[Q320-Q339] CGEIT認定で究極のガイド [2026年更新]

Share

CGEIT認定で究極のガイド [2026年更新]

CGEIT練習試験と学習ガイドは厳密検証された


ISACA CGEIT(企業ITのガバナンスの認定)認定試験は、ITガバナンスの分野で働く専門家のための世界的に認められた資格です。CGEIT認定は、企業のITのガバナンスを管理、サポート、および推進する個人の能力を示します。試験は4つのドメインをカバーしており、ITのガバナンス、戦略的管理、利益の実現、およびリスク最適化が含まれています。この認定は、彼らの組織でITガバナンス、リスク管理、およびコンプライアンスに責任を持つ個人に適しています。

 

質問 # 320
Which of the following responsibilities should be retained within an enterprise when outsourcing a project management office (PMO) function?

  • A. Managing projects
  • B. Selecting projects
  • C. Tracking project cost
  • D. Defining project methodology

正解:B

解説:
The responsibility that should be retained within an enterprise when outsourcing a project management office (PMO) function is selecting projects. This is because selecting projects is a strategic decision that involves aligning the project portfolio with the enterprise goals, vision, and mission. Selecting projects also requires understanding the business needs, priorities, and value proposition of each project, as well as the available resources, risks, and opportunities. These are aspects that the enterprise should have more knowledge and authority over than the outsourced PMO provider. Outsourcing the project selection process may result in a loss of control, alignment, and accountability for the enterprise. Therefore, selecting projects is a responsibility that should be retained within an enterprise when outsourcing a PMO function.


質問 # 321
CORRECT TEXT
Fill in the blank with an appropriate phrase.
_______are activities that are dangerous to complete and manage such as construction, electrical work, or manufacturing.

正解:

解説:
Pure risks


質問 # 322
Which of the following should be the FIRST step for executive management to take in communicating what is considered acceptable use with regard to personally owned devices for company business?

  • A. Develop and disseminate an applicable policy.
  • B. Post awareness messages throughout the facility.
  • C. Provide training on how to protect data on personal devices.
  • D. Require employees to read and sign a disclaimer.

正解:A

解説:
The first step for executive management to take in communicating what is considered acceptable use with regard to personally owned devices for company business is to develop and disseminate an applicable policy.
A policy is a written set of rules and guidelines that defines the scope, objectives, roles, and responsibilities of the BYOD program. A policy also specifies the security, privacy, and usage requirements and expectations for the employees and the organization. A policy helps to establish a clear and consistent understanding of what is acceptable and unacceptable when using personal devices for work purposes, and what are the consequences of non-compliance. A policy also helps to mitigate the potential risks and challenges associated with BYOD, such as data breaches, device loss or theft, malware infections, legal liabilities, and support issues. A policy should be developed in consultation with relevant stakeholders, such as IT, HR, legal, and business units, and disseminated to all employees through various channels, such as email, intranet, training sessions, and awareness campaigns. References: BYOD Policies for Organizations (4 Examples) - Dashlane1, Mobile Device Security-Bring Your Own Device (BYOD): Draft SP 1800-22 ...2, Personally Owned Device Policy
- FBI


質問 # 323
An enterprise's executive team has recently released a new IT strategy and related objectives. Which of the following would be the MOST effective way for the CIO to ensure IT personnel are supporting the new strategy's objectives?

  • A. Incorporate IT objectives into individual performance evaluations.
  • B. Measure progress towards IT objectives and communicate the results to IT staff.
  • C. Develop communication materials to promote the new IT strategy and objectives.
  • D. Require IT managers to assign activities aligned to the IT objectives.

正解:D


質問 # 324
You work as a project manager for BlueWell Inc. Your project is using a new material to construct a large warehouse in your city. This new material is cheaper than traditional building materials, but it takes some time to learn how to use the material properly. You have communicated to the project stakeholders that you will be able to save costs by using the new material, but you will need a few extra weeks to complete training to use the materials. This risk response of learning how to use the new materials can also be known as what term?

