CCNA IT Governance Mgmt Questions

75 of 111 questions · Page 1/2 · IT Governance Mgmt topic · Answers revealed

1
MCQ · hard

An IS auditor is reviewing the balanced scorecard for IT. Which of the following metrics BEST aligns with the 'customer perspective'?

A. Average system uptime for critical applications
B. Percentage of IT projects under budget
C. Number of change requests completed on time
D. Percentage of staff with ITIL certification
Answer: A

Uptime reflects customer-facing service levels.

Why this answer

Option A is correct because system uptime directly measures service delivery to customers. Option B (projects under budget) aligns with the financial perspective. Option C (change requests completed on time) aligns with internal processes. Option D (staff certification) aligns with learning and growth.

2
MCQ · hard

A multinational manufacturing company with operations in 20 countries has historically allowed each regional division to manage its own IT systems independently. Recently, the company experienced a significant data breach originating from a region with weaker security controls, leading to financial losses and reputational damage. The board has mandated stronger IT governance to prevent future incidents. The CIO proposes implementing a global IT governance framework with centralized policy enforcement. However, regional directors argue that local regulations and business needs require autonomy. The governance committee must decide on a course of action that balances risk and business flexibility. Which of the following approaches is the MOST appropriate?

A. Adopt a federated governance model with global policies and local flexibility within defined tolerances.
B. Allow each region to continue independently but require quarterly reporting to the committee.
C. Implement a fully centralized IT governance model with no regional deviations.
D. Maintain the status quo but enforce minimum security standards across all regions.
Answer: A

Federated governance balances consistency with local adaptation.

Why this answer

Option A is correct because a federated model keeps governance consistent at the top while permitting regional adaptations within defined boundaries, balancing control and flexibility. Option C is wrong because a fully centralized model may ignore local constraints and hinder the business. Option B is wrong because the committee should not delegate governance entirely to the regions; the board expects governance. Option D is wrong because minimum standards are insufficient; a stronger framework is needed after a breach.

3
MCQ · medium

A company has multiple business units with conflicting IT priorities. Which governance body should resolve this?

A. IT steering committee
B. Board of directors
C. IT management
D. Audit committee
Answer: A

This committee is designed to align and prioritize IT investments.

Why this answer

An IT steering committee, comprising business and IT leadership, is responsible for prioritizing IT initiatives and resolving conflicts between business units. IT management may lack the authority to arbitrate; the board and the audit committee have broader oversight roles.

4
Multi-Select · easy

Which TWO of the following are common objectives of an IT balanced scorecard? (Choose two.)

Select 2 answers
A. Deploying a new ERP system
B. Reducing the number of help desk tickets
C. Enhancing IT staff skills and knowledge
D. Implementing a new firewall
E. Improving customer satisfaction with IT services
Answers: C, E

Learning and growth perspective.

Why this answer

Correct answers: C and E. The balanced scorecard typically includes customer, financial, internal process, and learning/growth perspectives; enhancing staff skills (C) belongs to learning and growth, and customer satisfaction (E) to the customer perspective. Option B (reducing help desk tickets) is a metric, not an objective. Option A (deploying an ERP system) is an operational project. Option D (implementing a firewall) is security-specific.

5
MCQ · medium

A large enterprise recently experienced a data breach due to an insider threat. The IT governance committee is reviewing the incident and considering measures to prevent recurrence. Which of the following is the BEST course of action to address the root cause?

A. Implement a privileged access management (PAM) solution to control and monitor elevated access.
B. Increase logging and auditing of all user activities.
C. Deploy a security information and event management (SIEM) tool.
D. Terminate the employment of the insider who caused the breach.
Answer: A

PAM directly prevents and controls unauthorized privileged access, addressing the root cause.

Why this answer

A privileged access management (PAM) solution directly addresses the root cause of an insider threat by controlling, monitoring, and auditing elevated access rights. Since the breach was caused by an insider, limiting and tracking privileged accounts prevents unauthorized or excessive use of administrative credentials, which is the most effective preventive measure against recurrence.

Exam trap

The trap here is that candidates often confuse detective controls (logging, SIEM) with preventive controls (PAM), or they mistakenly view termination as a root-cause fix rather than a reactive measure, failing to recognize that the root cause is the lack of access governance.

How to eliminate wrong answers

Option B is wrong because increasing logging and auditing of all user activities is a detective control, not a preventive one; it helps identify breaches after they occur but does not stop an insider from abusing elevated access. Option C is wrong because deploying a SIEM tool aggregates and correlates logs for detection and analysis, but it does not prevent an insider from using privileged access to cause a breach. Option D is wrong because terminating the insider is a reactive disciplinary action that addresses the specific individual but does not fix the underlying lack of access controls, leaving the enterprise vulnerable to future insider threats.

6
Multi-Select · medium

Which TWO of the following are key components of an IT governance framework?

Select 2 answers
A. Resource management
B. Strategic alignment
C. Performance measurement
D. Risk management
E. Value delivery
Answers: B, E

Strategic alignment ensures IT goals are in line with business goals, a core governance component.

Why this answer

Strategic alignment (B) is a key component of an IT governance framework because it ensures that IT strategies, investments, and operations are directly linked to business goals and objectives. This alignment is achieved through mechanisms such as balanced scorecards, IT steering committees, and portfolio management, which translate business strategy into IT priorities. Without strategic alignment, IT may operate in a silo, leading to wasted resources and missed opportunities for business value.

