CGEIT Reviews Questions

Comprehensive and Detailed Explanation:

The CGEIT Review Manual 8th Edition, in its Risk Optimization domain, addresses the need for proactive detection and response to security incidents to minimize risks. The undetected breach attempt highlights a gap in real-time monitoring and alerting.

Option D: The implementation of an intrusion detection and reporting process is the most important. An intrusion detection system (IDS) monitors network and system activities for unauthorized access, generating alerts for immediate response. This would have ensured the breach attempt was detected and reported in real-time, preventing potential data loss. The manual likely references COBIT 2019’s DSS05-Managed Security Services, which emphasizes intrusion detection as a critical security control.

Option A: Periodic analyses of logs and databases is reactive and may not detect breaches in time, unlike real-time IDS.

Option B: A review of security and risk frameworks is broad and long-term, not addressing the immediate detection gap.

Option C: A comprehensive data management policy focuses on data governance, not real-time breach detection.

Double Verification: The answer aligns with COBIT’s DSS05 and the CGEIT domain’s focus on security incident detection. Intrusion detection is a standard ISACA recommendation for preventing undetected breaches.

ISACA CGEIT Review Manual 8th Edition, Domain 4: Risk Optimization (focus on security incident detection).

COBIT 2019, DSS05-Managed Security Services.

ISACA Glossary (for definitions of intrusion detection), available at

The correct approach is toagree on target maturity levels in response to need—this ensures that the maturity level supports enterprise objectives, risk appetite, and strategic priorities. The maturity should be fit-for-purpose, rather than arbitrarily benchmarked or driven solely by cost or strengths.

While competitor benchmarks and cost considerations can provide insight, they are secondary to ensuring that the governance processes meetspecific business and governance needs.

To help ensure that IT projects related to a new business opportunity deliver the required business outcomes, the best approach is to implement stage-gate reviews that require business sign-off at each critical phase of the project. This process provides structured checkpoints where project progress, alignment with business requirements, and expected outcomes can be evaluated and validated by business stakeholders. This ensures ongoing alignment between IT project execution and business objectives, allowing for timely adjustments as needed. Hiring consultants, developing policies, and focusing on process maturity are supportive actions, but stage-gate reviews with business sign-off directly link project progression to business expectations.

A balanced scorecard is a tool that helps to measure and communicate the value of IT initiatives to the board of directors. It aligns IT objectives with business goals, tracks performance indicators, and shows the contribution of IT to the enterprise value. A balanced scorecard can also help to identify gaps and areas for improvement in IT governance. References := CGEIT Review Manual, 7th Edition, Chapter 3: Benefits Realization, Section 3.3: Value Delivery Frameworks and Mechanisms, pp. 103-105.