CGEIT Certified in the Governance of Enterprise IT – Question051

Which of the following is the BEST way for the CIO to ensure senior business management understands the current IT risk profile?

A. Present an aggregated view of risk.
B. Present the updated risk register.
C. Present a detailed list of risk findings.
D. Present a list of scheduled risk mitigation actions.

Correct Answer: A

CGEIT Certified in the Governance of Enterprise IT – Question050

Which of the following is the MOST important objective of IT program portfolio management?

A. Reduced technology costs
B. Reduced project management costs
C. Improved IT service delivery
D. Appropriate investment mix

CGEIT Certified in the Governance of Enterprise IT – Question048

An IT audit report indicates that a lack of IT employee risk awareness is creating serious security issues in application design and configuration. Which of the following would be the BEST key risk indicator (KRI) to show progress in IT employee behavior?

A. Results of application security testing
B. Results of application security awareness training quizzes
C. Number of reported security incidents
D. Number of IT employees attending security training sessions

Correct Answer: C

CGEIT Certified in the Governance of Enterprise IT – Question046

An enterprise has decided to implement an enterprise resource planning (ERP) system to achieve operating and cost efficiencies through global IT standardization. The business units are resistant because they are used to operating autonomously. The CEO has instructed the CIO to move quickly with the implementation to force acceptance with business unit leaders. Which of the following should be the CIO's FIRST step?

A. Request funding from the CEO to hire ERP consultants.
B. Ask the CEO to be the sponsor of the program.
C. Engage a reluctant business unit to conduct a proof-of-concept pilot.
D. Build a governance framework for identifying non-standard processes.

Correct Answer: D

CGEIT Certified in the Governance of Enterprise IT – Question045

A business case indicates an enterprise would reduce costs by implementing a bring your own device (BYOD) program allowing employees to use personal devices for e-mail. Which of the following should be the FIRST governance action?

A. Assess the enterprise architecture (EA).
B. Update the BYOD policy.
C. Update the network infrastructure.
D. Assess the BYOD risk.

Correct Answer: A

CGEIT Certified in the Governance of Enterprise IT – Question044

The IT function received only 50% of the requested funding to support the IT strategy for new business initiatives. Which of the following is the CIO's MOST important course of action before considering alternative resource options?

A. Prioritize the portfolio.
B. Terminate less visible maintenance projects.
C. Develop a new balanced scorecard.
D. Conduct a cost-benefit analysis.

CGEIT Certified in the Governance of Enterprise IT – Question043

Senior management has made a decision to automate a number of key controls due to concerns that current IT risk controls are overly cumbersome and adversely impacting IT agility. Which of the following should be required FIRST to facilitate this process?

A. Control gap analysis
B. Control self-assessments
C. Controls optimization
D. Cost-benefit analysis

Correct Answer: D

CGEIT Certified in the Governance of Enterprise IT – Question042

An enterprise has decided to create its first mobile application. The IT director is concerned about the potential impact of this initiative. Which of the following is the MOST important input for managing the risk associated with this initiative?

A. Business requirements
B. IT risk scorecard
C. Enterprise risk appetite
D. Enterprise architecture (EA)

Correct Answer: A