Exam trap

The trap here is that candidates often confuse the five focus areas of COBIT (strategic alignment, value delivery, risk management, resource management, performance measurement) with the two core components of an IT governance framework, leading them to select all five or pick risk management as a core component.

7
Multi-Select · easy

Which TWO of the following are key components of an IT governance framework? (Choose two.)

Select 2 answers
A. Network topology diagram
B. Help desk procedures
C. Hardware inventory
D. IT strategy
E. IT steering committee
Answers: D, E

Correct. Defines alignment with business goals.

Why this answer

Options D and E are correct because an IT strategy and an IT steering committee are fundamental governance components. Option C is incorrect as a hardware inventory is operational. Option B is incorrect as help desk procedures are operational. Option A is incorrect as a network topology diagram is technical.

8
Multi-Select · medium

An organization is implementing COBIT 2019. Which TWO of the following are governance enablers? (Choose two.)

Select 2 answers
A. Hardware configuration
B. Project schedule
C. Organizational structures
D. Network performance
E. Culture, ethics and behavior
Answers: C, E

Correct. A COBIT enabler for governance.

Why this answer

Options C and E are correct because organizational structures and culture, ethics, and behavior are COBIT enablers. Option A is incorrect as hardware configuration is an implementation detail. Option B is incorrect as a project schedule is a project management artifact. Option D is incorrect as network performance is operational.

9
MCQ · medium

A financial institution is evaluating its IT governance structure. Which of the following roles is BEST suited to ensure independent oversight of IT investments?

A. Chief Information Officer (CIO)
B. Project Management Office (PMO) director
C. IT Audit Committee
D. Chief Information Security Officer (CISO)
Answer: C

An independent audit committee provides objective oversight.

Why this answer

The IT Audit Committee is the correct answer because it provides independent oversight of IT investments by operating outside of management's direct reporting structure. Unlike the CIO, PMO director, or CISO, who are all part of management and may have vested interests in project approvals or resource allocation, the IT Audit Committee reports to the board of directors and ensures that IT investments align with enterprise strategy, risk appetite, and regulatory requirements without bias.

Exam trap

The trap here is that candidates often confuse operational management roles (CIO, PMO director, CISO) with governance roles, mistakenly believing that a senior IT manager can provide independent oversight when they are actually part of the management chain being overseen.

How to eliminate wrong answers

Option A is wrong because the Chief Information Officer (CIO) is a senior management role responsible for the day-to-day operation and strategic planning of IT, which inherently lacks the independence required for oversight of IT investments. Option B is wrong because the Project Management Office (PMO) director is focused on project execution, resource management, and delivery metrics, not on independent governance or strategic alignment of IT investments. Option D is wrong because the Chief Information Security Officer (CISO) is primarily concerned with information security risk management and compliance, not with the broader financial and strategic oversight of IT investments.

10
MCQ · easy

An organization wants to ensure that IT performance is measured against strategic goals. Which tool is BEST suited?

A. Balanced scorecard
B. Pareto chart
C. SWOT analysis
D. Gantt chart
Answer: A

BSC aligns IT metrics with strategic goals.

Why this answer

A balanced scorecard translates strategic goals into performance metrics across financial, customer, internal process, and learning perspectives. Gantt charts, SWOT analysis, and Pareto charts are not designed for this purpose.

11
MCQ · hard

An organization's IT governance committee is reviewing a proposal to use a public cloud provider that does not meet the organization's data encryption standards. The board has set a low risk appetite for data privacy. What is the BEST action?

A. Accept the proposal with additional monitoring
B. Delegate the decision to the security team
C. Accept the proposal but require the provider to sign a waiver
D. Reject the proposal until encryption requirements are met
Answer: D

Correct. The proposal does not align with risk appetite.

Why this answer

Option D is correct because the proposal violates the board's risk appetite, so it should be rejected until the encryption requirements are met. Option A is incorrect because additional monitoring does not address the encryption gap. Option C is incorrect because a waiver does not reduce the risk. Option B is incorrect because the committee should not delegate a decision that contradicts the risk appetite.

12
MCQ · hard

An auditor finds that access reviews have not been completed for two quarters. What is the MOST significant risk?

A. Data integrity may be compromised
B. Unauthorized access may be granted and persist
C. System performance may degrade
D. Audit findings may be reported to management
Answer: B

Correct. Incomplete reviews allow inappropriate access to continue.

Why this answer

Option B is correct because without regular reviews, unauthorized or inappropriate access may go undetected and persist, increasing the risk of data breaches. Option D is incorrect because while audit findings will be reported, that is a consequence, not the primary risk. Option C is incorrect as system performance is unrelated. Option A is incorrect because data integrity may be at risk, but that is less direct than unauthorized access.

13
Multi-Select · hard

Which THREE of the following are components of the COBIT 2019 governance system?

Select 3 answers
A. Organizational structures
B. Information items
C. Processes
D. Service desk
E. Project management office
Answers: A, B, C

Organizational structures are a governance component.

Why this answer

Options A, B, and C are correct because COBIT 2019 defines governance components that include processes, organizational structures, and information items. Option D (service desk) is an operational function, not a governance component. Option E (project management office) is a management structure, not a governance component as defined in COBIT 2019.

14
MCQ · medium

A large financial institution is evaluating the effectiveness of its IT governance framework. The board has requested a review to ensure alignment with business objectives and regulatory requirements. Which of the following is the MOST important factor for the board to consider when assessing the IT governance framework?

