CGEIT Practice Exam Free – 50 Questions to Simulate the Real Exam
Are you getting ready for the CGEIT certification? Take your preparation to the next level with our free CGEIT practice exam, a carefully designed set of 50 realistic exam-style questions to help you evaluate your knowledge and boost your confidence.
Using a free CGEIT practice exam is one of the best ways to:
- Experience the format and difficulty of the real exam
- Identify your strengths and focus on weak areas
- Improve your test-taking speed and accuracy
Below, you will find 50 realistic free CGEIT practice exam questions covering key exam topics. Each question reflects the structure and challenge of the actual exam.
From an IT governance perspective, establishing performance measurements is PRIMARILY the responsibility of:
A. the board of directors
B. the IT architecture review board
C. senior management
D. enterprise risk management (ERM)
An enterprise has performed a business impact analysis (BIA) considering a number of risk scenarios. Which of the following should the enterprise do NEXT?
A. Assess risk mitigation strategies
B. Verify compliance with relevant legislation
C. Perform a risk controls gap analysis
D. Update the disaster recovery plan (DRP)
Which of the following is MOST important for an enterprise to review when classifying information assets?
A. Procedures for information handling
B. Requirements for information retention
C. Impact of information exposure
D. Media used for storage and backup
An enterprise's strategic change requires an IT strategic initiative re-evaluation. Which of the following BEST indicates that an established IT governance framework could handle the re-evaluation?
A. Creation of an IT steering committee to align the IT strategic initiatives to the recent change
B. Inclusion of IT portfolio management procedures with strategic change review activities
C. Development of a business case to evaluate the impact of the strategic change
D. Holding IT investments until an analysis of the strategic change impact was complete
An enterprise's board of directors has asked the CIO to implement ways to make the IT function more environmentally responsible. Which of the following should be the CIO's FIRST step to ensure continued alignment of IT needs with the requirements of the board?
A. Create a staff awareness education plan focused on IT environmental responsibility.
B. Incorporate new environmentally responsible objectives into existing IT goals.
C. Assess potential environmentally responsible IT initiatives.
D. Write a business case for an environmentally responsible initiative for IT.
A software company's products have had significant quality issues in recent releases. As a result, market reputation and customer satisfaction ratings have been suffering. What should executive leadership do FIRST to address this concern?
A. Allocate budget to hire more software and quality assurance specialists.
B. Require a root cause analysis and review results.
C. Implement a software development life cycle (SDLC) framework.
D. Mandate more robust software testing prior to release.
An enterprise has identified a number of plausible risk scenarios that could result in economic loss associated with major IT investments. Which of the following is the BEST method to assess the risk?
A. Quantitative analysis
B. Cost-benefit analysis
C. Qualitative analysis
D. Business impact analysis (BIA)
Following a re-prioritization of business objectives by management, which of the following should be performed FIRST to allocate resources to IT processes?
A. Perform a maturity assessment.
B. Implement a RACI model.
C. Refine the human resource management plan.
D. Update the IT strategy.
Establishing a uniform definition for likelihood and impact BEST enables an enterprise to:
A. reduce risk appetite and tolerance levels.
B. develop key risk indicators (KRIs).
C. reduce variance in the assessment of risk.
D. prioritize threat assessment.
Which of the following is the BEST way to address concerns associated with outsourcing an IT process?
A. Implement a business continuity plan.
B. Perform a risk assessment.
C. Review the IT governance framework.
D. Manage service levels.
An IT governance committee is defining a risk management policy for a portfolio of IT-enabled investments. Which of the following should be the PRIMARY consideration when developing the policy?
A. Risk appetite of the enterprise
B. Risk management framework
C. Value obtained with minimum risk
D. Possible investment failures
To successfully implement enterprise IT governance, which of the following should be the MAIN focus of IT policies?
A. Optimizing operational benefits
B. Enhancing organizational capability
C. Limiting IT costs
D. Providing business value
A regulatory audit of an IT department has identified discrepancies between processes described in the procedures and what is actually done by system administrators. The discrepancies were caused by recent IT application changes. Which of the following would be the BEST way to prevent the recurrence of similar findings in the future?
A. Include the update of documentation within the change management framework.
B. Assign the responsibility for periodic revisions and changes to process owners.
C. Require each IT employee to confirm compliance with IT procedures on an annual basis.
D. Establish high-level procedures to minimize process changes.
In an effort to reduce operation costs, an enterprise is switching from all internally-hosted applications to a mixture of internally- and externally-hosted applications. Of the following, the risk appetite for this decision would BEST be defined by the:
A. vendor oversight committee.
B. board of directors.
C. chief information security officer.
D. chief information officer.
An enterprise has a zero-tolerance policy regarding security. This policy is causing a large number of email attachments to be blocked and is a disruption to the enterprise. Which of the following should be the FIRST governance step to address this email issue?
