Isaca Updated CGEIT Exam Questions and Answers by alanna

According to the ISACA paper on IT Governance Reporting1, the most important information to include in IT governance reporting to the board of directors is the critical risks that IT faces or poses to the enterprise. Critical risks are those that have a high likelihood and impact, and that could threaten the achievement of the enterprise’s strategy, objectives and goals. Critical risks could include cyberattacks, data breaches, regulatory compliance violations, IT project failures, IT service disruptions, IT resource shortages, etc. The board of directors should be aware of the critical risks, as well as the actions taken or planned to mitigate them. The other options are not as important as critical risks, as they are more related to the operational or tactical aspects of IT, rather than the strategic or governance aspects.

According to the web search results, a SaaS contract is a legal agreement between a SaaS provider and a customer that defines the terms and conditions of using the SaaS solution, such as the scope, duration, price, service level, data ownership, security, privacy, compliance, etc. The most effective way to reduce the risk associated with the SaaS solution is to include risk-related requirements in the SaaS contract, such as the following12:

The SaaS provider should comply with the relevant laws and regulations that apply to the customer’s industry and location, such as GDPR, HIPAA, PCI DSS, etc.

The SaaS provider should implement adequate security measures and controls to protect the customer’s data from unauthorized access, modification, disclosure or loss, such as encryption, authentication, authorization, backup, etc.

The SaaS provider should provide regular reports and audits on the security and performance of the SaaS solution, as well as notify the customer of any security incidents or breaches that may affect the customer’s data.

The SaaS provider should guarantee a certain level of availability and reliability of the SaaS solution, and specify the remedies or penalties for any service downtime or disruption.

The SaaS provider should allow the customer to access, export, delete or transfer their data at any time, and ensure that the data are erased or returned to the customer upon termination of the contract.

The SaaS provider should indemnify and hold harmless the customer from any claims, damages or liabilities arising from the use of the SaaS solution.

Including risk-related requirements in the SaaS contract will help to clarify the roles and responsibilities of both parties, as well as to establish trust and accountability between them. It will also help to mitigate the potential risks and challenges of using a hosted SaaS solution34, such as data loss, unauthorized access, compliance violations, service outages, vendor lock-in, etc. The other options are not as effective as including risk-related requirements in the SaaS contract, as they do not address the contractual and legal aspects of using a hosted SaaS solution.

The most critical activity for reducing the impact caused by IT staff turnover is to document processes and procedures, as this can help preserve the knowledge and experience of the existing IT staff, as well as facilitate the training and orientation of the new IT staff. Documenting processes and procedures can also help standardize and improve the quality and efficiency of IT operations, services, and projects, as well as ensure compliance with regulations and policies. Documenting processes and procedures can also help define and clarify the roles and responsibilities of the IT staff, as well as the expectations and requirements of the business units.

Outsourcing the IT operation, increasing compensation for IT staff, and hiring temporary staff are possible activities for addressing the IT staff turnover issue, but they are not the most critical activity. Outsourcing the IT operation may reduce the dependency on internal IT staff, but it may also introduce new risks and challenges for IT governance and management, such as vendor selection, contract negotiation, service level agreement (SLA) monitoring, and data security. Increasing compensation for IT staff may improve the retention and motivation of the existing IT staff, but it may also increase the operational costs and budget constraints of the IT department. Hiring temporary staff may fill the gaps or shortages in IT skills or resources, but it may also affect the continuity and consistency of IT service delivery, as well as the integration and collaboration of IT teams.

Negotiating service level agreements (SLAs) is the best way for an organization to minimize the difference between expected and delivered services when acquiring resources, because SLAs define the scope, quality, availability, performance, and security of the services that the provider will deliver to the customer. SLAs also specify the roles and responsibilities, escalation procedures, and penalties for non-compliance of both parties. By negotiating SLAs, the organization can ensure that its expectations and requirements are clearly communicated and agreed upon by the provider, and that there are mechanisms to measure and monitor the service delivery and outcomes. Negotiating SLAs also helps to prevent or resolve any disputes or issues that may arise from the service provision, and to ensure that the organization receives the value and benefits that it expects from the provider. One of the sources that supports this answer is Service-level Agreement: 3 Types And Templates - Contract Lawyers, which states that “A service-level agreement is important because it: Protects both parties: The SLA sets standards for the service, ensuring both the service provider and end user are on the same page with expectations.”