A. The framework is integrated with enterprise governance and supports strategic objectives.
B. The framework includes a detailed incident response plan.
C. The framework focuses on achieving high technical efficiency.
D. The framework minimizes overall IT costs.
Answer: A

Integration with enterprise governance ensures IT supports business goals and regulatory compliance.

Why this answer

Option A is correct because a well-defined IT governance framework must integrate with enterprise governance to ensure alignment with business objectives and regulatory requirements. Option D is wrong because focusing solely on cost reduction may conflict with strategic priorities. Option B is wrong because incident response is operational, not governance-level. Option C is wrong because technical efficiency is a management concern, not board-level governance.

15
MCQ · easy

Refer to the exhibit. Based on the governance status report, which component should be addressed as a priority?

A. Strategy Alignment
B. Performance Measurement
C. Resource Optimization
D. Risk Management
Answer: C

Red status requires urgent action.

Why this answer

Resource Optimization has a Red status, indicating critical risk or non-compliance, requiring immediate attention. Green and Yellow components are less urgent.

16
MCQ · easy

A healthcare organization must comply with HIPAA regulations regarding patient data privacy. The IT department has implemented technical controls, but the compliance officer discovers that some employees are sharing passwords. What is the BEST governance response?

A. Implement multi-factor authentication to prevent password sharing.
B. Enforce the existing policy through disciplinary actions and additional training.
C. Report the incident to the regulatory authority as a data breach.
D. Revise the password policy to require more complex passwords.
Answer: B

Enforcement and training are key governance controls.

Why this answer

Option B is correct because enforcing the existing policy through disciplinary action and training addresses the root cause. Option A is wrong because over-reliance on technical controls may not prevent deliberate sharing. Option D is wrong because revising the password policy alone may not change behavior. Option C is wrong because reporting to the regulator is premature.

17
MCQ · easy

A medium-sized manufacturing company has recently deployed an ERP system to integrate its financial, supply chain, and HR processes. The IT department is small (5 staff) and reports to the CFO. The company has no formal IT governance committee; IT decisions are made by the CFO and CEO informally. During a recent audit, it was found that several critical security patches for the ERP system have not been applied, and there are no documented procedures for change management. The IT manager states that patches are applied when time permits, and changes are discussed via email. The CFO argues that the ERP is running fine and the audit findings are low risk. The IS auditor needs to recommend a course of action to improve IT governance. Which of the following is the MOST appropriate initial step?

A. Elevate the issue to the board of directors with a recommendation to outsource IT management
B. Recommend the formation of an IT steering committee comprising key business stakeholders to oversee IT strategy, risk, and resource allocation
C. Develop a comprehensive patch management policy and present it to the CFO for approval
D. Insist that the IT manager immediately apply all missing patches within one week
Answer: B

Correct. This addresses the root cause of lack of governance and oversight.

Why this answer

Option B is correct because the fundamental issue is the lack of a governance structure; establishing an IT steering committee with business representation ensures that IT decisions are aligned with business needs and that risks are properly evaluated. Insisting on immediate patching (D) is premature because without governance there is no process to prioritize patches. A patch management policy alone (C) is too narrow; it addresses only patches, not the underlying governance gap. Escalating to the board with an outsourcing recommendation (A) is incorrect because pushing the auditor's own opinion may create conflict and does not establish a sustainable governance process.

18
Matching · medium

Match each COBIT 5 domain to its description.

Concepts

Evaluate, Direct, and Monitor

Align, Plan, and Organize

Build, Acquire, and Implement

Deliver, Service, and Support

Monitor, Evaluate, and Assess

Why these pairings

COBIT 5 process domains are key for IT governance.

19
MCQ · medium

An organization's IT governance framework includes a policy that all system access must be reviewed quarterly. The internal audit finds that reviews are incomplete. What is the BEST action?

A. Implement an automated access review tool
B. Reinforce accountability with managers
C. Disable all non-compliant accounts
D. Update the policy to require monthly reviews
Answer: B

Correct. Holding managers responsible ensures reviews are completed.

Why this answer

Option B is correct because reinforcing accountability with managers directly addresses the root cause of incomplete reviews. Option D is incorrect because increasing the review frequency does not solve the underlying issue. Option A is incorrect because automation may help, but it is a longer-term solution. Option C is incorrect because disabling accounts may disrupt business operations without fixing the process.

20
MCQ · medium

A business continuity plan (BCP) includes a tabletop exercise once a year. An IS auditor finds that the exercise only involves IT staff. Which of the following is the BEST recommendation?

A. Perform a failover test of the production environment
B. Increase the frequency of IT-only exercises
C. Invite business process owners to participate in future exercises
D. Include a data restoration test in the exercise
Answer: C

Business involvement is key for BCP effectiveness.

Why this answer

Option C is correct because exercises should include business process owners to validate an integrated response. Option B (more IT-only exercises) is too narrow. Option D focuses on data restoration, not participation. Option A (a failover test) tests technical skills but not coordination.

21
MCQ · medium

Based on the exhibit, what is the MOST likely security risk?

A. The web server is fully protected
B. Traffic to port 80 is not encrypted
C. Unrestricted traffic is allowed after the specific deny
D. The host 192.168.1.100 is exposed to denial-of-service attacks
Answer: C

The 'permit ip any any' allows all traffic, making the deny ineffective.

