
CGEIT Practice Questions Free


CGEIT Practice Questions Free – 50 Exam-Style Questions to Sharpen Your Skills

Are you preparing for the CGEIT certification exam? Kickstart your success with our CGEIT Practice Questions Free – a carefully selected set of 50 real exam-style questions to help you test your knowledge and identify areas for improvement.

Practicing with free CGEIT practice questions gives you a powerful edge by allowing you to:

  • Understand the exam structure and question formats
  • Discover your strong and weak areas
  • Build the confidence you need for test day success

Below, you will find 50 free CGEIT practice questions designed to match the real exam in both difficulty and topic coverage. They’re ideal for self-assessment or final review.

Question 1

An enterprise has launched a series of critical new IT initiatives that are expected to produce substantial value. Which of the following would BEST provide the board with an indication of progress of the IT initiatives?

A. Full life cycle cost-benefit analysis

B. Demonstration of prototype and user testing

C. Portfolio management review

D. Critical risk and issue walk-through

 


Suggested Answer: A

Community Answer: C

 

Question 2

Establishing a uniform definition for likelihood and impact BEST enables an enterprise to:

A. reduce risk appetite and tolerance levels.

B. develop key risk indicators (KRIs).

C. reduce variance in the assessment of risk.

D. prioritize threat assessment.

 


Suggested Answer: D

Community Answer: C

 

Question 3

Which of the following would a CIO use to present the overall view of IT performance to the board of directors?

A. Maturity model

B. Balanced scorecard

C. Key performance indicators (KPIs)

D. Key risk indicators (KRIs)

 


Suggested Answer: A

Community Answer: B

 

Question 4

To ensure that information can be traced to the originating event and accountable parties, an enterprise should FIRST:

A. improve business process controls.

B. capture source information and supporting evidence.

C. review information event logs for potential incidents.

D. review retention requirements for source information.

 


Suggested Answer: B

Community Answer: B

 

Question 5

During the implementation phase of a central ERP system, a project manager identifies a significant lack of human capabilities to support the system. The issue is reported to the project sponsor, and the sponsor sends a request for an increase in the budget to the IT steering committee. What should be the IT steering committee's FIRST action?

A. Require a revised business case.

B. Approve the budget request.

C. Provide appropriate training.

D. Refer back to the project sponsor for resolution.

 


Suggested Answer: B

Community Answer: A

 

Question 6

Despite an adequate training budget, IT staff are not keeping skills current with emerging technologies critical to the enterprise. The BEST way for the enterprise to address this situation would be to:

A. establish an agreed-upon skills development plan with each employee.

B. allow staff to attend technology conferences.

C. create a standard-setting center of excellence.

D. assign human resources (HR) to develop an IT skills matrix.

 


Suggested Answer: D

Community Answer: D

 

Question 7

What is the PRIMARY objective for performing an IT due diligence review prior to the acquisition of a competitor?

A. Document the competitor’s governance structure.

B. Determine whether the competitor is using industry-accepted practices.

C. Assess the status of the risk profile of the competitor.

D. Ensure that the competitor understands significant IT risks.

 


Suggested Answer: C

Community Answer: C

 

Question 8

Which of the following has the GREATEST influence on data quality assurance?

A. Data classification

B. Data modeling

C. Data stewardship

D. Data encryption

 


Suggested Answer: C

Community Answer: C

 

Question 9

An IT strategy committee wants to ensure that a risk program is successfully implemented throughout the enterprise. Which of the following would BEST support this goal?

A. Commitment from senior management

B. Mandatory risk awareness courses for staff

C. A risk management framework

D. A risk recognition and reporting policy

 


Suggested Answer: A

Community Answer: A

 

Question 10

An enterprise's board of directors has asked the CIO to implement ways to make the IT function more environmentally responsible. Which of the following should be the CIO's FIRST step to ensure continued alignment of IT needs with the requirements of the board?

A. Create a staff awareness education plan focused on IT environmental responsibility.

B. Incorporate new environmentally responsible objectives into existing IT goals.

C. Assess potential environmentally responsible IT initiatives.

D. Write a business case for an environmentally responsible initiative for IT.

 


Suggested Answer: A

Community Answer: B

 

Question 11

An enterprise's service center is experiencing long delays in fulfilling IT service requests and very low customer satisfaction. The BEST way to determine if staff competency is the root cause of these performance problems is to compare required staff competencies with:

A. hiring and staffing practices

B. training program completions

C. certification requirements

D. current skills inventory

 


Suggested Answer: D

Community Answer: B

 

Question 12

Which of the following would be the PRIMARY impact on IT governance when a business strategy is changed?

