CGEIT Practice Test Free – 50 Questions to Test Your Knowledge
Are you preparing for the CGEIT certification exam? If so, taking a free CGEIT practice test is one of the best ways to assess your knowledge and improve your chances of passing. In this post, we provide 50 free CGEIT practice questions designed to help you test your skills and identify areas for improvement.
By taking a free CGEIT practice test, you can:
- Familiarize yourself with the exam format and question types
- Identify your strengths and weaknesses
- Gain confidence before the actual exam
50 Free CGEIT Practice Questions
Below, you will find 50 free CGEIT practice questions to help you prepare for the exam. These questions are designed to reflect the real exam structure and difficulty level.
Which of the following should be the PRIMARY consideration for an enterprise when prioritizing IT projects?
A. Results of IT performance benchmarks against competitors
B. Impact on the business due to expected project outcomes
C. Technical capability of the enterprise to execute the projects
D. Process owner expectations based on operational benefits
Senior management finds that too many projects are currently in progress and all are experiencing expensive project overruns due to lack of resources. Many of the projects also appear to overlap in their objectives and expected outcomes. Which of the following would BEST streamline the process of evaluating and selecting funding priorities?
A. Portfolio management
B. Value governance
C. Project management
D. Business case development
The MOST effective way to ensure that IT supports the agile needs of an enterprise is to:
A. implement open source systems.
B. outsource infrastructure management.
C. develop a robust enterprise architecture (EA).
D. perform process modeling.
Portfolio management in a large enterprise BEST enables which of the following?
A. Performance management
B. Risk reduction
C. Value creation
D. Human resource optimization
A contracted company employs key IT systems operational personnel to oversee technology used to manage a critical line of business. Management is concerned that a mass resignation by many disgruntled personnel may lead to a shutdown of these key systems. Which of the following should be the PRIMARY responsibility of IT governance to address this risk?
A. Renegotiate employment agreements to lessen the likelihood of a mass resignation.
B. Cross train management to assume support of the technology.
C. Develop a resourcing strategy that quickly replaces staff.
D. Survey key support staff to determine what is causing them to be disgruntled.
An IT governance committee is defining a risk management policy for a portfolio of IT-enabled investments. Which of the following should be the PRIMARY consideration when developing the policy?
A. Risk appetite of the enterprise
B. Risk management framework
C. Value obtained with minimum risk
D. Possible investment failures
A data governance strategy has been defined by the IT strategy committee which includes privacy objectives related to access controls, authorized use, and data collection. Which of the following should the committee do NEXT?
A. Mandate the creation of a data privacy policy.
B. Establish a data privacy budget.
C. Perform a data privacy impact assessment.
D. Mandate data privacy training for employees.
Once an IT governance framework has been defined, which of the following is the MOST effective approach to align IT to business objectives?
A. Auditing the alignment of IT to business objectives regularly
B. Reviewing the return on investment of IT initiatives on a regular basis
C. Establishing a cross business unit committee to prioritize IT investment
D. Reporting IT investment and performance to senior management regularly
Following a merger of two major corporations, the new strategic goal is "One business function. One IT system." Which of the following should be the FIRST step to achieve this goal?
A. Form a combined IT steering committee.
B. Document requirements for each business function.
C. Create a standard enterprise architecture.
D. Define service level agreements with each business function.
The board of directors of an enterprise has questioned whether the business is focused on optimizing value. The IT strategy committee's BEST action to address the board's concern is to:
A. initiate reporting and review of key IT performance metrics.
B. form a technology council to monitor the efficiency of project implementation.
C. conduct a portfolio review to assess the benefits realization of IT investments.
D. conduct a benchmark to assess IT value relative to competitors.
An enterprise decides to accept the IT risk of a subsidiary located in another country even though it exceeds the enterprise's risk appetite. Which of the following would be the BEST justification for this decision?
A. Local market common practices
B. Risk framework alignment
C. Technical gaps among subsidiaries
D. Compliance with local regulations
Which of the following is MOST critical for sustaining a newly implemented IT governance program?
A. Launch an enterprise-wide IT governance awareness program.
B. Designate a board representative to sponsor the IT governance program.
C. Ensure that there are IT policies, procedures, and standards in place.
D. Benchmark the program periodically against industry peers.
Which of the following would be the BEST way for an enterprise to address new legal and regulatory requirements applicable to IT?
A. Benchmark how other IT organizations are treating the new requirements.
B. Adopt a zero-tolerance approach for noncompliance with regulatory matters.
C. Treat as a risk to be assessed before developing a response.
D. Use a cost-benefit analysis to determine if compliance is warranted.
An enterprise is planning a change in business direction. As a result, IT risk will significantly increase. Which of the following should be the CIO's FIRST course of action?
A. Plan for the corresponding IT reorganization.
B. Recommend delaying the business change.
C. Report the risk to executive management.
D. Implement IT changes to align with the plan.
A regulatory audit assessed an enterprise's main transactional application as noncompliant. In addition to fines and required corrections, an agreement was reached to implement a set of governance controls over IT. Accountability for these controls is BEST assigned to which of the following?