Why this answer

Option C is correct because the 'permit ip any any' at the end allows all traffic not already matched, bypassing the earlier specific deny. Option A is not correct because the deny line blocks only the traffic it names, while the trailing 'permit ip any any' lets everything else through, so the web server is not fully protected. Option B is not directly indicated by the exhibit. Option D is a risk but less direct than the rule-order issue.

22
MCQ · hard

Scenario: A mid-sized manufacturing company has recently experienced a significant IT outage that halted production for 8 hours. The root cause was a failed firmware update on a core switch that was performed outside the change management process by a senior network engineer who claimed the update was urgent to patch a critical vulnerability. The company has a well-documented change management policy that requires all changes to be reviewed by the change advisory board (CAB) before implementation, except for emergency changes which require post-implementation review within 48 hours. The engineer did not follow the emergency change process; he implemented the update directly. The IT director wants to prevent such incidents in the future. Which of the following is the BEST action?

A. Implement automatic firmware updates to eliminate human error.
B. Increase the frequency of CAB meetings to weekly to expedite change approvals.
C. Enforce the change management policy by implementing stricter controls and disciplinary measures for non-compliance.
D. Remove the network engineer's administrative access to all network devices.
Answer: C

Enforcing existing policy with consequences ensures adherence.

Why this answer

Option C is correct because the root cause was a deliberate bypass of the existing change management policy, not a flaw in the policy itself. Enforcing stricter controls and disciplinary measures directly addresses the human factor by reinforcing accountability and deterring unauthorized changes, which is the most effective way to prevent recurrence when a well-documented process is already in place but ignored.

Exam trap

The trap here is that candidates often choose technical controls (like automatic updates or removing access) instead of recognizing that the fundamental issue is a governance failure—the policy exists but was not enforced, so the best action is to strengthen enforcement and accountability, not to add or remove technical capabilities.

How to eliminate wrong answers

Option A is wrong because implementing automatic firmware updates would remove human oversight entirely, potentially causing widespread outages if a faulty update is pushed without testing or CAB review, and it does not address the policy violation. Option B is wrong because increasing CAB meeting frequency does not solve the core issue of an engineer bypassing the process; the emergency change process already exists for urgent patches, so the problem is non-compliance, not approval speed. Option D is wrong because removing the network engineer's administrative access is an overly punitive and impractical measure that could hinder legitimate emergency responses; it does not enforce the existing change management process and may violate the principle of least privilege by eliminating necessary access for a qualified engineer.

23
MCQ · medium

An IT governance framework has been implemented, but the board is not receiving regular reports on IT performance. Which of the following is the BEST course of action?

A. Conduct an IT risk assessment to identify critical areas.
B. Develop a dashboard that presents key IT metrics to the board.
C. Implement an IT balanced scorecard that aligns with corporate strategy.
D. Assign a chief information officer (CIO) to report directly to the board.
Answer: B

A dashboard facilitates regular reporting and board oversight.

Why this answer

Option B is correct because a dashboard provides a concise, regular view of key metrics for the board. Option D (a CIO reporting directly to the board) may help but does not directly address regular reporting. Option C is a broader initiative. Option A focuses on risk, not reporting.

24
MCQ · easy

An organization has implemented a balanced scorecard (BSC) for IT performance measurement. Which of the following is the PRIMARY benefit of using a BSC?

A. It simplifies the IT budgeting process.
B. It ensures IT metrics are aligned with business strategy.
C. It automates data collection for IT metrics.
D. It provides a single financial metric for IT performance.
Answer: B

BSC translates strategy into operational metrics.

Why this answer

Option B is correct because the balanced scorecard aligns IT metrics with business strategy across multiple perspectives. Option D is incorrect because the BSC includes non-financial metrics rather than a single financial one. Option A is not the primary benefit; the BSC does not simplify budgeting. Option C is not correct; data collection is not automated by the BSC.

25
Multi-Select · medium

Which TWO of the following are key components of an IT governance framework? (Choose two.)

Select 2 answers
A. Configuration management database
B. Performance measurement
C. Vulnerability assessment results
D. Strategic alignment of IT with business
E. Firewall rules
Answers: B, D

Measuring IT performance is essential for governance.

Why this answer

Correct answers: B and D. Both are core governance elements. Option A (a configuration management database) is operational, not governance. Option E (firewall rules) is a specific control. Option C (vulnerability assessment results) belongs to risk management, which is part of governance but is not a framework component itself; frameworks include processes such as risk management.

26
MCQ · hard

A company is implementing IT governance based on COBIT 2019. Which of the following design factors would have the GREATEST impact on the governance system design?

A. The IT infrastructure complexity.
B. The size of the organization.
C. The number of IT staff.
D. The industry and regulatory environment.
Answer: D

Industry and regulations impose compliance requirements that shape governance.

Why this answer

Option D is correct because, according to COBIT 2019, enterprise strategy and the regulatory environment are key design factors that drive governance requirements. Option B (size of the organization) is a design factor but less impactful than the industry and regulatory environment. Options A and C are operational details.

27
Multi-Select · hard

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

Select 3 answers
A. Implementing IT security controls
B. Approving the IT strategy
C. Reviewing and approving IT policies
D. Monitoring daily IT operations
E. Ensuring that IT risks are managed within acceptable levels
Answers: B, C, E

Board approves strategic direction.

Why this answer

Correct answers: B, C, E. The board is responsible for strategy oversight, risk acceptance, and policy approval. Option A (implementing security controls) is a management duty. Option D (monitoring daily operations) is operational.

