CGEIT Exam Prep Free – 50 Practice Questions to Get You Ready for Exam Day
Getting ready for the CGEIT certification? Our CGEIT Exam Prep Free resource includes 50 exam-style questions designed to help you practice effectively and feel confident on test day.
Effective exam preparation is the key to success. With our free practice questions, you can:
- Get familiar with exam format and question style
- Identify which topics you’ve mastered—and which need more review
- Boost your confidence and reduce exam anxiety
Below, you will find 50 realistic CGEIT Exam Prep Free questions that cover key exam topics. These questions are designed to reflect the structure and challenge level of the actual exam, making them perfect for your study routine.
Establishing a uniform definition for likelihood and impact BEST enables an enterprise to:
A. reduce risk appetite and tolerance levels.
B. develop key risk indicators (KRIs).
C. reduce variance in the assessment of risk.
D. prioritize threat assessment.
Which of the following provides the BEST assurance on the effectiveness of IT service management processes?
A. Compliance with internal controls
B. Key risk indicators (KRIs)
C. Continuous monitoring
D. Performance of incident response
When assessing the impact of a new regulatory requirement, which of the following should be the FIRST course of action?
A. Update affected IT policies.
B. Implement new regulatory requirements.
C. Assess the budget impact of the new regulation.
D. Map the regulation to business processes.
From a governance perspective, which of the following is MOST important to enhance in an enterprise undergoing rapid development of a cloud technology?
A. Change management processes to capture organizational and project changes.
B. Data restructuring plan to ensure the architecture supports future changes.
C. IT project dashboard reporting to capture new risk, threats, and scenarios.
D. Configuration management processes to ensure availability goals are maintained.
Which of the following should be the PRIMARY basis for establishing categories within an information classification scheme?
A. Information security policy
B. Business impact
C. Information architecture
D. Industry standards
The CEO of an organization is concerned that there are inconsistencies in the way information assets are classified across the enterprise. Which of the following is the BEST way for the CIO to address these concerns?
A. Require enterprise risk assessments.
B. Implement enterprise data governance.
C. Identify data owners across the enterprise.
D. Include data assets in the IT inventory.
Which of the following groups would be MOST appropriate to decide whether to proceed with an IT-enabled investment at the individual program level?
A. Business sponsors
B. Program management office
C. IT steering committee
D. Board of directors
The approval of an enterprise risk management framework is the role of the:
A. chief information officer.
B. chief risk officer.
C. IT steering committee.
D. board of directors.
An enterprise has been focused on establishing an IT risk management framework. Which of the following should be the PRIMARY motivation behind this objective?
A. Increasing the enterprise’s risk tolerance level and risk appetite.
B. Engaging executives in examining IT risk when developing policies.
C. Promoting responsibility throughout the enterprise for managing IT risk.
D. Maintaining a complete and accurate risk registry to better manage IT risk.
Which of the following is MOST critical to have in place before management can establish an IT risk assessment and response approach?
A. A portfolio of IT investments
B. Defined roles and responsibilities
C. Historic data on risk events
D. A balanced scorecard
Supply chain management has established a supplier policy requiring multiple technology suppliers. What is the BEST way to ensure the success of this policy?
A. Implement a master service agreement.
B. Align enterprise architecture (EA) and procurement strategies.
C. Identify and select suppliers based on cost.
D. Align the vendor selection process with the security policy.
A large enterprise has decided to use an emerging technology that needs to be integrated with the current IT infrastructure. Which of the following is the BEST way to prevent adverse effects to the enterprise resulting from the new technology?
A. Develop key risk indicators (KRIs).
B. Develop key performance indicators (KPIs).
C. Implement service level agreements (SLAs).
D. Update the risk appetite statement.
An IT governance committee wants to ensure there is a clear description of the "data owner" in the enterprise data policy. Which of the following would BEST define the owner of data stored in an external cloud?
A. The contract manager who monitors the security of the cloud provider
B. The vendor who submits the data to the organization via online forms
C. The business leader who is most impacted by the loss of data
D. The risk manager who is responsible for protecting data stored in the cloud
Which of the following is MOST important to consider when planning to implement a cloud-based application for sharing documents with internal and external parties?
A. Information ownership
B. Cloud implementation model
C. User experience
D. Third-party access rights
The CIO of a financial services company is tasked with ensuring IT processes are in compliance with recently instituted regulatory changes. The FIRST course of action should be to:
A. create an IT balanced scorecard
B. identify the penalties for noncompliance
C. perform a current state assessment
D. align IT project portfolio with regulatory requirements
An enterprise has decided to execute a risk self-assessment to identify improvement opportunities for current IT services. Which of the following is MOST important to address in the assessment?