  • A. Cost-benefits analysis
  • B. Team development
  • C. Cost of conformance to quality
  • D. Benchmarking

正解:C


質問 # 325
Which of the following aspects of the transition from X-rays to digital images would be BEST addressed by implementing information security policy and procedures?

  • A. Establishing data retention procedures
  • B. Minimizing the impact of hospital operation disruptions on patient care
  • C. Training technicians on acceptable use policy
  • D. Protecting personal health information

正解:D

解説:
The aspect of the transition from X-rays to digital images that would be best addressed by implementing information security policy and procedures is protecting personal health information. This is because personal health information is a type of sensitive data that contains confidential and private information about patients, such as their medical history, diagnosis, treatment, and identity. Personal health information is subject to various legal and ethical obligations and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) in the US1, that require its protection from unauthorized access, disclosure, modification, or destruction. Information security policy and procedures can help to define the rules, guidelines, and responsibilities for ensuring the confidentiality, integrity, and availability of personal health information in digital form.
Establishing data retention procedures is not the best answer, as it is only one component of information security policy and procedures. Data retention procedures specify how long and where digital images should be stored, archived, or deleted, based on the business, legal, and regulatory requirements. Data retention procedures can help to optimize the storage capacity, performance, and cost of digital images, as well as comply with the applicable laws and regulations. However, data retention procedures do not address the full scope of information security policy and procedures.
Training technicians on acceptable use policy is not the best answer, as it is only one aspect of information security policy and procedures. Acceptable use policy defines what are the permitted and prohibited behaviors and actions for using digital images and related IT resources. Training technicians on acceptable use policy can help to educate them on the security risks and best practices for handling digital images, as well as enforce compliance and accountability. However, training technicians on acceptable use policy does not cover the entire range of information security policy and procedures.
Minimizing the impact of hospital operation disruptions on patient care is not the best answer, as it is a business continuity objective rather than an information security objective. Business continuity refers to the ability of an organization to maintain or resume its critical functions and processes in the event of a disruption or disaster. Minimizing the impact of hospital operation disruptions on patient care can help to ensure the safety, quality, and efficiency of health services delivery. However, minimizing the impact of hospital operation disruptions on patient care is not directly related to information security policy and procedures.
References := HIPAA Privacy Rule | HHS.gov, Introduction section. Information Security Policy: Definition
& Examples - NetApp, What Is an Information Security Policy? section. Data Retention Policy: Definition & Best Practices - NetApp, What Is a Data Retention Policy? section. Acceptable Use Policy: Definition & Best Practices - NetApp, What Is an Acceptable Use Policy? section. [Business Continuity Management:
Definition & Best Practices - NetApp], What Is Business Continuity Management? section.


質問 # 326
A global financial institution has decided to integrate data from branch locations into a common database to address regulatory reporting requirements. Analysis of data flows and the full data life cycle should be conducted at which level?

  • A. Department level
  • B. Branch level
  • C. Transaction level
  • D. Enterprise level

正解:C


質問 # 327
A chief technology officer (CTO) wants to ensure IT governance practices adequately address risk management specific to mobile applications. To create the appropriate risk policies for IT, it is MOST important for the CTO to:

  • A. identify the mobile technical requirements.
  • B. map the business goals to IT risk processes.
  • C. understand the enterprise's risk tolerance.
  • D. create an IT risk scorecard.

正解:C

解説:
Understanding the enterprise's risk tolerance is the most important step for the CTO to create the appropriate risk policies for IT, as it would help to define the acceptable level of risk exposure and the risk appetite for mobile applications. Risk tolerance is the degree of uncertainty that an enterprise is willing to accept in pursuit of its objectives, and it reflects the enterprise's culture, strategy, and stakeholder expectations. Risk policies for IT should be aligned with the enterprise's risk tolerance, as well as its mission, vision, and goals. The other options are not as important, as they are more related to the implementation or measurement of risk management, rather than the establishment of risk policies. References: : CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.1: IT Risk Management Overview, Page 153 : CGEIT Review Manual (Digital Version), Chapter 4: Risk Optimization, Section 4.3: IT Risk Management, Subsection 4.3.2: IT Risk Management Process, Page 156 : Proactive IT Risk Management in an Era of Emerging Technologies


質問 # 328
Which of the following should be the FIRST consideration for an enterprise faced with a pandemic situation resulting in a mandatory remote work environment?