28
Multi-Select · hard

A large enterprise is assessing its IT governance maturity. Which THREE of the following are indicators of a mature governance process? (Select exactly three.)

Select 3 answers
A. IT decisions are made in silos
B. IT budget is allocated based on historical spending
C. There is a formal IT governance committee
D. IT performance metrics are linked to business outcomes
E. IT strategy is reviewed quarterly by the board
Answers: C, D, E

Formal committee is a hallmark of maturity.

Why this answer

Mature governance involves board-level review of IT strategy, linking IT metrics to business outcomes, and having a formal governance committee. Decisions in silos and historical budget allocation are signs of low maturity.

29
Multi-Select · easy

An IT governance framework should include which TWO key components? (Select exactly two.)

Select 2 answers
A. User training
B. Vendor lock-in
C. Strategic alignment
D. Network firewall rules
E. Performance measurement
Answers: C, E

Aligns IT with business objectives.

Why this answer

Strategic alignment ensures IT supports business goals; performance measurement tracks achievement. Network firewall rules, user training, and vendor lock-in are operational or tactical, not core governance components.

30
MCQ · easy

An organization has a policy requiring all employees to complete annual information security awareness training. Which of the following is the BEST way to verify compliance with this policy?

A. Conduct phishing simulation tests
B. Survey employees about their satisfaction with training
C. Interview HR about training content
D. Review training completion records from the learning management system
Answer: D

Records provide direct evidence of completion.

Why this answer

Option D is correct because reviewing training completion records directly confirms compliance. Option C (interviewing HR about training content) only establishes what the training covers, not whether employees completed it. Option A (phishing simulations) tests knowledge but not compliance. Option B measures satisfaction, not completion.

31
Multi-Select · easy

Which TWO of the following are benefits of implementing an IT governance framework?

Select 2 answers
A. Improved risk management and mitigation
B. Reduction in IT staff headcount
C. Enhanced regulatory compliance
D. Reduced IT operational costs
E. Elimination of all IT project failures
Answers: A, C

Frameworks like COBIT emphasize risk management.

Why this answer

Implementing an IT governance framework, such as COBIT or ISO/IEC 38500, establishes structured policies, procedures, and controls that directly improve risk management and mitigation. By defining clear roles, accountability, and risk appetite, the framework ensures that risks are systematically identified, assessed, and treated, rather than being managed ad hoc. This aligns IT strategy with business objectives and embeds risk management into daily operations.

Exam trap

The trap here is that candidates often confuse the benefits of an IT governance framework with operational cost-cutting or headcount reduction, when in fact the framework's core value is in aligning IT with business goals, improving risk management, and ensuring compliance, not in directly reducing expenses or eliminating failures.

32
MCQ · easy

A company is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?

A. Simplifies IT architecture
B. Improves IT staff morale
C. Ensures IT investments support business objectives
D. Reduces IT costs
Answer: C

This is the core purpose of alignment: IT enables business goals.

Why this answer

Aligning IT strategy with business strategy ensures that IT investments support business objectives, delivering value and reducing waste. Reducing costs, improving morale, or simplifying architecture are secondary benefits.

33
Multi-Select · medium

Which TWO of the following are recommended practices for aligning IT strategy with business goals, according to COBIT 2019?

Select 2 answers
A. Implementing a continuous monitoring system for IT operational metrics
B. Conducting monthly IT steering committee meetings to review project status
C. Adopting a governance framework that covers all IT-related activities and stakeholder needs
D. Defining IT investment portfolios based on business value contribution
E. Using agile development methodologies for all IT projects
Answers: C, D

Correct. A holistic governance framework like COBIT 2019 ensures alignment.

Why this answer

Option C is correct because COBIT 2019 explicitly requires a governance framework that covers all IT-related activities and stakeholder needs to ensure alignment with business goals. This framework integrates enterprise governance principles, such as the Governance System and Governance Framework components, to bridge IT and business strategy through policies, structures, and processes.

Exam trap

The trap here is that candidates confuse operational or tactical activities (like monitoring metrics or project reviews) with strategic governance practices, which COBIT 2019 defines as framework-level alignment, not day-to-day management tasks.

34
MCQ · easy

An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of aligning IT strategy with business strategy?

A. Increased technical efficiency
B. Improved resource allocation
C. Reduced IT costs
D. Enhanced security posture
Answer: B

Correct. Alignment ensures IT resources are focused on business priorities.

Why this answer

Option B is correct because aligning IT strategy with business strategy ensures that IT investments and initiatives directly support business goals, improving resource allocation and value delivery. Option C is incorrect because cost reduction is a possible outcome but not the primary benefit. Option A is incorrect because technical efficiency is an operational concern.

Option D is incorrect because security posture is one aspect but not the primary benefit.

35
MCQeasy

Based on the exhibit, what is the default retention period for data?

A.365 days
B.30 days for Legal role only
C.The policy does not specify a default period
D.30 days
AnswerA

Correct. The default retention period is 365 days.

Why this answer

Option A is correct because the JSON clearly shows 'retentionPeriodDays': 365. Option D is incorrect; 30 days is the extension for the Legal role, not the default. Option B is incorrect because the 30-day extension applies only to the Legal role and is not the default period.

Option C is incorrect because the policy explicitly specifies the default period.

36
MCQmedium

A company plans to outsource its data center operations to a cloud service provider. What is the MOST important governance consideration for the board before finalizing the contract?