A. Relationship level with IT outsourcers

B. Performance outcomes of IT objectives

C. IT governance structure

D. Maturity level of IT processes

 


Suggested Answer: C

Community Answer: C

 

Question 13

Which of the following is the BEST way to address an IT audit finding that many enterprise application updates lack appropriate documentation?

A. Add change control to the risk register.

B. Conduct software quality audits.

C. Enforce change control procedures.

D. Review the application development life cycle.

 


Suggested Answer: C

Community Answer: C

 

Question 14

A data governance strategy has been defined by the IT strategy committee which includes privacy objectives related to access controls, authorized use, and data collection. Which of the following should the committee do NEXT?

A. Mandate the creation of a data privacy policy.

B. Establish a data privacy budget.

C. Perform a data privacy impact assessment.

D. Mandate data privacy training for employees.

 


Suggested Answer: A

 

Question 15

Which of the following is MOST critical for the successful implementation of an IT process?

A. Objectives and metrics

B. IT process assessment

C. Process framework

D. Service delivery process model

 


Suggested Answer: C

Community Answer: A

 

Question 16

Which of the following is the BEST IT architecture concept to ensure consistency, interoperability, and agility for infrastructure capabilities?

A. Establishment of an IT steering committee

B. Standards-based reference architecture and design specifications

C. Design of policies and procedures

D. Establishment of standard vendor and technology designations

 


Suggested Answer: B

Community Answer: B

 

Question 17

When conducting a risk assessment in support of a new regulatory requirement, the IT risk committee should FIRST consider the:

A. cost burden to achieve compliance.

B. disruption to normal business operations.

C. readiness of IT systems to address the risk.

D. risk profile of the enterprise.

 


Suggested Answer: D

Community Answer: D

 

Question 18

An enterprise has been focused on establishing an IT risk management framework. Which of the following should be the PRIMARY motivation behind this objective?

A. Increasing the enterprise’s risk tolerance level and risk appetite.

B. Engaging executives in examining IT risk when developing policies.

C. Promoting responsibility throughout the enterprise for managing IT risk.

D. Maintaining a complete and accurate risk registry to better manage IT risk.

 


Suggested Answer: C

Community Answer: C

 

Question 19

A regulatory audit of an IT department has identified discrepancies between processes described in the procedures and what is actually done by system administrators. The discrepancies were caused by recent IT application changes. Which of the following would be the BEST way to prevent the recurrence of similar findings in the future?

A. Include the update of documentation within the change management framework.

B. Assign the responsibility for periodic revisions and changes to process owners.

C. Require each IT employee to confirm compliance with IT procedures on an annual basis.

D. Establish high-level procedures to minimize process changes.

 


Suggested Answer: B

Community Answer: A

 

Question 20

An enterprise has finalized a major acquisition, and a new business strategy in line with stakeholder needs has been introduced. To help ensure continuous alignment of IT with the new business strategy, the CIO should FIRST:

A. assess the IT cultural aspects of the acquired entity

B. review the existing IT strategy against the new business strategy

C. revise the existing IT strategy to align with the new business strategy

D. establish a new IT strategy committee for the new enterprise

 


Suggested Answer: A

Community Answer: B

 

Question 21

An enterprise is planning to implement several strategic initiatives that will require the acquisition of new IT systems. Which of the following would BEST enable the IT steering committee to prioritize proposed initiatives based on business objectives?

A. IT strategic management

B. Project management

C. Enterprise architecture management

D. Project portfolio management

 


Suggested Answer: C

Community Answer: D

 

Question 22

Who should be accountable for quantifying the business impact of a potential breach of a server containing retail transactions for the last year?

A. Information systems security officer

B. Head of retail

C. Chief risk officer

D. Chief information officer

 


Suggested Answer: A

Community Answer: C

 

Question 23

Which of the following provides the BEST evidence of an IT risk-aware culture across an enterprise?

A. The IT infrastructure is resilient.

B. IT risks are communicated to the business.

C. Business staff report identified IT risks.

D. IT risk-related policies are published.

 


Suggested Answer: C

Community Answer: C

 

Question 24

A large enterprise has decided to use an emerging technology that needs to be integrated with the current IT infrastructure. Which of the following is the BEST way to prevent adverse effects to the enterprise resulting from the new technology?