  • A. Ensuring remote work policies are updated and communicated
  • B. Ensuring staff has the necessary technology to be productive
  • C. Revising IT performance monitoring metrics
  • D. Reviewing and testing disaster recovery plans (DRPs)

正解:B

解説:
The first consideration for an enterprise faced with a pandemic situation resulting in a mandatory remote work environment should be ensuring staff has the necessary technology to be productive, because this would enable the enterprise to maintain its business continuity and resilience, and to minimize the disruption and loss of the IT services and capabilities. The necessary technology may include hardware, software, network, security, and communication tools that support the remote work activities and requirements of the staff12. The enterprise should also provide guidance and training to the staff on how to use the technology effectively and securely12. The other options are not the first consideration, because they are either dependent on or secondary to the availability and functionality of the technology.


質問 # 329
Senior management is reviewing the results of a recent security incident with significant business impact.
Which of the following findings should be of GREATEST concern?

  • A. Response decisions were made without consulting the appropriate authority.
  • B. Significant gaps are present in the incident documentation.
  • C. Response efforts had to be outsourced due to insufficient internal resources.
  • D. The incident was not logged in the ticketing system.

正解:B


質問 # 330
A global financial enterprise has been experiencing a substantial number of information security incidents that have directly affected its business reputation. Which of the following should be the IT governance board's FIRST course of action?

  • A. Require revisions to how security incidents are managed by the IT department.
  • B. Request an IT security assessment to identify the main security gaps.
  • C. Execute an IT maturity assessment of the security process.
  • D. Mandate an update to the enterprise's IT security policy.

正解:B

解説:
Requesting an IT security assessment to identify the main security gaps is the IT governance board's first course of action, as it helps to understand the root causes and the extent of the information security incidents that have affected the enterprise's business reputation. An IT security assessment can also provide recommendations and best practices for improving the security posture and reducing the risks of future incidents12. Reference:= CGEIT Exam Content Outline, Domain 4, Subtopic B: IT Risk Management, Task 1: Ensure that an IT risk management framework exists to identify, analyze, mitigate, manage, monitor, and communicate IT-related business risk, and that the framework for IT risk management is in alignment with the enterprise risk management (ERM) framework.


質問 # 331
When selecting a cloud provider, which of the following provides the MOST comprehensive information regarding the current status and effectiveness of the provider's controls?

  • A. Globally recognized certification
  • B. Third-party audit report
  • C. Maturity assessment
  • D. Control self-assessment (CSA)

正解:B

解説:
A third-party audit report is the most comprehensive source of information regarding the current status and effectiveness of a cloud provider's controls. A third-party audit report is an independent and objective assessment of the cloud provider's security, compliance, and performance by a qualified and reputable auditor. A third-party audit report can provide assurance to the cloud customers that the cloud provider has implemented adequate and effective controls to meet the industry standards and best practices, as well as the contractual obligations and customer expectations12.
A globally recognized certification is a credential that demonstrates that a cloud provider has met certain criteria or standards for security, quality, or performance. A globally recognized certification can provide some level of confidence to the cloud customers that the cloud provider has achieved a minimum level of compliance or competence, but it may not provide enough details or evidence about the current status and effectiveness of the cloud provider's controls3.
A control self-assessment (CSA) is a process that enables a cloud provider to evaluate its own controls internally, without involving an external auditor. A CSA can help a cloud provider to identify and address any gaps or weaknesses in its controls, as well as to monitor and improve its performance. However, a CSA may not provide sufficient assurance to the cloud customers, as it may lack objectivity, transparency, and validity4.
A maturity assessment is a process that measures the level of maturity or capability of a cloud provider's processes or practices. A maturity assessment can help a cloud provider to benchmark its performance against industry standards or best practices, as well as to identify areas for improvement or innovation. However, a maturity assessment may not provide enough information about the current status and effectiveness of the cloud provider's controls, as it may focus more on the process rather than the outcome5.
References: 1: Cloud Security Auditing: Challenges and Emerging Approaches - IEEE Journals & Magazine1 2: Cloud Security Audit: What You Need to Know | CloudHealth by VMware2 3: Cloud Security Certifications: What You Need to Know | CloudHealth by VMware3 4: Control Self-Assessment - ISACA4 5:
Maturity Assessment - ISACA


