PassLeader ISACA CGEIT Dumps 504 Q&As


Vendor: ISACA

Exam Code: CGEIT

Exam Name: Certified in the Governance of Enterprise IT

Version: 23.091

QUESTION 1
An enterprise has established a new department to oversee the life cycle of activities that support
data management objectives. Which of the following should be done NEXT?

A. Develop a business continuity plan (BCP).
B. Assess the current data business model.
C. Review data privacy requirements.
D. Establish a RACI chart.

Answer: D

QUESTION 2
Which of the following is the MOST important attribute of an information steward?

A. The information steward manages the systems that process the relevant data.
B. The information steward has expertise in managing data quality systems.
C. The information steward is closely aligned with the business function.
D. The information steward is part of the information architecture group.

Answer: A

QUESTION 3
From a governance perspective, which of the following roles is MOST important for an enterprise
to keep in-house?

A. Information auditor
B. Information architect
C. Information steward
D. Information analyst

Answer: A

QUESTION 4
An enterprise learns that a new privacy regulation was recently published to protect customers in
the event of a breach involving personally identifiable information (PII). The IT risk management
team's FIRST course of action should be to:

A. evaluate the risk appetite for the new regulation.
B. define the risk tolerance for the new regulation.
C. determine if the new regulation introduces new risk.
D. assign a risk owner for the new regulation.

Answer: C

QUESTION 5
An enterprise has decided to utilize a cloud vendor for the first time to provide email as a service,
eliminating in-house email capabilities. Which of the following IT strategic actions should be
triggered by this decision?

Get Latest & Actual CGEIT Exam Questions and Answers from PassLeader. 2
https://www.passleader.com/
A. Develop a data protection awareness education training program.
B. Monitor outgoing email traffic for malware.
C. Implement a data classification and storage management tool.
D. Update and communicate data storage and transmission policies.

Answer: A

QUESTION 6
Which of the following components of a policy BEST enables the governance of enterprise IT?

A. Disciplinary actions
B. Regulatory requirements
C. Roles and responsibilities
D. Terms and definitions

Answer: C

QUESTION 7
Which of the following is PRIMARILY achieved through performance measurement?

A. Process improvement
B. Transparency
C. Cost efficiency
D. Benefit realization

Answer: D

QUESTION 8
A large retail chain realizes that while there has not been any loss of data, IT security has not been
a priority and should become a key goal for the enterprise. What should be the FIRST high-level
initiative for a newly created IT strategy committee in order to support this business goal?

A. Identifying gaps in information asset protection
B. Defining data archiving and retrieval policies
C. Recruiting and training qualified IT security staff
D. Modernizing internal IT security practices

Answer: A

QUESTION 9
Risk management strategies are PRIMARILY adopted to:

A. avoid risks for business and IT assets.
B. take necessary precautions for claims and losses.
C. achieve acceptable residual risk levels.
D. achieve compliance with legal requirements.

Answer: C

QUESTION 10
An enterprise made a significant change to its business operating model that resulted in a new
strategic direction. Which of the following should be reviewed FIRST to ensure IT congruence with
the new business strategy?

A. IT risk appetite
B. Enterprise project management framework
C. IT investment portfolio
D. Information systems architecture

Answer: C

QUESTION 11
A chief technology officer (CTO) wants to ensure IT governance practices adequately address risk
management specific to mobile applications. To create the appropriate risk policies for IT, it is
MOST important for the CTO to:

A. understand the enterprise's risk tolerance.
B. create an IT risk scorecard.
C. map the business goals to IT risk processes.
D. identify the mobile technical requirements.

Answer: A

QUESTION 12
A large financial institution is considering outsourcing customer call center operations which will
allow the chosen vendor to access systems from offshore locations. Which of the following
represents the GREATEST risk?

A. Inconsistent customer service and reporting
B. Loss of data confidentiality
C. Lack of network availability
D. Inadequate business continuity planning

Answer: B

QUESTION 13
An IT director is negotiating a contract with a vendor for application management services. There
is concern by other departments that the outsourced services may not be delivered successfully.
Which of the following is the BEST way for the IT director to address this concern?

A. Implement a communication management plan.
B. Develop a comprehensive vendor management plan.
C. Review the IT service risk management plan.
D. Establish a policy on operational level agreements with vendors.

Answer: D

QUESTION 14
Which of the following is the BEST IT architecture concept to ensure consistency, interoperability,
and agility for infrastructure capabilities?

A. Establishment of an IT steering committee
B. Standards-based reference architecture and design specifications
C. Establishment of standard vendor and technology designations
D. Design of policies and procedures

Answer: A

QUESTION 15
A company is considering selling products online, and the CIO has been asked to advise the board
of directors of potential problems with this strategy. Which of the following is the CIO's BEST course
of action?

A. Review the security framework.
B. Conduct a return on investment (ROI) analysis.
C. Review the enterprise architecture (EA).
D. Perform a risk assessment.

Answer: D

QUESTION 16
In a large enterprise, which of the following is the MOST effective way to understand the business
activities associated with the enterprise's information architecture?

A. Reviewing IT design with business process managers
B. Reviewing business strategy with senior management
C. Mapping business processes within a framework
D. Aligning business objectives to organizational strategy

Answer: A

QUESTION 17
A board of directors is concerned that a major IT implementation has the potential to significantly
disrupt enterprise operations. Which of the following would be MOST helpful in identifying the extent
of the potential impact of the disruption?

A. An analysis of the current enterprise risk appetite
B. An earned value analysis (EVA) of the implementation
C. A risk assessment of the implementation
D. A review of lessons learned from previous implementations

Answer: C

QUESTION 18
Which of the following is the MOST comprehensive method to report on overall IT performance to
the board of directors?

A. Balanced scorecard
B. Net present value (NPV)
C. Performance-based payments
D. Return on investment (ROI)

Answer: A

QUESTION 19
A CIO has been asked to modify an organization's IT performance measurement system to reflect
recent changes in technology, including the movement of some data processing to a cloud solution.
Which of the following is the PRIMARY consideration when designing such a measurement system?

A. Ensuring that cost of measurement and reporting is minimized
B. Ensuring the measurement system maps to the enterprise architecture (EA)
C. Adequately defining the scope of services moved to the cloud
D. Correctly understanding stakeholder needs for IT-related measurement

Answer: D

QUESTION 20
Which of the following MOST effectively demonstrates operational readiness to address
information security risk issues?

A. Executive management has announced an information security risk initiative.
B. IT management has communicated the need for information security risk management to the
business.
C. A policy has been communicated stating enterprise commitment and readiness to address
information security risk.
D. Procedures have been established for assessing and mitigating information security risks.

Answer: D

QUESTION 21
An enterprise's CIO requires all IT processes within the enterprise to be clearly defined. Which of
the following would be the MOST immediate outcome?

A. Performance
B. Repeatability
C. Scalability
D. Optimization

Answer: A

QUESTION 22
Best practice states that IT governance MUST:

A. enforce consistent policy across the enterprise.
B. be applied in the same manner throughout the enterprise.
C. apply consistent target levels of maturity to processes.
D. be a component of enterprise governance.

Answer: D

QUESTION 23
The MOST important aspect of an IT governance framework to ensure that IT supports repeatable
business processes is:

A. earned value management.
B. quality management.
C. resource management.
D. risk management.

Answer: A

QUESTION 24
A new CIO has been charged with updating the IT governance structure. Which of the following is
the MOST important consideration to effectively influence organizational and process change?

A. Obtaining guidance from consultants
B. Aligning IT services to business processes
C. Redefining the IT risk appetite
D. Ensuring the commitment of stakeholders

Answer: D

QUESTION 25
Which of the following is the PRIMARY ongoing responsibility of the IT governance function related
to risk?

A. Responding to and controlling all IT risk events
B. Communicating the enterprise risk management plan
C. Ensuring IT risk management is aligned with business risk appetite
D. Verifying that all business units have staff skilled at assessing risk

Answer: C

QUESTION 26
An enterprise considering implementing IT governance should FIRST develop the scope of the IT
governance program and:

A. initiate the program using an implementation roadmap.
B. establish initiatives for business and managers.
C. acquire the resources that will be required.
D. communicate the program to stakeholders to gain consensus.

Answer: D

QUESTION 27
Which of the following should be the MAIN reason for an enterprise to implement an IT risk
management framework?

A. The need to enable IT risk-aware decisions by executives
B. The results of an external audit report concerning IT risk management processes
C. The need to address market regulations and internal compliance in IT risk
D. The ability to benchmark IT risk policies against major competitors

Answer: A

QUESTION 28
An enterprise's information security function is making changes to its data retention and backup
policies. Which of the following presents the GREATEST risk?

A. Business data owners were not consulted.
B. The new policies increase the cost of data backups.
C. Data backups will be hosted at third-party locations.
D. The retention period for data backups is increased.

Answer: A

QUESTION 29
Which of the following would be MOST important to update if a decision is made to ban end user-
owned devices in the workplace?

A. Employee nondisclosure agreement
B. Enterprise risk appetite statement
C. Enterprise acceptable use policy
D. Orientation training materials

Answer: C

QUESTION 30
Which of the following is the MOST effective way to manage risks within the enterprise?

A. Assign individuals responsibilities and accountabilities for management of risks.
B. Make staff aware of the risks in their area and risk management techniques.
C. Provide financial resources for risk management systems.
D. Document procedures and reporting processes.

Answer: A

QUESTION 31
Which of the following is an ADVANTAGE of using strategy mapping?

A. It provides effective indicators of productivity and growth.
B. It depicts the maturity levels of processes that support organizational strategy.
C. It identifies barriers to strategic alignment and links them to specific outcomes.
D. It depicts the cause-and-effect linked relationships between strategic objectives.

Answer: D

QUESTION 32
Due to continually missed service level agreements (SLAs), an enterprise plans to terminate its
contract with a vendor providing IT help desk services. The enterprise's IT department will assume
the help desk-related responsibilities. Which of the following would BEST facilitate this transition?

A. Requiring the enterprise architecture (EA) be updated
B. Validating that the balanced scorecard is still meaningful
C. Ensuring IT will operate at a lower cost than the vendor
D. Ensuring a change management plan is in place

Answer: D

QUESTION 33
A manufacturing company has recently decided to outsource portions of its IT operations. Which
of the following would BEST justify this decision?

A. Core legacy systems are not fully integrated with enterprise IT systems.
B. Business users are not able to decide upon IT service levels to be provided.
C. Increasing complexity of core business and IT processes have led to dramatic increasing costs.
D. The business strategy requires significant IT resource scalability over the next five years.

Answer: D

QUESTION 34
A CIO believes that a recent mission-critical IT decision by the board of directors is not in the best
financial interest of all stakeholders. Which of the following is the MOST ethical course of action?

A. Share concerns with the legal department.
B. Request a meeting with the board.
C. Engage an independent cost-benefit analysis.
D. Request an internal audit review of the board's decision.

Answer: B

QUESTION 35
A retail enterprise has cost reduction as its top priority. From a governance perspective, which of
the following should be the MOST important consideration when evaluating different IT investment
options?

A. Support for increased sales
B. Risk associated with each option
C. Industry best practices
D. Business value impact

Answer: D

QUESTION 36
Which of the following is the MOST important consideration for data classification to be successfully
implemented?

A. Users should be provided with clear instructions that are easy to follow and understand.
B. The data classification tools integrate with other tools that help manage the data.
C. The classification scheme should be closely aligned with the IT strategic plan.
D. Senior management should be properly trained in monitoring compliance.

Answer: B

QUESTION 37
Which of the following BEST reflects the ethical values adopted by an IT organization?

A. IT principles and policies
B. IT balanced scorecard
C. IT governance framework
D. IT goals and objectives

Answer: A

QUESTION 38
Which of the following would provide the BEST input for prioritizing strategic IT improvement
initiatives?

A. Business dependency assessment
B. Business process analysis
C. Business case evaluation
D. Business impact analysis (BIA)

Answer: D

QUESTION 39
What is the PRIMARY objective for performing an IT due diligence review prior to the acquisition
of a competitor?

A. Document the competitor's governance structure.
B. Ensure that the competitor understands significant IT risks.
C. Assess the status of the risk profile of the competitor.
D. Determine whether the competitor is using industry-accepted practices.

Answer: C

QUESTION 40
The IT program manager does not see the value of conducting risk assessments for a new major
IT project. The manager is reluctant to cooperate with internal auditors and the newly formed
steering committee. Midway through the project, program requirements were changed because the
CEO is a friend of a vendor and wants to implement this vendor's new technology. This decision
will cause the current IT program budget to be insufficient and will be shown as overspending. After
the requirement change request, the IT program manager should FIRST:

A. obtain confirmation from the business and a decision by the steering committee.
B. request additional funding from the business owner to cover the additional scope.
C. report the matter to internal audit as a program deviation to be reviewed.
D. align IT with the business and agree to the business request.

Answer: C

QUESTION 41
An enterprise is planning a change in business direction. As a result, IT risk will significantly
increase. Which of the following should be the CIO's FIRST course of action?

A. Recommend delaying the business change.
B. Implement IT changes to align with the plan.
C. Report the risk to executive management.
D. Plan for the corresponding IT reorganization.

Answer: C

QUESTION 42
Which of the following is MOST important to effectively initiate IT-enabled change?

A. Establish a change management process.
B. Obtain top management support and ownership.
C. Ensure compliance with corporate policy.
D. Benchmark against best practices.

Answer: A

QUESTION 43
Which of the following would BEST help to improve an enterprise's ability to manage large IT
investment projects?

A. Creating a change management board
B. Reviewing and evaluating existing business cases
C. Implementing a review and approval process for each phase
D. Publishing the IT approval process online for wider scrutiny

Answer: C

QUESTION 44
A business case indicates an enterprise would reduce costs by implementing a bring your own
device (BYOD) program allowing employees to use personal devices for email. Which of the
following should be the FIRST governance action?

A. Assess the enterprise architecture (EA).
B. Update the network infrastructure.
C. Update the BYOD policy.
D. Assess the BYOD risk.

Answer: D

QUESTION 45
The CIO of a financial services company is tasked with ensuring IT processes are in compliance
with recently instituted regulatory changes. The FIRST course of action should be to:

A. align IT project portfolio with regulatory requirements.
B. create an IT balanced scorecard.
C. identify the penalties for noncompliance.
D. perform a current state assessment.

Answer: D

QUESTION 46
The CIO of an enterprise learns the payroll server of a competitor has been the victim of
ransomware. To help plan for the possibility of ransomed corporate data, what should be the CIO's
FIRST course of action?

A. Require development of key risk indicators (KRIs).
B. Develop a policy to address ransomware.
C. Request a targeted risk assessment.
D. Back up corporate data to a secure location.

Answer: C

QUESTION 47
Which of the following aspects of the transition from X-rays to digital images would be BEST
addressed by implementing information security policy and procedures?

A. Establishing data retention procedures
B. Training technicians on acceptable use policy
C. Minimizing the impact of hospital operation disruptions on patient care
D. Protecting personal health information

Answer: D

QUESTION 48
Prior to decommissioning an IT system, it is MOST important to:

A. assess compliance with environmental regulations.
B. assess compliance with the retention policy.
C. review the media disposal records.
D. review the data sanitation records.

Answer: B

QUESTION 49
A CEO determines the enterprise is lagging behind its competitors in consumer mobile offerings,
and mandates an aggressive rollout of several new mobile services within the next 12 months. To
ensure the IT organization is capable of supporting this business objective, what should the CIO
do FIRST?

A. Request an assessment of current in-house mobile technology skills.
B. Create a sense of urgency with the IT team that mobile knowledge is mandatory.
C. Procure contractors with experience in mobile application development.
D. Task direct reports with creating training plans for their teams.

Answer: A

QUESTION 50
Which of the following is the MOST effective way for a CIO to govern business unit deployment of
shadow IT applications in a cloud environment?

A. Implement controls to block the installation of unapproved applications.
B. Educate the executive team about the risk associated with shadow IT applications.
C. Provide training to the help desk to identify shadow IT applications.
D. Review and update the application implementation process.

Answer: B

QUESTION 51
Before an IT strategy committee can approve an IT risk assessment framework, which of the
following is MOST important to have established?

A. An enterprise risk mitigation strategy
B. Leading and lagging risk indicators
C. IT performance metrics and standards
D. Enterprise definitions for risk impact and probability

Answer: D

QUESTION 52
An IT governance committee wants to ensure there is a clear description of the "data owner" in the
enterprise data policy. Which of the following would BEST define the owner of data stored in an
external cloud?

A. The business leader who is most impacted by the loss of data.
B. The risk manager who is responsible for protecting data stored in the cloud.
C. The contract manager who monitors the security of the cloud provider.
D. The vendor who submits the data to the organization via online forms.

Answer: A

QUESTION 53
Which of the following has the GREATEST influence on data quality assurance?

A. Data classification
B. Data encryption
C. Data modeling
D. Data stewardship

Answer: B

QUESTION 54
A multinational enterprise recently purchased a large company located in a different country. When
introducing the concept of governance to the new acquisition, it is MOST important that executive
management recognize:

A. language differences.
B. the use of international standards.
C. the impact of cultural changes.
D. globally recognized good practices.

Answer: C

QUESTION 55
The results of an internal audit show that the business and IT acquire resources differently, which
causes duplicate purchases. Which of the following is the BEST way to address this issue?

A. Align IT objectives to the business procurement process.
B. Involve business in IT procurement decisions.
C. Establish a centralized procurement approval process.
D. Define roles and responsibilities through a RACI chart.

Answer: D

QUESTION 56
Which of the following is the MOST important benefit of developing an information architecture
model consistent with enterprise strategy?

A. It identifies information architecture priorities.
B. It supports and facilitates decision making.
C. It enables information architecture roadmap updates.
D. It optimizes information delivery and storage costs.

Answer: B

QUESTION 57
Which of the following is the BEST course of action to enable effective resource management?

A. Conduct an enterprise risk assessment.
B. Implement a cross-training program.
C. Assign resources based on business priorities.
D. Assign resources based on risk appetite.

Answer: B

QUESTION 58
IT has launched new portfolio management policies and processes to improve the alignment of IT
projects with enterprise goals. The latest audit report indicates that no improvement has been made
due to confusion in the decision-making process. Which of the following is the BEST course of
action for the CIO?

A. Deliver prioritization and facilitation training.
B. Implement a performance management framework.
C. Create an IT portfolio management risk framework.
D. Develop and communicate an accountability matrix.

Answer: D

QUESTION 59
Which of the following responsibilities should be retained within an enterprise when outsourcing a
project management office (PMO) function?

A. Selecting projects
B. Managing projects
C. Tracking project cost
D. Defining project methodology

Answer: A

QUESTION 60
Which of the following should be the MOST important consideration when defining an information
architecture?

A. Frequency and quantity of information updates
B. Information to justify business cases
C. Incorporation of emerging technologies
D. Access to and exchange of information

Answer: D

QUESTION 61
Which of the following roles has PRIMARY accountability for the security related to data assets?

A. Database administrator
B. Data owner
C. Data analyst
D. Security architect

Answer: B

QUESTION 62
Senior management is reviewing the results of a recent security incident with significant business
impact. Which of the following findings should be of GREATEST concern?

