Free Access Isaca CGEIT New Release

The finding that should be of greatest concern to senior management is that response decisions were made without consulting the appropriate authority. This is because response decisions are critical actions that can affect the outcome and impact of a security incident, and they should be made by the designated authority who has the responsibility and accountability for the incident response. According to CISA, the Department of Justice, through the FBI and the NCIJTF, is the lead agency for threat response during a significant incident, with DHS’s investigative agencies—the Secret Service and ICE/HSI - playing a crucial role in criminal investigations1. If response decisions are made without consulting the appropriate authority, it may result in:

• Legal or regulatory violations: The response actions may not comply with the applicable laws or regulations, such as data breach notification, evidence preservation, or privacy protection. This may expose the organization to legal or regulatory penalties, lawsuits, or reputational damage.
• Ineffective or counterproductive actions: The response actions may not be aligned with the incident response plan, best practices, or standard operating procedures. This may cause more harm than good, such as escalating the incident, destroying evidence, or compromising recovery efforts.
• Lack of coordination and communication: The response actions may not be coordinated or communicated with the relevant stakeholders, such as senior management, legal counsel, public relations, or external partners. This may lead to confusion, inconsistency, or mistrust among the parties involved in the incident response.

Therefore, senior management should be most concerned about the finding that response decisions were made without consulting the appropriate authority, and they should take corrective actions to prevent this from happening again in the future. References: Cybersecurity Incident Response | CISA1

Performance indicators are quantitative measures that can be used to evaluate the availability of a system or service. They can include metrics such as uptime, downtime, response time, availability percentage, etc. Balanced scorecard, capability maturity levels, and critical success factors are not directly related to availability objectives, but rather to strategic alignment, process improvement, and goal achievement respectively. References := CGEIT Exam Content Outline, Domain 1: Governance of Enterprise IT, Subdomain A: Governance Framework, Task 5: Establish and monitor key performance indicators (KPIs) and key goal indicators (KGIs) that are aligned with strategic objectives.

Data classification is a process that involves users assigning labels or tags to data based on its sensitivity, value, and protection requirements. Users are the ones who know the data best and are responsible for handling it appropriately. Therefore, users should be provided with clear instructions that are easy to follow and understand, so they can classify data correctly and consistently. This will also help users comply with the data security policies and regulations that apply to the data they work with. References := CGEIT Exam Content Outline, Domain 1: Governance of Enterprise IT, Subtopic B: IT Resources, Task 3: Ensure that processes are in place to maintain the integrity, availability, reliability, performance, scalability and security of IT resources. What is Data Classification? | Best Practices & Data Types | Imperva, User-based classification section. Best practices for data classification - ManageEngine, 6 best practices for data classification section.

The quality assurance process is the set of activities that ensures that the software development process follows the defined standards and meets the customer requirements. The quality assurance process includes planning, designing, executing, and monitoring the tests, as well as reporting and resolving the defects. Evaluating the quality assurance process can help to identify and improve the root causes of software defects, such as inadequate testing techniques, tools, or resources, poor communication or collaboration among stakeholders, or lack of quality control or feedback mechanisms123. References: QA Process: A Complete Guide to QA Stages, Steps, & Tools. What is Software Quality Assurance (SQA): A Guide for Beginners. Software Quality Assurance | Components | Standards | Techniques - EDUCBA.