Isaca Updated CGEIT Exam Questions and Answers by laila

When deciding to develop a system with sensitive data, the MOST important thing to include in a business case is a risk assessment to determine the appropriate controls. A business case is a document that provides the rationale and justification for initiating a project or investment1. It includes information such as the objectives, scope, benefits, costs, risks, assumptions, and success criteria of the proposed project or investment2. A risk assessment is a process of identifying, analyzing, and evaluating the potential threats and impacts that could affect the project or investment3. A risk assessment can help to:

Identify the sources and types of risks associated with developing a system with sensitive data, such as data breaches, data loss, data corruption, unauthorized access, compliance violations, etc.4

Analyze the likelihood and severity of the risks occurring and their consequences on the project or investment5

Evaluate the current and planned controls to mitigate or prevent the risks, such as encryption, access control, data backup, data activity monitoring, etc.

Prioritize the risks and controls based on their importance and urgency

Communicate and document the risks and controls to stakeholders and decision-makers

Therefore, a risk assessment to determine the appropriate controls is essential for developing a business case for a system with sensitive data, as it can help to demonstrate the feasibility, viability, and desirability of the project or investment.

The other options are not as important as option A. While it is useful to have an updated enterprise architecture (EA), a skills gap analysis, and the additional cost of encrypting sensitive data, these are more operational and tactical aspects that can be determined later in the implementation phase. They are not critical for developing a business case for a system with sensitive data, which should focus more on the strategic direction and value proposition of the project or investment. References :=

How to Write a Business Case - ProjectManager.com2

Business Case Development - Project Management Institute1

What is Risk Assessment? Definition & Examples | ASQ3

Data Security: How to Secure Sensitive Data - DATAVERSITY4

Risk Analysis: Definition & Examples | ASQ5

Data access control and data activity monitoring - IBM Cloud …

Risk Evaluation: Definition & Examples | ASQ

Risk Communication: Definition & Examples | ASQ

 The best way for the CIO to ensure that the IT objectives are delivered effectively by IT staff is to include the IT objectives in staff performance plans. Staff performance plans are documents that define the expectations, responsibilities, and goals for individual employees, as well as the criteria and methods for evaluating their performance1. By including the IT objectives in staff performance plans, the CIO can align the IT staff’s work with the business objectives, communicate the desired outcomes and behaviors, motivate and empower the IT staff, monitor and measure their progress and achievements, and provide feedback and recognition1. This will help to create a culture of accountability, excellence, and continuous improvement among the IT staff, and ensure that they contribute to the value creation and delivery of IT2. References: Performance Management. What is CGEIT? A certification for seasoned IT governance professionals.

A gap analysis is the process of comparing the current state and the desired state of an organization or a system, and identifying the gaps or differences between them1. A gap analysis can help to determine the actions and resources needed to bridge the gaps and achieve the desired outcomes2. In the context of an IT infrastructure integration after a major acquisition, a gap analysis can help to:

Assess the compatibility and interoperability of the IT systems, applications, data, and processes of both companies3

Identify the gaps, risks, issues, and opportunities related to the IT infrastructure integration4

Prioritize and plan the IT infrastructure integration activities and projects5

Align the IT infrastructure integration with the business goals and objectives of the acquisition

Therefore, conducting a gap analysis should be done NEXT after deciding that both companies will be using the parent company’s IT infrastructure.

The other options are not as important as option C. While it is important to update the enterprise architecture (EA), perform a business impact analysis (BIA), and develop a communication plan to support the merger, these are subsequent steps that can be done after conducting a gap analysis. A gap analysis can provide valuable inputs and insights for these steps, such as the current and target EA, the potential impacts of the IT infrastructure integration on the business operations and stakeholders, and the communication needs and channels for the IT infrastructure integration. References :=

What is Gap Analysis? Definition, Methodology & Examples | ASQ1

Gap Analysis: How to Bridge the Gap Between Performance and …2

How to Make a Successful IT Integration Strategy for Mergers and …4

M&A: The Six Phases of IT Integration - Interlink Cloud Blog3

Post-Merger Integration: M&A Integration Process Guide - DealRoom5

Success Factors for Integrating IT Systems After a Merger | CIO

The next step that the enterprise should do after performing a business impact analysis (BIA) considering a number of risk scenarios is to assess risk mitigation strategies. A risk mitigation strategy is a plan of action that aims to reduce the likelihood or impact of a risk event, or to transfer or accept the risk1. Assessing risk mitigation strategies involves evaluating the costs, benefits, feasibility, and effectiveness of various options for addressing the risks identified in the BIA. Assessing risk mitigation strategies can help the enterprise prioritize and implement the most appropriate and efficient solutions for protecting its critical business processes and resources from potential disruptions2. According to the Business Continuity Planning Process Diagram, assessing risk mitigation strategies is the fourth step in the business continuity planning process, following the BIA3.

The other options are not the next steps that the enterprise should do after performing a BIA. Performing a risk controls gap analysis is a step that precedes the BIA, as it helps to identify the existing controls and their effectiveness in preventing or reducing the risks4. Updating the disaster recovery plan (DRP) is a step that follows after assessing risk mitigation strategies, as it involves documenting the procedures and resources for restoring the critical business functions and IT systems in case of a disaster5. Verifying compliance with relevant legislation is a step that is done throughout the business continuity planning process, as it ensures that the enterprise meets the legal and regulatory requirements for its industry and location6. References := 1: Risk Mitigation Strategies - ISACA72: How to Conduct aComprehensive Business Impact Analysis: A Step-by-Step Guide33: Business Continuity Planning Process Diagram - ISACA84: Business Impact Analysis: Definition and How To Conduct One15: The Complete Guide to Business Impact Analysis with Templates - Creately46: How To Conduct Business Impact Analysis in 8 Easy Steps - G25