Pass the Isaca Isaca Certification COBIT-2019 Questions and answers with CertsForce

 The legal office is a function that provides legal advice and support to an enterprise on various matters related to its information and technology activities. The legal office also ensures that the enterprise complies with the applicable laws, regulations, standards, guidelines, contracts, or agreements that govern its information and technology activities. One of the responsibilities of the legal office is to execute contracts that retain independent legal consultants to review the level of regulatory compliance of a proposed IT solution. This means that the legal office is responsible for negotiating, drafting, signing, and enforcing contracts with external legal experts who can provide independent and objective assessment of the compliance status of an IT solution that an enterprise intends to implement or use. The legal office also ensures that the contracts are aligned with the enterprise’s strategy, objectives, needs, and expectations, as well as with the relevant compliance requirements34 References: 3: COBIT 2019 Framework: Governance and Management Objectives: page 20-21 4: COBIT 2019 Design Guide: page 47-48

According to the COBIT 2019 Design Guide, before designing an enterprise IT governance system, an organization should first review and understand the enterprise’s strategy. The enterprise’s strategy defines the vision, mission, goals and objectives of the organization, and provides the direction and context for IT governance. The enterprise’s strategy also identifies the key stakeholders, their needs and expectations, and the value proposition of IT to the business.1, p. 16-17 References: 1: COBIT 2019 Design Guide: Designing an Information and Technology Governance Solution

The internal audit function is an independent and objective assurance and consulting activity that evaluates and improves the effectiveness of governance, risk management, and control processes in an enterprise. The internal audit function has a role in defining the EGIT target state, which is the desired state of information and technology governance in an enterprise that is aligned with its strategy, objectives, and stakeholder needs. The role of the internal audit function in this process is to provide advice and assist with target-state positioning and gap priorities. This means that the internal audit function can help to identify the current state of information and technology governance in an enterprise, assess the gaps and issues that need to be addressed, determine the target state of information and technology governance that is optimal for the enterprise, and prioritize the actions and initiatives that are required to achieve the target state. The internal audit function can also provide assurance on the design and implementation of the EGIT target state by evaluating its adequacy, effectiveness, efficiency, and compliance.

 The IT design factor is a design factor that describes how an enterprise uses information and technology to achieve its goals and objectives. There are six IT design factors defined in COBIT 2019: strategic; operational; data-driven; compliance-driven; innovation-driven; customer intimacy-driven. Each design factor has different implications for the governance and management of information and technology in terms of focus areas, processes, practices, roles, structures, and metrics. When considering the role of IT design factor, and the design factor value is strategic, one of the management objectives that should be a priority is managed innovation (APO04), which involves identifying new opportunities for using information and technology to create value for the enterprise. This management objective supports the strategic role of IT in enabling business transformation, differentiation, competitiveness, growth, and sustainability. This management objective also involves establishing an innovation culture and process that encourages creativity, experimentation, collaboration, learning, and improvement5 References: 5: COBIT 2019 Design Guide: page 35-36 : COBIT 2019 Process Reference Guide: page 57-59

 According to Capability Maturity Model Integration (CMMI), Level 2 within the five maturity levels for processes best describes the outcome of the process achieving its purpose through the application of a basic, yet complete, set of activities that can be characterized as performed. CMMI is a process improvement approach that provides organizations with the essential elements of effective processes. CMMI defines five maturity levels for processes, from 1 (initial) to 5 (optimizing). Level 2 (managed) means that the process is planned and executed in accordance with policy; employs skilled people who have adequate resources to produce controlled outputs; involves relevant stakeholders; is monitored, controlled, and reviewed; and is evaluated for adherence to its process description.12 References: CMMI for Development, Version 1.3, CMMI Institute - Capability Maturity Model Integration

The information security function within the IT corporate structure is responsible for classifying information using an agreed-upon classification scheme for a new data collection system. According to the COBIT 2019 Implementation Guide, information security is one of the key enablers of IT governance and management, and it includes the processes and practices for ensuring the confidentiality, integrity, and availability of information assets. One of the activities of information security is to define and implement an information classification scheme that categorizes information based on its sensitivity, criticality, and value to the enterprise. This scheme helps to determine the appropriate level of protection and controls for different types of information, especially for new data collection systems that may involve personal or sensitive data. References: : COBIT 2019 Implementation Guide: Implementing and Optimizing an Information and Technology Governance Solution, page 15 1 : COBIT 2019 Design Guide: Designing an Information & Technology Governance Solution, page 62 .

The oversight of technology and innovation processes by the board is critical to ensuring I & T-related decisions are aligned with the enterprise’s strategies and objectives. The board is the highest governing body of the enterprise that provides direction, oversight, and accountability for the enterprise’s performance. Technology and innovation processes are the activities that enable the enterprise to leverage information and technology to create value, achieve strategic goals, and respond to changing business needs. The oversight of technology and innovation processes by the board ensures that I & T-related decisions are consistent with the enterprise’s vision, mission, values, policies, and risk appetite.13 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

 According to the COBIT 2019 Framework: Governance and Management Objectives, one of the good practices with regard to performance management of organizational structures is to ensure that organizational meeting reports/minutes are available and meaningful to ensure transparency. This means that the outcomes and decisions of the meetings are documented and communicated to relevant stakeholders in a timely manner, and that they provide sufficient information to support accountability and learning. Transparency is one of the key principles of effective governance of enterprise I & T.4, p. 32-33 References: 4: COBIT 2019 Framework: Governance and Management Objectives

 The number of confidentiality incidents causing financial loss, business disruption or public embarrassment would be the best metric to enable an enterprise to evaluate an alignment goal specifically related to security of information and privacy. A metric is a quantifiable measure that is used to track and assess the status of a specific process or activity. An alignment goal is an intermediate goal that links the enterprise goals with the governance and management objectives. Security of information and privacy is one of the 17 generic alignment goals defined by COBIT that describes how information and technology can support the protection of sensitive information and personal data. The number of confidentiality incidents causing financial loss, business disruption or public embarrassment is a metric that reflects how well this alignment goal is achieved.12 References: COBIT 2019 Framework: Introduction and Methodology, COBIT 2019 Framework: Governance System

The best starting point when translating enterprise goals into actionable governance and management objectives is prioritized enterprise goals. The enterprise goals are the high-level statements of what an enterprise wants to achieve in terms of its mission, vision, values, strategy, etc. The enterprise goals are aligned with the stakeholder needs that reflect the expectations and requirements of various internal and external parties that have an interest or stake in the enterprise’s information and technology activities. The prioritized enterprise goals are the subset of enterprise goals that have been ranked according to their importance or urgency for the enterprise based on its context and needs. By starting with prioritized enterprise goals when translating them into actionable governance and management objectives, an enterprise can ensure that it focuses on the most critical aspects of its information and technology governance that support its strategy and objectives. This will also help to align its information and technology activities with its stakeholder needs34 References: 3: COBIT 2019 Framework: Introduction and Methodology: page 25-26 4: COBIT 2019 Design Guide: page 35-36