A. Significant gaps are present in the incident documentation.
B. The incident was not logged in the ticketing system.
C. Response decisions were made without consulting the appropriate authority.
D. Response efforts had to be outsourced due to insufficient internal resources.

Answer: C

QUESTION 63
A large enterprise that is diversifying its business will be transitioning to a new software platform,
which is expected to cause data changes. Which of the following should be done FIRST when
developing the related metadata management process?

A. Require an update to enterprise data policies.
B. Request an impact analysis.
C. Review documented data interdependence.
D. Validate against existing architecture.

Answer: D

QUESTION 64
An IT director has become aware that a certain subset of data collected lawfully can be used to
generate additional revenue. However, this particular use of the data is outside the original intention.
What is the PRIMARY reason this situation should be escalated to the IT steering committee?

A. Potential legal penalties
B. Ethical concerns
C. Regulatory requirements
D. Data protection

Answer: C

QUESTION 65
Of the following, who should approve the criteria for information quality within an enterprise?

A. Information architect
B. Information analyst
C. Information steward
D. Information owner

Answer: D

QUESTION 66
From a governance perspective, the PRIMARY goal of an IT risk optimization process should be
to ensure:

A. IT risk thresholds are defined in the enterprise architecture (EA).
B. the IT risk mitigation strategy is approved by management.
C. IT risk is mapped to the balanced scorecard.
D. the impact of IT risk to the enterprise is managed.

Answer: D

QUESTION 67
Which of the following is the BEST way to ensure new systems can be adequately supported once
in production?

A. Establish a resource management framework.
B. Evaluate the operational requirements of the business stakeholders.
C. Identify key performance indicators (KPIs).
D. Require operational management be identified in the business case.

Answer: B

QUESTION 68
To benefit from economies of scale, a CIO is deciding whether to outsource some IT services.
Which of the following would be the MOST important consideration during the decision-making
process?

A. IT staff morale
B. Core IT processes
C. Outsourcer's reputation
D. New service level agreements (SLAs)

Answer: B

QUESTION 69
The board and senior management of a new enterprise recently met to formalize an IT governance
framework. The board of directors' FIRST step in implementing IT governance is to ensure that:

A. an IT balanced scorecard is implemented.
B. a portfolio of IT-enabled investments is developed.
C. IT roles and responsibilities are established.
D. IT policies and procedures are defined.

Answer: C

QUESTION 70
An IT risk assessment for a large healthcare group revealed an increased risk of unauthorized
disclosure of information. Which of the following should be established FIRST to address the risk?

A. Data encryption tools
B. Data loss prevention tools
C. Data classification policy
D. Data retention policy

Answer: C

QUESTION 71
Which of the following should be the MAIN governance focus when implementing a newly approved
bring your own device (BYOD) policy?

A. Recommending mobile applications that will increase business productivity
B. Training employees on the enterprise's chosen mobile device management system
C. Educating employees on the increased IT security risk to the enterprise
D. Understanding knowledge gaps of IT employees to support different mobile platforms

Answer: C

QUESTION 72
An audit report has revealed that data scientists are analyzing sensitive "big data" files using an
offsite cloud because corporate servers do not have the necessary processing capabilities. A
review of policies indicates this practice is not prohibited. Which of the following should be the
FIRST strategic action to address the report?

A. Authorize a risk analysis of the practice.
B. Update data governance practices.
C. Revise the information security policy.
D. Recommend the use of a private cloud.

Answer: A

QUESTION 73
Which of the following BEST lowers costs and improves scalability from an IT enterprise
architecture (EA) perspective?

A. Cost management
B. IT strategic sourcing
C. Standardization
D. Business agility

Answer: C

QUESTION 74
While assessing the feasibility of introducing new IT practices and standards into the IT governance
framework, it is CRITICAL to understand an organization's:

A. culture.
B. level of outsourcing.
C. enterprise architecture (EA).
D. maturity of IT processes.

Answer: C

QUESTION 75
When determining the optimal IT service levels to support business, which of the following is MOST
important?

A. IT capacity utilization and availability.
B. Cost/benefit to the business.
C. Available IT budget.
D. Business user requests.

Answer: B

QUESTION 76
Which of the following is MOST important when an IT-enabled business initiative involves multiple
business functions?

A. Defining cross-departmental budget allocation
B. Conducting a systemic risk assessment
C. Developing independent business cases
D. Establishing a steering committee with business representation

Answer: D

QUESTION 77
A recent benchmarking analysis has indicated an IT organization is retaining more data and
spending significantly more on data retention than its competitors. Which of the following would
BEST ensure the optimization of retention costs?

A. Requiring that all business cases contain data deletion and retention plans
B. Revalidating the organization's risk tolerance and re-aligning the retention policy
C. Moving all high-risk and medium-risk data backups to cloud storage
D. Redefining the retention policy to align with industry best practices

Answer: B

QUESTION 78
Which of the following MOST effectively prevents an IT system from becoming technologically
obsolete before its planned return on investment (ROI)?

A. Requesting periodic third-party assessments of the system throughout its life
B. Obtaining long-term support commitments from the system platform vendor(s)
C. Obtaining independent assurance that the system will conform to future business requirements
D. Ensuring that the system is maintained in compliance with enterprise architecture (EA) standards

Answer: D

QUESTION 79
The board of a start-up company has directed the CIO to develop a technology resource acquisition
and management policy. Which of the following should be the MOST important consideration during
the development of this policy?

A. Enterprise growth plans
B. Industry best practices
C. Organizational knowledge retention
D. IT staff competencies

Answer: A

QUESTION 80
When developing effective metrics for the measurement of solution delivery, it is MOST important
to:

A. establish project controls and monitoring objectives.
B. perform an objective analysis of the project roadmap.
C. establish the objectives and expected benefits.
D. specify quantitative measures for solution delivery.

Answer: A

QUESTION 81
Which of the following is the BEST indication of effective IT-business strategic alignment?

A. Business management is involved as IT strategies are developed.
B. IT senior management is required to report to the board.
C. Business strategy is documented to allow IT architecture to be designed quickly.
D. IT-business collaboration results in a strategy focused on IT cost reduction.

Answer: A

QUESTION 82
The BEST way to manage an outsourced vendor relationship is by:

A. conducting periodic risk assessments.
B. reviewing annual independent third-party reports.
C. providing clear objectives and transparency.
D. analyzing performance statistics from the vendor.

Answer: D

QUESTION 83
Which of the following BEST reflects mature risk management in an enterprise?

A. A regularly updated risk register
B. Ongoing risk assessment

C. Ongoing investment in risk mitigation
D. Responsive risk awareness culture

Answer: D

QUESTION 84
An enterprise is initiating efforts to improve system availability to mitigate IT risk to the business.
Which of the following results would be MOST important to report to the CIO to measure progress?

A. Incident severity and downtime trend analysis
B. Probability and severity of each IT risk
C. Financial losses and bad press releases
D. Customer and stakeholder complaints over time

Answer: A

QUESTION 85
A review of the effectiveness of IT governance within an enterprise has revealed that several
innovation improvement initiatives are failing. An analysis shows a lack of stakeholder buy-in to the
improvements. Implementing which of the following would have prevented this problem?

A. An IT project roadmap
B. An IT risk management program
C. A change management program
D. A service delivery framework

Answer: C

QUESTION 86
Which of the following is the BEST way for a CIO to secure support for a strategy to achieve long-
term IT objectives?

A. Make the necessary strategic decisions and notify staff accordingly.
B. Develop tactics to implement the strategy and share with stakeholders.
C. Develop a communication plan for distribution of information to staff.
D. Meet with stakeholders to explain the strategy and incorporate feedback.

Answer: D

QUESTION 87
Two large financial institutions with different corporate cultures are engaged in a merger. From a
governance perspective, which of the following should be the GREATEST concern?

A. Technology infrastructure
B. Risk appetite
C. Combined cost of operations
D. Enterprise architecture (EA) integration

Answer: D

QUESTION 88
A healthcare enterprise that is subject to strict compliance requirements has decided to outsource
several key IT services to third-party providers. Which of the following would be the BEST way to
assess compliance and avoid reputational damage?

A. Require quarterly reports from the providers demonstrating compliance.
B. Require documentation that the providers have adequate controls in place.
C. Exercise the right to perform an audit.
D. Impose monetary penalties for noncompliance.

Answer: C

QUESTION 89
An enterprise plans to expand into new markets in countries lacking data privacy regulations,
increasing risk exposure. Which of the following is the BEST course of action for the CIO?

A. Identify business risk appetite and tolerance levels.
B. Quantify the risk impact and evaluate possible countermeasures.
C. Limit the personal data available to the high-risk countries.
D. Mandate the strengthening of user access controls.

Answer: A

QUESTION 90
A global financial institution has decided to integrate data from branch locations into a common
database to address regulatory reporting requirements. Analysis of data flows and the full data life
cycle should be conducted at which level?

A. Transaction level
B. Enterprise level
C. Branch level
D. Department level

Answer: A

QUESTION 91
An enterprise's service center is experiencing long delays in fulfilling IT service requests and very
low customer satisfaction. The BEST way to determine if staff competency is the root cause of
these performance problems is to compare required staff competencies with:

A. certification requirements.
B. current skills inventory.
C. training program completions.
D. hiring and staffing practices.

Answer: B

QUESTION 92
Which of the following are PRIMARY factors in ensuring the success of an enterprise quality
assurance program?

A. Enterprise risk appetite and tolerance
B. Risk management and control frameworks
C. Continuous improvement plans
D. A process maturity framework and documented procedures

Answer: C

QUESTION 93
Which of the following is the BEST way to demonstrate that IT strategy supports a new enterprise
strategy?

A. Monitor new key risk indicators (KRIs).
B. Measure return on IT investments against balanced scorecards.
C. Review and update the portfolio management process.
D. Map IT programs to business goals.

Answer: D

QUESTION 94
Prior to setting IT objectives, an enterprise MUST have established its:

A. architecture.
B. policies.
C. strategies.
D. controls.

Answer: C

QUESTION 95
An enterprise's board of directors can BEST manage enterprise risk by:

A. mandating board-approved enterprise risk management (ERM) modifications.
B. requiring the establishment of an enterprise risk management (ERM) framework.
C. requiring the establishment of an enterprise-wide program management office.
D. ensuring the cost-effectiveness of the internal control system.

Answer: B

QUESTION 96
A strategic IT-enabled investment is failing due to unforeseen technology problems. What should
be the board of directors' FIRST course of action?

A. Terminate the investment.
B. Assess the business risk and options.
C. Approve an investment budget increase.

D. Revise the investment selection process.

Answer: B

QUESTION 97
Which of the following MUST be established before implementing an information architecture that
restricts access to data based on sensitivity?

A. Risk and control frameworks
B. Probability and impact analysis
C. Classification and ownership
D. Security and privacy policies

Answer: C

QUESTION 98
A CEO is concerned that IT costs have significantly exceeded budget without resulting benefits.
The root causes are an overlap of IT projects and a lack of alignment with business demands.
Which of the following would BEST enable remediation of this situation?

A. Require IT business cases be approved by the board of directors.
B. Assign a set of key risk indicators (KRIs) to each new IT project.
C. Conduct a performance assessment of IT projects.
D. Implement an IT portfolio management policy.

Answer: A

QUESTION 99
Senior management wants to expand offshoring to include IT services as other types of business
offshoring have already resulted in significant financial benefits for the enterprise. The CIO is
currently midway through a successful five-year strategy that relies heavily on internal IT resources.
What should the CIO do NEXT?

A. Reevaluate the offshoring strategy.
B. Abandon the current IT strategy.
C. Continue with the existing IT strategy.
D. Reevaluate the current IT strategy.

Answer: D

QUESTION 100
Which of the following is the BEST way to ensure the continued usefulness of IT governance reports
for stakeholders?

A. Conduct quarterly audits and adjust reporting based on findings.
B. Establish a standard process for providing feedback.
C. Rely on IT leaders to advise when adjustments should be made.
D. Issue frequent service level satisfaction surveys.

Answer: B

QUESTION 101
The use of an IT balanced scorecard enables the realization of business value of IT through:

A. business value and control mechanisms.
B. outcome measures and performance drivers.
C. financial measures and investment management.
D. vision and alignment with corporate programs.

Answer: B

QUESTION 102
The CEO of a large enterprise has announced the commencement of a major business expansion
that will double the size of the organization. IT will need to support the expected demand expansion.
What should the CIO do FIRST?

A. Review the resource utilization matrix.
B. Recruit IT resources based on the expansion decision.
C. Embed IT personnel in the business units.
D. Update the IT strategic plan to align with the decision.

Answer: D

QUESTION 103
An enterprise has been focused on establishing an IT risk management framework. Which of the
following should be the PRIMARY motivation behind this objective?

A. Promoting responsibility throughout the enterprise for managing IT risk.
B. Increasing the enterprise's risk tolerance level and risk appetite.
C. Engaging executives in examining IT risk when developing policies.
D. Maintaining a complete and accurate risk registry to better manage IT risk.

Answer: A

QUESTION 104
Which of the following is MOST important for the effective design of an IT balanced scorecard?

A. On-demand reporting and continuous monitoring
B. Consulting with the CIO
C. Emphasizing the financial results
D. Identifying appropriate key performance indicators (KPIs)

Answer: D

QUESTION 105
An IT audit report indicates that a lack of IT employee risk awareness is creating serious security
issues in application design and configuration. Which of the following would be the BEST key risk
indicator (KRI) to show progress in IT employee behavior?

A. Number of IT employees attending security training sessions
B. Results of application security testing
C. Number of reported security incidents
D. Results of application security awareness training quizzes

Answer: B

QUESTION 106
A strategic systems project was implemented several months ago. Which of the following is the
BEST reference for the IT steering committee as they evaluate its level of success?

A. Stakeholder satisfaction surveys
B. The project's net present value (NPV)
C. The project's business case
D. Operating metrics of the new system

Answer: A

QUESTION 107
Which of the following is the MOST important reason for selecting IT key risk indicators (KRIs)?

A. Demonstrating the effectiveness of IT risk policies
B. Assessing the current IT controls model
C. Enabling comparison against similar IT KRIs
D. Increasing the probability of achieving IT goals

Answer: A

QUESTION 108
A large organization with branches across many countries is in the midst of an enterprise resource
planning (ERP) transformation. The IT organization receives news that the branches in a country
where the impact to the enterprise is to be greatest are being sold. What should be the NEXT step?

A. Update the ERP business case and re-evaluate the ROI.
B. Cancel the ERP transformation and re-allocate project funds.
C. Adjust the ERP implementation plan and budget.
D. Continue with the ERP migration according to plan.

Answer: A

QUESTION 109
A marketing enterprise is considering procuring customer information to more accurately target
customer communications and increase sales. The data has a very high cost to the enterprise.
Which of the following would provide the MOST comprehensive view into the potential value to the
organization?

A. Investment services board review
B. Net present value (NPV) calculation
C. Risk assessment results
D. Cost-benefit analysis results

Answer: B

QUESTION 110
Which of the following provides the BEST assurance on the effectiveness of IT service
management processes?

A. Performance of incident response
B. Continuous monitoring
C. Key risk indicators (KRIs)
D. Compliance with internal controls

Answer: A

QUESTION 111
A rail transport company has the worst on-time arrival record in the industry due to an antiquated
IT system that controls scheduling. Despite employee resistance, an initiative to upgrade the
technology and related processes has been approved. To maximize employee engagement
throughout the project, which of the following should be in place prior to the start of the initiative?

A. Procurement management plan
B. Organizational change management plan
C. Risk response plan
D. Resource management plan

Answer: B

QUESTION 112
A financial institution with a highly regarded reputation for protecting customer interests has
recently deployed a mobile payments program. Which of the following key risk indicators (KRIs)
would be of MOST interest to the CIO?

A. Number of failed software updates on mobile devices
B. Percentage of incomplete transactions
C. Failure rate of point-of-sale systems
D. Total volume of suspicious transactions

Answer: D

QUESTION 113
An enterprise has a large backlog of IT projects. The current strategy is to execute projects as they
are submitted, but executive management does not believe this method is optimal. Which of the
following is the MOST important action to address this concern?

A. Implement stage-gating to determine the value of each project.
B. Establish a performance dashboard that determines business value.
C. Implement a methodology to prioritize projects based on resource availability.
D. Create a combined business/IT committee to determine project prioritization.

Answer: D

QUESTION 114
An IT strategy committee wants to ensure that a risk program is successfully implemented
throughout the enterprise. Which of the following would BEST support this goal?

A. A risk management framework
B. Mandatory risk awareness courses for staff
C. A risk recognition and reporting policy
D. Commitment from senior management

Answer: D

QUESTION 115
Which of the following would be the PRIMARY impact on IT governance when a business strategy
is changed?

A. Performance outcomes of IT objectives
B. IT governance structure
C. Maturity level of IT processes
D. Relationship level with IT outsourcers

Answer: A

QUESTION 116
The MOST successful IT performance metrics are those that:

A. measure financial results.
B. measure all areas.
C. are approved by the stakeholders.
D. contain objective measures.

Answer: B

QUESTION 117
When implementing an IT governance framework, which of the following would BEST ensure
acceptance of the framework?

A. Factoring in the effects of enterprise culture
B. Using subject matter experts
C. Using industry-accepted practices
D. Complying with regulatory requirements

Answer: A

QUESTION 118
An executive sponsor of a partially completed IT project has learned that the financial assumptions
supporting the project have changed. Which of the following governance actions should be taken
FIRST?

A. Schedule an interim project review.
B. Request a risk assessment.
C. Re-evaluate the project in the portfolio.
D. Request an update to the business case

Answer: A

QUESTION 119
An enterprise has decided to create its first mobile application. The IT director is concerned about
the potential impact of this initiative. Which of the following is the MOST important input for
managing the risk associated with this initiative?

A. Enterprise architecture (EA)
B. IT risk scorecard
C. Enterprise risk appetite
D. Business requirements

Answer: C

QUESTION 120
A strengthening the department's human resource assets?

A. Develop a responsible, accountable, consulted, and informed (RACI) chart.
B. Create an effective recruitment, retention, and training program.
C. Commit to the board performance metrics and bonus structure.
D. Develop personnel requirements for third-party assurance.

Answer: B

QUESTION 121
To generate value for the enterprise, it is MOST important that IT investments are:

A. aligned with the IT strategic objectives.
B. approved by the CFO.
C. consistent with the enterprise's business objectives
D. included in the balanced scorecard.

Answer: C

QUESTION 122
An enterprise plans to implement a business intelligence (BI) tool with data sources from various
enterprise applications. Which of the following is the GREATEST challenge to implementation?

A. Interface issues between enterprise and BI applications
B. Large volumes of data fed from enterprise applications
C. The need for staff to be trained on the new BI tool
D. Data definition and mapping sources from applications

Answer: B

QUESTION 123
The use of new technology in an enterprise will require specific expertise and updated system
development processes. There is concern that IT is not properly sourced. Which of the following
should be the FIRST course of action?

A. Perform a risk assessment on potential outsourcing.
B. Update the enterprise architecture (EA) with the new technology.
C. Review the IT balanced scorecard for sourcing opportunities.
D. Assess the gap between current and required staff competencies.