A.Select a provider with the lowest cost per transaction.
B.Negotiate the transfer of existing IT staff to the provider.
C.Ensure the contract includes clauses for regulatory compliance and audit rights.
D.Define a detailed exit strategy for transitioning to another provider.
AnswerC

Compliance and audit rights are critical for governance and oversight.

Why this answer

Option C is correct because the board must ensure regulatory compliance (e.g., data residency, security standards) is contractually enforced. Option A is wrong because, while cost is important, it is an operational consideration. Option B is wrong because the transfer of staff is an HR concern.

Option D is wrong because an exit strategy is detailed but not the most critical consideration for the board.

37
MCQhard

What is the MOST significant weakness in the planned remediation?

A.The remediation only addresses a subset of projects.
B.The remediation may not eliminate the segregation of duties issue.
C.The remediation relies on technology rather than process.
D.The remediation does not include a compensating control.
AnswerB

An automated tool does not prevent the same developer from performing both coding and review if they run the tool.

Why this answer

Option B is correct because an automated code review tool may still be run by the same developer, so it does not ensure segregation of duties. The remediation does not address the root cause: the same person performing both tasks. Option A (only addresses a subset) is not the most significant weakness; the tool could be applied to all projects.

Option C (technology vs. process) is valid but secondary. Option D (no compensating control) is related but not as direct.

38
MCQhard

Based on the exhibit, which control deficiency is most critical for the IS auditor to address?

A.SSH is configured to allow root login
B.The admin user logged in successfully with a password
C.Public key authentication is not being used
D.The system lacks a policy to lock accounts after repeated failed login attempts
AnswerD

Correct. Multiple failed attempts for root from the same IP indicate a brute-force attack, and no lockout is evident.

Why this answer

Option D is the most critical deficiency because without an account lockout policy, the system is vulnerable to brute-force password guessing attacks. Even if other controls like SSH key authentication are missing, a lockout policy is a fundamental defense that directly mitigates repeated login attempts, which is a primary attack vector for gaining unauthorized access.

Exam trap

The trap here is that candidates often focus on technical misconfigurations like root login or missing public key authentication, overlooking the foundational security control of account lockout, which is a direct defense against brute-force attacks and is frequently tested as a critical deficiency in CISA exams.

How to eliminate wrong answers

Option A is wrong because while allowing root login via SSH is a security risk, it is less critical than the absence of a lockout policy; root login can be mitigated with other controls like key-based authentication and sudo restrictions. Option B is wrong because a successful password login by the admin user is expected behavior and not a control deficiency; the issue is the lack of stronger authentication methods, not the act of logging in. Option C is wrong because although public key authentication is more secure than password authentication, its absence is a weakness but not as immediately critical as the lack of a lockout policy, which leaves the system exposed to brute-force attacks regardless of authentication method.

39
MCQhard

A multinational corporation is implementing a global IT governance framework. Which of the following challenges is MOST likely to arise?

A.Conflicting regulatory requirements
B.Standardizing hardware across regions
C.Training users on new procedures
D.Software licensing costs
AnswerA

Correct. Different legal environments require careful navigation.

Why this answer

Option A is correct because conflicting regulatory requirements across countries create the most significant challenge for a global framework. Options B, C, and D are all potential issues but are typically easier to manage than legal compliance.

40
MCQeasy

Based on the log, what is the MOST likely root cause of the backup failure?

A.Network connectivity issues
B.Incorrect backup schedule
C.Backup software corruption
D.Insufficient storage capacity
AnswerD

The target directory is full, causing the failure.

Why this answer

Option D is correct because the log clearly indicates the target directory is full. Options A, B, and C are not indicated in the log.

41
MCQeasy

A medium-sized e-commerce company recently suffered a ransomware attack that encrypted critical databases. The IT team restored systems from backups, but the incident exposed a lack of clear roles and responsibilities for incident response. The board has asked the IT governance committee to review and improve the incident response governance. The committee notes that while there is an incident response policy, it is not regularly tested, and staff are unsure of their roles. The company also lacks a formal communication protocol for notifying stakeholders. What should the committee prioritize to strengthen governance over incident response?

A.Invest in advanced endpoint detection and response tools.
B.Outsource incident response to a managed security service provider.
C.Define and communicate clear roles and responsibilities for incident response, and establish accountability.
D.Conduct a tabletop exercise to test the current plan.
AnswerC

Clear governance structure is foundational.

Why this answer

Option C is correct because a governance framework must include clear roles, responsibilities, and accountability; their absence is the root cause. Option A is wrong because technology alone does not fix governance gaps. Option D is wrong because, while testing is valuable, it should follow role definition.

Option B is wrong because outsourcing does not address internal governance deficiencies.

42
MCQhard

A multinational corporation is evaluating its IT governance structure. The board wants to ensure that IT investments are prioritized based on risk and value. Which framework component is MOST critical?

A.Service level agreements
B.Balanced scorecard
C.IT steering committee
D.Portfolio management process
AnswerD

This process evaluates and ranks investments by risk and value.

Why this answer

A portfolio management process systematically evaluates and prioritizes investments based on risk and value, aligning with board objectives. The steering committee provides oversight, but portfolio management is the mechanism for prioritization.

