governance framework, but it is not the most important factor to consider, as it is only one of the many elements that influence ITgovernance2. Framework development cost is the amount of money and resources required to design and implement the IT governance framework. Framework development cost can affect the IT governance framework, but it is not the most important factor to consider, as it is only one of the many criteria that evaluate IT governance3. Information technology strategy is the plan that defines how the IT function supports and enables the overall business strategy and objectives of an enterprise. Information technology strategy can affect the IT governance framework, but it is not the most important factor to consider, as it is only one of the many components that constitute IT governance

The best way for a CIO to monitor the alignment between the business and IT strategy is to regularly review the balanced scorecard. The balanced scorecard is a strategic management tool that helps to measure and communicate the performance of an organization in relation to its vision, mission, goals, and objectives. The balanced scorecard uses four perspectives: financial, customer, internal process, and learning and growth, to evaluate how well the organization is achieving its desired outcomes and creating value for its stakeholders1. The balanced scorecard can also help to align the IT strategy with the business strategy by linking the IT objectives, initiatives, and measures with the business objectives, initiatives, and measures across the four perspectives2. By reviewing the balanced scorecard regularly, the CIO can monitor the progress and results of the IT strategy, identify the gaps and issues that need to be addressed, and ensure that the IT strategy is supporting and enabling the business strategy. According to COBIT 5, one of the seven enablers of IT governance is performance management, which includes using the balanced scorecard to align IT-related goals and metrics with enterprise goals and metrics3. The balanced scorecard is also part of the IT governance domain 5: Performance Measurement4.

The other options are not the best ways for a CIO to monitor the alignment between the business and IT strategy. Key risk indicators (KRIs) are metrics that indicate the level of risk exposure or potential impact of a risk event on an organization. KRIs can help to monitor and manage IT risks, but they do not necessarily reflect the alignment of IT strategy with business strategy. IT services supporting business processes are the activities and functions that IT provides to enable and facilitate the execution of business processes. Reviewing IT services can help to evaluate the quality and efficiency of IT delivery, but they do not capture the strategic alignment of IT with business. The risk register is a document that records and tracks the identified risks, their causes, impacts, probabilities, responses, owners, and statuses. The risk register can help to document and communicate IT risks, but it does not measure or report the alignment of IT strategy with business strategy. References := 1: Balanced Scorecard Basics - Balanced Scorecard Institute12: Aligning Business Strategy with Information Technology Strategy - ISACA23: COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, ISACA, page 314: CGEIT Review Manual 2023, ISACA, page 197. : Key Risk Indicators - ISACA3 : What are IT Services? Definition & Examples - BMC Software4 : Risk Register - ISACA

 According to the CGEIT exam guide, the IT resource management plan is a document that describes how the IT resources of an enterprise will be acquired, allocated, monitored and optimized to support the IT strategy, objectives and goals. The IT resource management plan should also address the human resource aspects of IT, such as recruitment, retention, development, motivation and performance of IT personnel. Therefore, the best governance action to address the concern of high turnover of skilled IT personnel is to update the IT resource management plan to reflect the current and future needs and challenges of the IT department. The updated IT resource management plan should include strategies and actions to reduce the turnover rate, such as improving the IT work environment and culture, offering competitive compensation and benefits packages, providing career development and training opportunities, enhancing employee engagement and recognition, and implementing knowledge management and succession planning practices. References: CGEIT Exam Candidate Guide, page 14. CGEIT Certification, IT Resource Management, Employee Turnover Rate: Definition & Calculation

Information ownership is the assignment of roles and responsibilities for data protection to individuals or groups within the organization. Information owners are accountable for ensuring that data is properly classified, secured, and used in accordance with the organization’s policies and standards. Information ownership facilitates governance oversight of data protection measures by providing clear lines of authority and accountability for data assets. References:

ISACA CGEIT Review Manual 2021, page 86: “Information ownership is the assignment of roles and responsibilities for the protection of information to individuals or groups within the enterprise.”

ISACA CGEIT Review Questions, Answers & Explanations Manual 2021, page 11, question 14: “The correct answer is A. Information ownership is the assignment of roles and responsibilitiesfor the protection of information to individuals or groups within the enterprise. Information owners are accountable for ensuring that information is properly classified, secured, and used in accordance with the enterprise’s policies and standards. Information ownership facilitates governance oversight of data protection measures by providing clear lines of authority and accountability for information assets.”

This should be identified first when creating an inventory of information systems and data related to the mobile app, as they are the individuals or groups who have the authority and responsibility to define, classify, protect, and manage the data assets of the enterprise1. By identifying the application and data owners, the enterprise can ensure that the data is properly accounted for, categorized, and secured according to its value, sensitivity, and risk. Application and data owners can also establish data policies, standards, and procedures, as well as monitor and report on data quality, usage, and compliance1. Identifying the application and data owners is a prerequisite for identifying the other options, such as data maintained by vendors, vendors and outsourced systems, and information classification scheme, as these depend on the accurate identification and assignment of data ownership roles and responsibilities.

Data conversion is the process of transforming data from one format or system to another. It is a critical activity in any data migration or integration project, as it affects the quality, accuracy, and usability of the data. Therefore, IT governance should mandate that data conversion has documented approvals from business process data owners, who are the stakeholders responsible for defining and maintaining the data requirements, standards, and quality for their respective business processes. This ensures that the data conversion meets the business needs and expectations, as well as complies with the relevant policies and regulations. References:

CGEIT Review Manual 2021, Chapter 4: Resource Optimization, Section 4.2: Data Management, page 1651

CGEIT Review Questions, Answers & Explanations Manual 2021, Question 10, page 252

Data Conversion: Definition, Best Practices, and Examples3

Data Governance Roles and Responsibilities4