A. Develop key risk indicators (KRIs).

B. Develop key performance indicators (KPIs).

C. Implement service level agreements (SLAs).

D. Update the risk appetite statement.

 


Suggested Answer: B

Community Answer: A

 

Question 25

An IT department outsourced application support and negotiated service level agreements (SLAs) directly with the vendor. Although the vendor met the SLAs, business owner expectations are not met and senior management cancels the contract. This situation can be avoided in the future by:

A. improving the negotiation process for service level agreements (SLAs).

B. implementing a vendor performance scorecard.

C. assigning responsibility for vendor management.

D. improving the business requirements gathering process.

 


Suggested Answer: D

Community Answer: D

 

Question 26

An enterprise learns that a new privacy regulation was recently published to protect customers in the event of a breach involving personally identifiable information (PII). The IT risk management team's FIRST course of action should be to:

A. evaluate the risk appetite for the new regulation.

B. determine if the new regulation introduces new risk.

C. assign a risk owner for the new regulation.

D. define the risk tolerance for the new regulation.

 


Suggested Answer: B

Community Answer: B

 

Question 27

A CIO determines IT investment management processes are not fully realizing the benefits identified in business cases. Which of the following would be the BEST way to prevent this issue?

A. Document lessons learned throughout the investment life cycle.

B. Perform stage-gate reviews throughout the life cycle of each project.

C. Evaluate the delegation of investment approval authorities.

D. Establish a requirement for CIO review and approval of each business case.

 


Suggested Answer: A

Community Answer: B

 

Question 28

Which of the following roles should approve major IT purchases to help prevent conflicts of interest?

A. Chief information officer (CIO)

B. Chief compliance officer

C. IT steering committee

D. Project management office (PMO)

 


Suggested Answer: C

Community Answer: B

 

Question 29

Which of the following would BEST help a CIO enhance the competencies of an IT business analytics team?

A. Understanding current staff skill sets and identifying gaps

B. Defining the IT architecture and identifying training areas

C. Creating operational processes and identifying resources

D. Establishing team goals and identifying the proper structure

 


Suggested Answer: C

Community Answer: A

 

Question 30

An enterprise has a zero-tolerance policy regarding security. This policy is causing a large number of email attachments to be blocked and is a disruption to the enterprise. Which of the following should be the FIRST governance step to address this email issue?

A. Obtain senior management input based on identified risk.

B. Direct the development of an email usage policy.

C. Recommend business sign-off on the zero-tolerance policy.

D. Introduce an exception process.

 


Suggested Answer: B

Community Answer: A

 

Question 31

To ensure IT risk is managed in a consistent manner, it is MOST important for IT governance to establish a:

A. risk management reporting tool to ensure compliance.

B. balanced scorecard that includes IT risks.

C. risk management committee to identify IT-related risks.

D. risk management framework.

 


Suggested Answer: C

Community Answer: D

 

Question 32

An enterprise has decided to use third-party software for a business process which is hosted and supported by the same third party. The BEST way to provide quality of service oversight would be to establish a process:

A. to qualify service providers.

B. for enterprise architecture updates.

C. for robust change management.

D. for periodic service provider audits.

 


Suggested Answer: A

Community Answer: D

 

Question 33

The CIO of a global technology company is considering introducing a bring your own device (BYOD) program. What should the CIO do FIRST?

A. Ensure the infrastructure can meet BYOD requirements.

B. Define a clear and inclusive BYOD policy.

C. Establish a business case.

D. Focus on securing data and access to data.

 


Suggested Answer: C

Community Answer: C

 

Question 34

In a large enterprise, which of the following is the MOST effective way to understand the business activities associated with the enterprise's information architecture?

A. Aligning business objectives to organizational strategy

B. Reviewing IT design with business process managers

C. Reviewing business strategy with senior management

D. Mapping business processes within a framework

 


Suggested Answer: A

Community Answer: D

 

Question 35

An enterprise's decision to move to a virtualized architecture will have the GREATEST impact on:

A. system life cycle management

B. vendor management

C. vulnerability management

D. asset classification

 


Suggested Answer: A

Community Answer: C

 

Question 36

Which of the following is the MOST effective way to manage risks within the enterprise?

A. Make staff aware of the risks in their area and risk management techniques.

B. Provide financial resources for risk management systems.

C. Document procedures and reporting processes.

D. Assign individuals responsibilities and accountabilities for management of risks.

 


Suggested Answer: D

Community Answer: D

 

Question 37

An enterprise wants to implement an IT governance framework to ensure enterprise expectations of IT are met. Which of the following would be the MOST beneficial outcome of implementing the framework?

A. Optimization of IT performance

B. Development of IT policies

C. Creation of an IT balanced scorecard

D. Establishment of key IT risk indicators

 


Suggested Answer: D

Community Answer: A

 

Question 38

An enterprise incurred penalties for noncompliance with privacy regulations. Which of the following is MOST important to ensure appropriate ownership of access controls to address this deficiency?

