CGEIT Dump Free – 50 Practice Questions to Sharpen Your Exam Readiness.
Looking for a reliable way to prepare for your CGEIT certification? Our CGEIT Dump Free includes 50 exam-style practice questions designed to reflect real test scenarios—helping you study smarter and pass with confidence.
Using a CGEIT dump free set of questions can give you an edge in your exam prep by helping you:
- Understand the format and types of questions you’ll face
- Pinpoint weak areas and focus your study efforts
- Boost your confidence with realistic question practice
Below, you will find 50 free questions from our CGEIT Dump Free collection. These cover key topics and are structured to simulate the difficulty level of the real exam, making them a valuable tool for review or final prep.
Which of the following should be the FIRST step in updating an IT strategic plan?
A. Identify changes in enterprise goals.
B. Review IT performance objectives and indicators.
C. Evaluate IT capabilities and resources.
D. Revise the enterprise architecture (EA).
Who is PRIMARILY accountable for delivering the benefits of an IT-enabled investment program to the enterprise?
A. Business sponsor
B. IT steering committee chair
C. CIO
D. Program manager
When considering an IT change that would enable a potential new line of business, the FIRST strategic step for IT governance would be to ensure agreement among the stakeholders regarding:
A. a vision for the future state
B. a change response plan
C. metrics to measure effectiveness
D. objectives to achieve goals
When developing a business case for an enterprise resource planning (ERP) implementation, which of the following, if overlooked, causes the GREATEST impact to the enterprise?
A. Salvage value of legacy hardware
B. IT best practices
C. Interdependent systems
D. Vendor selection
Which of the following is the PRIMARY purpose of information governance?
A. To ensure regulatory compliance is maintained while optimizing the utilization of information
B. To set direction for information management capabilities through prioritization and decision making
C. To develop control procedures that help ensure information is adequately protected throughout its life cycle
D. To monitor the processes that deliver and enhance the value of information assets
Despite an adequate training budget, IT staff are not keeping skills current with emerging technologies critical to the enterprise. The BEST way for the enterprise to address this situation would be to:
A. establish an agreed-upon skills development plan with each employee.
B. allow staff to attend technology conferences.
C. create a standard-setting center of excellence.
D. assign human resources (HR) to develop an IT skills matrix.
An enterprise has decided to execute a risk self-assessment to identify improvement opportunities for current IT services. Which of the following is MOST important to address in the assessment?
A. IT capability and performance measures
B. Mapping of business objectives to IT risk
C. Residual IT risk
D. Related business risk
Which of the following is the BEST method to confirm whether a pilot project was successful?
A. Evaluate whether the pilot project achieved planned schedule and cost.
B. Review the metrics recorded in the IT balanced scorecard.
C. Assess the results of the pilot project against the expected performance outcomes.
D. Determine whether the pilot aligns with the as-is enterprise architecture (EA).
A recent benchmarking analysis has indicated an IT organization is retaining more data and spending significantly more on data retention than its competitors. Which of the following would BEST ensure the optimization of retention costs?
A. Requiring that all business cases contain data deletion and retention plans
B. Revalidating the organization’s risk tolerance and re-aligning the retention policy
C. Redefining the retention policy to align with industry best practices
D. Moving all high-risk and medium-risk data backups to cloud storage
Following a merger of two major corporations, the new strategic goal is "One business function. One IT system." Which of the following should be the FIRST step to achieve this goal?
A. Form a combined IT steering committee.
B. Document requirements for each business function.
C. Create a standard enterprise architecture.
D. Define service level agreements with each business function.
An enterprise is planning to outsource data processing for personally identifiable information (PII). When is the MOST appropriate time to define the requirements for security and privacy of information?
A. During the initial vendor selection process
B. After an assessment of the current information architecture
C. When issuing requests for proposals (RFPs)
D. When developing service level agreements (SLAs)
When evaluating the process for acquiring third-party IT resources, management identified several suppliers with repeated downtime issues impacting the enterprise. Which of the following is the BEST approach to help ensure future service delivery in accordance with business objectives?
A. Establish key risk indicators (KRIs)
B. Implement contract monitoring
C. Establish key performance indicators (KPIs)
D. Appoint a procurement oversight committee
Which of the following should be the PRIMARY goal of implementing service level agreements (SLAs) with an outsourcing vendor?
A. Establishing penalties for not meeting service levels
B. Complying with regulatory requirements
C. Achieving operational objectives
D. Gaining a competitive advantage
A major data leakage incident at an enterprise has resulted in a mandate to strengthen and enforce current data governance practices. Which of the following should be done FIRST to achieve this objective?
A. Review data logs.
B. Assess data security controls.
C. Verify data owners.
D. Analyze data quality.
Which of the following would provide the BEST input for prioritizing strategic IT improvement initiatives?