Answer: D

QUESTION 124
An enterprise is evaluating a Software as a Service (SaaS) solution to support a core business
process. There is no outsourcing governance or vendor management in place. What should be the
CEO's FIRST course of action?

A. Ensure the roles and responsibilities to manage service providers are defined.
B. Establish a contract with the SaaS solution provider.
C. Instruct management to use the standard procurement process.
D. Ensure the service level agreements (SLAs) for service providers are defined

Answer: A

QUESTION 125
An IT steering committee wants the enterprise's mobile workforce to use cloud-based file storage
to save non-sensitive corporate data, removing the need for remote access to that information.
Before this change is implemented, what should be included in the data management policy?

A. A mandate for periodic employee training on how to classify corporate data files
B. A mandate for the encryption of all corporate data files at rest that contain sensitive data
C. A process for blocking access to cloud based apps if inappropriate content is discovered
D. A requirement to scan approved cloud-based apps for inappropriate content

Answer: A

QUESTION 126
Who is PRIMARILY accountable for delivering the benefits of an IT-enabled investment program
to the enterprise?

A. Program manager
B. IT steering committee chair
C. CIO

D. Business sponsor

Answer: D

QUESTION 127
An enterprise incurred penalties for noncompliance with privacy regulations. Which of the following
is MOST important to ensure appropriate ownership of access controls to address this deficiency?

A. Authenticating access to information assets based on roles or business rules
B. Implementing multi-factor authentication controls
C. Granting access to information based on information architecture
D. Engaging an audit of logical access controls and related security policies

Answer: A

QUESTION 128
Which of the following would be of MOST concern regarding the effectiveness of risk management
processes?

A. Key risk indicators (KRIs) are not established.
B. Risk management requirements are not included in performance reviews
C. The plans and procedures are not updated on an annual basis.
D. There is no framework to ensure effective reporting of risk events

Answer: A

QUESTION 129
An enterprise has a zero-tolerance policy regarding security. This policy is causing a large number
of email attachments to be blocked and is a disruption to enterprise. Which of the following should
be the FIRST governance step to address this email issue?

A. Direct the development of an email usage policy.
B. Obtain senior management input based on identified risk.
C. Recommend business sign-off on the zero-tolerance policy.
D. Introduce an exception process.

Answer: B

QUESTION 130
Which of the following is the BEST method for determining an enterprise's current appetite for risk?

A. Interviewing senior management
B. Evaluating the balanced scorecard
C. Reviewing recent audit findings
D. Assessing social media adoption

Answer: A

QUESTION 131
Which of the following is the MOST effective approach to ensure senior management sponsorship
of IT risk management?

A. Benchmark risk framework against best practices.
B. Calculate financial impact for each IT risk finding.
C. Periodically review the IT risk register entries.
D. Integrate IT risk into enterprise risk management (ERM).

Answer: C

QUESTION 132
Which of the following is the MOST effective means for IT management to report to executive
management regarding the value of IT?

A. IT process maturity level
B. Cost-benefit analysis
C. Resource assessment
D. Balanced scorecard

Answer: A

QUESTION 133
Which of the following is the PRIMARY benefit of communicating the IT strategy across the
enterprise?

A. On-time and on-budget delivery of strategic projects
B. Improvement in IT balanced scorecard performance
C. Optimization of IT investment in supporting business objectives
D. Reduced organizational resistance during strategy execution

Answer: D

QUESTION 134
The CIO in a large enterprise is seeking assurance that significant IT risk is being proactively
monitored and does not exceed agreed risk tolerance levels. The BEST way to provide this ongoing
assurance is to require the development of:

A. an IT risk appetite statement.
B. a risk management policy.
C. key risk indicators (KRIs).
D. a risk register.

Answer: C

QUESTION 135
The BEST way to ensure an IT steering committee meets enterprise objectives is to:

A. require a member of the committee to have IT governance expertise.
B. benchmark against industry best practices.
C. establish key performance indicators (KPIs).
D. have key business stakeholders represented on the committee.

Answer: D

QUESTION 136
Establishing a uniform definition for likelihood and impact through risk management standards
PRIMARILY addresses which of the following concerns?

A. Inconsistent categories of vulnerabilities
B. Conflicting interpretations of risk levels
C. Inconsistent data classification
D. Lack of strategic IT alignment

Answer: B

QUESTION 137
An enterprise embarked on an aggressive strategy requiring the implementation of several large IT
projects impacting multiple business processes across all departments. Initially employees were
supportive of the strategy but there is growing fatigue and frustration with the ongoing new
capabilities which must be learned. Which of the following would be the BEST action performed by
senior management?

A. Incorporate an organizational change management program.
B. Establish "Reward and Recognition" efforts to boost employee morale.
C. Improve the system development life cycle (SDLC) process.
D. Assess current business and IT competencies.

Answer: B

QUESTION 138
An enterprise decides to accept the IT risk of a subsidiary located in another country even though
it exceeds the enterprise's risk appetite. Which of the following would be the BEST justification for
this decision?

A. Risk framework alignment
B. Local market common practices
C. Compliance with local regulations
D. Technical gaps among subsidiaries

Answer: C

QUESTION 139
Which of the following is the MOST valuable input when quantifying the loss associated with a
major risk event?

A. Key risk indicators (KRIs)
B. IT environment threat modeling
C. Business impact analysis (BIA) report
D. Recovery time objectives (RTOs)

Answer: C

QUESTION 140
To reduce the risk of reputational damage through inappropriate use of social media by employees
outside of the workplace, the enterprise approach regarding social media should PRIMARILY focus
on:

A. implementing preventative controls.
B. developing policies on social media.
C. implementing a review of processes utilizing social media.
D. ensuring each use of social media is approved by management.

Answer: B

QUESTION 141
An enterprise's internal audit group has scheduled a control review of a payroll system project but
has been told to wait until the system is implemented. Which of the following is the GREATEST
risk associated with the delay?

A. Delay in the development of new key performance indicators (KPIs)
B. Continued dependency on compliant legacy systems
C. Increased cost to mitigate deficiencies
D. Lack of adherence to industry best practices

Answer: C

QUESTION 142
Which of the following provides the STRONGEST indication that IT governance is well established
within an organizational culture?

A. IT performance metrics are defined in the balanced scorecard.
B. Benefits of IT governance are realized throughout the organization.
C. There is awareness of IT metrics throughout the organization.
D. IT governance defines how IT projects should be assessed.

Answer: A

QUESTION 143
A board of directors has just received a report indicating that only a small number of IT initiatives
have been completed on time and within budget. A third of the projects were cancelled prior to
completion, and more than half will cost almost double their original estimates. An analysis has
determined that no one is held responsible for the completion of investment initiatives, and there is
no consistency in execution. Which of the following would BEST help the enterprise address these
problems?

A. Establishing a project governance framework
B. Assigning business management to an IT investment review board
C. Establishing an IT risk management plan
D. Aligning IT investment priorities to the business

Answer: B

QUESTION 144
An enterprise is trying to increase the maturity of its IT process from being ad hoc to being
repeatable. Which of the following is the PRIMARY benefit of this change?

A. Process optimization is embedded across the organization.
B. Required outcomes are mapped to business objectives.
C. Process performance is measured in business terms.
D. Required outcomes are more frequently achieved.

Answer: D

QUESTION 145
A new chief information officer (CIO) of an enterprise recommends implementing portfolio
management after realizing there is no process in place for evaluating investments prior to selection.
What should be the PRIMARY strategic goal driving this decision?

A. Maximize value from the combined investments.
B. Standardize processes for investment evaluation.
C. Align investments to the enterprise architecture (EA).
D. Enable transparency within the investment process.

Answer: A

QUESTION 146
Supply chain management has established a supplier policy requiring multiple technology suppliers.
What is the BEST way to ensure the success of this policy?

A. Identify and select suppliers based on cost.
B. Align the vendor selection process with the security policy.
C. Implement a master service agreement.
D. Align enterprise architecture (EA) and procurement strategies.

Answer: D

QUESTION 147
When establishing an enterprise data model, the BEST way to ensure the integrity of data is to:

A. classify information using an agreed-upon schema.
B. implement the highest level of protection to data across the enterprise.
C. establish a privileged access management platform.
D. implement a data loss prevention (DLP) program.

Answer: D

QUESTION 148
Which of the following is the BEST indication that enterprise value is being derived from IT?

A. IT strategy supports continuous improvement initiatives.
B. Metrics are established for IT performance.
C. Rate of return for projects is achieved.
D. IT services enable business strategy.

Answer: D

QUESTION 149
Which of the following should be the FIRST step in planning an IT governance implementation?

A. Assign decision-making responsibilities.
B. Obtain necessary business funding.
C. Define key business performance indicators.
D. Identify business drivers.

Answer: D

QUESTION 150
A CIO just received a final audit report that indicates there is inconsistent enforcement of the
enterprise's mobile device acceptable use policy throughout all business units. Which of the
following should be the FIRST step to address this issue?

A. Incorporate compliance metrics into performance goals.
B. Review the relevance of existing policy.
C. Mandate awareness training for all mobile device users.
D. Implement controls to enforce the policy.

Answer: B

QUESTION 151
Which of the following should be the MOST important consideration for a hospital planning to use
cloud services and mobile applications?

A. Privacy requirements
B. Data classification
C. Acceptable use policy
D. Internet connectivity

Answer: A

QUESTION 152
An enterprise is developing an ethics program, and the ethical standards have been defined. Which
of the following should the enterprise do NEXT?

A. Establish a training and awareness program focused on ethics.
B. Implement an enterprise-wide employee monitoring program.
C. Develop key performance indicators (KPIs) for program implementation.
D. Outline and document consequences for noncompliance.

Answer: C

QUESTION 153
Reviewing which of the following should be the FIRST step when evaluating the possibility of
outsourcing an IT system?

A. Outsourcing strategy
B. Outsourced business processes
C. Service level agreements (SLAs)
D. IT staff skill sets

Answer: A

QUESTION 154
To enable the development of required IT skill sets for the enterprise, it is MOST important to define
skill requirements based on:

A. training needs.
B. one set of skills applicable to all IT staff.
C. a best practices framework.
D. each role within the IT department.

Answer: D

QUESTION 155
An enterprise is conducting a SWOT analysis as part of IT strategy development. Which of the
following would be MOST helpful to identify opportunities and threats?

A. Risk appetite
B. Internal framework assessment
C. Competitor analysis
D. Critical success factors (CSF)

Answer: D

QUESTION 156
The CIO of a global technology company is considering introducing a bring your own device (BYOD)
program. What should the CIO do FIRST?

A. Ensure the infrastructure can meet BYOD requirements.
B. Establish a business case.
C. Define a clear and inclusive BYOD policy.
D. Focus on securing data and access to data.

Answer: B

QUESTION 157
What is the BEST way for an IT governance board to establish standards of behavior for the
adoption of artificial intelligence (AI)?

A. Direct the creation and approval of an ethical use policy.
B. Review and update the data privacy policy to align with industry standards.
C. Include specific ethics clauses in vendor agreements and contracts.
D. Include ethics topics within onboarding and awareness training.

Answer: C

QUESTION 158
An IT steering committee is preparing to review proposals for projects that implement emerging
technologies. In anticipation of the review, the committee should FIRST:

A. determine if the IT staff can support the emerging technologies.
B. understand how the emerging technologies will influence risk across the enterprise.
C. require a capacity plan and framework review for the emerging technologies.
D. require a review of the enterprise risk management framework.

Answer: B

QUESTION 159
Which of the following provides the MOST comprehensive insight into the effectiveness of IT?

A. IT balanced scorecard
B. IT strategy
C. Return on investment (ROI)
D. Key risk indicators (KRIs)

Answer: A

QUESTION 160
Establishing a uniform definition for likelihood and impact BEST enables an enterprise to:

A. reduce variance in the assessment of risk.
B. develop key risk indicators (KRIs).
C. prioritize threat assessment.
D. reduce risk appetite and tolerance levels.

Answer: A

QUESTION 161
An enterprise-wide strategic plan has been approved by the board of directors. Which of the
following would BEST support the planning of IT investments required for the enterprise?

A. Service-oriented architecture
B. Enterprise architecture (EA)
C. Contingency planning
D. Enterprise balanced scorecard

Answer: B

QUESTION 162
An enterprise is concerned with the potential for data leakage as a result of increased use of social
media in the workplace, and wishes to establish a social media strategy. Which of the following
should be the MOST important consideration in developing this strategy?

A. Criticality of the information
B. Ensuring that the enterprise architecture (EA) is updated
C. Data ownership
D. The balance between business benefits and risk

Answer: A

QUESTION 163
The CIO of an international enterprise is considering the use of an offshore cloud service provider
to store customer data. Which of the following should be the MOST important consideration when
making this decision?

A. IT service delivery roles and responsibilities
B. Compliance with applicable legislation
C. Likelihood of natural disasters
D. The cloud service provider's reputation

Answer: B

QUESTION 164
Which of the following BEST indicates the success of an enterprise's IT governance framework
after implementation?

A. A high percentage of business owners involved with the approval of the IT strategic plan
B. A high percentage of IT systems complying with corporate information security standards
C. A high percentage of IT projects delivered on time and on budget
D. A high percentage of IT investments delivering expected benefits

Answer: D

QUESTION 165
Which of the following aspects of IT governance BEST addresses the potential intellectual property
implications of a cloud service provider having a database in another country?

A. Contract management
B. Continuity planning
C. Data management
D. Security architecture

Answer: A

QUESTION 166
After shifting from lease to purchase of IT infrastructure and software licenses, an enterprise has
to pay for unexpected lease extensions causing significant cost overruns. The BEST direction for
the IT steering committee would be to establish:

A. an end-of-life program to remove aging infrastructure from the environment.
B. budget cuts to compensate for the cost overruns.
C. a program to annually review financial policy on overruns.
D. a policy to consider total cost of ownership (TCO) in investment decisions.

Answer: A

QUESTION 167
Which of the following is MOST important to the successful implementation of enterprise
architecture (EA)?

A. Developing data modeling tools
B. Managing the challenge of change
C. Reducing the cost of IT investments
D. Establishing key performance indicators (KPIs)

Answer: B

QUESTION 168
The BEST time to identify metrics to measure the performance of an IT-enabled investment is
during:

A. system implementation.
B. project initiation.
C. investment feasibility analysis.
D. business case development.

Answer: D

QUESTION 169
To meet the growing demands of a newly established business unit, IT senior management has
been tasked with changing the current IT organization model to service-oriented. With significant
growth expected of the IT organization, which of the following is the MOST important consideration
when planning for long-term IT service delivery?

A. The IT service delivery model is approved by the business.
B. An IT risk management process is in place.
C. IT is able to provide a comprehensive service catalog to the business.
D. The IT organization is able to sustain business requirements.

Answer: C

QUESTION 170
When preparing a new IT strategic plan for board approval, the MOST important consideration is to
ensure the plan identifies:

A. roles and responsibilities that link to IT objectives.
B. specific resourcing requirements for identified IT projects.
C. frameworks that will be aligned to IT programs.
D. implications of the strategy on the procurement process.

Answer: A

QUESTION 171
Which of the following should be done FIRST when defining responsibilities for ownership of
information and systems?

A. Require an information risk assessment.
B. Identify systems that are outsourced.
C. Ensure information is classified.
D. Require an inventory of information assets.

Answer: D

QUESTION 172
An enterprise is about to complete a major acquisition, and a decision has been made that both
companies will be using the parent company's IT infrastructure. Which of the following should be
done NEXT?

A. Update the enterprise architecture (EA).
B. Perform a business impact analysis (BIA).
C. Conduct a gap analysis.
D. Develop a communication plan to support the merger.

Answer: C

QUESTION 173
Following a strategic planning session, new IT objectives were announced. Which of the following
is the MOST effective way for the CIO to ensure these objectives are cascaded to IT personnel?

A. Communicate the new IT objectives during a staff meeting.
B. Define individual performance measures related to the IT objectives.
C. Establish IT management's performance measures based on the IT objectives.
D. Update the IT balanced scorecard to align with the new IT objectives.

Answer: B

QUESTION 174
When deciding to develop a system with sensitive data, which of the following is MOST important
to include in a business case?

A. A risk assessment to determine the appropriate controls
B. Updated enterprise architecture (EA)
C. Skills gap analysis
D. The additional cost of encrypting sensitive data

Answer: D

QUESTION 175
Which of the following provides the BEST evidence of an IT risk-aware culture across an enterprise?

A. Business staff report identified IT risks.
B. IT risks are communicated to the business.
C. IT risk-related policies are published.
D. The IT infrastructure is resilient.

Answer: A

QUESTION 176
An IT strategy committee wants to evaluate how well the IT department supports the business
strategy. Which of the following is the BEST method for making this determination?

A. Capability maturity assessment
B. Customer survey analysis
C. IT balanced scorecard reporting
D. IT controls assurance program

Answer: C

QUESTION 177
The MOST effective way to ensure that IT supports the agile needs of an enterprise is to:

A. perform process modeling.
B. outsource infrastructure management.
C. develop a robust enterprise architecture (EA).
D. implement open source systems.

Answer: C

QUESTION 178
Which of the following provides the BEST evidence of effective IT governance?

A. Cost savings and human resource optimization
B. Business value and customer satisfaction
C. IT risk identification and mitigation
D. Comprehensive IT policies and procedures

Answer: B

QUESTION 179
A business is considering a policy to anonymize personal data in enterprise systems. Before
making a decision, which of the following is MOST important for the IT steering committee to
consider?

A. Business impact analysis (BIA) results
B. Regulatory requirements
C. Sustainability costs to the enterprise
D. Potential implementation barriers

Answer: B

QUESTION 180
An enterprise is contracting with an outsourcing partner for a long-term engagement. The BEST
time for the enterprise to plan for the event of contract termination is when:

A. planning for the contract as part of business continuity.
B. issues surface in the contractual relationship.
C. developing the initial contract.
D. either party decides to terminate the contract.

Answer: C

QUESTION 181
The BEST way to decide how to prioritize issues identified in an IT risk and control self-assessment
(CSA) is to understand the risk and:

A. impact to the enterprise.
B. criticality of IT services affected.
C. number of IT systems affected.
D. funds required for remediation.

Answer: A

QUESTION 182
Which of the following is MOST critical to support IT governance cultural changes within an
organization?

A. Established IT monitoring and measuring
B. Regularly scheduled governance training
C. Demonstrated management commitment
D. IT governance process manuals

Answer: C

QUESTION 183
Which of the following is the PRIMARY purpose of information governance?

A. To develop control procedures that help ensure information is adequately protected throughout its
life cycle
B. To monitor the processes that deliver and enhance the value of information assets
C. To set direction for information management capabilities through prioritization and decision making
D. To ensure regulatory compliance is maintained while optimizing the utilization of information

Answer: A

QUESTION 184
Communicating which of the following to staff BEST demonstrates senior management's
commitment to IT governance?

A. Legal and regulatory requirements
B. Approved IT investment opportunities
C. Objectives and responsibilities
D. Need for enterprise architecture (EA)

Answer: C

QUESTION 185
Which of the following is the PRIMARY purpose of an effective set of key risk indicators (KRIs)?