A. IT capability and performance measures
B. Mapping of business objectives to IT risk
C. Residual IT risk
D. Related business risk
Which of the following is MOST important to document for a business ethics program?
A. Violation response matrix
B. Whistle-blower protection protocols
C. Guiding principles and best practices
D. Employee awareness and training content
Which of the following should be done FIRST when defining responsibilities for ownership of information and systems?
A. Require an inventory of information assets.
B. Identify systems that are outsourced.
C. Require an information risk assessment.
D. Ensure information is classified.
An enterprise's decision to move to a virtualized architecture will have the GREATEST impact on:
A. system life cycle management
B. vendor management
C. vulnerability management
D. asset classification
Which of the following is the PRIMARY benefit of communicating the IT strategy across the enterprise?
A. Optimization of IT investment in supporting business objectives
B. On-time and on-budget delivery of strategic projects
C. Reduced organizational resistance during strategy execution
D. Improvement in IT balanced scorecard performance
Which of the following should a new CIO do FIRST to ensure information assets are effectively governed?
A. Review information classification procedures.
B. Perform an information gap analysis.
C. Evaluate information access methods.
D. Quantify the business value of information assets.
When preparing a new IT strategic plan for board approval, the MOST important consideration is to ensure the plan identifies:
A. specific resourcing requirements for identified IT projects.
B. frameworks that will be aligned to IT programs.
C. roles and responsibilities that link to IT objectives.
D. implications of the strategy on the procurement process.
When defining an enterprise governance framework, the PRIMARY determination of the degree to which the framework is principle-based or policy-based is:
A. enterprise architecture framework.
B. organizational decision-making style.
C. IT process maturity.
D. organizational structure.
When selecting a vendor to provide services associated with a critical application, which of the following is the MOST important consideration with respect to business continuity planning (BCP)?
A. Testing the vendor’s BCP and analyzing the results
B. Obtaining independent audit reports of the vendor’s BCP
C. Evaluating whether the vendor’s BCP aligns with the enterprise’s BCP
D. Procuring a copy of the vendor’s BCP during the contracting process
An enterprise is evaluating a Software-as-a-Service (SaaS) solution to support a core business process. There is no outsourcing governance or vendor management in place. The CEO's FIRST course of action should be to:
A. establish a contract with the SaaS solution provider.
B. instruct management to use the standard procurement process.
C. ensure the service level agreements (SLAs) for service providers are defined.
D. ensure the roles and responsibilities to manage service providers are defined.
An enterprise has committed to the implementation of a new IT governance model. The BEST way to begin this implementation is to:
A. prioritize how much and where to invest in IT.
B. identify the role of IT in supporting the business.
C. define policies for data, applications, and organization of infrastructure.
D. identify IT services that currently support the enterprise’s capability.
To successfully implement enterprise IT governance, which of the following should be the MAIN focus of IT policies?
A. Optimizing operational benefits
B. Enhancing organizational capability
C. Limiting IT costs
D. Providing business value
Which of the following is the BEST way to demonstrate that IT strategy supports a new enterprise strategy?
A. Review and update the portfolio management process.
B. Monitor new key risk indicators (KRIs).
C. Measure return on IT investments against balanced scorecards.
D. Map IT programs to business goals.
An IT governance committee is defining a risk management policy for a portfolio of IT-enabled investments. Which of the following should be the PRIMARY consideration when developing the policy?
A. Risk appetite of the enterprise
B. Risk management framework
C. Value obtained with minimum risk
D. Possible investment failures
The PRIMARY focus of a committee tasked with evaluating an IT project portfolio should be to ensure:
A. a consistent estimation methodology is leveraged.
B. the enterprise strategy is updated.
C. consistent selection criteria are applied.
D. an industry standard capability maturity model is used.
Once the strategic vision has been established, which of the following would be the BEST activity for supporting the implementation of performance measures?
A. Document policy requirements.
B. Document strengths, weaknesses, opportunities, and threats.
C. Identify key performance indicators (KPIs).
D. Monitor service level performance.
Enterprise leadership is concerned with the potential for discrimination against certain demographic groups resulting from the use of machine learning models. What should be done FIRST to address this concern?