A. Business case evaluation
B. Business process analysis
C. Business impact analysis
D. Business dependency assessment
A business unit within an enterprise has directly contracted with a cloud service provider to process sensitive customer information. The CIO later identifies a serious risk of potential data compromise due to the vendor's insufficient segregation of environments and lack of strong access controls. The FIRST course of action should be to:
A. immediately suspend sending of data to the cloud service provider.
B. notify internal audit of the risk.
C. discuss the risk with the vendor to determine mitigation actions.
D. inform the business process owner of the risk.
An enterprise has learned of a new regulation that may impact delivery of one of its core technology services. Which of the following should be done FIRST?
A. Request an action plan from the risk team.
B. Determine whether the board wants to comply with the regulation.
C. Assess the risk associated with the new regulation.
D. Update the risk management framework.
Which of the following is the BEST way to demonstrate that IT strategy supports a new enterprise strategy?
A. Review and update the portfolio management process.
B. Monitor new key risk indicators (KRIs).
C. Measure return on IT investments against balanced scorecards.
D. Map IT programs to business goals.
The CEO of an organization is concerned that there are inconsistencies in the way information assets are classified across the enterprise. Which of the following is the BEST way for the CIO to address these concerns?
A. Require enterprise risk assessments.
B. Implement enterprise data governance.
C. Identify data owners across the enterprise.
D. Include data assets in the IT inventory.
For a large enterprise, which of the following is the BEST indicator that IT governance has a poor reputation?
A. Regulatory noncompliance
B. Low attendance at strategy committee meetings
C. High turnover of IT staff
D. Data leakage
Senior management finds that too many projects are currently in progress and all are experiencing expensive project overruns due to lack of resources. Many of the projects also appear to overlap in their objectives and expected outcomes. Which of the following would BEST streamline the process of evaluating and selecting funding priorities?
A. Portfolio management
B. Value governance
C. Project management
D. Business case development
When selecting a vendor to provide services associated with a critical application, which of the following is the MOST important consideration with respect to business continuity planning (BCP)?
A. Testing the vendor’s BCP and analyzing the results
B. Obtaining independent audit reports of the vendor’s BCP
C. Evaluating whether the vendor’s BCP aligns with the enterprise’s BCP
D. Procuring a copy of the vendor’s BCP during the contracting process
Reviewing which of the following should be the FIRST step when evaluating the possibility of outsourcing an IT system?
A. Outsourcing strategy
B. IT staff skill sets
C. Outsourced business processes
D. Service level agreements (SLAs)
The CIO of a global technology company is considering introducing a bring your own device (BYOD) program. What should the CIO do FIRST?
A. Ensure the infrastructure can meet BYOD requirements.
B. Define a clear and inclusive BYOD policy.
C. Establish a business case.
D. Focus on securing data and access to data.
Maintaining a list of all potential IT initiatives for implementing the business strategy should be the responsibility of the:
A. portfolio management function.
B. individual business units.
C. chief executive officer (CEO).
D. chief operating officer (COO).
Which of the following IT governance practices would BEST support IT and enterprise strategic alignment?
A. An IT communication plan is continuously updated.
B. IT service level agreements (SLAs) are periodically updated.
C. Senior management regularly reviews the IT portfolio.
D. External consultants regularly review the IT portfolio.
A strategic systems project was implemented several months ago. Which of the following is the BEST reference for the IT steering committee as they evaluate its level of success?
A. The project’s business case
B. Stakeholder satisfaction surveys
C. The project’s net present value (NPV)
D. Operating metrics of the new system
Senior management is reviewing the results of a recent security incident with significant business impact. Which of the following findings should be of GREATEST concern?
A. Response efforts had to be outsourced due to insufficient internal resources.
B. Significant gaps are present in the incident documentation.
C. Response decisions were made without consulting the appropriate authority.
D. The incident was not logged in the ticketing system.
An IT team is having difficulty meeting new demands placed on the department as a result of a major and radical shift in enterprise business strategy. Which of the following is the CIO's BEST course of action to address this situation?
A. Review the current IT strategy.
B. Utilize third parties for non-value-added processes.
C. Align the business strategy with the IT strategy.
D. Review the IT risk appetite.
To evaluate IT resource management, it is MOST important to define:
A. principles for the IT strategy.
B. responsibilities for executing resource management.
C. applicable key goals.
D. IT resource utilization reporting procedures.
The MOST beneficial aspect of utilizing an IT risk management framework is that it:
A. addresses a lack of data in risk reporting.
B. facilitates the identification of technologies posing the greatest risk to IT.
C. enables a consistent approach to risk management.
D. drives inclusion of the technology function in enterprise risk management.
An enterprise has made the strategic decision to begin a global expansion program which will require opening sales offices in countries across the world. Which of the following should be the FIRST consideration with regard to the IT service desk which will remain centralized?
