CGEIT Exam Dumps - Certified in the Governance of Enterprise IT Exam

Key performance indicators (KPIs) are metrics that help measure the performance of IT service delivery and align it with the business goals and stakeholder expectations. KPIs can help the IT governance committee to monitor, evaluate and improve the availability, quality and efficiency of the web-facing infrastructure. KPIs can also help identify and address any issues or risks that may affect the service level agreements (SLAs) or customer satisfaction. KPIs should be established before implementing other measures such as web operations procedures, business continuity plans (BCPs) or customer survey processes, as they provide the basis for setting objectives, targets and benchmarks for these measures. References: ISACA, Performance Measurement Metrics for IT Governance, page 11. datapine, Top 20 IT KPIs - Explore The Best IT KPI Examples & IT Metrics

The best way for an IT governance board to establish standards of behavior for the adoption of artificial intelligence (AI) is to direct the creation and approval of an ethical use policy. An ethical use policy is a document that defines the principles, values, and guidelines for the responsible and ethical design, development, and deployment of AI systems and applications within the enterprise. An ethical use policy can help to ensure that AI is aligned with the enterprise’s mission, vision, goals, and values, and that it respects the rights, dignity, and interests of all stakeholders, including customers, employees, partners, regulators, and society at large. An ethical use policy can also help to address the potential risks, challenges, and impacts of AI on various aspects such as privacy, security, fairness, accountability, transparency, trustworthiness, human dignity, human agency, social good, etc. According to ISACA’s article on Developing an Artificial Intelligence Governance Framework1, “an ethical use policy is essential for any enterprise that wants to adopt AI in a responsible and sustainable manner. An ethical use policy can help to establish trust and confidence in AI among the stakeholders and customers, and to avoid or mitigate any negative consequences or harms that may arise from AI.” Furthermore, according to ISACA’s article on Governance of Responsible AI: From EthicalGuidelines to Legal Frameworks2, “an ethical use policy can provide a common framework and language for the governance of AI across different domains, sectors, and regions. An ethical use policy can also facilitate the compliance with existing laws and regulations that may apply to AI.” Therefore, directing the creation and approval of an ethical use policy is the best way for an IT governance board to establish standards of behavior for the adoption of AI.

 Business use cases are descriptions of the business processes, scenarios, and interactions that support the achievement of a specific business goal or objective1. By considering the business use cases supporting the digital strategy, the enterprise can ensure that the information architecture is aligned with and driven by the business needs and expectations2. The information architecture can also support the communication, collaboration, and decision-making processes among the stakeholders involved in the digital strategy2.

The other options are not as important as the business use cases supporting the digital strategy, as they are either specific aspects or outcomes of information architecture, but not comprehensive factors. Resource constraints related to implementing the digital strategy are the limitations and challenges that affect the availability and quality of the resources required for executing the digital strategy, such as time, money, people, technology, or data3. Resource constraints can affect the information architecture, but they are not the most important factor to consider, as they are only one of the many criteria that evaluate information architecture3. Changes to the legacy business and data architectures are the modifications and adaptations that are needed to update and improve the existing business and data structures, models, and systems to align with the digital strategy4. Changes to the legacy business and data architectures can affect the information architecture, but they are not the most important factor to consider, as they are only one of the many components that constitute information architecture4. The history of fraud incidents and their root causes are the records and analyses of the previous fraud events and their underlying factors that occurred within or against the enterprise5. The history of fraud incidents and their root causes can affect the information architecture, but they are not the most important factor to consider, as they are only one of the many sources of information that inform information architecture5.

This is a barrier to strategic alignment of business and IT, as it creates inconsistency and fragmentation in the IT governance process across the enterprise. Strategic alignment of business and IT is the degree of fit and integration among business strategy, IT strategy, business infrastructure, and IT infrastructure1. It helps to ensure that IT supports and enables the achievement of the enterprise’s goals and objectives, and delivers value to the stakeholders1. To achieve strategic alignment, an enterprise needs to have a coherent and coordinated IT governance process that aligns IT with business goals, optimizes IT investments and resources, manages IT risks and opportunities, and measures IT performance and benefits1. However, if each business unit has its own steering committee for IT investment and prioritization, this may result in conflicting or competing IT priorities, duplication or waste of IT resources, lack of communication or collaboration among IT stakeholders, or misalignment of IT services and capabilities with business needs and expectations1. Therefore, each business unit having its own steering committee for IT investment and prioritization is a barrier to strategic alignment of business and IT.

