Isaca Updated CGEIT Exam Questions and Answers by hailey

The main goal of the IT strategy committee after establishing stakeholder desired outcomes should be to ensure IT risk alignment with enterprise risk. IT risk alignment means that the IT risk management program is consistent and integrated with the enterprise risk management (ERM) program, and that the IT risks are identified, assessed, and treated in relation to the enterprise’s objectives, strategies, and risk appetite. IT risk alignment can help the enterprise achieve the following benefits1:

Enhance the value delivery of IT to the business

Improve the decision making and prioritization of IT investments and initiatives

Reduce the likelihood and impact of IT-related incidents and losses

Increase the resilience and agility of IT in responding to changes and disruptions

Strengthen the governance and accountability of IT performance and compliance

To ensure IT risk alignment with enterprise risk, the IT strategy committee should perform the following tasks2:

Define the scope, objectives, and criteria for IT risk management

Establish the roles and responsibilities for IT risk management

Align the IT risk management framework and processes with the ERM framework and processes

Communicate and collaborate with the ERM function and other stakeholders on IT risk issues

Monitor and review the effectiveness and maturity of IT risk management

The other options are not the main goal of the IT strategy committee after establishing stakeholder desired outcomes. Identifying business data that requires protection, performing a risk analysis on key IT processes, and implementing controls to address high risk areas are steps that are part of the IT risk management process, but they are not specific to ensuring IT risk alignment with enterprise risk. These steps should be done by the IT risk management function or team, under the guidance and oversight of the IT strategy committee.

The MOST important thing for the IT steering committee to consider before deciding on a policy to anonymize personal data in enterprise systems is the regulatory requirements. Anonymization is the process of protecting private or sensitive information by erasing or encrypting identifiers that connect an individual to stored data1. However, different jurisdictions may have different definitions, standards, and rules for anonymization and data protection2. For example, the EU’s General Data Protection Regulation (GDPR) outlines a specific set of rules that protect user data and create transparency1. The GDPR permits companies to collect anonymized data without consent, use it for any purpose, and store it for an indefinite time—as long as companies remove all identifiers from the data1. However, if the data is not fully anonymized and can be re-identified by using de-anonymization methods, then the GDPR still applies and requires consent, purpose limitation, and data minimization2. Therefore, the IT steering committee should consider the regulatory requirements of the applicable legislation in both the home and host countries before deciding on a policy to anonymize personal data in enterprise systems. This can help to ensure compliance, avoid fines or penalties, and protect the reputation and trust of the business.

This should be the IT steering committee’s primary concern, as moving to an external cloud service provider may introduce new or different risks to the enterprise, such as data security,privacy, compliance, availability, performance, vendor lock-in, and service level agreements12. The IT steering committee should update the business risk profile to reflect the current and potential risks associated with the cloud service provider, and to ensure that they are aligned with the enterprise’s risk appetite and tolerance12. The IT steering committee should also monitor and manage the risks throughout the cloud service lifecycle, and implement appropriate controls and mitigation strategies to protect the enterprise’s assets and interests12. The other options are not as important as updating the business risk profile, as they are not directly related to the strategic decision to reduce operating costs for the next year. Calculating the cost of the current solution, changing the IT steering committee charter, and revising the business’s balanced scorecard are possible actions that may be taken after updating the business risk profile, based on the identified risks and their levels3.

 According to the CGEIT exam guide, the organization’s risk profile is a representation of the current and potential risks that the organization faces, as well as the likelihood and impact of those risks. The risk profile helps to inform the risk management strategy, policies and processes, as well as the risk appetite and tolerance of the organization. When an enterprise enters into a new market that brings additional regulatory compliance requirements, the first thing that should be done is to update the organization’s risk profile to reflect the new sources, types and levels of risk that the enterprise may encounter. This will help to identify and assess the compliance risks, as well as to plan and implement appropriate risk responses and controls. The other options are not the first things that should be done, as they are more related to the execution and monitoring of compliance, rather than the identification and assessment of compliance risks. References: CGEIT Exam Candidate Guide, page 15. CGEIT Certification, How to Develop a Risk Profile