A. Obtain senior management input based on identified risk.
B. Direct the development of an email usage policy.
C. Recommend business sign-off on the zero-tolerance policy.
D. Introduce an exception process.
When developing an IT governance framework, it is MOST important for an enterprise to consider:
A. stakeholders’ support.
B. information technology risk.
C. framework development cost.
D. information technology strategy.
For a large enterprise, which of the following is the BEST indicator that IT governance has a poor reputation?
A. Regulatory noncompliance
B. Low attendance at strategy committee meetings
C. High turnover of IT staff
D. Data leakage
Which of the following is the BEST way for a CIO to secure support for a strategy to achieve long-term IT objectives?
A. Develop tactics to implement the strategy and share with stakeholders.
B. Make the necessary strategic decisions and notify staff accordingly.
C. Meet with stakeholders to explain the strategy and incorporate feedback.
D. Develop a communication plan for distribution of information to staff.
Who is PRIMARILY accountable for delivering the benefits of an IT-enabled investment program to the enterprise?
A. Business sponsor
B. IT steering committee chair
C. CIO
D. Program manager
An enterprise is determining the objectives for an IT training improvement initiative. From a governance perspective, it would be MOST important to ensure that:
A. IT employees are surveyed and interviewed to identify development needs.
B. courses of instruction that will maximize employee productivity are identified.
C. several different training strategies are created for final approval by the CIO.
D. policies and processes address both enterprise requirements and professional growth.
The risk committee is overwhelmed by the number of false positives included in risk reports. What action would BEST address this situation?
A. Evaluate key risk indicators.
B. Adjust IT balanced scorecard.
C. Conduct a risk assessment.
D. Change the reporting format.
An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the CIO?
A. Organizational responsibility for IT risk management is not clearly defined.
B. IT risk training records are not properly retained in accordance with established schedules.
C. None of the members of the IT risk management team have risk management-related certifications.
D. Only a few key risk indicators identified by the IT risk management team are being monitored and the rest will be on a phased schedule.
The PRIMARY benefit of using an IT service catalog as part of the IT governance program is that it:
A. establishes enterprise performance metrics per service.
B. improves the ability to allocate IT resources.
C. provides a foundation for measuring IT performance.
D. ensures IT effectively meets future business needs.
Which of the following should be the PRIMARY basis for establishing categories within an information classification scheme?
A. Information security policy
B. Business impact
C. Information architecture
D. Industry standards
Which of the following is the MOST important benefit of developing an information architecture model consistent with enterprise strategy?
A. It identifies information architecture priorities
B. It supports and facilitates decision making
C. It enables information architecture roadmap updates
D. It optimizes information delivery and storage costs
Which of the following is the PRIMARY role of an enterprise architecture?
A. Improves transparency and compliance
B. Provides a visual perspective of information systems
C. Improves interoperability and scalability
D. Ensures continuous innovation
Which of the following is the PRIMARY benefit of communicating the IT strategy across the enterprise?
A. Optimization of IT investment in supporting business objectives
B. On-time and on-budget delivery of strategic projects
C. Reduced organizational resistance during strategy execution
D. Improvement in IT balanced scorecard performance
The FIRST step in aligning resource management to the enterprise's IT strategic plan would be to:
A. develop a responsible, accountable, consulted, and informed (RACI) chart
B. assign appropriate roles and responsibilities
C. identify outsourcing opportunities
D. perform a gap analysis
Which of the following should be the FIRST step for executive management to take in communicating what is considered acceptable use with regard to personally owned devices for company business?
A. Post awareness messages throughout the facility.
B. Develop and disseminate an applicable policy.
C. Provide training on how to protect data on personal devices.
D. Require employees to read and sign a disclaimer.
Which of the following is MOST critical to support IT governance cultural changes within an organization?
A. IT governance process manuals
B. Regularly scheduled governance training
C. Demonstrated management commitment
D. Established IT monitoring and measuring
Which of the following activities MUST be completed before developing an IT strategic plan?
A. Review the enterprise business plan.
B. Align the enterprise vision statement with business processes.
C. Review the enterprise risk tolerance level.
D. Develop an enterprise architecture (EA) framework.
An IT value delivery framework PRIMARILY helps an enterprise:
A. assist top management in approving IT projects.
B. improve value of successful IT projects.
C. increase transparency of value to the enterprise.
D. optimize value to the enterprise.
Which of the following is the MOST important input for designing a development program to help IT employees improve their ability to respond to business needs?
A. Skills competency assessment
B. Cost-benefit analysis
C. Annual performance evaluations
D. Capability maturity model
Which of the following is the MOST important driver of IT governance?
