CGEIT Certified in the Governance of Enterprise IT – Question 191

Senior management wants to promote investment in IT, but is uncertain that associated risks are being properly identified. The BEST way to address this concern is to:

A. ensure business cases are developed by IT.
B. engage an external consultant to develop risk scenarios.
C. assign an IT cost controller to the finance department.
D. appoint an IT representative to the business risk committee.

Correct Answer: D

CGEIT Certified in the Governance of Enterprise IT – Question 190

Which of the following should be the CIO’s GREATEST consideration when making changes to the IT strategy?

A. Have key stakeholders been consulted?
B. Have IT risk metrics been adjusted?
C. Has the investment portfolio been revised?
D. Has the impact to the enterprise architecture been assessed?

Correct Answer: C

CGEIT Certified in the Governance of Enterprise IT – Question 189

Which of the following MOST effectively demonstrates operational readiness to address information security risk issues?

A. Executive management has announced an information security risk initiative.
B. Procedures have been established for assessing and mitigating information security risks.
C. IT management has communicated the need for information security risk management to the business.
D. A policy has been communicated stating enterprise commitment and readiness to address information security risk.

Correct Answer: B

CGEIT Certified in the Governance of Enterprise IT – Question 188

Which of the following would BEST help to ensure an IT steering committee is informed of newly emerging risks in critical IT projects?

A. Requiring regular updates of the risk register for each project
B. Requiring a summarized report of relevant risks
C. Reviewing the response for each risk in the log
D. Conducting periodic reviews of project performance

Correct Answer: A

CGEIT Certified in the Governance of Enterprise IT – Question 187

An IT team is having difficulty meeting new demands placed on the department as a result of a major and radical shift in enterprise business strategy. Which of the following is the CIO’s BEST course of action to address this situation?

A. Review the current IT strategy.
B. Utilize third parties for non-value-added processes.
C. Align the business strategy with the IT strategy.
D. Review the IT risk appetite.

Correct Answer: C

CGEIT Certified in the Governance of Enterprise IT – Question 186

A root-cause analysis indicates a major service disruption due to a lack of competency of newly-hired IT system administrators. Who should be accountable for resolving the situation?

A. HR training director
B. Chief information officer
C. HR recruitment manager
D. Business process owner

Correct Answer: C

CGEIT Certified in the Governance of Enterprise IT – Question 185

As part of the implementation of IT governance, the board of an enterprise should establish an IT strategy committee to:

A. ensure IT risks inherent in the enterprise strategy implementation are managed.
B. drive IT strategy development and take responsibility for implementing the IT strategy.
C. assume governance accountability for the business strategy on behalf of the board.
D. provide input to and ensure alignment of the enterprise and IT strategies.

Correct Answer: C

CGEIT Certified in the Governance of Enterprise IT – Question 184

An organization requires updates to their IT infrastructure to meet business needs. Which of the following will provide the MOST useful information when planning for the necessary IT investments?

A. Audit findings
B. Business user satisfaction metrics
C. Enterprise architecture
D. Risk assessment report

Correct Answer: A

CGEIT Certified in the Governance of Enterprise IT – Question 183

Which of the following would be the BEST way for a CIO to assess the consistency of IT processes against industry benchmarks to determine where to focus improvement initiatives?

A. Utilizing a capability maturity model
B. Reviewing key performance measures
C. Reviewing IT process audit results
D. Evaluating the current balanced scorecard

Correct Answer: C

CGEIT Certified in the Governance of Enterprise IT – Question 182

An IT security team identified a significant weakness in the enterprise’s Internet-facing infrastructure. The exposure requires immediate corrective action that is both cost and resource intensive. Which of the following is the MAIN reason why accountability for this risk should be assigned to the board of directors?

A. The exploit can cause serious disruptions to the enterprise’s reputation and profitability.
B. The board should be aware of risks concerning organizational operations.
C. Risk ownership at the highest level will ensure risk awareness throughout the enterprise.
D. The IT organization cannot take ownership for self-identified risks concerning infrastructure security.

Correct Answer: C