The board and senior management of a new enterprise recently met to formalize an IT governance framework. The board of directors' FIRST step in implementing IT governance is to ensure that:
A. an IT balanced scorecard is implemented.
B. a portfolio of IT-enabled investments is developed.
C. IT roles and responsibilities are established.
D. IT policies and procedures are defined.
An enterprise has identified potential environmental disasters that could occur in the area where its data center is located. Which of the following should be done NEXT?
A. Implement an early warning detection and notification system.
B. Assess the likelihood and impact on the data center.
C. Relocate the data center to minimize the threat.
D. Assess how the data center is protected against the threat.
The responsibility for the development of a business continuity plan (BCP) is BEST assigned to the:
A. business risk manager.
B. business owner.
C. chief executive officer (CEO).
D. IT systems owner.
To develop appropriate measures to improve organizational performance, the measures MUST be:
A. a result of benchmarking and comparative analysis.
B. accepted by and meaningful to the stakeholders.
C. based on existing and validated data sources.
D. approved by the IT steering committee.
Which of the following provides the MOST comprehensive insight into the effectiveness of IT?
A. IT balanced scorecard
B. IT strategy
C. Return on investment (ROI)
D. Key risk indicators (KRIs)
A multinational enterprise recently purchased a large company located in a different country. When introducing the concept of governance to the new acquisition, it is MOST important that executive management recognize:
A. language differences.
B. the use of international standards.
C. the impact of cultural changes.
D. globally recognized good practices.
The IT program manager does not see the value of conducting risk assessments for a new major IT project. The manager is reluctant to cooperate with internal auditors and the newly formed steering committee. Midway through the project, program requirements were changed because the CEO is a friend of a vendor and wants to implement this vendor's new technology. This decision will cause the current IT program budget to be insufficient and will be shown as overspending. After the requirement change request, the IT program manager should FIRST:
A. obtain confirmation from the business and a decision by the steering committee.
B. request additional funding from the business owner to cover the additional scope.
C. report the matter to internal audit as a program deviation to be reviewed.
D. align IT with the business and agree to the business request.
Acceptance of an enterprise's newly implemented IT governance initiatives has been resisted by a functional group requesting more autonomy over technology choices. Which of the following is MOST important to accommodate this need for autonomy?
A. Continuous improvement processes
B. Documentation of key management practices
C. An exception management process
D. A change control process
Which of the following is the MOST important characteristic of a well-defined information architecture?
A. It addresses key stakeholder requirements.
B. It ensures compliance with regulations.
C. It enables achievement of service level agreements (SLAs).
D. It supports IT strategic goals.
Which of the following should be the MAIN reason for an enterprise to implement an IT risk management framework?
A. The need to enable IT risk-aware decisions by executives
B. The results of an external audit report concerning IT risk management processes
C. The need to address market regulations and internal compliance in IT risk
D. The ability to benchmark IT risk policies against major competitors