A. Management transparency
B. Technical excellence
C. Effective internal controls
D. Quality measurement
An enterprise considering implementing IT governance should FIRST develop the scope of the IT governance program and:
A. communicate the program to stakeholders to gain consensus
B. establish initiatives for business and managers
C. initiate the program using an implementation roadmap
D. acquire the resources that will be required
When determining the desired maturity levels for IT governance processes, it is MOST important to:
A. ensure that maturity can be achieved at the lowest cost.
B. ensure target levels are in line with external competitor benchmarks.
C. agree on target levels in response to need.
D. focus on existing strengths as key drivers for the target levels.
Following a major IT incident that resulted in a loss to the enterprise, a CIO is preparing for a meeting with the board of directors to discuss what may have failed internally. Which of the following should the CIO do FIRST to provide assurance to the board?
A. Review the IT control environment.
B. Ensure IT and enterprise risk management alignment.
C. Review the incident response policy.
D. Verify continuous monitoring is being performed.
The use of an enterprise architecture framework BEST supports IT governance by providing:
A. key information for IT service level management.
B. IT standards for application development.
C. business information for IT capacity planning.
D. reference models to align IT with business.
Which of the following is the MOST important input for the development of a human resources strategy to address IT skill gaps?
A. Technology direction of the enterprise
B. Training budget allocated for IT staff
C. A recent IT skills matrix
D. Training effectiveness reports
A contracted company employs key IT systems operational personnel to oversee technology used to manage a critical line of business. Management is concerned that a mass resignation by many disgruntled personnel may lead to a shutdown of these key systems. Which of the following should be the PRIMARY responsibility of IT governance to address this risk?
A. Renegotiate employment agreements to lessen the likelihood of a mass resignation.
B. Cross train management to assume support of the technology.
C. Develop a resourcing strategy that quickly replaces staff.
D. Survey key support staff to determine what is causing them to be disgruntled.
Which of the following represents the GREATEST challenge to implementing IT governance?
A. Developing a business case
B. Determining the best practice to follow
C. Applying behavioral change management
D. Planning the project itself
The MOST important aspect of an IT governance framework to ensure that IT supports repeatable business processes is:
A. resource management.
B. quality management.
C. risk management.
D. earned value management.
Which of the following is the BEST way to address an IT audit finding that many enterprise application updates lack appropriate documentation?
A. Add change control to the risk register.
B. Conduct software quality audits.
C. Enforce change control procedures.
D. Review the application development life cycle.
An internal audit revealed a widespread perception that the enterprise's IT governance reporting lacks transparency. Which of the following should the CIO do FIRST?
A. Adopt an industry-recognized template to standardize reports.
B. Develop a communication and awareness strategy.
C. Meet with key stakeholders to understand their concerns.
D. Add stakeholder transparency metrics to the balanced scorecard.
Which of the following would BEST help to ensure an IT steering committee is informed of newly emerging risks in critical IT projects?
A. Requiring regular updates of the risk register for each project
B. Requiring a summarized report of relevant risks
C. Reviewing the response for each risk in the log
D. Conducting periodic reviews of project performance
A health tech enterprise wants to ensure that its in-house developed mobile app for users complies with data privacy regulations. Which of the following should be identified FIRST when creating an inventory of information systems and data related to the mobile app?
A. Vendors and outsourced systems
B. Data maintained by vendors
C. Information classification scheme
D. Application and data owners
After shifting from lease to purchase of IT infrastructure and software licenses, an enterprise has to pay for unexpected lease extensions causing significant cost overruns. The BEST direction for the IT steering committee would be to establish:
A. a program to annually review financial policy on overruns.
B. an end-of-life program to remove aging infrastructure from the environment.
C. budget cuts to compensate for the cost overruns.
D. a policy to consider total cost of ownership in investment decisions.
A newly established IT steering committee is concerned whether or not a system is meeting availability objectives. Which of the following will provide the BEST information to make an assessment?
A. Critical success factors
B. Balanced scorecard
C. Performance indicators
D. Capability maturity levels
When establishing a methodology for business cases, it would be MOST beneficial for an enterprise to include procedures for:
A. addressing required changes outside the business case.
B. updating the business case throughout its life cycle.
C. identifying metrics post-implementation to measure project success.
D. entering the business case into the enterprise architecture.
The IT function received only 50% of the requested funding to support the IT strategy for new business initiatives. Which of the following is the CIO's MOST important course of action before considering alternative resource options?
A. Prioritize the portfolio.
B. Terminate less visible maintenance projects.
C. Develop a new balanced scorecard.
D. Conduct a cost-benefit analysis.
Good luck with your CGEIT certification journey!