Exactprep CGEIT Questions

Business ethics is the study of appropriate business policies and practices regarding potentially controversial subjects, such as corporate governance, insider trading, bribery, discrimination, corporate social responsibility, fiduciary responsibilities, and much more1. The most important aspect of business ethics is to protect the interests of the stakeholders, who are the individuals or groups that have a stake in the success or failure of a business. Stakeholders include shareholders, customers, employees, suppliers, regulators, and the society at large. By protecting stakeholders’ interests, a business can ensure its long-term viability, reputation, and profitability. References: CGEIT Review Manual (Digital Version) or CGEIT Review Manual (Print Version), Chapter 1: Governance of Enterprise IT, Section 1.1: IT Governance Frameworks and Principles, Subsection 1.1.2: IT Governance Principles, Page 14-15. Business Ethics: Definition, Principles, Why They’re Important.

 Moving to a virtualized architecture will have the greatest impact on vendor management, as it will require the enterprise to select, contract, and monitor the performance of the cloud or virtualization service providers. Vendor management is essential for ensuring that the virtualized architecture meets the enterprise’s requirements, standards, and expectations, as well as for managing the risks, costs, and benefits of the virtualization strategy. Vendor management also involves negotiating and enforcing service level agreements (SLAs), ensuring compliance with regulations and policies, and resolving any issues or disputes that may arise with the vendors.

System life cycle management, asset classification, and vulnerability management are also important aspects of IT governance, but they are not as significantly affected by moving to a virtualized architecture as vendor management. System life cycle management is the process of planning, developing, testing, deploying, maintaining, and retiring IT systems. Asset classification is the process of identifying, categorizing, and labeling IT assets based on their value, sensitivity, and criticality. Vulnerability management is the process of identifying, assessing, prioritizing, and mitigating IT vulnerabilities that may pose a threat to the enterprise’s security or operations. These processes may need to be adapted or updated to accommodate the virtualized architecture, but they are not fundamentally changed by it.

References := Steps to Meet Cloud and Virtualized Architecture Governance; Crafting the optimal model for the IT architecture organization; Enterprise Architecture Governance – Why It Is Important (Part 2); What is IT governance? A formal way to align IT & business strategy.

This way, the CIO can align the IT personnel’s work with the new strategy’s objectives, communicate the desired outcomes and behaviors, motivate and empower the IT personnel, monitor and measure their progress and achievements, and provide feedback and recognition1. Incorporating IT objectives into individual performance evaluations can also create a culture of accountability, excellence, and continuous improvement among the IT personnel, and ensure that they contribute to the value creation and delivery of IT2.

The other options are not as effective as incorporating IT objectives into individual performance evaluations, as they do not directly link the IT objectives with the IT personnel’s performance and incentives. Measuring progress towards IT objectives and communicating the results to IT staff may help to inform them about the status and direction of the new strategy, but it does not ensure that they understand or follow it. Developing communication materials to promote the new IT strategy and objectives may help to raise awareness and interest among the IT staff, but it does not ensure that they adopt or support it. Requiring IT managers to assign activities aligned to the IT objectives may help to implement the new strategy at the operational level, but it does not ensure that the IT staff are engaged or committed to it.

The MOST concerning issue for the risk management committee when planning to migrate to cloud-based systems is regulatory compliance. Regulatory compliance refers to the discipline and process of ensuring that a company follows the laws enforced by governing bodies in their geography or rules required by voluntarily adopted industry standards1. For IT regulatory compliance, people and processes monitor corporate systems to detect and prevent violations ofpolicies and procedures established by these governing laws, regulations, and standards1. However, migrating to cloud-based systems can pose significant challenges and risks for regulatory compliance, such as23:

Data protection, privacy, and sovereignty issues, as cloud service providers may store or process data in different jurisdictions with different legal and regulatory frameworks

Loss of control and visibility over data and systems, as cloud service providers may have different security standards, policies, and practices than the enterprise

Shared responsibility and accountability for compliance, as cloud service providers and customers may have different roles and obligations for ensuring compliance

Complexity and variability of compliance requirements, as cloud service providers may offer different levels of compliance certifications and attestations for different services and regions

Therefore, regulatory compliance should be of most concern to the risk management committee when planning to migrate to cloud-based systems. The risk management committee should carefully assess the compliance requirements of the applicable legislation in both the home and host countries, as well as the compliance capabilities and assurances of the cloud service providers. The risk management committee should also establish appropriate controls and mechanisms to monitor and audit the compliance status and performance of the cloud-based systems.