The other options are not barriers to strategic alignment of business and IT, as they are possible enablers or indicators of strategic alignment. Uniform portfolio management is the process of selecting, prioritizing, balancing, and monitoring the IT investments and initiatives that support the enterprise’s strategic objectives and deliver value to the stakeholders2. Uniform portfolio management can help to align IT with business goals, optimize resource allocation, manage risks and dependencies, and measure performance and benefits2. IT being the exclusive provider of IT services to the business units can help to ensure that the IT services are consistent, reliable, secure, and compliant with the enterprise’s standards and policies3. The enterprise’s CIO being a member of the executive committee can help to demonstrate the strategic importance and contribution of IT to the enterprise’s success, as well as facilitate the communication and collaboration between IT and business leaders4.

An independent assessment is a review by a third party of an authorization decision, a product, a service, or a system to verify its quality, functionality, compliance, or performance. An independent assessment can help identify and mitigate potential risks, errors, or defects before they cause problems or failures. An independent assessment can also provide an objective and unbiased opinion on the suitability and effectiveness of a solution for a specific purpose or context.

By requiring an independent assessment of solutions prior to implementation, the enterprise can ensure that the solutions meet the functional requirements and specifications, as well as the security and privacy standards and policies. This can prevent issues such as the malfunctioning of role-based access control, which could compromise the confidentiality, integrity, and availability of sensitive data. An independent assessment can also help evaluate the compatibility and interoperability of solutions with existing systems and processes, and provide recommendations for improvement or optimization.

Some examples of independent assessment methods are:

Independent verification and validation (IV&V): A process that checks whether a system meets its defined requirements and specifications, and whether it fulfills its intended purpose and functions.

Independent technical review (ITR): A process that evaluates the technical aspects of a system, such as its design, architecture, performance, reliability, security, usability, maintainability, and scalability.

Independent security assessment (ISA): A process that assesses the security posture of a system, such as its vulnerability to threats, its compliance with security standards and regulations, its implementation of security controls and measures, and its response to security incidents.

The best way to enable the mapping of cost to risk for selecting a disaster recovery site based on available risk data is to perform a business impact analysis (BIA). A BIA is a process of identifying and evaluating the potential effects of various disaster scenarios on the critical business functions and processes of an organization. A BIA can help estimate the financial and operational impacts of losing or disrupting the business functions and processes, such as revenue loss, customer dissatisfaction, regulatory fines, contractual penalties, reputation damage, etc. A BIA can also help determine the recovery time objectives (RTOs) and recovery point objectives (RPOs) for each business function and process, which indicate how quickly and how much data they need to be restored after a disaster. By performing a BIA, the IT steering committee can map the cost of each disaster recovery site option to the risk of each disaster scenario, and compare the trade-offs between different levels of protection and investment1.

The other options are not the best ways to enable the mapping of cost to risk for selecting a disaster recovery site. Key risk indicators (KRIs) are metrics that indicate the level of risk exposure or potential impact of a risk event on an organization. KRIs can help monitor and manage IT risks, but they do not necessarily reflect the cost of different disaster recovery site options. Scenario-based assessment is a method of analyzing and evaluating the likelihood and consequences of various risk scenarios. Scenario-based assessment can help identify and prioritize IT risks, but it does not provide a clear measure of the cost of different disaster recovery site options. Qualitative forecasting is a technique of using expert opinions, judgments, or intuition to predict future outcomes or trends. Qualitative forecasting can help estimate the future demand or growth of IT services, but it does not provide a reliable or objective basis for mapping the cost to risk of different disaster recovery site options.

 Enterprise data governance is a system for defining who within an organization has authority and control over data assets and how those data assets may be used. It encompasses the people, processes, and technologies required to manage and protect data assets1. Enterprise data governance can help address the inconsistencies in data classification by establishing a common framework, standards, and policies for data quality, security, and usage across the enterprise. It can also assign roles and responsibilities for data owners, stewards, and custodians to ensure accountability and compliance234. References:

2: https://www.ibm.com/topics/data-governance

1: https://www.cio.com/article/202183/what-is-data-governance-a-best-practices-framework-for-managing-data-assets.html

3: https://www.sailpoint.com/identity-library/enterprise-data-governance/

4: https://atlan.com/enterprise-data-governance/

Business ethics is the study of appropriate business policies and practices regarding potentially controversial subjects, such as corporate governance, insider trading, bribery, discrimination, corporate social responsibility, fiduciary responsibilities, and much more1. The most important aspect of business ethics is to protect the interests of the stakeholders, who are the individuals or groups that have a stake in the success or failure of a business. Stakeholders include shareholders, customers, employees, suppliers, regulators, and the society at large. By protecting stakeholders’ interests, a business can ensure its long-term viability, reputation, and profitability. References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 1: Governance of Enterprise IT, Section 1.1: IT Governance Frameworks and Principles, Subsection 1.1.2: IT Governance Principles, Page 14-15. Business Ethics: Definition, Principles, Why They’re Important.