A. Internal audit director
B. CIO
C. The board of directors
D. Application users
An enterprise has discovered that there is significant duplication of IT investments. Which of the following would be MOST helpful in addressing this issue?
A. Establishing an IT steering committee
B. Delegating IT investment decisions to centralized IT
C. Maintaining an inventory of IT investments
D. Increasing the frequency of IT investment audits
Which of the following is the MOST important driver of IT governance?
A. Management transparency
B. Technical excellence
C. Effective internal controls
D. Quality measurement
An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the CIO?
A. Organizational responsibility for IT risk management is not clearly defined.
B. IT risk training records are not properly retained in accordance with established schedules.
C. None of the members of the IT risk management team have risk management-related certifications.
D. Only a few key risk indicators identified by the IT risk management team are being monitored and the rest will be on a phased schedule.
A multinational enterprise recently purchased a large company located in a different country. When introducing the concept of governance to the new acquisition, it is MOST important that executive management recognize:
A. the use of international standards.
B. language differences.
C. globally recognized good practices.
D. the impact of cultural changes.
The CEO of a large enterprise has announced the commencement of a major business expansion that will double the size of the organization. IT will need to support the expected demand expansion. The CIO should FIRST:
A. update the IT strategic plan to align with the decision.
B. recruit IT resources based on the expansion decision.
C. review the resource utilization matrix.
D. embed IT personnel in the business units.
A CIO determines IT investment management processes are not fully realizing the benefits identified in business cases. Which of the following would be the BEST way to prevent this issue?
A. Document lessons learned throughout the investment life cycle.
B. Perform stage-gate reviews throughout the life cycle of each project.
C. Evaluate the delegation of investment approval authorities.
D. Establish a requirement for CIO review and approval of each business case.
Which of the following BEST defines the IT investment activities an enterprise will undertake when aligning to business goals?
A. Portfolio management
B. Procurement management
C. Project management
D. Risk management
An enterprise has decided to implement an enterprise resource planning (ERP) system to achieve operating and cost efficiencies through global IT standardization. The business units are resistant because they are used to operating autonomously. The CEO has instructed the CIO to move quickly with the implementation to force acceptance with business unit leaders. Which of the following should be the CIO's FIRST step?
A. Request funding from the CEO to hire ERP consultants.
B. Ask the CEO to be the sponsor of the program.
C. Engage a reluctant business unit to conduct a proof-of-concept pilot.
D. Build a governance framework for identifying non-standard processes.
A business case indicates an enterprise would reduce costs by implementing a bring your own device (BYOD) program allowing employees to use personal devices for e-mail. Which of the following should be the FIRST governance action?
A. Assess the enterprise architecture (EA).
B. Update the BYOD policy.
C. Update the network infrastructure.
D. Assess the BYOD risk.
The IT function received only 50% of the requested funding to support the IT strategy for new business initiatives. Which of the following is the CIO's MOST important course of action before considering alternative resource options?
A. Prioritize the portfolio.
B. Terminate less visible maintenance projects.
C. Develop a new balanced scorecard.
D. Conduct a cost-benefit analysis.
Senior management has made a decision to automate a number of key controls due to concerns that current IT risk controls are overly cumbersome and adversely impacting IT agility. Which of the following should be required FIRST to facilitate this process?
A. Control gap analysis
B. Control self-assessments
C. Controls optimization
D. Cost-benefit analysis
An enterprise has decided to create its first mobile application. The IT director is concerned about the potential impact of this initiative. Which of the following is the MOST important input for managing the risk associated with this initiative?
A. Business requirements
B. IT risk scorecard
C. Enterprise risk appetite
D. Enterprise architecture (EA)
An IT governance committee recently received a report indicating a scarcity of key IT skills in the marketplace to meet the core needs of the business. Reviewing which of the following would BEST help the committee respond to this situation?
A. IT balanced scorecard
B. Outsourcing strategy
C. IT strategic plan
D. Human resource strategy
An enterprise is planning to implement several strategic initiatives that will require the acquisition of new IT systems. Which of the following would BEST enable the IT steering committee to prioritize proposed initiatives based on business objectives?
A. IT strategic management
B. Project management
C. Enterprise architecture management
D. Project portfolio management
An enterprise's IT department has been operating independently without regard to business concerns, leading to misalignment between business and IT. The BEST way to establish alignment would be to require:
A. business to help define IT goals.
B. IT to define business objectives.
C. business to fund IT services.
D. IT and business to define risks.
Which of the following would be MOST helpful in gaining executive support for an IT-enabled business initiative?
A. Framing the discussion in terms of impact to business value
B. Presenting a comprehensive risk management plan
C. Providing examples of risks realized by competitors for similar initiatives
D. Presenting key findings of a business impact analysis conducted by IT managers
What information is MOST important to include when reporting key risk indicators to the board of directors?
A. The effect of emerging risk trends on current risk exposure
B. Risk appetite, risk threshold and risk tolerance
C. Classification of current business risk
D. Costs and resource needs related to risk mitigation measures
Which of the following entities is structured PRIMARILY to ensure goals and objectives are aligned between IT and the business?