A. Engaging an audit of logical access controls and related security policies

B. Authenticating access to information assets based on roles or business rules

C. Implementing multi-factor authentication controls

D. Granting access to information based on information architecture

 


Suggested Answer: A

Community Answer: A

 

Question 39

An analysis of an organization's security breach is complete. The results indicate that the quality of the code used for updates to its primary customer-facing software has been declining and security flaws were introduced. The FIRST IT governance action to correct this problem should be to review:

A. the incident response plan.

B. the change management control framework.

C. compliance with the user testing process.

D. the qualifications of developers to write secure code.

 


Suggested Answer: A

Community Answer: B

 

Question 40

A newly hired CIO has been given projects of strategic importance along with operational responsibility for infrastructure. What are the two MOST important areas to be communicated to senior management?

A. Value delivery and risks

B. Project and change management

C. ROI and security accreditation

D. On-time and on-budget

 


Suggested Answer: A

Community Answer: A

 

Question 41

Which of the following is the MOST effective means for IT management to report to executive management regarding the value of IT?

A. IT process maturity level

B. Resource assessment

C. Balanced scorecard

D. Cost-benefit analysis

 


Suggested Answer: D

Community Answer: C

 

Question 42

Which of the following has PRIMARY responsibility to define the requirements for IT service levels for the enterprise?

A. The help desk

B. The business continuity vendor

C. The business manager

D. The CIO

 


Suggested Answer: A

Community Answer: C

 

Question 43

To minimize the potential mishandling of customer personal information in a system located in a country with strict privacy regulations, which of the following is the BEST action to take?

A. Establish new IT key risk indicators (KRIs).

B. Revise the IT strategic plan.

C. Implement data loss prevention (DLP).

D. Update the information architecture.

 


Suggested Answer: C

Community Answer: C

 

Question 44

An IT steering committee is preparing to review proposals for projects that implement emerging technologies. In anticipation of the review, the committee should FIRST:

A. require a review of the enterprise risk management framework.

B. understand how the emerging technologies will influence risk across the enterprise.

C. determine if the IT staff can support the emerging technologies.

D. require a capacity plan and framework review for the emerging technologies.

 


Suggested Answer: A

Community Answer: B

 

Question 45

An enterprise has recently experienced an excessive number of exceptions due to outdated control frameworks. What should the leadership team do FIRST?

A. Mandate a reassessment of the current control frameworks.

B. Review the IT control standards.

C. Mandate strict adherence to control frameworks.

D. Update the exception review and approval process.

 


Suggested Answer: B

Community Answer: A

 

Question 46

Senior leadership is concerned about a recent trend of excessive exceptions to existing controls. Which of the following should be implemented to address this concern?

A. Continuous monitoring

B. Independent audits

C. A control library

D. Risk awareness training

 


Suggested Answer: A

Community Answer: A

 

Question 47

The MOST beneficial aspect of utilizing an IT risk management framework is that it:

A. addresses a lack of data in risk reporting.

B. facilitates the identification of technologies posing the greatest risk to IT.

C. enables a consistent approach to risk management.

D. drives inclusion of the technology function in enterprise risk management.

 


Suggested Answer: B

Community Answer: C

 

Question 48

A financial institution with a highly regarded reputation for protecting customer interests has recently deployed a mobile payments program. Which of the following key risk indicators (KRIs) would be of MOST interest to the CIO?

A. Number of failed software updates on mobile devices

B. Percentage of incomplete transactions

C. Total volume of suspicious transactions

D. Failure rate of point-of-sale systems

 


Suggested Answer: C

Community Answer: A

 

Question 49

An enterprise's IT department has been operating independently without regard to business concerns, leading to misalignment between business and IT. The BEST way to establish alignment would be to require:

A. business to help define IT goals.

B. IT to define business objectives.

C. business to fund IT services.

D. IT and business to define risks.

 


Suggested Answer: A

 

Question 50

To enable consistent assessment of candidate program investments for inclusion into the IT portfolio, it is MOST important to identify:

A. an IT balanced scorecard.

B. the impact on enterprise architecture.

C. common selection criteria.

D. currently available resources.

 


Suggested Answer: A

Reference:
http://businessit.biz/bit_share/VAL%20IT/VAL%20IT.pdf

Free Access Full CGEIT Practice Questions Free

Want more hands-on practice? Click here to access the full bank of CGEIT practice questions free and reinforce your understanding of all exam objectives.

We update our question sets regularly, so check back often for new and relevant content.

Good luck with your CGEIT certification journey!