A. Identifying possible future adverse impacts on the enterprise
B. Evaluating existing technology for risk monitoring capabilities
C. Establishing executive level buy-in of the risk program
D. Quantifying the productivity of the risk management team

Answer: A

QUESTION 186
A multinational enterprise is planning to migrate to cloud-based systems. Which of the following
should be of MOST concern to the risk management committee?

A. Cost considerations
B. Regulatory compliance
C. Resource alignment
D. Security breaches

Answer: B

QUESTION 187
An enterprise is planning to outsource data processing for personally identifiable information (PII).
When is the MOST appropriate time to define the requirements for security and privacy of
information?

A. When issuing requests for proposals (RFPs)
B. After an assessment of the current information architecture
C. When developing service level agreements (SLAs)
D. During the initial vendor selection process

Answer: A

QUESTION 188
Which of the following is the MOST important aspect of business ethics?

A. Ensuring fair and consistent vendor management practices
B. Providing equal opportunities to employees
C. Protecting stakeholders' interests
D. Complying with legal and regulatory requirements

Answer: C

QUESTION 189
Which of the following is the BEST way to ensure all enterprise employees understand the
corporate code of business conduct?

A. Conduct scheduled and random compliance audits.
B. Mandate annual ethics training that includes an exam.
C. Require external business activities be documented and reported.
D. Distribute a copy of the code and require a signature.

Answer: B

QUESTION 190
A major data leakage incident at an enterprise has resulted in a mandate to strengthen and enforce
current data governance practices. Which of the following should be done FIRST to achieve this
objective?

A. Assess data security controls.
B. Review data logs.
C. Analyze data quality.
D. Verify data owners.

Answer: A

QUESTION 191
A newly hired CIO has been told the enterprise has an established IT governance process, but
finds it is not being followed. To address this problem, the CIO should FIRST:

A. gain an understanding of the existing governance process and corporate culture.
B. replace the current governance process with one the CIO has successfully used before.
C. establish personal relationships with executive-level peers to leverage goodwill.
D. engage audit to review current governance processes and validate the CIO's concerns.

Answer: A

QUESTION 192
Which of the following should be the FIRST step in updating an IT strategic plan?

A. Revise the enterprise architecture (EA).
B. Review IT performance objectives and indicators.
C. Evaluate IT capabilities and resources.
D. Identify changes in enterprise goals.

Answer: D

QUESTION 193
Which of the following would be MOST useful for prioritizing IT improvement initiatives to achieve
desired business outcomes?

A. Budget variance analysis
B. Enterprise architecture (EA)
C. IT skills matrix
D. Portfolio management

Answer: D

QUESTION 194
Which of the following is the BEST method to confirm whether a pilot project was successful?

A. Determine whether the pilot aligns with the as-is enterprise architecture (EA).
B. Evaluate whether the pilot project achieved planned schedule and cost.
C. Assess the results of the pilot project against the expected performance outcomes.
D. Review the metrics recorded in the IT balanced scorecard.

Answer: C

QUESTION 195
The CIO of a large enterprise has taken the necessary steps to align IT objectives with business
objectives. What is the BEST way for the CIO to ensure these objectives are delivered effectively
by IT staff?

A. Map the IT objectives to an industry-accepted framework.
B. Enhance the budget for training based on the IT objectives.
C. Include the IT objectives in staff performance plans.
D. Include CIO sign-off of the objectives as part of the IT strategic plan.

Answer: B

QUESTION 196
The CIO of a large enterprise has taken the necessary steps to align IT objectives with business
objectives. What is the BEST way for the CIO to ensure these objectives are delivered effectively
by IT staff?

A. Map the IT objectives to an industry-accepted framework.
B. Enhance the budget for training based on the IT objectives.
C. Include the IT objectives in staff performance plans.
D. Include CIO sign-off of the objectives as part of the IT strategic plan.

Answer: B

QUESTION 197
An IT manager is trying to determine optimal IT service levels. Which of the following should be the
PRIMARY consideration?

A. Internal rate of return
B. Recovery time objective (RTO)
C. Cost-benefit analysis
D. Resource utilization analysis

Answer: C

QUESTION 198
The board of directors of a large organization has directed IT senior management to improve IT
governance within the organization. IT senior management's MOST important course of action
should be to:

A. understand the driver that led to a desire to change.
B. assess the current state of IT governance within the organization.
C. review IT strategy and direction.
D. analyze IT service levels and performance.

Answer: B

QUESTION 199
When assessing the impact of a new regulatory requirement, which of the following should be the
FIRST course of action?

A. Update affected IT policies.
B. Assess the budget impact of the new regulation.
C. Map the regulation to business processes.
D. Implement new regulatory requirements.

Answer: C

QUESTION 200
An IT strategy committee has reviewed an audit report indicating sales employees are using
personal smartphones to conduct corporate business. Although the committee appreciates the
business benefits, it is also concerned with the security risk. To deliver the business benefit, what
should be the committee's FIRST recommendation?

A. Document procedures for securing personal devices.
B. Improve training courses on securing corporate information.
C. Perform a risk assessment on personal device data protection.
D. Update the corporate security policy to include personal devices.

Answer: B

QUESTION 201
An enterprise has made the strategic decision to reduce operating costs for the next year and is
taking advantage of cost reductions offered by an external cloud service provider. Which of the
following should be the IT steering committee's PRIMARY concern?

A. Calculating the cost of the current solution
B. Updating the business risk profile
C. Changing the IT steering committee charter
D. Revising the business's balanced scorecard

Answer: A

QUESTION 202
Which of the following should be the PRIMARY goal of implementing an IT strategic planning
process?

A. Determining benefits from IT deployments
B. Optimizing IT resources to drive innovation
C. Directing business strategy to achieve goals
D. Translating business needs into IT initiatives

Answer: D

QUESTION 203
A health tech enterprise wants to ensure that its in-house developed mobile app for users complies
with data privacy regulations. Which of the following should be identified FIRST when creating an
inventory of information systems and data related to the mobile app?

A. Data maintained by vendors
B. Vendors and outsourced systems
C. Application and data owners
D. Information classification scheme

Answer: D

QUESTION 204
Which of the following is the MOST important characteristic of a well-defined information
architecture?

A. It addresses key stakeholder requirements.
B. It ensures compliance with regulations.
C. It enables achievement of service level agreements (SLAs).
D. It supports IT strategic goals.

Answer: B

QUESTION 205
An enterprise wants to address the human factors of social engineering risk within the organization.
From a governance perspective, which of the following is the BEST way to mitigate this risk?

A. Distribute the social media information security policy to staff.
B. Mandate annual security awareness training.
C. Restrict access to social media.
D. Mandate security requirements be included in employee contracts.

Answer: B

QUESTION 206
Which of the following has the GREATEST influence on data quality assurance?

A. Data stewardship
B. Data encryption
C. Data classification
D. Data modeling

Answer: D

QUESTION 207
Which of the following is MOST important to consider when planning to implement a cloud-based
application for sharing documents with internal and external parties?

A. Cloud implementation model
B. User experience
C. Information ownership
D. Third-party access rights

Answer: D

QUESTION 208
In an enterprise that has worldwide business units and a centralized financial control model, which
of the following is a barrier to strategic alignment of business and IT?

A. Each business unit has its own steering committee for IT investment and prioritization.
B. Uniform portfolio management is in place throughout the business units.
C. IT is the exclusive provider of IT services to the business units.
D. The enterprise's CIO is a member of the executive committee.

Answer: A

QUESTION 209
An enterprise's executive team has recently released a new IT strategy and related objectives.
Which of the following would be the MOST effective way for the CIO to ensure IT personnel are
supporting the new strategy's objectives?

A. Measure progress towards IT objectives and communicate the results to IT staff.
B. Incorporate IT objectives into individual performance evaluations.
C. Develop communication materials to promote the new IT strategy and objectives.
D. Require IT managers to assign activities aligned to the IT objectives.

Answer: D

QUESTION 210
The PRIMARY reason for using quantitative criteria in developing business cases for IT projects is
to:

A. improve the process of evaluating returns after implementation.
B. benchmark project success with similar enterprises.
C. learn lessons from errors made in past projects.
D. apply other corporate standards to the development project.

Answer: A

QUESTION 211
Which of the following is the MOST important reason to include internal audit as a stakeholder
when establishing clear roles for the governance of IT?

A. Internal audit has knowledge and technical expertise to advise on IT infrastructure.
B. Internal audit is accountable for the overall enterprise governance of IT.
C. Internal audit implements controls over IT risks and security.
D. Internal audit provides input on relevant issues and control processes.

Answer: D

QUESTION 212
When developing an IT governance framework, it is MOST important for an enterprise to consider:

A. information technology risk.
B. framework development cost.
C. information technology strategy.
D. stakeholders' support.

Answer: D

QUESTION 213
To ensure that information can be traced to the originating event and accountable parties, an
enterprise should FIRST:

A. capture source information and supporting evidence.
B. improve business process controls.
C. review information event logs for potential incidents.
D. review retention requirements for source information.

Answer: D

QUESTION 214
An enterprise has developed a new digital strategy to improve fraud detection. Which of the
following is MOST important to consider when updating the information architecture?

A. Resource constraints related to implementing the digital strategy
B. The business use cases supporting the digital strategy
C. Changes to the legacy business and data architectures
D. The history of fraud incidents and their root causes

Answer: D

QUESTION 215
A software company's products have had significant quality issues in recent releases. As a result,
market reputation and customer satisfaction ratings have been suffering. What should executive
leadership do FIRST to address this concern?

A. Allocate budget to hire more software and quality assurance specialists.
B. Implement a software development life cycle (SDLC) framework.
C. Mandate more robust software testing prior to release.
D. Require a root cause analysis and review results.

Answer: D

QUESTION 216
An enterprise's board of directors has determined that IT is not sufficiently supporting its corporate
objectives, and has established a committee to address this problem. Which of the following should
be the committee's FIRST action?

A. Implement a continuous improvement plan.
B. Specify IT human resource performance measures.
C. Create an IT strategic plan.
D. Develop a service level management plan.

Answer: C

QUESTION 217
The CEO of an organization is concerned that there are inconsistencies in the way information
assets are classified across the enterprise. Which of the following is the BEST way for the CIO
to address these concerns?

A. Include data assets in the IT inventory.
B. Identify data owners across the enterprise.
C. Require enterprise risk assessments.
D. Implement enterprise data governance.

Answer: D

QUESTION 218
The PRIMARY objective of promoting business ethics within the IT enterprise should be to ensure:

A. trust among internal and external stakeholders.
B. employees act more responsibly.
C. corporate social responsibility.
D. legal and regulatory compliance.

Answer: A

QUESTION 219
The PRIMARY reason for periodically evaluating IT resource staffing requirements is to:

A. ascertain the IT function has sufficient skilled staff to maintain daily operations.
B. ensure the enterprise has sufficient resources to address changing business and IT needs.
C. verify that human resource recruitment and retention processes meet enterprise IT objectives.
D. confirm IT-related responsibilities are defined for the enterprise's business and IT staff.

Answer: B

QUESTION 220
Which of the following BEST indicates that a change management process has been implemented
successfully?

A. Maturity levels
B. Degree of control
C. Process performance
D. Outcome measures

Answer: C

QUESTION 221
Following a re-prioritization of business objectives by management, which of the following should
be performed FIRST to allocate resources to IT processes?

A. Perform a maturity assessment.
B. Implement a RACI model.
C. Refine the human resource management plan.
D. Update the IT strategy.

Answer: C

QUESTION 222
IT security is concerned with employees' increasing use of personal equipment for work-related
purposes, while employees claim it allows them to be more productive. A decision on whether to
modify the enterprise information security policy should be based on:

A. audit findings.
B. user access approval procedures.
C. the impact to security.
D. a risk and benefit evaluation.

Answer: D

QUESTION 223
Which of the following resource categories includes skill sets, certifications, productivity, and
morale?

A. Partners
B. Processes
C. People
D. Products

Answer: C

QUESTION 224
In which of the following editions of COBIT was "Management Guidelines" added?

A. The third edition
B. The first edition
C. The fourth edition
D. The second edition

Answer: D

QUESTION 225
A newly established IT steering committee is concerned whether a system is meeting availability
objectives. Which of the following will provide the BEST information to make an assessment?

A. Balanced scorecard
B. Capability maturity levels
C. Performance indicators
D. Critical success factors (CSFs)

Answer: B

QUESTION 226
Which of the following is the BEST method to monitor IT governance effectiveness?

A. Service level management
B. Balanced scorecard
C. Risk control self-assessment (CSA)
D. SWOT analysis

Answer: B

QUESTION 227
A newly established IT steering committee is concerned whether a system is meeting availability
objectives. Which of the following will provide the BEST information to make an assessment?

A. Balanced scorecard
B. Capability maturity levels
C. Performance indicators
D. Critical success factors (CSFs)

Answer: C

QUESTION 228
An IT audit reveals inconsistent maintenance of data privacy in enterprise systems primarily due to
a lack of data sensitivity categorizations. Once the categorizations are defined, what is the BEST
long-term strategic response by IT governance to address this problem?

A. Standardize data classification processes throughout the enterprise.
B. Incorporate enterprise privacy categorizations into contracts.
C. Require business impact analyses (BIAs) for enterprise systems.
D. Reassess the data governance policy.

Answer: A

QUESTION 229
A new and expanding enterprise has recently received a report indicating 90% of its data has been
collected in just the last six months, triggering data breach and privacy concerns. What should be
the IT steering committee's FIRST course of action to ensure new data is managed effectively?

A. Mitigate and track data-related issues and risks.
B. Modify legal and regulatory data requirements.
C. Define data protection and privacy practices.
D. Assess the information governance framework.

Answer: C

QUESTION 230
An enterprise is planning to replace multiple enterprise resource planning (ERP) systems at various
regions with one company-wide ERP system. The main objective of this change is to achieve
economies of scale efficiencies resulting in cost reductions. To meet this objective, what is the
BEST approach in the planning phase of the project?

A. Implement an ERP system on shared resources with the lowest cost.
B. Minimize customization by standardizing ERP processes across regions.
C. Adopt a best-in-breed web-based architecture for the ERP system.
D. Use a service provider to evaluate and implement the new ERP processes.

Answer: B

QUESTION 231
While monitoring an enterprise's IT projects portfolio, it is discovered that a project is 75% complete,
but all budgeted resources have been expended. Which of the following is the MOST important
task to perform?

A. Review the IT investments.
B. Reorganize the IT projects portfolio.
C. Re-evaluate the business case.
D. Review the IT governance structure.

Answer: C

QUESTION 232
Six months ago, an enterprise's CIO reorganized IT to improve service delivery to the business.
Which of the following would BEST demonstrate the effectiveness of the reorganization?

A. The number of help desk calls
B. A balanced scorecard
C. A survey of IT staff
D. IT cost reduction

Answer: B

QUESTION 233
Which of the following examples are included in the general controls embedded in IT processes
and services?
Each correct answer represents a complete solution. Choose all that apply.

A. Completeness
B. Change management
C. Systems development
D. Accuracy

Answer: BC

QUESTION 234
Which of the following is a process that occurs due to mergers, outsourcing or changing business
needs?

A. Voluntary exit
B. Plant closing
C. Involuntary exit
D. Outplacement

Answer: C

QUESTION 235
An enterprise has made the strategic decision to reduce operating costs for the next year and is
taking advantage of cost reductions offered by an external cloud service provider. Which of the
following should be the IT steering committee's PRIMARY concern?

A. Revising the business's balanced scorecard
B. Updating the business risk profile
C. Changing the IT steering committee charter
D. Calculating the cost of the current solution

Answer: B

QUESTION 236
An IT investment review board wants to ensure that IT will be able to support business initiatives.
Each initiative is comprised of several interrelated IT projects. Which of the following would help
ensure that the initiatives meet their goals?

A. Review of project management methodology
B. Review of the business case for each initiative
C. Establishment of portfolio management
D. Verification of initiatives against the architecture

Answer: B

QUESTION 237
It has been discovered that multiple business units across an enterprise are using duplicate IT
applications and services to fulfill their individual needs. Which of the following would be MOST
helpful to address this concern?

A. Enterprise architecture (EA)
B. Enterprise risk framework
C. IT service management
D. IT project roadmap

Answer: C

QUESTION 238
Results of an enterprise's customer survey indicate customers prefer using mobile applications.
However, this same survey shows the enterprise's mobile applications are considered inferior
compared to legacy browser-based applications. Which of the following should be the FIRST step
in creating an effective long-term mobile application strategy?

A. Establish service level agreements (SLAs) with the development team.
B. Identify key risks and mitigation strategies for mobile applications.
C. Implement key performance indicators (KPIs) that include application quality.
D. Identify business requirements concerning mobile applications.

Answer: D

QUESTION 239
Which of the following is the GREATEST impact to an enterprise that has ineffective information
architecture?

A. Poor desktop service delivery
B. Data retention
C. Redundant systems
D. Poor business decisions

Answer: D

QUESTION 240
Of the following, who should be responsible for ensuring the regular review of quality management
performance against defined quality metrics?

A. Process owners
B. Risk management team
C. Internal auditors
D. Executive management

Answer: A

QUESTION 241
An enterprise experiencing issues with data protection and least privilege is implementing
enterprise-wide data encryption in response Which of the following is the BEST approach to ensure
all business units work toward remediating these issues?

A. Develop key performance indicators (KPIs) to measure enterprise adoption.
B. Integrate data encryption requirements into existing and planned projects.
C. Assign owners for data governance initiatives.
D. Mandate the creation of a data governance framework.

Answer: B

QUESTION 242
Senior management wants to promote investment in IT, but is uncertain that associated risks are
being properly identified. The BEST way to address this concern is to:

A. engage an external consultant to develop risk scenarios.
B. appoint an IT representative to the business risk committee.
C. assign an IT cost controller to the finance department.
D. ensure business cases are developed by IT.

Answer: D

QUESTION 243
Which of the following represents the GREATEST challenge to implementing IT governance?

A. Determining the best practice to follow
B. Planning the project itself
C. Developing a business case
D. Applying behavioral change management

Answer: D

QUESTION 244
Which of the following is the BEST method for making a strategic decision to invest in cloud services?

A. Prepare a business case.
B. Prepare a request for information (RFI).
C. Benchmarking.
D. Define a balanced scorecard.

Answer: A

QUESTION 245
An enterprise is developing several consumer-based services using emerging technologies
involving sensitive personal data.
The CIO is under pressure to ensure the enterprise is first to market, but security scan results have
not been adequately addressed.
Reviewing which of the following will enable the CIO to make the BEST decision for the customers?

A. Acceptable use policy
B. Risk register
C. Ethics standards
D. Change management policy

Answer: B

QUESTION 246
An organization's board of directors has questioned the value provided by IT key performance
indicators (KPIs). Which of the following is the BEST way to determine whether the KPIs adequately
support organizational objectives?

A. Define a strategy for IT measurement.
B. Define policies and procedures around current KPIs.
C. Review the KPIs with key business executives.
D. Work directly with the CEO to identify what measures should be used.

Answer: C

QUESTION 247
In which of the following types of biases does the data collection itself interfere with the process it
is measuring?

A. Interaction
B. Nonresponse
C. Perception
D. Operational

Answer: A

QUESTION 248
Which of the following objectives can be BEST coordinated with human resource
management?

