Isaca Updated CGEIT Exam Questions and Answers by mckenzie

Effective culture change is the process of transforming the values, beliefs, behaviors, and norms of the organization and its stakeholders to support the strategic alignment of business and IT goals. Effective culture change can enable the implementation of IT governance by:

• Creating a shared vision and understanding of the purpose, benefits, and expectations of IT governance
• Engaging and empowering the stakeholders to participate and collaborate in IT governance activities and decisions
• Fostering a culture of trust, transparency, accountability, and responsibility for IT governance outcomes
• Encouraging a culture of innovation, learning, and improvement for IT governance processes and practices
• Aligning the incentives and rewards with the IT governance objectives and performance

References:

• According to the CGEIT Review Manual 2022, "Culture is a key enabler for effective IT governance. Culture influences how people behave, communicate, collaborate, and make decisions. Culture also affects how people perceive, value, and use IT. Therefore, culture change is often necessary to implement IT governance successfully."1
• According to the ISACA article on Culture Change: A Critical Success Factor for Effective IT Governance2, “Culture change is not an easy task; it requires strong leadership, clear communication, stakeholder involvement, and continuous monitoring and feedback. However, culture change can also bring significant benefits for IT governance, such as improved alignment, engagement, performance, and value creation.”
• According to the CIO article on How to create a culture of innovation in IT3, “Creating a culture of innovation in IT requires more than hiring talented people and acquiring the latest technologies. It also requires a shift in mindset, behavior, and structure that fosters creativity, collaboration, experimentation, and learning.”

 Including the update of documentation within the change management framework is the best way to prevent the recurrence of similar findings in the future. This is because the change management framework is a systematic and structured approach to managing changes in IT systems, applications, processes, and procedures. By incorporating the update of documentation as part of the change management process, the IT department can ensure that any changes are properly documented and communicated to the relevant stakeholders, and that the documentation is always aligned with the actual practices. This will help to avoid any discrepancies or inconsistencies between the procedures and what is actually done by system administrators, and thus reduce the risk of audit findings or non-compliance issues. Assigning the responsibility for periodic revisions and changes to process owners, requiring each IT employee to confirm compliance with IT procedures on an annual basis, and establishing high-level procedures to minimize process changes are all possible measures to improve the documentation quality, but they are not as effective or efficient as including the update of documentation within the change management framework. They may not address the root cause of the problem, which is the lack of coordination and integration between the documentation and the change management activities. References := Change Management Best Practices for IT Teams - Smartsheet, IT Documentation: Purpose and Best Practices - Helpjuice, IT Documentation Best Practices | IT Glue

The best way for an enterprise to address new legal and regulatory requirements applicable to IT is to treat them as a risk to be assessed before developing a response. This approach involves identifying the potential impact of the new requirements on the organization, evaluating the likelihood and consequences of non-compliance, and then developing a prioritized response plan based on this risk assessment. This method ensures a measured and proportional response that aligns with the organization's risk appetite and strategic objectives. While benchmarking, adopting a zero-tolerance approach, and using cost-benefit analysis are useful, they should be part of a broader risk-based strategy to address compliance effectively.

 The next course of action in response to the CIO’s concern is to assess the risk associated with the device. This means that the CIO should evaluate the potential impact and likelihood of security threats posed by the device, such as data leakage, unauthorized access, malware infection, or privacy violation. The CIO should also consider the benefits and drawbacks of allowing or banning such devices, such as productivity, innovation, user satisfaction, or compliance. A risk assessment can help the CIO to make an informed decision based on facts and evidence, rather than assumptions or emotions. A risk assessment can also provide a basis for defining a risk mitigation strategy, updating the acceptable use policy, or researching competitor usage of similar devices. References := 10 security risks of wearables | CSO Online, Wearable Devices are on the Rise, Presenting New Security Risks, Common privacy and security vulnerabilities in wearable devices, Wearables Device Data Security & Protection | Voler Systems