質問 # 332
You work as a project manager for BlueWell Inc. You are about to complete the quantitative risk analysis process for your project. You can use three available tools and techniques to complete this process. Which one of the following is NOT a tool or technique that is appropriate for the quantitative risk analysis process?

  • A. Expert judgment
  • B. Organizational process assets
  • C. Quantitative risk analysis and modeling techniques
  • D. Data gathering and representation techniques

正解:B


質問 # 333
You work as a project manager for BlueWell Inc. You are working on a project and the management wants a rapid and cost-effective means for establishing priorities for planning risk responses in your project.
Which risk management process can satisfy management's objective for your project?

  • A. Quantitative analysis
  • B. Qualitative risk analysis
  • C. Rolling wave planning
  • D. Historical information

正解:B


質問 # 334
Which of the following processes are covered by Service Strategy? Each correct answer represents a complete solution. Choose all that apply.

  • A. Service Portfolio Management
  • B. IT Financial Management
  • C. Supplier Management
  • D. IT Architecture Management
  • E. Demand Management

正解:A、B、C、E


質問 # 335
DRAG DROP
COBIT stands for Control Objectives for Information and Related Technology. COBIT is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA), and the IT Governance Institute (ITGI) in 1996. Drag and drop the correct domain ('Monitor and Evaluate') next to the IT processes defined by COBIT to support CSI.
Select and Place:

正解:

解説:


質問 # 336
The IT strategy formulation process consists of four steps to provide guidance to all who are involved. Which of the following steps are performed in the IT strategy formulation process? Each correct answer represents a complete solution. Choose all that apply.

  • A. Evaluate changes.
  • B. Map out the big picture.
  • C. Decide how to get from here to there.
  • D. Assess process maturity.

正解:A、B、C


質問 # 337
What should be an IT steering committee's FIRST course of action when an enterprise is considering establishing a virtual reality store to sell its products?

  • A. Request a threat assessment.
  • B. Request a cost-benefit analysis.
  • C. Request development of key risk indicators (KRIs).
  • D. Request a resource gap analysis.

正解:B

解説:
When an enterprise is considering establishing a virtual reality store to sell its products, the IT steering committee's first course of action should be to request a cost-benefit analysis. This analysis will evaluate the financial implications, potential returns, and strategic value of the investment, providing a basis for informed decision-making. While resource gap analysis, development of key risk indicators (KRIs), and threat assessment are important considerations, understanding the economic viability through a cost-benefit analysis is fundamental before proceeding with such strategic initiatives.


質問 # 338
An enterprise's decision to move to a virtualized architecture will have the GREATEST impact on:

  • A. vulnerability management.
  • B. system life cycle management.
  • C. vendor management
  • D. asset classification.

正解:A


質問 # 339
......

究極のガイドはCGEIT最新時間限定!今すぐダウンロード!:https://jp.fast2test.com/CGEIT-premium-file.html

2026年最新のな厳密検証されたCGEIT学習合格ガイドでベズトお試しセット:https://drive.google.com/open?id=1XOtbQ4II2vuv4eSs5Ox1ZDuJYHv2Li7t


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어