A. Increasing the automation of the business processes
B. Satisfying the business needs
C. Rewarding employees fairly
D. Focusing on the business improvements

Answer: B

QUESTION 249
An enterprise is evaluating a possible strategic initiative for which IT would be the main driver.
There are several risk scenarios associated with the initiative that have been identified. Which of
the following should be done FIRST to facilitate a decision?

A. Define the risk mitigation strategy.
B. Assess the impact of each risk.
C. Establish a baseline for each initiative.
D. Select qualified personnel to manage the project.

Answer: B

QUESTION 250
Enterprise IT has overseen the implementation of an array of data services with overlapping
functionality leading to business inefficiencies. Which of the following is the MOST likely cause of
this situation?

A. Insufficient information architecture
B. Ineffective project management
C. An outdated service level agreement (SLA)
D. An incomplete cost-benefit analysis

Answer: A

QUESTION 251
Which of the following would be the BEST way to facilitate the adoption of strong IT governance
practices throughout a multi-divisional enterprise?

A. Ensuring each divisional policy is consistent with corporate policy
B. Ensuring divisional governance fosters continuous improvement processes
C. Mandating data standardization across the distributed enterprise
D. Documenting and communicating key management practices across divisions

Answer: D

QUESTION 252
An enterprise considers implementing a system that uses a technology that is not in line with its IT
strategy. The business case indicates significant benefit to the enterprise. Which of the following is
the BEST way to manage this situation within an IT governance framework?

A. Update the IT strategy to align with the new technology.
B. Initiate an operational change request.
C. Reject based on non-alignment.
D. Address as part of an architecture exception process.

Answer: B

QUESTION 253
Which of the following groups should approve the implementation of new technology?

A. IT steering committee
B. IT audit department
C. Portfolio management office
D. Program management office

Answer: A

QUESTION 254
A regulatory audit assessed an enterprise's main transactional application as noncompliant. In
addition to fines and required corrections, an agreement was reached to implement a set of
governance controls over IT. Accountability for these controls is BEST assigned to which of the
following?

A. CIO
B. Internal audit director
C. Application users
D. The board of directors

Answer: D

QUESTION 255
An enterprise can BEST assess the benefits of a new IT project through its life cycle by:

A. calculation of the total cost of ownership.
B. periodic review of the business case.
C. periodic measurement of the project slip rate.
D. calculation of the net present value (NPV).

Answer: A

QUESTION 256
The PRIMARY reason for an enterprise to adopt an IT governance framework is to:

A. assure IT sustains and extends the enterprise strategies and objectives.
B. expedite IT investments among other competing business investments.
C. establish IT initiatives focused on the business strategy.
D. allow IT to optimize confidentiality, integrity, and availability of information assets.

Answer: A

QUESTION 257
Which of the following is the BEST approach when reviewing the security status of a new business
acquisition?

A. Embed IT risk management strategies in service level agreements (SLAs).
B. Establish a committee to oversee the alignment of IT security in new businesses.
C. Incorporate IT security objectives to cover additional risks associated with new businesses.
D. Integrate IT risk assessment into the overall due diligence process.

Answer: D

QUESTION 258
The board of directors of an enterprise has approved a three-year IT strategic program to centralize
the core business processes of its global entities into one core system. Which of the following
should be the CIO's NEXT step?

A. Engage a team to perform a business impact analysis (BIA).
B. Require the development of a risk management plan.
C. Determine resource requirements for program implementation.
D. Require the development of a program roadmap.

Answer: D

QUESTION 259
An organization supports both programs and projects for various industries. What is a portfolio?

A. A portfolio describes all of the monies that are invested in the organization.
B. A portfolio is the total amount of funds that have been invested in programs, projects, and
operations.
C. A portfolio describes any project or program within one industry or application area.
D. A portfolio describes the organization of related projects, programs, and operations.

Answer: D

QUESTION 260
Which of the following steps are performed in the Planning phase of IT Assurance methodology?
Each correct answer represents a complete solution. Choose all that apply.

A. Plan the risk-based assurance initiatives.
B. Scope and plan assurance initiatives.
C. Perform a quick risk assessment.
D. Assess process maturity.

Answer: ACD

QUESTION 261
The PRIMARY benefit of integrating IT resource planning into enterprise strategic planning is that
it enables the enterprise to:

A. allocate resources efficiently to achieve desired goals.
B. adjust business goals depending upon resource availability.
C. prioritize resource allocation based on sourcing strategy.
D. develop tactical plans to achieve resource optimization.

Answer: A

QUESTION 262
An enterprise is implementing a new IT governance program. Which of the following is the BEST
way to increase the likelihood of its success?

A. The IT steering committee approves the implementation efforts.
B. The CIO communicates why IT governance is important to the enterprise.
C. Implementation follows an IT audit recommendation.
D. The CIO issues a mandate for adherence to the program.

Answer: A

QUESTION 263
Which of the following is the PRIMARY element in sustaining an effective governance framework?

A. Identification of optimal business resources
B. Establishment of a performance metric system
C. Ranking of critical business risks
D. Assurance of the execution of business controls

Answer: B

QUESTION 264
A global financial enterprise has been experiencing a substantial number of information security
incidents that have directly affected its business reputation. Which of the following should be the IT
governance board's FIRST course of action?

A. Require revisions to how security incidents are managed by the IT department.
B. Request an IT security assessment to identify the main security gaps.
C. Execute an IT maturity assessment of the security process.
D. Mandate an update to the enterprise's IT security policy.

Answer: B

QUESTION 265
An enterprise has had the same IT governance framework in place for several years. Currently,
large and small capital projects go through the same architectural governance reviews. Despite
repeated requests to streamline the review process for small capital projects, business units have
received no response from IT. The business units have recently escalated this issue to the newly
appointed CIO. Which of the following should be done FIRST to begin addressing business needs?

A. Create a central repository for the business to submit requests.
B. Explain the importance of the IT governance framework.
C. Assess the impact of the proposed change.
D. Assign a project team to implement necessary changes.

Answer: C

QUESTION 266
Which of the following is MOST critical for the successful implementation of an IT process?

A. Process framework
B. Service delivery process model
C. Objectives and metrics
D. IT process assessment

Answer: B

QUESTION 267
The board of directors has mandated the use of geolocation software to track mobile assets
assigned to employees who travel outside of their home country. To comply with this mandate, the
IT steering committee should FIRST request:

A. the inclusion of mandatory training for remote device users.
B. an architectural review to determine appropriate solution design.
C. an assessment to determine if data privacy protection is addressed.
D. an update to the acceptable use policy.

Answer: C

QUESTION 268
An analysis of an organization's security breach is complete. The results indicate that the quality
of the code used for updates to its primary customer-facing software has been declining and
security flaws were introduced. The FIRST IT governance action to correct this problem should be
to review:

A. compliance with the user testing process.
B. the change management control framework.
C. the qualifications of developers to write secure code.
D. the incident response plan.

Answer: B

QUESTION 269
Which of the following is the MOST effective way of assessing enterprise risk?

A. Business impact analysis (BIA)
B. Business vulnerability assessment
C. Likelihood of threat analysis
D. Operational risk assessment

Answer: D

QUESTION 270
A CIO must determine if IT staff have adequate skills to deliver on key strategic objectives. Which
of the following will provide the MOST useful information?

A. Employee performance metrics
B. Project risk reports
C. Gap analysis results
D. Training program statistics

Answer: C

QUESTION 271
When evaluating benefits realization of IT process performance, the analysis MUST be based on:

A. key business objectives.
B. industry standard key performance indicators (KPIs).
C. portfolio prioritization criteria.
D. IT risk policies.

Answer: A

QUESTION 272
Paul has been asked to complete a SWOT analysis for his solution scope. What does SWOT analysis
mean?

A. Stakeholder Weaknesses, Organizational Threats
B. Strengths, Weaknesses, Opportunities, Threats
C. Strengths, Weaknesses, Opportunities, Time
D. Stakeholders Weaknesses, Organization, Threats

Answer: B

QUESTION 273
Which of the following are attributes of COBIT's generic maturity model?
Each correct answer represents a complete solution. Choose all that apply.

A. Policies, plans and procedures
B. Tools and automation
C. Awareness and communication
D. Availability and accessibility

Answer: ABC

QUESTION 274
Which of the following is the MOST important driver of IT governance?

A. Effective internal controls
B. Management transparency
C. Quality measurement
D. Technical excellence

Answer: B

QUESTION 275
A global enterprise is experiencing an economic downturn and is rapidly losing market share. IT
senior management is reassessing the core activities of the business, including IT, and the
associated resource implications. Management has decided to focus on its local market and to
close international operations. A critical issue from a resource management perspective is to retain
the most capable staff. This is BEST achieved by:

A. reviewing current goals-based performance appraisals across the enterprise.
B. ranking employees across the enterprise based on their compensation.
C. ranking employees across the enterprise based on length of service.
D. retaining capable staff exclusively from the local market.

Answer: D

QUESTION 276
An IT steering committee is presented with an audit finding that new software applications are
delivered on time but consistently have unacceptable levels of defects. Which of the following would
be the BEST direction from the committee?

A. Implement performance indicators.
B. Evaluate the change management process.
C. Establish code peer reviews.
D. Evaluate the quality assurance process.

Answer: D

QUESTION 277
A CIO is concerned with the potential of vendor system failures that could cause a large amount of
unintended system downtime. To determine how to prepare for this concern, what is MOST
important for the CIO to review?

A. IT balanced scorecard
B. Service-level metrics
C. IT procurement policy
D. Business impact analysis (BIA)

Answer: D

QUESTION 278
The BEST way to manage continuous improvement of governance-related processes is to:

A. assess existing process resource capacities.
B. define accountability based on roles and responsibilities.
C. apply effective quality management practices.
D. require third-party independent reviews.

Answer: C

QUESTION 279
Which of the following would BEST enable business innovation through IT?

A. Outsourcing of IT to a strategic business partner
B. Business participation in IT strategy development
C. Adoption of a standardized business development life cycle
D. IT participation in business strategy development

Answer: D

QUESTION 280
Acceptance of an enterprise's newly implemented IT governance initiatives has been resisted by a
functional group requesting more autonomy over technology choices. Which of the following is
MOST important to accommodate this need for autonomy?

A. Continuous improvement processes
B. Documentation of key management practices
C. An exception management process
D. A change control process

Answer: D

QUESTION 281
A board of directors wants to ensure the enterprise is responsive to changes in its environment that
would directly impact critical business processes. Which of the following will BEST facilitate meeting
this objective?

A. Scheduling frequent threat analyses
B. Monitoring key risk indicators (KRIs)
C. Regularly reviewing the enterprise risk appetite
D. Implementing a competitive intelligence tool

Answer: B

QUESTION 282
Which of the following is the PRIMARY consideration when developing an information asset
management program?

A. Operational requirements
B. Industry best practice
C. Cost benefit
D. Regulatory requirements

Answer: A

QUESTION 283
An enterprise is determining the objectives for an IT training improvement initiative from a
governance perspective, it would be MOST important to ensure that:

A. policies and processes address both enterprise requirements and professional growth
B. courses of instruction that will maximize employee productivity are identified
C. several different training strategies are created for final approval by the CIO
D. IT employees are surveyed and interviewed to identify development needs

Answer: A

QUESTION 284
Which of the following is the BEST way to maximize the value of an enterprise's information asset
base?

A. Seek additional opportunities to leverage existing information assets.
B. Facilitate widespread user access to all information assets
C. Regularly purge information assets to minimize maintenance costs
D. Implement an automated information management platform

Answer: D

QUESTION 285
The PRIMARY benefit of using an IT service catalog as part of the IT governance program is that
it:

A. ensures IT effectively meets future business needs.
B. provides a foundation for measuring IT performance.
C. improves the ability to allocate IT resources
D. establishes enterprise performance metrics per service

Answer: A

QUESTION 286
When developing an IT strategic plan that supports an enterprise's business goals, which of the
following should be done FIRST?

A. Ensure that IT drives business goals
B. Analyze benchmarking data
C. Understand the current vision
D. Perform a business impact analysis (BIA)

Answer: C

QUESTION 287
The PRIMARY reason for implementing an IT governance program in an enterprise is to:

A. balance the demand for information and the ability to deliver.
B. comply with regulatory requirements.
C. reduce risks due to improved compensating controls.
D. decrease the scale of investment in information systems due to budgetary controls.

Answer: A

QUESTION 288
Which of the following is the BEST way to address an IT audit finding that many enterprise
application updates lack appropriate documentation?

A. Enforce change control procedures.
B. Conduct software quality audits.
C. Review the application development life cycle.
D. Add change control to the risk register.

Answer: B

QUESTION 289
Which of the following is the GREATEST benefit of using a quantitative risk assessment method?

A. It uses resources more efficiently
B. It can be used to assess risks against non-tangible assets
C. It reduces subjectivity
D. It helps in prioritizing risk response action plans

Answer: C

QUESTION 290
Following the rollout of an enterprise IT software solution that hosts sensitive data, it was discovered
that the application's role-based access control was not functioning as specified. Which of the
following is the BEST way to prevent reoccurrence in the future?

A. Ensure supplier contracts include penalties if solutions do not meet functional requirements
B. Ensure the evaluation process requires independent assessment of solutions prior to
implementation
C. Ensure supplier contracts include a provision for the right to audit on an annual basis
D. Ensure procurement processes require the identification of alternate vendors to ensure business
continuity.

Answer: B

QUESTION 291
An enterprise is considering outsourcing non-core IT processes. Which of the following should be
the FIRST step?

A. Update resource allocation policies.
B. Conduct a cost-benefit analysis for outsourcing.
C. Issue a formal request for proposal to outsourcing vendors.
D. Establish service level metrics for outsourced activities

Answer: B

QUESTION 292
The board of directors of an enterprise has questioned whether the business is focused on
optimizing value. The IT strategy committee's BEST action to address the board's concern is to:

A. initiate reporting and review of key IT performance metrics.
B. conduct a portfolio review to assess the benefits realization of IT investments.
C. conduct a benchmark to assess IT value relative to competitors.
D. form a technology council to monitor the efficiency of project implementation.

Answer: A

QUESTION 293
Which of the following activities MUST be completed before developing an IT strategic plan?

A. Review the enterprise business plan
B. Align the enterprise vision statement with business processes
C. Develop an enterprise architecture (EA) framework
D. Review the enterprise risk tolerance level

Answer: A

QUESTION 294
Which of the following is the BEST indication that information security requirements are taken into
consideration when developing IT processes?

A. The database is deployed in a distributed processing platform
B. The information architecture incorporates data classification
C. Customer profiles are stored with a domestic service provider
D. The integrity of sensitive information is periodically reviewed

Answer: B

QUESTION 295
To minimize the potential mishandling of customer personal information in a system located in a
country with strict privacy regulations, which of the following is the BEST action to take?

A. Update the information architecture
B. Revise the IT strategic plan
C. Implement data loss prevention (DLP)
D. Establish new IT key risk indicators (KRIs)

Answer: A

QUESTION 296
The IT department has determined that problems with a business report are due to quality issues
within a set of data. To whom should IT refer the matter for resolution?

A. Internal audit
B. Data architect
C. Business analyst
D. Data steward

Answer: D

QUESTION 297
Which of the following is the MOST important consideration when developing a new IT service?

A. Return on investment (ROI)
B. Resource requirements
C. Service level agreements (SLAs)
D. Economies of scale

Answer: A

QUESTION 298
Which of the following BEST facilitates governance oversight of data protection measures?

A. Information ownership
B. Information classification
C. Information custodianship
D. Information life cycle management

Answer: B

QUESTION 299
An airline wants to launch a new program involving the use of artificial intelligence (AI) and machine
learning. The main objective of the program is to use customer behavior to determine new routes
and markets. Which of the following should be done NEXT?

A. Consult with the enterprise privacy function
B. Define the critical success factors (CSFs)
C. Present the proposal to the IT strategy committee
D. Perform a business impact analysis (BIA)

Answer: A

QUESTION 300
Which of the following BEST facilitates the standardization of IT vendor selection?

A. Cost-benefit analysis
B. Contract management office
C. Service level agreements (SLAs)
D. Procurement framework

Answer: D

QUESTION 301
An IT governance committee is defining a risk management policy for a portfolio of IT-enabled
investments. Which of the following should be the PRIMARY consideration when developing the
policy?

A. Risk management framework
B. Possible investment failures
C. Value obtained with minimum risk
D. Risk appetite of the enterprise

Answer: D

QUESTION 302
An internal audit revealed a widespread perception that the enterprise's IT governance reporting
lacks transparency. Which of the following should the CIO do FIRST?

A. Add stakeholder transparency metrics to the balanced scorecard
B. Develop a communication and awareness strategy
C. Meet with key stakeholders to understand their concerns
D. Adopt an industry-recognized template to standardize reports.

Answer: C

QUESTION 303
An enterprise has decided to execute a risk self-assessment to identify improvement opportunities
for current IT services. Which of the following is MOST important to address in the assessment?

A. Related business risk
B. Residual IT risk
C. Mapping of business objectives to IT risk
D. IT capability and performance measures

Answer: A

QUESTION 304
Which of the following is MOST important for IT governance to have in place to ensure the
enterprise can maintain operations during extensive system downtime?

A. Fault-tolerant hardware
B. An incident response plan
C. A crisis communications plan
D. A business continuity plan (BCP)

Answer: A

QUESTION 305
Which of the following is MOST important for an enterprise to review when classifying information
assets?

A. Procedures for information handling
B. Requirements for information retention
C. Media used for storage and backup
D. Impact of information exposure

Answer: D

QUESTION 306
Which of the following is MOST important to document for a business ethics program?

A. Guiding principles and best practices
B. Violation response matrix
C. Whistle-blower protection protocols.
D. Employee awareness and training content

Answer: A

QUESTION 307
Which of the following is the BEST outcome measure to determine the effectiveness of IT risk
management processes?

A. Frequency of updates to the IT risk register
B. Time lag between when IT risk is identified and the enterprise's response
C. Number of events impacting business processes due to delays in responding to risks
D. Percentage of business users satisfied with the quality of risk training

Answer: C

QUESTION 308
An IT department outsourced application support and negotiated service level agreements (SLAs)
directly with the vendor. Although the vendor met the SLAs, business owner expectations are not
met and senior management cancels the contract. This situation can be avoided in the future by:

A. improving the business requirements gathering process
B. improving the negotiation process for service level agreements (SLAs)
C. implementing a vendor performance scorecard
D. assigning responsibility for vendor management

Answer: A

QUESTION 309
An IT value delivery framework PRIMARILY helps an enterprise:

A. increase transparency of value to the enterprise.
B. assist top management in approving IT projects.
C. improve value of successful IT projects
D. optimize value to the enterprise.

Answer: D

QUESTION 310
Which of the following IT governance practices would BEST support IT and enterprise strategic
alignment?

A. An IT communication plan is continuously updated
B. External consultants regularly review the IT portfolio
C. Senior management regularly reviews the IT portfolio
D. IT service level agreements (SLAs) are periodically updated

Answer: C

QUESTION 311
Which of the following is the BEST way for an organization to minimize the difference between
expected and delivered services when acquiring resources?