A. Board of directors
B. Portfolio management committee
C. Change advisory board
D. IT strategy committee
The PRIMARY reason a CIO and IT senior management should stay aware of the business environment is to:
A. measure efficiency of IT resources.
B. revisit prioritization of IT projects.
C. re-assess the IT investment portfolio.
D. adjust IT strategy as needed.
Prior to decommissioning an IT system, it is MOST important to:
A. assess compliance with environmental regulations.
B. review the media disposal records.
C. assess compliance with the retention policy.
D. review the data sanitization records.
To enable consistent assessment of candidate program investments for inclusion into the IT portfolio, it is MOST important to identify:
A. an IT balanced scorecard.
B. the impact on enterprise architecture.
C. common selection criteria.
D. currently available resources.
When developing an IT strategic plan that supports an enterprise's business goals, which of the following should be done FIRST?
A. Understand the current vision.
B. Perform a business impact analysis.
C. Ensure that IT drives business goals.
D. Analyze benchmarking data.
Despite an adequate training budget, IT staff are not keeping skills current with emerging technologies critical to the enterprise. The BEST way for the enterprise to address this situation would be to:
A. establish an agreed-upon skills development plan with each employee.
B. allow staff to attend technology conferences.
C. create a standard-setting center of excellence.
D. assign human resources (HR) to develop an IT skills matrix.
From an IT governance perspective, which of the following would be the MOST significant impact of moving all IT applications to an external Software as a Service (SaaS) cloud provider?
A. The necessity to update key risk indicators (KRIs)
B. The integration of the IT department with business lines
C. The improvement of IT service alignment with business
D. The shift from service delivery to service management
An IT audit report indicates that a lack of IT employee risk awareness is creating serious security issues in application design and configuration. Which of the following would be the BEST key risk indicator (KRI) to show progress in IT employee behavior?
A. Results of application security testing
B. Results of application security awareness training quizzes
C. Number of reported security incidents
D. Number of IT employees attending security training sessions
Which of the following is the MOST important objective of IT program portfolio management?
A. Reduced technology costs
B. Reduced project management costs
C. Improved IT service delivery
D. Appropriate investment mix
Which of the following is MOST critical to have in place before management can establish an IT risk assessment and response approach?
A. A portfolio of IT investments
B. Defined roles and responsibilities
C. Historic data on risk events
D. A balanced scorecard
Which of the following is the BEST outcome measure to determine the effectiveness of IT risk management processes?
A. Time lag between when IT risk is identified and the enterprise’s response
B. Percentage of business users satisfied with the quality of risk training
C. Frequency of updates to the IT risk register
D. Number of events impacting business processes due to delays in responding to risks
Which of the following is the PRIMARY ongoing responsibility of the IT governance function related to risk?
A. Responding to and controlling all IT risk events
B. Verifying that all business units have staff skilled at assessing risk
C. Communicating the enterprise risk management plan
D. Ensuring IT risk management is aligned with business risk appetite
Following a major IT incident that resulted in a loss to the enterprise, a CIO is preparing for a meeting with the board of directors to discuss what may have failed internally. Which of the following should the CIO do FIRST to provide assurance to the board?
A. Review the IT control environment.
B. Ensure IT and enterprise risk management alignment.
C. Review the incident response policy.
D. Verify continuous monitoring is being performed.
A newly established IT steering committee is concerned whether or not a system is meeting availability objectives. Which of the following will provide the BEST information to make an assessment?
A. Critical success factors
B. Balanced scorecard
C. Performance indicators
D. Capability maturity levels
In a successful enterprise that is profitable in its marketplace and consistently growing in size, the non-IT workforce has grown by 50% in the last two years. The demand for IT staff in the marketplace is more than the supply, and the enterprise is losing staff to rival organizations. Due to the rapid growth, IT has struggled to keep up with the enterprise, and IT procedures and associated job roles are not well-defined. The MOST critical activity for reducing the impact caused by IT staff turnover is to:
A. outsource the IT operation.
B. increase compensation for IT staff.
C. hire temporary staff.
D. document processes and procedures.
When developing an IT governance framework, it is MOST important for an enterprise to consider:
A. stakeholders’ support.
B. information technology risk.
C. framework development cost.
D. information technology strategy.
A large enterprise has been experiencing high turnover of skilled IT personnel, resulting in a significant loss of knowledge within the IT department. Which of the following should be done FIRST to address this problem?
A. Conduct a survey of current IT staff.
B. Revise the IT resource management plan.
C. Update human resources policies and practices.
D. Develop an incentive scheme for IT employees.
Which of the following would BEST help to ensure timely reporting on risk events and responses to appropriate levels of management?
A. Corporate directory
B. Key personnel interviews
C. Emergency response team
D. Escalation procedures
Get More CGEIT Practice Questions
If you’re looking for more free CGEIT practice questions, the full CGEIT practice test is also available.
We regularly update this page with new practice questions, so be sure to check back frequently.
Good luck with your CGEIT certification journey!