Isaca Updated CGEIT Exam Questions and Answers by leighton

The best way to ensure that security risk is properly addressed when implementing an information security policy exception process is to confirm process owners’ acceptance of residual risk. Residual risk is the risk that remains after applying controls or mitigating measures to reduce the original risk1. Process owners are the individuals or groups that are responsible for the design, execution, and performance of a business process2. By confirming process owners’ acceptance of residual risk, the enterprise can ensure that the security risk associated with the policy exception is understood, acknowledged, and agreed upon by the relevant stakeholders. This can also help to assign accountability and liability for the potential consequences of the policy exception, as well as to monitor and review the risk level and the effectiveness of the controls or mitigating measures. The other options are not as effective as confirming process owners’ acceptance of residual risk for ensuring that security risk is properly addressed when implementing an information security policy exception process. Performing an internal and external network penetration test is a useful technique for identifying and exploiting vulnerabilities in the network infrastructure, but it does not address the specific security risk related to the policy exception. Obtaining IT security approval on security policy exceptions is a necessary step for validating and authorizing the policy exception, but it does not ensure that the process owners are aware of and accept the residual risk. Benchmarking policy against industry best practice is a good practice for comparing and improving the policy quality and performance, but it does not address the security risk associated with the policy exception.

In EGIT, effective governance intervention starts with understanding the drivers and context behind a performance gap before prescribing corrective actions. COBIT implementation and transformation guidance emphasizes beginning by understanding the enterprise context, current ways of working, and performance gaps—in other words, diagnosing why outcomes are deteriorating. Engaging regional leadership first helps uncover root causes such as market conditions, regulatory constraints, execution capability, demand changes, benefit overstatement, or misalignment between regional priorities and enterprise strategy.

Only after this diagnosis should governance decide which controls to strengthen (e.g., independent business-case assurance, portfolio reprioritization, benefits tracking, or selection-method updates). Option A (independent review) can be a strong follow-on control, but doing it first may miss systemic causes (e.g., governance culture, incentives, delivery capacity). Option D is also a likely next step, but benefit calculations and selection-method review should be based on an informed understanding of what is failing. Option C (suspending funding and reassigning managers) is an extreme action that can increase delivery risk and does not address underlying governance design issues.

========

A data protection impact assessment (DPIA) is designed to identify and mitigate risks to data privacy. The CGEIT Review Manual 8th Edition states that the primary objective of a DPIA is to analyze how business processes affect data privacy, particularly for personal data.

Extract from CGEIT Review Manual 8th Edition (Domain 3: Risk Optimization):"The primary objective of a data protection impact assessment is to identify and analyze how business processes, systems, or projects may impact the privacy of personal data. This helps ensure compliance with data protection regulations and mitigates privacy risks." (Approximate reference: Domain 3, Section on Data Privacy and Compliance)

Identifying and analyzing how data privacy might be affected by business processes (option A) is the core purpose of a DPIA, aligning with regulatory requirements like GDPR.

Why not the other options?

B. To evaluate the quality and integrity of personal data stored in an enterprise: Data quality is a separate concern, not the focus of a DPIA.

C. To estimate the value created by personal data as it progresses through its life cycle: Value estimation is a business analysis, not a DPIA objective.

D. To ensure key business processes and related data interfaces are documented: Documentation may be a byproduct, but it is not the primary objective.

The best group to evaluate recommendations to address the use of antiquated technologies throughout the enterprise is the Enterprise Architecture (EA) review board. This group is responsible for overseeing the architectural framework and ensuring that IT systems and technologies align with the enterprise's strategic objectives. The EA review board has the expertise to assess the impact of current technologies on the business and recommend modernization strategies that align with the enterprise architecture. While business process improvement workgroups, audit committees, and risk management committees play important roles, the EA review board is specifically equipped to address technological shortcomings and alignment with business goals.