A. Negotiate service level agreements (SLAs)
B. Measure service delivery using industry benchmarks
C. Require quarterly benefits realization reporting
D. Include a right-to-audit clause in the contract.

Answer: A

QUESTION 312
Which of the following is the GREATEST benefit of using the life cycle approach to govern
information assets?

A. Overall costs are optimized
B. Operational costs are maintained
C. Information availability is improved
D. Compliance with regulatory requirements is ensured

Answer: A

QUESTION 313
Which of the following provides the BEST information to assess the effective alignment of IT
investments?

A. IT balanced scorecard
B. Net present value (NPV).
C. IT delivery time metrics
D. Total cost of ownership (TCO)

Answer: A

QUESTION 314
An enterprise is planning a transformation initiative by leveraging emerging technology that will
have a significant impact on existing products and services. Which of the following is the BEST way
for IT to prepare for this change?

A. Use a balanced scorecard to measure IT outcomes.
B. Analyze emerging technology products and related training needs.
C. Procure appropriate resources to support emerging technology
D. Assess the impact on the existing IT strategy

Answer: A

QUESTION 315
Which of the following would be MOST helpful to an enterprise that wants to standardize how
sensitive corporate data is handled?

A. Information classification framework
B. Enterprise risk policy
C. Enterprise risk management (ERM) framework
D. Information security policy

Answer: C

QUESTION 316
When selecting a vendor to provide services associated with a critical application, which of the
following is the MOST important consideration with respect to business continuity planning (BCP)?

A. Procuring a copy of the vendor's BCP during the contracting process
B. Testing the vendor's BCP and analyzing the results
C. Obtaining independent audit reports of the vendor's BCP
D. Evaluating whether the vendor's BCP aligns with the enterprise's BCP

Answer: B

QUESTION 317
IT management has reported difficulty retaining qualified IT personnel to support the organization's
new strategy. Given that outsourcing is not a viable approach, which of the following would be the
BEST way for IT governance to address this situation?

A. Implement an incentive-based employee referral program
B. Direct the development of a strategic HR plan for IT
C. Recommend enhancements to the online recruiting platform specific to IT
D. Work with HR to enhance compensation packages for IT personnel

Answer: B

QUESTION 318
Which of the following is the BEST approach to assist an enterprise in planning for IT-enabled
investments?

A. Enterprise architecture (EA)
B. IT process mapping
C. Task management
D. Service level management

Answer: A

QUESTION 320
Before establishing IT key risk indicators (KRIs), which of the following should be defined FIRST?

A. IT resource strategy
B. IT risk and security framework
C. IT goals and objectives
D. IT key performance indicators (KPIs)

Answer: C

QUESTION 321
Which of the following should be the CIO's GREATEST consideration when making changes to the
IT strategy?

A. Has the impact to the enterprise architecture (EA) been assessed?
B. Has the investment portfolio been revised?
C. Have key stakeholders been consulted?
D. Have IT risk metrics been adjusted?

Answer: C

QUESTION 322
An independent consultant has been hired to conduct an ad hoc audit of an enterprise's information
security office, with results reported to the IT governance committee and the board. Which of the
following is MOST important to provide to the consultant before the audit begins?

A. Acceptance of the audit risks and opportunities
B. The scope and stakeholders of the audit
C. The organizational structure of the security office
D. The policies and framework used by the security office

Answer: B

QUESTION 323
Which of the following should be the MOST important consideration when designing an
implementation plan for IT governance?

A. Principles and policies
B. Roles and responsibilities
C. Risk tolerance levels
D. Organizational culture

Answer: D

QUESTION 324
Enterprise leadership is concerned with the potential for discrimination against certain demographic
groups resulting from the use of machine learning models. What should be done FIRST to address
this concern?

A. Obtain stakeholders' input regarding the ethics associated with machine learning
B. Revise the code of conduct to discourage bias within automated processes
C. Develop a machine learning policy articulating guidelines for machine learning use
D. Assess recent case law related to the enterprise's machine learning business strategy

Answer: C

QUESTION 325
An enterprise has identified a number of plausible risk scenarios that could result in economic loss
associated with major IT investments. Which of the following is the BEST method to assess the
risk?

A. Cost-benefit analysis
B. Qualitative analysis
C. Business impact analysis (BIA)
D. Quantitative analysis

Answer: C

QUESTION 326
Which of the following roles is accountable for the confidentiality, integrity, and availability of
information within an enterprise?

A. Risk manager
B. Data owner
C. Lead legal counsel
D. Data custodian

Answer: B

QUESTION 327
Which of the following should be the PRIMARY basis for establishing categories within an
information classification scheme?

A. Information architecture
B. Industry standards
C. Information security policy
D. Business impact

Answer: D

QUESTION 328
An enterprise will be adopting wearable technology to improve business performance. Which of the
following would be the BEST way for the CIO to validate IT's preparedness for this initiative?

A. Request an enterprise architecture (EA) review.
B. Request reprioritization of the IT portfolio.
C. Perform a baseline business value assessment
D. Identify the penalties for noncompliance.

Answer: C

QUESTION 329
Which of the following is a responsibility of an IT strategy committee?

A. Providing oversight on enterprise strategy implementation
B. Approving the business strategy and its IT implications
C. Advising the board on the development of IT goals
D. Tracking projects in the IT investment portfolio

Answer: C

QUESTION 330
When establishing a risk management process, which of the following should be the FIRST step?

A. Determine the probability of occurrence
B. Identify threats
C. Identify assets
D. Assess risk exposures

Answer: C

QUESTION 331
Which of the following would be the BEST long-term solution to address the concern regarding loss
of experienced staff?

A. Implement knowledge management practices
B. Establish a mentoring program for IT staff
C. Determine key risk indicators (KRIs)
D. Retain key staff as consultants.

Answer: A

QUESTION 332
An enterprise has performed a business impact analysis (BIA) considering a number of risk
scenarios. Which of the following should the enterprise do NEXT?

A. Perform a risk controls gap analysis
B. Update the disaster recovery plan (DRP)
C. Verify compliance with relevant legislation
D. Assess risk mitigation strategies

Answer: A

QUESTION 333
An enterprise has finalized a major acquisition, and a new business strategy in line with stakeholder
needs has been introduced. To help ensure continuous alignment of IT with the new business
strategy, the CIO should FIRST:

A. review the existing IT strategy against the new business strategy.
B. revise the existing IT strategy to align with the new business strategy
C. establish a new IT strategy committee for the new enterprise
D. assess the IT cultural aspects of the acquired entity

Answer: A

QUESTION 334
An enterprise has decided to implement an IT risk management program. After establishing
stakeholder desired outcomes, the MAIN goal of the IT strategy committee should be to:

A. identify business data that requires protection.
B. perform a risk analysis on key IT processes
C. implement controls to address high risk areas
D. ensure IT risk alignment with enterprise risk

Answer: D

QUESTION 335
An enterprise has learned of a new regulation that may impact delivery of one of its core technology
services. Which of the following should be done FIRST?

A. Update the risk management framework
B. Determine whether the board wants to comply with the regulation
C. Assess the risk associated with the new regulation
D. Request an action plan from the risk team

Answer: C

QUESTION 336
The BEST way for a CIO to monitor the alignment between the business and IT strategy is to
regularly review:

A. key risk indicators (KRIs)
B. IT services supporting business processes
C. the balanced scorecard
D. the risk register

Answer: B

QUESTION 337
The FIRST step in aligning resource management to the enterprise's IT strategic plan would be to:

A. develop a responsible, accountable, consulted and informed (RACI) chart
B. assign appropriate roles and responsibilities
C. perform a gap analysis
D. identify outsourcing opportunities

Answer: C

QUESTION 338
Which of the following should a new CIO do FIRST to ensure information assets are effectively
governed?

A. Quantify the business value of information assets
B. Perform an information gap analysis
C. Review information classification procedures
D. Evaluate information access methods

Answer: C

QUESTION 339
An IT steering committee wants to select a disaster recovery site based on available risk data.
Which of the following would BEST enable the mapping of cost to risk?

A. Key risk indicators (KRIs)
B. Scenario-based assessment
C. Business impact analysis (BIA)
D. Qualitative forecasting

Answer: B

QUESTION 340
An enterprise incurred penalties for noncompliance with privacy regulations. Which of the following
is MOST important to ensure appropriate ownership of access controls to address this deficiency?

A. Granting access to information based on information architecture
B. Engaging an audit of logical access controls and related security policies
C. Implementing multi-factor authentication controls
D. Authenticating access to information assets based on roles or business rules

Answer: D

QUESTION 341
Which of the following would BEST support an enterprise's initiative to incorporate desired
organizational behaviors into the IT governance framework?

A. Enterprise code of ethics
B. Risk mitigation strategies and action plans
C. Documented consequences for noncompliance
D. Enterprise RACI matrix

Answer: A

QUESTION 342
To develop appropriate measures to improve organizational performance, the measures MUST be:

A. a result of benchmarking and comparative analysis.
B. accepted by and meaningful to the stakeholders.
C. based on existing and validated data sources.
D. approved by the IT steering committee.

Answer: B

QUESTION 343
When considering an IT change that would enable a potential new line of business, the FIRST
strategic step for IT governance would be to ensure agreement among the stakeholders regarding:

A. objectives to achieve goals.
B. metrics to measure effectiveness.
C. a vision for the future state.
D. a change response plan.

Answer: C

QUESTION 344
Which of the following should be the PRIMARY consideration for an enterprise when prioritizing IT
projects?

A. Technical capability of the enterprise to execute the projects
B. Process owner expectations based on operational benefits
C. Results of IT performance benchmarks against competitors
D. Impact on the business due to expected project outcomes

Answer: D

QUESTION 345
An enterprise is planning to migrate its IT infrastructure to a cloud-based solution but does not have
experience with this technology. Which of the following should be done FIRST to reduce the risk of
IT service disruptions when using this new technology?

A. Implement key performance indicators (KPIs).
B. Reflect the change in the enterprise architecture (EA).
C. Evaluate the sourcing options.
D. Engage an experienced IT consultant to perform the migration.

Answer: B

QUESTION 346
Which of the following roles should be responsible for data normalization when it is found that a
new system includes duplicates of data items?

A. Business system owner
B. Data steward
C. Database administrator (DBA)
D. Application manager

Answer: C

QUESTION 347
As part of the implementation of IT governance, the board of an enterprise should establish an IT
strategy committee to:

A. provide input to and ensure alignment of the enterprise and IT strategies.
B. ensure IT risks inherent in the enterprise strategy implementation are managed
C. drive IT strategy development and take responsibility for implementing the IT strategy.
D. assume governance accountability for the business strategy on behalf of the board

Answer: A

QUESTION 348
An enterprise has identified potential environmental disasters that could occur in the area where its
data center is located. Which of the following should be done NEXT?

A. Implement an early warning detection and notification system.
B. Assess the likelihood and impact on the data center.
C. Relocate the data center to minimize the threat.

D. Assess how the data center is protected against the threat.

Answer: B

QUESTION 349
Which of the following should IT governance mandate before any transition of data from a legacy
system to a new technology platform?

A. Data conversion has documented approvals from business process data owners.
B. Data conversion is performed in a test environment to confirm correctness
C. Control totals of key transaction values are matched with data converted for migration.
D. A crisis management plan has been approved by the IT steering committee

Answer: C

QUESTION 350
A CIO of an enterprise is concerned that IT and the business have different priorities. Which of the
following would BEST demonstrate the current state of strategic alignment?

A. IT maturity model
B. Business case
C. Balanced scorecard
D. IT investment status

Answer: C

QUESTION 351
Which of the following would a CIO use to present the overall view of IT performance to the board
of directors?

A. Balanced scorecard
B. Key risk indicators (KRIs)
C. Maturity model
D. Key performance indicators (KPIs)

Answer: A

QUESTION 352
Which of the following is the BEST justification for a procurement manager to agree to purchase IT
equipment from a specific vendor during a sales promotion?

A. The IT benefit surpasses the business benefit from the purchase.
B. The equipment adds value to the enterprise.
C. The business profit surpasses the IT cost for the equipment.
D. The product is offered at the lowest price.

Answer: C

QUESTION 353
When evaluating the process for acquiring third-party IT resources, management identified several
suppliers with repeated downtime issues impacting the enterprise.
Which of the following is the BEST approach to help ensure future service delivery in accordance
with business objectives?

A. Establish key performance indicators (KPIs).
B. Appoint a procurement oversight committee
C. Establish key risk indicators (KRIs).
D. Implement contract monitoring.

Answer: A

QUESTION 354
Which of the following should be the PRIMARY input when developing IT strategy?

A. Vision statement
B. Process and capability maturity
C. Governance objectives
D. Balanced scorecard

Answer: C

QUESTION 355
Due to the recent introduction of personal data protection regulations, an enterprise is required to
maintain its employee data in production systems only for a limited time.
Which of the following is MOST important to review?

A. Asset retention policies
B. Information retention policies
C. Data archival policies
D. Data backup and restoration policies

Answer: C

QUESTION 356
A data governance strategy has been defined by the IT strategy committee, which includes privacy
objectives related to access controls, authorized use, and data collection. Which of the following
should the committee do NEXT?

A. Mandate data privacy training for employees.
B. Establish a data privacy budget
C. Perform a data privacy impact assessment.
D. Mandate the creation of a data privacy policy.

Answer: D

QUESTION 357
Which of the following is the MOST appropriate mechanism for measuring overall IT organizational
performance?

A. IT portfolio return on investment (ROI)
B. Maturity model
C. IT balanced scorecard
D. Service level metrics

Answer: C

QUESTION 358
A large enterprise has decided to use an emerging technology that needs to be integrated with the
current IT infrastructure. Which of the following is the BEST way to prevent adverse effects to the
enterprise resulting from the new technology?

A. Develop key performance indicators (KPIs).
B. Update the risk appetite statement
C. Develop key risk indicators (KRIs).
D. Implement service level agreements (SLAs)

Answer: C

QUESTION 359
Which of the following would be the BEST way for an IT steering committee to monitor the adoption
of a new enterprise IT strategy?

A. Establish key performance indicators (KPIs).
B. Establish key risk indicators (KRIs).
C. Schedule ongoing audit reviews.
D. Implement service level agreements (SLAs)

Answer: A

QUESTION 360
Which of the following is the MOST important input for the development of a human resources
strategy to address IT skill gaps?

A. Training budget allocated for IT staff
B. Training effectiveness reports
C. Technology direction of the enterprise
D. A recent IT skills matrix

Answer: D

QUESTION 361
An enterprise wishes to establish key risk indicators (KRIs) in an effort to better manage IT risk.
Which of the following should be identified FIRST?

A. Risk mitigation strategies
B. Enterprise architecture (EA) components

C. The enterprise risk appetite
D. Key performance metrics

Answer: C

QUESTION 362
Which of the following would be the BEST way to facilitate the successful adoption of a new
technology across the enterprise?

A. Ensure the use of a business case.
B. Review business goals.
C. Establish an IT balanced scorecard.
D. Highlight the risk the new technology will address.

Answer: A

QUESTION 363
Which of the following should be the FIRST consideration for an enterprise faced with a pandemic
situation resulting in a mandatory remote work environment?

A. Reviewing and testing disaster recovery plans (DRPs)
B. Ensuring staff has the necessary technology to be productive
C. Ensuring remote work policies are updated and communicated
D. Revising IT performance monitoring metrics

Answer: C

QUESTION 364
The MAIN responsibility of the board of directors regarding the management of enterprise risk is to:

A. ensure a risk process exists which addresses the risk appetite.
B. sustain investment in staff training regarding IT risk.
C. promote a benefits-driven culture throughout the enterprise.
D. maintain awareness of IT risk to the business.

Answer: A

QUESTION 365
Which of the following BEST supports an enterprise's ability to comply with privacy laws and
regulations?

A. Complete inventory of enterprise data
B. Implementation of a breach notification process
C. Accurate classification of enterprise data
D. Robust enterprise policy related to data retention

Answer: C

QUESTION 366
Which of the following methods is MOST likely to be used to assess plausible risk scenarios that
could result in reputational risk to the enterprise?

A. Controls gap analysis
B. Qualitative analysis
C. Quantitative analysis
D. SWOT analysis

Answer: D

QUESTION 367
Which of the following would provide the MOST useful information to understand the associated
risks when implementing a new digital transformation strategy?

A. Risk policy
B. Risk framework
C. Risk heat map
D. Risk register

Answer: B

QUESTION 368
Which of the following roles should approve major IT purchases to help prevent conflicts of interest?

A. IT steering committee
B. Chief information officer (CIO)
C. Chief compliance officer
D. Project management office (PMO)

Answer: A

QUESTION 369
From an IT governance perspective, establishing performance measurements is PRIMARILY the
responsibility of:

A. the IT architecture review board.
B. senior management.
C. the board of directors.
D. enterprise risk management (ERM).

Answer: C

QUESTION 370
Business management is seeking assurance from the CIO that controls are in place to help
minimize the risk of critical IT systems being unavailable during month-end financial processing.
What is the BEST way to address this concern?

A. Create a communication plan with risk owners.
B. Outsource infrastructure hosting.
C. Restrict and monitor user access.
D. Develop key risk indicators (KRIs) and action plans.

Answer: D

QUESTION 371
A root-cause analysis indicates a major service disruption due to a lack of competency of newly
hired IT system administrators. Who should be accountable for resolving the situation?

A. HR training director
B. HR recruitment manager
C. Chief information officer (CIO)
D. Business process owner

Answer: C

QUESTION 372
Which of the following would be the MOST effective way to ensure IT capabilities are appropriately
aligned with business requirements for specific business processes?

A. Establishing key performance indicators (KPIs)
B. Requiring internal IT architecture and design reviews
C. Requiring architecture and design reviews with business process stakeholders
D. Issuing a management mandate that IT and business process stakeholders work together

Answer: D

QUESTION 373
Which of the following has PRIMARY responsibility to define the requirements for IT service levels
for the enterprise?

A. The business manager
B. The help desk
C. The CIO
D. The business continuity vendor

Answer: A

QUESTION 374
Which of the following should be management's GREATEST consideration when trying to optimize
the use of benefits from IT?

A. Value delivery
B. Quality management
C. Process improvement
D. Alignment of business to IT

Answer: A

QUESTION 375
The use of an enterprise architecture (EA) framework BEST supports IT governance by providing:

A. key information for IT service level management.
B. reference models to align IT with business.
C. IT standards for application development
D. business information for IT capacity planning.

Answer: D

QUESTION 376
To ensure IT risk is managed in a consistent manner, it is MOST important for IT governance to
establish a:

A. risk management committee to identify IT-related risks.
B. risk management framework.
C. balanced scorecard that includes IT risks.
D. risk management reporting tool to ensure compliance.

Answer: B

QUESTION 377
Individual business units within an enterprise have been designing their own IT solutions without
consulting the IT department. From a governance perspective, what is the GREATEST issue
associated with this situation?

A. Security controls may not meet IT requirements.
B. The enterprise does not have the skills to manage the solutions.
C. The solutions conflict with IT goals and objectives.
D. The solution may conflict with existing enterprise goals.