A. The effect of regional differences on service delivery
B. Identification of IT service desk functions that can be outsourced
C. Availability of adequate resources to provide support for new users
D. Enforcement of a standardized policy across all regions
Which of the following would be the BEST way to facilitate the successful adoption of a new technology across the enterprise?
A. Highlight the risk the new technology will address.
B. Ensure the use of a business case.
C. Establish an IT balanced scorecard.
D. Review business goals.
Which of the following roles should be responsible for data normalization when it is found that a new system includes duplicates of data items?
A. Business system owner
B. Database administrator (DBA)
C. Application manager
D. Data steward
An executive sponsor of a partially completed IT project has learned that the financial assumptions supporting the project have changed. Which of the following governance actions should be taken FIRST?
A. Schedule an interim project review.
B. Request a risk assessment.
C. Re-evaluate the project in the portfolio.
D. Request an update to the business case.
An IT strategy committee wants to ensure that a risk program is successfully implemented throughout the enterprise. Which of the following would BEST support this goal?
A. Commitment from senior management
B. Mandatory risk awareness courses for staff
C. A risk management framework
D. A risk recognition and reporting policy
A data governance strategy has been defined by the IT strategy committee which includes privacy objectives related to access controls, authorized use, and data collection. Which of the following should the committee do NEXT?
A. Mandate the creation of a data privacy policy.
B. Establish a data privacy budget.
C. Perform a data privacy impact assessment.
D. Mandate data privacy training for employees.
In which of the following situations is it MOST appropriate to use a quantitative risk assessment?
A. The risk assessment is needed for an IT project business case
B. The objectivity of the risk assessment is of primary importance
C. The risk assessment needs to be completed in a short period of time
D. There is a lack of accurate and reliable past and present risk data
An enterprise has entered into a new market which brings additional regulatory compliance requirements. To address these new requirements, the enterprise should FIRST:
A. update the organization’s risk profile.
B. have executive management monitor compliance.
C. outsource the compliance process.
D. appoint a compliance officer.
Which of the following is MOST important for an enterprise to review when classifying information assets?
A. Procedures for information handling
B. Requirements for information retention
C. Impact of information exposure
D. Media used for storage and backup
An enterprise has decided to use third-party software for a business process which is hosted and supported by the same third party. The BEST way to provide quality of service oversight would be to establish a process:
A. to qualify service providers.
B. for enterprise architecture updates.
C. for robust change management.
D. for periodic service provider audits.
When conducting a risk assessment in support of a new regulatory requirement, the IT risk committee should FIRST consider the:
A. cost burden to achieve compliance.
B. disruption to normal business operations.
C. readiness of IT systems to address the risk.
D. risk profile of the enterprise.
An enterprise wants to implement an IT governance framework to ensure enterprise expectations of IT are met. Which of the following would be the MOST beneficial outcome of implementing the framework?
A. Optimization of IT performance
B. Development of IT policies
C. Creation of an IT balanced scorecard
D. Establishment of key IT risk indicators
An enterprise incurred penalties for noncompliance with privacy regulations. Which of the following is MOST important to ensure appropriate ownership of access controls to address this deficiency?
A. Engaging an audit of logical access controls and related security policies
B. Authenticating access to information assets based on roles or business rules
C. Implementing multi-factor authentication controls
D. Granting access to information based on information architecture
An enterprise learns that a new privacy regulation was recently published to protect customers in the event of a breach involving personally identifiable information (PII). The IT risk management team's FIRST course of action should be to:
A. evaluate the risk appetite for the new regulation.
B. determine if the new regulation introduces new risk.
C. assign a risk owner for the new regulation.
D. define the risk tolerance for the new regulation.
To ensure that the process of developing a business case for IT-enabled investments continually supports benefits realization, the benefits expected from investment programs must be actively managed through:
A. the system development life cycle.
B. the economic life cycle.
C. obsolescence planning.
D. project life cycle.
An enterprise has performed a business impact analysis (BIA) considering a number of risk scenarios. Which of the following should the enterprise do NEXT?
A. Assess risk mitigation strategies
B. Verify compliance with relevant legislation
C. Perform a risk controls gap analysis
D. Update the disaster recovery plan (DRP)
When preparing a new IT strategic plan for board approval, the MOST important consideration is to ensure the plan identifies:
A. specific resourcing requirements for identified IT projects.
B. frameworks that will be aligned to IT programs.
C. roles and responsibilities that link to IT objectives.
D. implications of the strategy on the procurement process.
Which of the following would be MOST useful for prioritizing IT improvement initiatives to achieve desired business outcomes?
A. Portfolio management
B. Budget variance analysis
C. IT skills matrix
D. Enterprise architecture (EA)
A company is considering selling products online, and the CIO has been asked to advise the board of directors of potential problems with this strategy. Which of the following would be the CIO's BEST course of action?
A. Perform a risk assessment.
B. Review the security framework.
C. Conduct a return on investment analysis.
D. Review the enterprise architecture.