43
MCQeasy

A mid-sized company is implementing a new IT service management (ITSM) tool to improve incident management. The IT manager wants to ensure that the tool aligns with ITIL best practices. The company has a dedicated service desk team that handles about 200 incidents per week. The IT manager is considering whether to implement a self-service portal for users to submit incidents and check status, or to continue using email-based incident reporting. The service desk team is concerned that a self-service portal might reduce their direct interaction with users and potentially lead to less personalized support. However, the IT manager believes that a portal could improve efficiency and tracking. The company's IT governance framework requires that any major IT investment be approved by the steering committee and that there be a clear business case. The IT manager has prepared a business case but the steering committee wants to ensure that the solution is aligned with ITIL and that it addresses key incident management processes. Which of the following is the most appropriate next step for the IT manager?

A.Implement the self-service portal immediately to improve efficiency, then present the business case later.
B.Conduct a process review with stakeholders to define requirements based on ITIL guidelines before selecting a tool.
C.Proceed with the self-service portal without further review because it is clearly beneficial.
D.Abandon the self-service portal idea and continue with email-based reporting.
AnswerB

This ensures alignment with ITIL and addresses concerns through stakeholder involvement.

Why this answer

Option B is correct because ITIL best practices emphasize that process design should precede tool selection. Conducting a process review with stakeholders ensures the self-service portal aligns with defined incident management workflows, such as categorization, prioritization, and escalation, before committing to a specific tool. This step also satisfies the IT governance requirement for a clear business case by validating requirements against ITIL guidelines.

Exam trap

The trap here is that candidates may assume any self-service portal automatically improves efficiency and aligns with ITIL, but CISA tests the principle that process definition must precede tool selection to ensure governance and best practice alignment.

How to eliminate wrong answers

Option A is wrong because implementing the portal immediately without presenting the business case violates the IT governance framework requiring steering committee approval for major IT investments, and it risks deploying a tool that does not align with ITIL-defined incident management processes. Option C is wrong because proceeding without further review ignores the service desk team's concerns about reduced personalization and fails to ensure the portal supports ITIL processes like incident categorization and SLA tracking, which could lead to inefficiencies. Option D is wrong because abandoning the portal idea outright dismisses the potential efficiency gains and tracking improvements that a properly designed self-service portal can provide, and it does not address the need to align with ITIL best practices.

44
MCQhard

A multinational corporation has defined its risk appetite as 'moderate' for IT investments. The IT steering committee is evaluating a new project with potential high returns but also significant cybersecurity risks. The project's risk profile is assessed as 'high' by the risk management team. What should the committee do FIRST?

A.Request the project team to identify risk mitigation measures.
B.Approve the project but increase monitoring.
C.Escalate the decision to the board of directors.
D.Reject the project immediately as it exceeds risk appetite.
AnswerA

First, see if risk can be reduced to align with appetite.

Why this answer

Option A is correct because if the risk exceeds appetite, risk mitigation measures should be explored to bring it to an acceptable level. Option D is wrong because rejecting the project outright without considering mitigation may miss valuable opportunities. Option C is wrong because escalating to the board should come after mitigation options are considered.

Option B is wrong because approving the project as is violates the risk appetite.

45
MCQhard

Refer to the exhibit. Which perspective shows the greatest deviation from target?

A.Customer
B.Learning & Growth
C.Financial
D.Internal Process
AnswerB

20% below target, the largest deviation.

Why this answer

Learning & Growth is 30 hours short of 150 (20% deficit), while Financial is 10% short, Internal Process is 4% short, and Customer exceeds target. Thus, Learning & Growth has the largest negative gap.

46
MCQmedium

Refer to the exhibit. The organization is planning to achieve the target level. What is the MOST appropriate action?

A.Assign a process owner
B.Implement process metrics and statistical controls
C.Conduct awareness training
D.Increase process documentation
AnswerB

Level 4 requires quantitative management.

Why this answer

To move from Level 3 (Established) to Level 4 (Predictable), the process must be measured and controlled using statistical techniques. Implementing metrics and statistical controls directly addresses the gap. Documentation, ownership, and training are earlier-level activities.

47
Drag & Dropmedium

Order the steps for performing a data backup in the correct sequence.


Why this order

Backup process: identify data, choose method, schedule, execute/verify, and store offsite.

48
MCQmedium

Scenario: A healthcare organization is implementing a new electronic health records (EHR) system. The project has been delayed due to scope creep and resource constraints. The project sponsor is pressuring the project manager to accelerate the timeline by skipping user acceptance testing (UAT) and going live immediately. The organization has a governance policy that requires all IT projects to complete UAT before deployment. The project manager is concerned about quality and patient safety. Which of the following is the BEST course of action?

A.Compromise by conducting a limited UAT on only critical functionalities.
B.Resign from the project due to ethical concerns.
C.Accept the sponsor's request and skip UAT to meet the deadline.
D.Adhere to the governance policy and escalate the risk to the steering committee for a decision.
AnswerD

Follows policy and involves proper governance body.

Why this answer

Option D is correct because the governance policy mandates UAT before deployment, and skipping it could compromise patient safety and data integrity in the EHR system. By escalating the risk to the steering committee, the project manager ensures that the decision is made at the appropriate governance level, balancing project pressures with compliance and quality. This approach aligns with the CISA domain of Governance and Management of IT, where adherence to policies and risk escalation are key controls.

Exam trap

The trap here is that candidates may choose a compromise (Option A) thinking it balances speed and quality, but it still violates the governance policy and fails to address the root cause of scope creep and resource constraints through proper escalation.