Answer: D

QUESTION 378
The responsibility for the development of a business continuity plan (BCP) is BEST assigned to the:

A. business risk manager.
B. business owner.
C. chief executive officer (CEO).
D. IT systems owner.

Answer: A

QUESTION 379
Which of the following BEST demonstrates the effectiveness of enterprise IT governance?

A. An IT balanced scorecard is used.
B. Business objectives are achieved.
C. Business objectives are defined.
D. IT processes are measured.

Answer: A

QUESTION 380
An IT steering committee is concerned that enterprise technologies have grown stagnant and are
outdated. Which of the following is the BEST strategy to invest in modern technology?

A. Decrease spending on steady state and increase spending on modernization and enhancements.
B. Redefine the target architecture to define new technologies that can be incorporated into the infrastructure.
C. Create a new investment category for innovation that becomes a new way for tracking investment decisions.
D. Update the IT human resource management plan to require training and development for emerging technologies.

Answer: B

QUESTION 381
The PRIMARY objective of building outcome measures is to:

A. monitor whether the chosen strategy is successful.
B. visualize how the strategy will be achieved.
C. demonstrate commitment to IT governance.
D. clarify the cause-and-effect relationship of the strategy.

Answer: A

QUESTION 382
Once the strategic vision has been established, which of the following would be the BEST activity
for supporting the implementation of performance measures?

A. Monitor service level performance.
B. Document strengths, weaknesses, opportunities, and threats.
C. Document policy requirements
D. Identify key performance indicators (KPIs).

Answer: C

QUESTION 383
Which of the following BEST supports the implementation of an effective data classification policy?

A. Monitoring with key performance indicators (KPIs)
B. Implementation of data loss prevention (DLP) tools
C. Clear guidelines adopted by the business
D. Classification policy approval by the board

Answer: C

QUESTION 384
An enterprise has lost an unencrypted backup tape of archived customer data. A data breach report
is not mandatory in the relevant jurisdiction. From an ethical standpoint, what should the enterprise
do NEXT?

A. Initiate disciplinary proceedings against relevant employees.
B. Mandate a review of backup tape inventory procedures.
C. Communicate the breach to customers.
D. Require an evaluation of storage facility vendors.

Answer: C

QUESTION 385
When developing an IT training plan, which of the following is the BEST way to ensure that resource
skills requirements are identified?

A. Extract training requirements from deficiencies reported in customer service satisfaction surveys.
B. Ask managers to determine IT training requirements annually.
C. Determine training needs based on the capabilities to support the IT strategy.
D. Survey employees for IT skills requirements based upon technology trends.

Answer: C

QUESTION 386
In which of the following situations is it MOST appropriate to use a quantitative risk assessment?

A. There is a lack of accurate and reliable past and present risk data.
B. The risk assessment needs to be completed in a short period of time.
C. The objectivity of the risk assessment is of primary importance.
D. The risk assessment is needed for an IT project business case.

Answer: C

QUESTION 387
An IT department has forwarded a request to the IT strategy committee for funding of a
discretionary Investment. The committee's MOST important consideration should be to evaluate:

A. the technical feasibility of the investment.
B. the business and technical scope of the investment.
C. whether the investment supports corporate goals.
D. whether the investment aligns with the enterprise architecture (EA).

Answer: C

QUESTION 388
Which of the following should be identified FIRST when determining appropriate IT key risk
indicators (KRIs)?

A. IT-related risk
B. IT controls
C. IT threats
D. IT objectives

Answer: C

QUESTION 389
An IT risk committee is trying to mitigate the risk associated with a newly implemented bring your
own device (BYOD) policy and supporting mobile device management (MDM) tools. Which of the
following would be the BEST way to ensure employees understand how to protect sensitive
corporate data on their mobile devices?

A. Require staff to complete security awareness training.
B. Develop security procedures for mobile devices.
C. Distribute the BYOD policy on the company Intranet.
D. Require staff to review and sign nondisclosure agreements (NDAs)

Answer: A

QUESTION 390
An enterprise's decision to move to a virtualized architecture will have the GREATEST impact on:

A. system life cycle management.
B. asset classification.
C. vendor management
D. vulnerability management.

Answer: D

QUESTION 391
A large bank has completed several acquisitions in the last few years that have resulted in
redundant IT applications. To align with the strategic initiative of providing integrated services to
customers, the IT steering committee has decided to share data and integrate applications. Which
of the following would be MOST important to review in this situation?

A. Enterprise architecture (EA)
B. IT risk register
C. Balanced scorecard measures
D. IT strategic plan

Answer: A

QUESTION 392
What should be done FIRST when feedback indicates recently implemented software products are
not meeting business unit expectations?

A. Review help desk logs.
B. Confirm user acceptance testing (UAT) was completed.
C. Request a gap analysis.
D. Institute a new software training program

Answer: B

QUESTION 393
Of the following, who is PRIMARILY responsible for applying frameworks for the governance of IT
to balance the need for security controls with business requirements?

A. Data scientists
B. Data stewards
C. Data analysts
D. Data processors

Answer: B

QUESTION 394
An IT steering committee is evaluating whether a third-party supplier is delivering the correct level
of service. Reviewing which of the following will provide the BEST information to the committee?

A. Key performance indicators (KPIs)
B. Service portfolio management
C. Vendor status reports
D. Operational cost reduction reports

Answer: B

QUESTION 395
Which of the following should be the PRIMARY goal of implementing service level agreements
(SLAs) with an outsourcing vendor?

A. Gaining a competitive advantage
B. Establishing penalties for not meeting service levels
C. Achieving operational objectives
D. Complying with regulatory requirements

Answer: C

QUESTION 396
An enterprise's chief information officer (CIO) has been receiving complaints from business
executives regarding the amount their units are being charged for IT services. To maintain a good
relationship with business peers, the CIO wants to be responsive to these complaints. To address
this issue, the FIRST step should be to:

A. agree to reduce charge rates and improve relationship management with the business.
B. look into outsourcing of support functions to drive down the cost structure.
C. ask the chief financial officer (CFO) about budget revisions for the business units' IT expenditures.
D. quantify consumption and service level agreement (SLA) achievements per business unit.

Answer: D

QUESTION 397
Which of the following should be the FIRST action taken by a newly formed IT governance
committee to ensure reports are compliant with regulations and identify key IT risks?

A. Direct the development of a reporting communication plan.
B. Develop and monitor IT key risk indicator (KRI) triggers.
C. Train end users on regulation requirements.
D. Implement a mechanism to ensure reporting escalation.

Answer: A

QUESTION 398
What is the BEST criterion for prioritizing IT risk remediation when resource requirements are equal?

A. Deviation from IT standards
B. IT strategy alignment
C. IT audit recommendations
D. Impact on business

Answer: D

QUESTION 399
When developing a framework to implement IT governance, which of the following BEST
contributes to the successful implementation?

A. Practical and enforceable policies
B. Automated compliance tracking
C. Comprehensive and timely audit reviews
D. Periodic peer reviews

Answer: A

QUESTION 400
In a successful enterprise that is profitable in its marketplace and consistently growing in size, the
non-IT workforce has grown by 50% in the last two years. The demand for IT staff in the
marketplace is more than the supply, and the enterprise is losing staff to rival organizations. Due
to the rapid growth, IT has struggled to keep up with the enterprise, and IT procedures and
associated job roles are not well-defined. The MOST critical activity for reducing the impact caused
by IT staff turnover is to:

A. document processes and procedures.
B. outsource the IT operation.
C. increase compensation for IT staff.
D. hire temporary staff.

Answer: A

QUESTION 401
Which of the following should be done FIRST when concerns have been identified regarding the
financial viability of a potential software supplier?

A. Implement an escrow agreement
B. Perform a risk assessment
C. Include a right-to-audit clause in the contract
D. License the intellectual property

Answer: A

QUESTION 402
Which of the following is the MOST significant challenge faced by an enterprise when establishing
information stewardship?

A. Lack of documented policies and procedures
B. Information requirements of regulatory authorities
C. Insufficient knowledge of IT practices and controls
D. Lack of role clarity and specific responsibilities

Answer: D

QUESTION 403
An enterprise has decided to implement an enterprise resource planning (ERP) system to achieve
operating and cost efficiencies through global IT standardization. The business units are resistant
because they are used to operating autonomously. The CEO has instructed the CIO to move
quickly with the implementation to force acceptance with business unit leaders. Which of the
following should be the CIO's FIRST step?

A. Build a governance framework for identifying non-standard processes.
B. Request funding from the CEO to hire ERP consultants.
C. Ask the CEO to be the sponsor of the program.
D. Engage a reluctant business unit to conduct a proof-of-concept pilot.

Answer: D

QUESTION 404
Which of the following is MOST important to review during IT strategy development?

A. Industry best practices
B. IT balanced scorecard
C. Current business environment
D. Data flows that indicate areas requiring IT support

Answer: C

QUESTION 405
During an IT strategy review, a new CIO determined that numerous important internal processes
have not been updated for several years and should be reexamined. Which of the following would
be the BEST approach to address this concern?

A. Implement a process review policy.
B. Assemble a project review team.
C. Verify that the processes are still needed.
D. Map the processes to a capability maturity model.

Answer: C

QUESTION 406
When conducting a risk assessment in support of a new regulatory requirement, the IT risk
committee should FIRST consider the:

A. disruption to normal business operations.
B. risk profile of the enterprise.
C. readiness of IT systems to address
D. the risk cost burden to achieve compliance.

Answer: C

QUESTION 407
Facing financial struggles, a CEO mandated severe budget cuts. A decision was also made to
immediately change the enterprise strategic focus to put more reliance on mobile, cloud, and
wireless services in an effort to boost revenue. The IT steering committee has asked the CIO to
suggest adjustments to the current IT project portfolio to allow support for the new direction despite
fewer funds. What should the CIO advise the committee to do FIRST?

A. Ask business stakeholders to discuss their vision for the new strategy.
B. Cancel projects with a net present value (NPV) below a defined threshold.
C. Conduct a risk assessment against the potential new services.
D. Start re-allocating budget to projects involving mobile or cloud.

Answer: C

QUESTION 408
An enterprise is approaching the escalation date of a major IT risk. The IT steering committee wants
to ascertain who is responsible for the risk response. Where should the committee find this
information?

A. Resource management plan
B. RACI chart
C. Risk management plan
D. Risk register

Answer: D

QUESTION 409
Which of the following IT governance actions would be the BEST way to minimize the likelihood of
IT failures jeopardizing the corporate value of an IT-dependent organization?

A. Implement an IT risk management framework.
B. Install an IT continuous monitoring solution.
C. Define IT performance management measures.
D. Benchmark IT strategy against industry peers.

Answer: A

QUESTION 410
Which aspect of information governance BEST enables an enterprise to avoid duplication of
records and promote consistency of data?

A. Data loss prevention (DLP)
B. Data modeling
C. Blockchain management
D. Enterprise architecture (EA)

Answer: B

QUESTION 411
The risk committee is overwhelmed by the number of false positives included in risk reports. What
action would BEST address this situation?

A. Conduct a risk assessment.
B. Evaluate key risk indicators (KRIs).
C. Change the reporting format.
D. Adjust the IT balanced scorecard.

Answer: B

QUESTION 412
Which of the following will BEST enable an IT steering committee to monitor the achievement of
overall IT objectives on a continuous basis?

A. Defined service level agreements (SLAs)
B. Project portfolio dashboards
C. Key performance indicators (KPIs)
D. IT user survey results

Answer: A

QUESTION 413
An enterprise has launched a series of critical new IT initiatives that are expected to produce
substantial value. Which of the following would BEST provide the board with an indication of
progress of the IT initiatives?

A. Portfolio management review
B. Full life cycle cost-benefit analysis
C. Demonstration of prototype and user testing
D. Critical risk and issue walk-through

Answer: A

QUESTION 414
An enterprise wants to reduce the complexity of its data assets while ensuring impact to the
business is minimized during the transition. Which of the following should be done FIRST?

A. Remove applications that are not aligned with the information architecture.
B. Review the information classification and retention policies.
C. Review the information architecture.
D. Assess current information ownership.

Answer: C

QUESTION 415
When developing a business case for an enterprise resource planning (ERP) implementation,
which of the following, if overlooked, causes the GREATEST impact to the enterprise?

A. Vendor selection
B. Salvage value of legacy hardware
C. Interdependent systems
D. IT best practices

Answer: C

QUESTION 416
The PRIMARY objective of IT resource planning within an enterprise should be to:

A. determine risk associated with IT resources.
B. maximize value received from IT.
C. determine IT outsourcing options.
D. finalize service level agreements (SLAs) for IT.

Answer: B

QUESTION 417
An enterprise is replacing its customer relationship management (CRM) system with a cloud-based
system. Which of the following should be done FIRST when preparing for data migration?

A. Review the enterprise data architecture.
B. Establish a data quality plan.
C. Consult the quality assurance (QA) function.
D. Acquire data migration tools.

Answer: B

QUESTION 418
A business has outsourced IT operations to several third-party providers, but service level
agreements (SLAs) are not clearly defined in all cases. Which of the following is the GREATEST
risk to the business?

A. Costs are not measurable.
B. Third parties could provide overlapping services.
C. The scope of work is not clearly defined.
D. Quality of services is not enforceable.

Answer: D

QUESTION 419
An enterprise has committed to the implementation of a new IT governance model. The BEST way
to begin this implementation is to:

A. identify IT services that currently support the enterprise's capability.
B. define policies for data, applications, and organization of infrastructure.
C. identify the role of IT in supporting the business.
D. prioritize how much and where to invest in IT.

Answer: B

QUESTION 420
Which of the following should be the PRIMARY governance objective for selecting key risk
indicators (KRIs) related to legal and regulatory compliance?

A. Identifying the risk of noncompliance
B. Demonstrating sound risk management practices
C. Measuring IT alignment with enterprise risk management (ERM)
D. Ensuring the effectiveness of IT compliance controls

Answer: C

QUESTION 421
In a large enterprise, which of the following should be responsible for the implementation of an IT
balanced scorecard?

A. Project management office
B. Chief information officer (CIO)
C. IT steering committee
D. Chief risk officer (CRO)

Answer: A

QUESTION 422
Which of the following should be established FIRST so that data owners can consistently assess
the level of data protection needed across the enterprise?

A. Data encryption program
B. Data risk management program
C. Data retention policy
D. Data classification policy

Answer: D

QUESTION 423
IT maturity models measure:

A. performance.
B. value.
C. capabilities.
D. outcome.

Answer: C

QUESTION 424
A newly appointed CIO has been tasked with the responsibility of developing an effective IT
enterprise roadmap that meets business requirements. Which of the following is the BEST way to
ensure that the business needs have been taken into consideration?

A. Involve process owners in requirements gathering.
B. Implement a balanced scorecard.
C. Include user acceptance testing (UAT) as part of the resulting IT solutions.

Answer: A

QUESTION 425
Right-to-audit clauses are intended to ensure the vendor:

A. aligns staff skill sets adequately.
B. maintains adequate budget for risk management.
C. addresses compliance requirements.
D. optimizes IT operations for service delivery.

Answer: C

QUESTION 426
Which of the following should be the FIRST step for executive management to take in
communicating what is considered acceptable use with regard to personally owned devices for
company business?

A. Require employees to read and sign a disclaimer.
B. Develop and disseminate an applicable policy.
C. Post awareness messages throughout the facility.
D. Provide training on how to protect data on personal devices.

Answer: B

QUESTION 427
When updating an IT governance framework to support an outsourcing strategy, which of the
following is MOST important?

A. Evaluating the choice of underlying technology platforms used by the service provider
B. Ensuring the outsource provider's IT function is aligned with its business function
C. Verifying the vendor has developed standard operation procedures for outsourced functions
D. Ensuring the effective management of contracts with third-party providers

Answer: C

QUESTION 428
A financial services company has implemented the use of a cloud-based centralized customer
relationship management (CRM) system. The company has decided to go multi-national. Which of
the following should be the enterprise risk management (ERM) committee's PRIMARY
consideration?

A. Security issues
B. Vendor capability
C. Return on investment (ROI)
D. Compliance issues

Answer: D

QUESTION 429
An organization is evaluating vendors to provide mobile device management (MDM) services.
Which of the following is a KEY governance consideration for the IT steering committee?

A. Service level targets align with business requirements.
B. Employee-owned devices will be covered by the service.
C. The MDM services are delivered via a cloud.

Answer: A

QUESTION 430
IT senior management has just received a survey report indicating that more than one third of the
organization's key IT staff plan to retire within the next 12 months. Which of the following is the
MOST important governance action to prepare for this possibility?

A. Engage human resources (HR) for recruitment of new staff.
B. Request the development of a succession plan.
C. Review motivation drivers for key IT staff.
D. Evaluate lower-level staff as succession candidates.

Answer: B

QUESTION 431
A CEO wants to establish a governance framework to facilitate the alignment of IT and business
strategies. Which of the following should be a KEY requirement of this framework?

A. Defined resourcing levels
B. A defined enterprise architecture (EA)
C. An outsourcing strategy

Answer: B

QUESTION 432
Which of the following BEST supports enterprise decision making for IT resource allocation?

A. IT-related regulatory requirements
B. Enterprise IT strategy
C. Enterprise IT risk assessment
D. IT balanced scorecard

Answer: B

QUESTION 433
Which of the following is the PRIMARY responsibility of a data steward?

A. Ensuring the appropriate users have access to the right data
B. Developing policies for data governance
C. Reporting data analysis to the board
D. Classifying and labeling organizational data assets

Answer: D

QUESTION 434
Which of the following is MOST important for an IT strategy committee to ensure before initiating
the development of an IT strategic plan?

A. Committee members are apprised of business needs.
B. A risk assessment has been conducted.
C. Committee members are independent from business units.
D. IT initiatives are fully supported by the business.

Answer: A

QUESTION 435
Which of the following should senior management do FIRST when developing and managing digital
applications for a new enterprise?

A. Establish an architecture review board.
B. Define the risk appetite.
C. Develop key risk indicators (KRIs).
D. Implement a sourcing program.

Answer: B

QUESTION 436
To successfully implement enterprise IT governance, which of the following should be the MAIN
focus of IT policies?

A. Providing business value
B. Optimizing operational benefits
C. Enhancing organizational capability
D. Limiting IT costs

Answer: A

QUESTION 437
An IT steering committee has received a report that supports the economic and service benefits of
moving infrastructure hosting to an external cloud provider. Business leadership is very concerned
about the security risk and potential loss of customer data. What is the BEST way for the committee
to address these concerns?

A. Mandate there will be no customer data at rest stored on cloud servers used by the vendor.
B. Include compliance with the enterprise's data governance policy in the contract.
C. Ensure reporting and penalty clauses are included in the contract for any loss of data.
D. Require an encrypted connection between the cloud and enterprise servers.

Answer: B

QUESTION 438
Which of the following metrics would provide senior management with the BEST indication of the
success of IT investments?

A. Number of IT investments tracked in the balanced scorecard
B. Percentage of IT investments recorded in the enterprise architecture (EA)
C. Number of IT investments impacted by business-related incidents
D. Percentage of IT investments that meet expected benefits

Answer: D

QUESTION 439
Which of the following would BEST help a CIO enhance the competencies of an IT business
analytics team?

