Most Recent Isaca CGEIT Exam Dumps

Prepare for the Isaca Certified in the Governance of Enterprise IT exam with our extensive collection of questions and answers. These practice Q&A are updated according to the latest syllabus, providing you with the tools needed to review and test your knowledge.

QA4Exam focuses on the latest syllabus and exam objectives, and our practice Q&A are designed to help you identify key topics and solidify your understanding. By focusing on the core curriculum, these questions and answers help you cover all the essential topics, ensuring you're well prepared for every section of the exam. Each question comes with a detailed explanation, offering valuable insights and helping you to learn from your mistakes. Whether you're looking to assess your progress or dive deeper into complex topics, our updated Q&A will provide the support you need to confidently approach the Isaca CGEIT exam and achieve success.

The questions for CGEIT were last updated on Mar 30, 2025.
  • Viewing page 1 out of 116 pages.
  • Viewing questions 1-5 out of 578 questions
Question No. 1

When an enterprise is evaluating potential IT service vendors, which of the following BEST enables a clear understanding of the vendor's capabilities that will be critical to the enterprise's strategy?

Correct Answer: A

A due diligence process is the best way to enable a clear understanding of the vendor's capabilities that will be critical to the enterprise's strategy. A due diligence process is a systematic and comprehensive investigation and evaluation of the vendor's background, reputation, performance, quality, reliability, security, compliance, and suitability for the enterprise's needs and expectations. A due diligence process can help the enterprise:

  • Verify the vendor's claims and credentials, and validate the vendor's references and testimonials
  • Assess the vendor's financial stability, legal status, and ethical standards
  • Identify the vendor's strengths, weaknesses, opportunities, and threats
  • Compare the vendor's offerings, capabilities, and prices with other vendors and market benchmarks
  • Determine the risks and benefits of engaging with the vendor, and the mitigation and contingency plans
  • Negotiate the terms and conditions of the contract, service level agreement (SLA), and key performance indicators (KPIs)


According to the CGEIT Review Manual 2022, "Due diligence is a comprehensive appraisal of a business undertaken by a prospective buyer or partner to establish its assets and liabilities and evaluate its commercial potential." [1]

According to the ISACA article on Third-Party Vendor Selection: If Done Right, It's a Win-Win [2], "Once you have identified which processes can be outsourced as well as their inherent risks, you can begin performing due diligence on potential vendors. The level of due diligence should be tailored to the significance of the relationship as well as the potential risks it poses."

According to the Gartner article on How to Evaluate Technology Vendors in 4 Rigorous Steps [1], "Evaluating vendors requires detailed objectives, criteria, prioritization and monitoring. Here's help. When it comes to choosing a vendor, enterprise tech buyer teams can easily become bogged down in the details and documentation provided by sales teams."

Question No. 2

Which of the following is the PRIMARY benefit to an enterprise when risk management is practiced effectively throughout the organization?

Correct Answer: A

Risk management is the process of identifying, analyzing, evaluating, and treating the uncertainties that may affect the achievement of objectives. Risk management helps to ensure that decisions are made with an awareness of probability and impact, which means that the likelihood and consequences of potential events are considered and weighed against the benefits and costs of the actions. This can help to optimize the risk-reward balance, enhance the quality and consistency of decision-making, and support the achievement of desired outcomes.

Reference:

CGEIT Review Manual 2021, Chapter 2: IT Risk Management, Section 2.1: Risk Management Overview, page 551

CGEIT Review Questions, Answers & Explanations Manual 2021, Question 1, page 152

The Benefits of Risk Management - PMI3


Question No. 3

An organization requires updates to their IT infrastructure to meet business needs. Which of the following will provide the MOST useful information when planning for the necessary IT investments?

Correct Answer: A

This is because enterprise architecture (EA) is a practice that helps organizations align their IT systems and processes with their business objectives. EA provides a holistic and integrated view of the current and future state of the organization's IT infrastructure, as well as the gaps, issues, and opportunities for improvement [1]. By using EA, the organization can:

  • Identify and prioritize the IT investments that support the business strategy, goals, and needs [1]
  • Optimize the IT spending and maximize the IT value [1]
  • Ensure the IT quality, security, and compliance [1]
  • Avoid IT duplication, waste, and inefficiency [1]
  • Define IT roles and responsibilities and assign accountability [1]

EA can help the organization plan for the necessary IT investments in a systematic and structured way, and ensure that they are aligned with the business vision and value.

The other options, risk assessment report, business user satisfaction metrics, and audit findings are not as useful as enterprise architecture (EA) for planning for the necessary IT investments. They are more related to the evaluation and monitoring of the IT performance, rather than the planning and alignment of the IT strategy. They may also provide limited or partial information about the IT infrastructure, rather than a comprehensive and integrated view. They may also depend on external factors or standards that may not be relevant or applicable to the organization's specific context and needs.


Question No. 4

Which of the following is MOST important to consider when planning to implement a cloud-based application for sharing documents with internal and external parties?

Correct Answer: C

Information ownership is the right and responsibility to define, classify, protect, and manage the data assets of an enterprise. When using a cloud-based application, the enterprise should ensure that it retains the ownership and control of its information, and that it complies with the relevant laws and regulations regarding data privacy, security, and sovereignty [1][2]. The enterprise should also establish clear policies and agreements with the cloud service provider and the internal and external parties regarding the access, usage, storage, transfer, retention, and disposal of the information [1][2]. By considering information ownership, the enterprise can mitigate the risks and challenges of using a cloud-based application, such as data breaches, unauthorized access, vendor lock-in, legal disputes, or reputational damage [1][2].

The other options are not as important as information ownership, as they are secondary or dependent factors. Cloud implementation model is the type of cloud service that the enterprise chooses to use, such as software as a service (SaaS), platform as a service (PaaS), or infrastructure as a service (IaaS) [3]. Cloud implementation model can affect the cost, performance, scalability, and flexibility of the cloud-based application, but it does not directly affect the ownership and governance of the information [3]. User experience is the perception and satisfaction of the users when interacting with the cloud-based application. User experience can affect the adoption, engagement, and productivity of the users, but it does not directly affect the ownership and governance of the information. Third-party access rights are the permissions and restrictions that the enterprise grants to external parties to access and use its information through the cloud-based application. Third-party access rights can affect the security and privacy of the information, but they are determined by the information ownership policies and agreements that the enterprise establishes with the cloud service provider and the external parties [1][2].


Question No. 5