A. Revise the code of conduct to discourage bias within automated processes.
B. Obtain stakeholders’ input regarding the ethics associated with machine learning.
C. Develop a machine learning policy articulating guidelines for machine learning use.
D. Assess recent case law related to the enterprise’s machine learning business strategy.
When conducting a risk assessment in support of a new regulatory requirement, the IT risk committee should FIRST consider the:
A. cost burden to achieve compliance.
B. disruption to normal business operations.
C. readiness of IT systems to address the risk.
D. risk profile of the enterprise.
To develop appropriate measures to improve organizational performance, the measures MUST be:
A. accepted by and meaningful to the stakeholders
B. approved by the IT steering committee
C. a result of benchmarking and comparative analysis
D. based on existing and validated data sources
An enterprise decides to accept the IT risk of a subsidiary located in another country even though it exceeds the enterprise's risk appetite. Which of the following would be the BEST justification for this decision?
A. Local market common practices
B. Risk framework alignment
C. Technical gaps among subsidiaries
D. Compliance with local regulations
The PRIMARY reason a CIO and IT senior management should stay aware of the business environment is to:
A. measure efficiency of IT resources.
B. revisit prioritization of IT projects.
C. re-assess the IT investment portfolio.
D. adjust IT strategy as needed.
The PRIMARY objective of promoting business ethics within the IT enterprise should be to ensure:
A. legal and regulatory compliance.
B. corporate social responsibility.
C. employees act more responsibly.
D. trust among internal and external stakeholders.
A retail enterprise wants to leverage emerging technologies to create a new sales channel for its customers. However, IT has little experience with these technologies and is unsure if the proposed schedule can be met. Which of the following will BEST help to determine IT's ability to meet this need?
A. Conducting a resource gap assessment
B. Defining business benefits realization metrics
C. Reviewing the resource management policy
D. Developing a target state enterprise architecture
Which of the following BEST demonstrates the effectiveness of enterprise IT governance?
A. Business objectives are achieved
B. Business objectives are defined
C. IT processes are measured
D. An IT balanced scorecard is used
The FIRST step in aligning resource management to the enterprise's IT strategic plan would be to:
A. develop a responsible, accountable, consulted, and informed (RACI) chart
B. assign appropriate roles and responsibilities
C. identify outsourcing opportunities
D. perform a gap analysis
What information is MOST important to include when reporting key risk indicators to the board of directors?
A. The effect of emerging risk trends on current risk exposure
B. Risk appetite, risk threshold and risk tolerance
C. Classification of current business risk
D. Costs and resource needs related to risk mitigation measures
In a successful enterprise that is profitable in its marketplace and consistently growing in size, the non-IT workforce has grown by 50% in the last two years. The demand for IT staff in the marketplace is more than the supply, and the enterprise is losing staff to rival organizations. Due to the rapid growth, IT has struggled to keep up with the enterprise, and IT procedures and associated job roles are not well-defined. The MOST critical activity for reducing the impact caused by IT staff turnover is to:
A. outsource the IT operation.
B. increase compensation for IT staff.
C. hire temporary staff.
D. document processes and procedures.
Which of the following roles should be responsible for data normalization when it is found that a new system includes duplicates of data items?
A. Business system owner
B. Database administrator (DBA)
C. Application manager
D. Data steward
Which of the following has PRIMARY responsibility to define the requirements for IT service levels for the enterprise?
A. The help desk
B. The business continuity vendor
C. The business manager
D. The CIO
To ensure that the process of developing a business case for IT-enabled investments continually supports benefits realization, the benefits expected from investment programs must be actively managed through:
A. the system development life cycle.
B. the economic life cycle.
C. obsolescence planning.
D. project life cycle.
Which of the following should be the MOST important consideration when designing an implementation plan for IT governance?
A. Roles and responsibilities
B. Risk tolerance levels
C. Organization culture
D. Principle and policies
Which of the following is the MOST valuable input when quantifying the loss associated with a major risk event?
A. Key risk indicators (KRIs)
B. Recovery time objectives (RTOs)
C. IT environment threat modeling
D. Business impact analysis (BIA) report
An analysis of an organization's security breach is complete. The results indicate that the quality of the code used for updates to its primary customer-facing software has been declining and security flaws were introduced. The FIRST IT governance action to correct this problem should be to review:
A. the incident response plan.
B. the change management control framework.
C. compliance with the user testing process.
D. the qualifications of developers to write secure code.
Which of the following roles has PRIMARY accountability for the security related to data assets?
A. Security architect
B. Database administrator
C. Data owner
D. Data analyst
A health tech enterprise wants to ensure that its in-house developed mobile app for users complies with data privacy regulations. Which of the following should be identified FIRST when creating an inventory of information systems and data related to the mobile app?
A. Vendors and outsourced systems
B. Data maintained by vendors
C. Information classification scheme
D. Application and data owners
Good luck with your CGEIT certification journey!