A. Understanding current staff skill sets and identifying gaps
B. Creating operational processes and identifying resources
C. Defining the IT architecture and identifying training areas
D. Establishing team goals and identifying the proper structure

Answer: A

QUESTION 440
Which of the following is the MOST important input for designing a development program to help
IT employees improve their ability to respond to business needs?

A. Capability maturity model
B. Cost-benefit analysis
C. Skills competency assessment

Answer: C

QUESTION 441
IT senior management is concerned that IT service levels consistently fall below those outlined in
the service level agreement (SLA). Which of the following would BEST enable the CIO to build a
corrective action plan?

A. Assessing the impact of the SLA failure
B. Conducting an IT performance evaluation
C. Reviewing the IT staff training plan
D. Performing a root cause analysis

Answer: D

QUESTION 442
A newly hired IT director of a large international enterprise has been asked to provide periodic
updates regarding IT risk to the board. Which of the following is the MOST effective way to initially
address this request?

A. Include a complete IT risk register in the monthly letter given to each board member.
B. Include key IT risks in a dashboard submitted to the board quarterly.
C. Submit a register of all IT audit findings to board members monthly.
D. Schedule quarterly meetings to discuss all open IT risks.

Answer: B

QUESTION 443
An assessment reveals that enterprise risk management (ERM) practices are being applied
inconsistently by IT staff. Which of the following would be the MOST effective corrective action?

A. Require ERM orientation sessions.
B. Request the development of an IT risk register template.
C. Request a complete skills reassessment for all IT staff.
D. Update the ERM framework.

Answer: D

QUESTION 444
An enterprise's global IT program management office (PMO) has recently discovered that several
IT projects are being run within a specific region without knowledge of the PMO. The projects are
on time, on budget, and will deliver the proposed benefits to the specific region. Which of the
following should be the PRIMARY concern of the PMO?

A. Inability to reduce the impact to the risk level of the global portfolio
B. Projects may not follow system development life cycle (SDLC)
C. Lack of control and impact to the overall PMO budget

Answer: C

QUESTION 445
To evaluate IT resource management, it is MOST important to define:

A. responsibilities for executing resource management.
B. applicable key goals.
C. principles for the IT strategy.
D. IT resource utilization reporting procedures.

Answer: B

QUESTION 446
A newly appointed CIO has issued a new IT strategic plan. Which of the following is the MOST
effective way for the CIO to ensure the IT management team is held accountable for the delivery
of the plan?

A. Update the IT balanced scorecard with key objectives.
B. Enforce disciplinary action for managers if the plan is not delivered.
C. Revise the managers' performance goals to include key objectives.

Answer: A

QUESTION 447
An enterprise has entered into a new market which brings additional regulatory compliance
requirements. What should be done FIRST to address these requirements?

A. Outsource the compliance process.
B. Appoint a compliance officer.
C. Update the organization's risk profile.
D. Have executive management monitor compliance.

Answer: C

QUESTION 448
Which of the following is the MOST important benefit of effective IT governance reporting?

A. The enterprise balanced scorecard is aligned with IT dashboards.
B. Business executives better understand IT's value contribution to the enterprise.
C. IT key performance indicators (KPIs) are included in the enterprise-level KPI dashboard.
D. IT processes are improved in line with business requirements.

Answer: B

QUESTION 449
A large enterprise has been experiencing high turnover of skilled IT personnel, resulting in a
significant loss of knowledge within the IT department. Which of the following is the BEST
governance action to address this concern?

A. Update the IT resource management plan.
B. Revise IT strategic objectives.
C. Update IT employee compensation packages.
D. Mandate the use of employee contracts.

Answer: A

QUESTION 450
The PRIMARY reason a CIO and IT senior management should stay aware of the business
environment is to:

A. revisit prioritization of IT projects.
B. adjust IT strategy as needed.
C. measure efficiency of IT resources.
D. re-assess the IT investment portfolio.

Answer: A

QUESTION 451
Which of the following decisions would be made by the IT strategy committee?

A. Communication plan for a major IT initiative
B. Cloud implementation and support plan
C. Enterprise risk management (ERM) framework
D. Composition of the investment portfolio

Answer: D

QUESTION 452
Which of the following BEST enables an enterprise to determine how business expectations should
be addressed in a governance program?

A. Business impact analysis (BIA)
B. Cost-benefit analysis
C. Enterprise risk analysis
D. Stakeholder analysis

Answer: D

QUESTION 453
The CIO of a financial and insurance company is considering the projects and portfolio for the
coming year. Which of the following projects is a non-discretionary project?

A. Data center relocation
B. Compliance with statutory regulations
C. Actuarial application system analysis and design

Answer: B

QUESTION 454
Which of the following is MOST important to include in IT governance reporting to the board of
directors?

A. Critical risks
B. Technology cost savings
C. Threat landscape
D. Security events

Answer: A

QUESTION 455
A business unit is planning to replace an existing IT legacy solution with a hosted Software as a
Service (SaaS) solution. However, business management is concerned that stored data will be at
risk.
Which of the following is the MOST effective way to reduce the risk associated with the SaaS
solution?

A. Research the technology and identify potential security threats.
B. Include risk-related requirements in the SaaS contract.
C. Create key risk indicators (KRIs) for the SaaS solution.
D. Redefine the risk appetite and risk tolerance.

Answer: C

QUESTION 456
A project sponsor has circumvented the request for proposal (RFP) selection process. Which of
the following is the MOST likely reason for this control gap?

A. Inadequate stage-gate reviews
B. Inadequate board oversight
C. Lack of accountability for policy adherence
D. Lack of a legal and regulatory review process

Answer: C

QUESTION 457
An enterprise is adopting a new governance framework. Of the following, the MOST effective
method to help ensure that key activities are performed by appropriate resources is through the
use of:

A. a RACI chart.
B. an organizational breakdown structure.
C. a work breakdown structure.

Answer: A

QUESTION 458
To enable IT to deliver adequate services and maintain availability of a web-facing infrastructure,
an IT governance committee should FIRST establish:

A. web operations procedures.
B. business continuity plans (BCPs).
C. key performance indicators (KPIs).
D. customer survey processes.

Answer: C

QUESTION 459
What should be an IT steering committee's FIRST course of action when an enterprise is
considering establishing a virtual reality store to sell its products?

A. Request a resource gap analysis.
B. Request development of key risk indicators (KRIs).
C. Request a threat assessment.
D. Request a cost-benefit analysis.

Answer: C

QUESTION 460
Which of the following should occur FIRST in the IT investment process?

A. Assess each project's impact on the enterprise's investment plan.
B. Select IT projects that will best support the enterprise's mission.
C. Analyze IT investments based on past data.
D. Analyze the risks and benefits of the investment for each IT project.

Answer: B

QUESTION 461
Which of the following should be done FIRST when designing an IT balanced scorecard?

A. Develop key performance indicators (KPIs).
B. Communicate to stakeholders.
C. Analyze the business strategy.
D. Review the IT resource plan.

Answer: C

QUESTION 462
An IT strategy committee wants to ensure stakeholders understand who owns each strategic
objective. To enable this understanding, which of the following should be communicated to
stakeholders?

A. A RACI chart
B. The strategic plan
C. Performance measure
D. Risk owners

Answer: A

QUESTION 463
Which of the following are the MOST important processes for information asset life cycle
management?

A. Procurement management and third-party management
B. Configuration management and financial management
C. Vulnerability management and network management
D. Business continuity management and disaster recovery management

Answer: D

QUESTION 464
Which of the following is the BEST way to implement effective IT risk management?

A. Align with business risk management processes.
B. Establish a risk management function.
C. Minimize the number of IT risk management decision points.
D. Adopt risk management processes.

Answer: A

QUESTION 465
Which of the following is a PRIMARY responsibility of the CIO when an enterprise plans to replace
its enterprise resource applications?

A. Reviewing the IT application portfolio
B. Evaluating and selecting application vendors
C. Ensuring IT architecture requirements are considered
D. Establishing software quality criteria

Answer: C

QUESTION 466
A CIO is planning to interview enterprise stakeholders to assess whether the IT strategic plan is
continuing to support enterprise business objectives. The CIO would be MOST effective by starting
the interview process with:

A. the executive team.
B. the internal auditors.
C. senior IT managers.
D. business process owners.

Answer: A

QUESTION 467
Which of the following characteristics would BEST indicate that an IT process is a good candidate
for outsourcing?

A. Strategic processes that require expert professionals
B. Processes with higher risk to the enterprise
C. Non-strategic processes that are not documented
D. Operational processes that are well-defined

Answer: D

QUESTION 468
A CIO wants to make improvements to the enterprise's IT governance. Which of the following would
BEST help to demonstrate the expected benefits from proposed changes?

A. RACI chart
B. Balanced scorecard
C. Enterprise architecture (EA)
D. Business case

Answer: D

QUESTION 469
An IT team is having difficulty meeting new demands placed on the department as a result of a
major and radical shift in enterprise business strategy. Which of the following is the CIO's BEST
course of action to address this situation?

A. Utilize third parties for non-value-added processes.
B. Align the business strategy with the IT strategy.
C. Review the current IT strategy.
D. Review the IT risk appetite.

Answer: C

QUESTION 470
An organization has decided to integrate IT risk with the enterprise risk management (ERM)
framework. The FIRST step to enable this integration is to establish:

A. a common risk management taxonomy.
B. a common risk organization.
C. common key risk indicators (KRIs).
D. common risk mitigation strategies.

Answer: A

QUESTION 471
The BEST way for a CIO to manage the organizational impact of deploying a new enterprise-wide
tool is to implement:

A. change management.
B. project management.
C. risk management.
D. resource management.

Answer: C

QUESTION 472
An enterprise recently approved a bring your own device (BYOD) policy. The IT steering committee
has directed IT management to develop a communication plan to disseminate information
regarding the associated technical risks. Which of the following is MOST important to include in
this communication plan?

A. A link on the corporate intranet to the BYOD policy
B. Potential exposures and impacts using common terms
C. Schedule and content for mandatory training
D. Disciplinary actions for violation of the BYOD policy

Answer: B

QUESTION 473
Which of the following will BEST enable an enterprise to convey IT governance direction and
objectives?

A. Skills and competencies
B. Principles and policies
C. Corporate culture
D. Business processes

Answer: B

QUESTION 474
Which of the following is the MOST important reason that IT strategic planning processes need to
be adequately documented and communicated?

A. To justify spending on IT projects
B. To promote transparency to stakeholders
C. To ensure other departments are aligned with the direction set by IT
D. To inform business units of IT department achievements

Answer: C

QUESTION 475
Which of the following is the PRIMARY responsibility of a data steward at an enterprise with mature
data management programs?

A. Implementing processes for data collection and use
B. Ensuring compliance with data privacy laws and regulations
C. Establishing data quality requirements and metrics
D. Developing data-related policies and procedures

Answer: C

QUESTION 476
An enterprise recently implemented a significant change in its business strategy by moving to a
technologically advanced product with considerable impact on the business. What should be the
FINAL step in completing the changes to IT processes?

A. Updating the configuration management database (CMDB)
B. Empowering the business to embrace the changes
C. Ensuring a return to stabilized business operations
D. Updating the enterprise architecture (EA)

Answer: C

QUESTION 477
When selecting a cloud provider, which of the following provides the MOST comprehensive
information regarding the current status and effectiveness of the provider's controls?

A. Globally recognized certification
B. Third-party audit report
C. Control self-assessment (CSA)
D. Maturity assessment

Answer: B

QUESTION 478
Which of the following is the BEST way to encourage employees to raise ethics concerns in full
confidence?

A. Publish and enforce a code of conduct policy.
B. Provide access to legal resource benefits.
C. Establish and communicate a whistle-blower policy.
D. Provide protection language in employment contracts.

Answer: C

QUESTION 479
What is the PRIMARY benefit of aligning information architecture with enterprise architecture (EA)?

A. It improves communication with senior management and the business.
B. It ensures the adoption of enterprise data quality standards.
C. It enables the tracing of data to business functions.
D. It facilitates appropriate access to data consumers.

Answer: C

QUESTION 480
A CIO is planning to implement an enterprise resource planning (ERP) system at the request of the
business. Of the following, who is accountable for providing sponsorship for the IT-enabled change
across the enterprise?

A. CEO
B. Human resource (HR) director
C. IT strategy committee

Answer: C

QUESTION 481
Which of the following is MOST important to include in the customer dimension of an IT balanced
scorecard?

A. Business value creation
B. Stakeholder satisfaction
C. Maintenance of IT operations
D. Support for corporate customers

Answer: B

QUESTION 482
A CIO has recently been made aware of a new regulatory requirement that may affect IT-enabled
business activities. Which of the following should be the CIO's FIRST step in deciding the
appropriate response to the new requirement?

A. Revise initiatives that are active to reflect the new requirements.
B. Confirm there are adequate resources to mitigate compliance requirements.
C. Consult with legal and risk experts to understand the requirements.

Answer: C

QUESTION 483
Which of the following BEST enables effective enterprise risk management (ERM)?

A. Risk register
B. Risk ownership
C. Risk tolerance
D. Risk training

Answer: C

QUESTION 484
Which of the following BEST supports an IT staff restructure as part of an annual IT strategy review
with senior management?

A. Established IT key performance indicators (KPIs)
B. IT staff training program requirements
C. External IT staffing benchmarks
D. An updated business case for IT resourcing

Answer: A

QUESTION 485
Which of the following is the BEST critical success factor (CSF) to use when changing an IT value
management program in an enterprise?

A. Documenting the process for the board of directors' approval
B. Adopting the program by using an incremental approach
C. Implementing the program through the enterprise's change plan
D. Aligning the program to the business requirements

Answer: D

QUESTION 486
What should be the FIRST action of a new CIO when considering an IT governance framework for
an enterprise?

A. Understand corporate culture and IT's role in providing business value.
B. Understand critical IT processes to define the scope of the IT governance framework.
C. Verify stakeholder sponsorship of the IT governance initiative.
D. Develop an IT balanced scorecard to monitor and track IT performance.

Answer: A

QUESTION 487
An enterprise has launched a critical new IT initiative that is expected to produce substantial value.
Which of the following would BEST facilitate the reporting of benefits realized by the IT investment
to the board?

A. Balanced scorecard
B. Milestone chart
C. Performance management

Answer: C

QUESTION 488
The MOST appropriate method for evaluating the capability of IT governance is through the use of:

A. a maturity assessment.
B. benchmarking.
C. a cost-benefit analysis.
D. a risk assessment.

Answer: A

QUESTION 489
When a shortfall of IT resources is identified, the FIRST course of action is to:

A. perform a business impact analysis (BIA).
B. reallocate the budget to close the gap in resources.
C. reduce business requirements.
D. negotiate best pricing for contracted resources.

Answer: A

QUESTION 490
Which of the following is the BEST way to address the risk associated with new IT investments?

A. Develop security best practices to protect applications.
B. Integrate security requirements at the beginning of projects.
C. Establish an enterprise-wide incident response process.
D. Implement an enterprise-wide security awareness program.

Answer: B

QUESTION 491
Which of the following BEST enables an enterprise to achieve the benefits of implementing new
Internet of Things (IoT) technology?

A. IT project charter
B. Change management
C. Emerging technology roadmap
D. Enterprise architecture (EA)

Answer: D

QUESTION 492
A CIO was notified that a new employee was observed wearing a headset with an optical lens at
the organization's data center. The individual was entering voice commands into the device. When
approached, the employee explained the device is a new personal technology serving as a hands-
free version of a smart phone. The CIO is concerned with potential security vulnerabilities of
allowing such devices, and whether they should be banned from the facility. What should be the
NEXT course of action in response to the CIO's concern?

A. Define a risk mitigation strategy.
B. Update the acceptable use policy.
C. Research competitor usage of similar devices.
D. Assess the risk associated with the device.

Answer: D

QUESTION 493
Which of the following is the BEST way for a CIO to ensure that the work of IT employees is aligned
with approved IT directives?

A. Mandate technical training related to the IT objectives.
B. Have business leaders present their departments' objectives.
C. Include relevant IT goals in individual performance objectives.
D. Request a progress review of IT objectives by internal audit.

Answer: C

QUESTION 494
Which of the following would be MOST useful in developing IT strategic plans aligned with
technological needs?

A. Business impact analysis (BIA)
B. Business case
C. Enterprise architecture (EA)
D. Benchmark analysis

Answer: C

QUESTION 495
Which of the following is the BEST indicator of the effectiveness of IT governance in an enterprise?

A. Value delivery
B. Resource utilization
C. Residual risk
D. Project delivery

Answer: A

QUESTION 496
An enterprise is assessing whether to utilize wearable technology. The enterprise has no prior
experience with this technology and has asked the chief technology officer (CTO) to assess the
impact to the enterprise. The CTO should FIRST:

A. understand the enterprise's risk tolerance.
B. create an IT risk scorecard.
C. prioritize wearable technology risk.

Answer: A

QUESTION 497
An internal auditor conducts an assessment of a two-year-old IT risk management program. Which
of the following findings should be of MOST concern to the CIO?

A. Organizational responsibility for IT risk management is not clearly defined.
B. None of the members of the IT risk management team have risk management-related certifications.
C. Only a few key risk indicators (KRIs) identified by the IT risk management team are being monitored,
and the rest will be on a phased schedule.

Answer: A

QUESTION 498
The accountability for a business continuity program for business-critical systems is BEST assigned
to the:

A. enterprise risk manager.
B. chief executive officer (CEO).
C. director of internal audit.
D. chief information officer (CIO).

Answer: B

QUESTION 499
An enterprise plans to migrate its applications and data to an external cloud environment. Which of
the following should be the CIO's PRIMARY focus before the migration?

A. Reviewing the information governance framework
B. Selecting best-of-breed cloud offerings
C. Updating the enterprise architecture (EA) repository
D. Conducting IT staff training to manage cloud workloads

Answer: A

QUESTION 500
Which of the following is the MOST important consideration when integrating a new vendor with an
enterprise resource planning (ERP) system?

A. IT senior management selects the vendor.
B. A vendor risk assessment is conducted.
C. ERP data mapping is approved by the enterprise architect.
D. Procurement provides the terms of the contract.

Answer: B

QUESTION 501
Which of the following would provide the MOST useful information to measure the alignment of IT
with the enterprise?

A. Balanced scorecard
B. Control self-assessment (CSA)
C. Gap analysis
D. Audit reports

Answer: A

QUESTION 502
Which of the following is MOST important for a data steward to verify when a system's data is
edited by an automated tool to fix an incident?

A. The change has been requested by the business department and approved by the data owner.
B. The change is documented in preparation for future audits.
C. The change maintains consistency among databases and has no other impacts.
D. The change is a temporary fix for the incident, and the permanent solution is addressed by problem
management.

Answer: B

QUESTION 503
What is the BEST way for IT to achieve compliance with regulatory requirements?

A. Enforce IT policies and procedures.
B. Create an IT project portfolio.
C. Review an IT performance dashboard.
D. Report on IT audit findings and action plans.

Answer: A

QUESTION 504
Which of the following is the PRIMARY role of the governance function in enabling an enterprise to
achieve its business objectives?

A. Determining risk thresholds that the enterprise can sustain
B. Preparing business continuity and resiliency plans
C. Providing a means to effectively manage stakeholders
D. Monitoring strategic plans to reach the desired target state

Answer: D
