Isaca Updated CGEIT Exam Questions and Answers by marco

The MOST important thing for the IT steering committee to consider before deciding on a policy to anonymize personal data in enterprise systems is the regulatory requirements. Anonymization is the process of protecting private or sensitive information by erasing or encrypting identifiers that connect an individual to stored data1. However, different jurisdictions may have different definitions, standards, and rules for anonymization and data protection2. For example, the EU’s General Data Protection Regulation (GDPR) outlines a specific set of rules that protect user data and create transparency1. The GDPR permits companies to collect anonymized data without consent, use it for any purpose, and store it for an indefinite time—as long as companies remove all identifiers from the data1. However, if the data is not fully anonymized and can be re-identified by using de-anonymization methods, then the GDPR still applies and requires consent, purpose limitation, and data minimization2. Therefore, the IT steering committee should consider the regulatory requirements of the applicable legislation in both the home and host countries before deciding on a policy to anonymize personal data in enterprise systems. This can help to ensure compliance, avoid fines or penalties, and protect the reputation and trust of the business.

The data owner is the role that is accountable for the confidentiality, integrity, and availability of information within an enterprise, because the data owner is the person who has the authority and responsibility to classify, label, and protect the information assets according to their value and sensitivity1. The data owner also defines the business requirements for the information security and ensures that the data custodian implements the appropriate controls to safeguard the information2. The data owner is also part of the IT governance domain 4: Value Delivery3. References := 1: Data Classification Standard3, page 42: 3 Pillars of Data Security: Confidentiality, Integrity & Availability43: CGEIT Review Manual 2023, ISACA, page 155.

IT maturity models measure the capabilities of an IT organization, which means the ability to perform certain activities or tasks effectively and efficiently. IT maturity models assess the current state of the IT organization in terms of people, processes, and technology, and compare it with the desired or optimal state. IT maturity models also help to identify the gaps and opportunities for improvement, and to prioritize and plan the actions to achieve higher levels of maturity. IT maturity models can be used for various purposes, such as benchmarking, strategic planning, performance management, risk management, and quality assurance. References: CGEIT Exam Content Outline | ISACA1, CGEIT Review Manual (Digital Version), Use an IT maturity model - IBM Garage Practices1, IT Maturity Models, Scorecards & Assessments | Smartsheet2

A data steward is a subject matter expert who is responsible for defining and maintaining the integrity of a specific type of data or data domain1. They help the organization build data glossaries, create and maintain data quality rules, and determine who has access to data1. Data stewards also work closely with any system of record to ensure proper controls are in place and are maintained to ensure the data produced is of high quality2. Therefore, if the IT department has determined that problems with a business report are due to quality issues within a set of data, they should refer the matter to the data steward for resolution. References := CGEIT Review Manual, Chapter 3: Benefits Realization, Section 3.2: IT Value Delivery Processes, Subsection 3.2.4: Data Quality Management, Page 103.