How to eliminate wrong answers

Option A is wrong because conducting a limited UAT on only critical functionalities still violates the governance policy and may miss integration or workflow defects that affect patient safety across non-critical modules. Option B is wrong because resigning is an extreme measure that abdicates professional responsibility; the project manager should first use escalation channels and governance processes to address the conflict. Option C is wrong because skipping UAT entirely disregards the governance policy and introduces unacceptable risks to patient safety and regulatory compliance, which could lead to severe consequences for the organization.

49
MCQhard

An IT department uses a balanced scorecard (BSC) to measure performance. The financial perspective shows that IT costs are within budget, but customer satisfaction scores are declining. The learning and growth perspective indicates low employee engagement. Which action should the IT governance committee prioritize?

A.Reduce IT costs further to reallocate savings to customer service.
B.Invest in training and development programs for IT staff.
C.Increase the IT budget to hire more staff.
D.Outsource customer-facing IT support to a third party.
AnswerB

Training improves skills and engagement, leading to better customer satisfaction.

Why this answer

Option B is correct because investing in training improves employee engagement (learning & growth), which likely leads to better service and customer satisfaction. Option A is wrong because reducing the budget may worsen customer satisfaction; cost reduction does not address the root cause.

Option D is wrong because outsourcing to external consultants is a temporary fix.

50
MCQhard

An organization's IT strategy is developed by the IT department without input from business stakeholders. Which of the following is the MOST significant risk?

A.Technology may become obsolete quickly.
B.IT projects may exceed budget.
C.IT staff may lack required skills.
D.IT strategy may not support business objectives.
AnswerD

Lack of business input leads to misalignment, the most significant risk.

Why this answer

Option D is correct because without business input, the strategy may not support business objectives, leading to misalignment. Option A is a possible outcome. Options B and C are less directly related.

51
MCQeasy

A medium-sized manufacturing company has a decentralized IT structure where each business unit manages its own IT budget and projects. The CEO is concerned that IT investments are not aligned with corporate strategy and that there is duplication of effort. The IT department lacks a formal project portfolio management process. The company has experienced several project failures due to poor prioritization. The CEO has asked the newly hired IT auditor to recommend an initial step to improve IT governance. The auditor should recommend:

A.Establishing an IT steering committee with representatives from business units and IT
B.Implementing a project portfolio management software tool immediately to track all projects
C.Conducting a security risk assessment of all IT systems
D.Outsourcing IT management to a third-party provider
AnswerA

A steering committee provides strategic direction, prioritization, and governance over IT investments.

Why this answer

Option A is correct because establishing an IT steering committee is a foundational step to provide oversight, prioritize projects, and align IT with business strategy. Option B is premature; a process should be defined, with governance approval, before a tool is selected. Option C addresses security but not overall governance.

Option D is too drastic and does not solve the alignment issue.

52
MCQhard

An organization has implemented a new IT service management (ITSM) tool. The IT manager wants to measure the effectiveness of incident management. Which metric is MOST appropriate?

A.Mean time to resolve (MTTR) incidents
B.Percentage of incidents resolved on first call
C.Number of incidents reported per month
D.Percentage of system uptime
AnswerA

MTTR directly measures how quickly incidents are resolved.

Why this answer

Mean time to resolve (MTTR) is the most appropriate metric for measuring the effectiveness of incident management because it directly reflects how quickly the IT team can restore normal service operation after an incident. In ITIL-based ITSM tools, MTTR tracks the elapsed time from incident logging to resolution, providing a clear indicator of process efficiency and team responsiveness.

Exam trap

The trap here is that candidates often confuse incident management metrics with service desk or availability metrics, picking 'percentage of incidents resolved on first call' because it sounds like a measure of effectiveness, but it actually measures first-contact resolution efficiency, not the end-to-end incident management process.

How to eliminate wrong answers

Option B is wrong because the percentage of incidents resolved on first call measures first-level support efficiency, not the overall effectiveness of the incident management process, which includes escalation and resolution workflows. Option C is wrong because the number of incidents reported per month is a volume metric that indicates incident frequency, not the quality or speed of resolution. Option D is wrong because system uptime is a metric for availability management, not incident management; it measures service reliability rather than how incidents are handled.

53
MCQeasy

An organization is implementing a new IT governance framework. Which of the following is the PRIMARY benefit of using a framework like COBIT?

A.Reducing IT operational costs.
B.Aligning IT strategy with business goals.
C.Eliminating all IT-related risks.
D.Ensuring compliance with all regulatory requirements.
AnswerB

COBIT and similar frameworks focus on creating value by aligning IT with business objectives.

Why this answer

COBIT is designed to bridge the gap between business objectives and IT operations by providing a framework that maps IT processes to business goals. The primary benefit is ensuring that IT strategy directly supports and enables business strategy, rather than focusing on cost reduction or risk elimination.

Exam trap

The trap here is that candidates often confuse the primary benefit of a governance framework (strategic alignment) with secondary benefits like cost reduction or compliance, leading them to pick a plausible but incorrect answer that addresses a tactical outcome rather than the core strategic purpose.

How to eliminate wrong answers

Option A is wrong because reducing IT operational costs is a possible outcome of good governance but not the primary purpose of COBIT; cost reduction is more directly addressed by frameworks like ITIL or specific cost-optimization practices. Option C is wrong because no framework can eliminate all IT-related risks; risk management aims to reduce risk to an acceptable level, not achieve zero risk. Option D is wrong because ensuring compliance with all regulatory requirements is an objective of governance but not the primary benefit of COBIT; compliance is one component of a broader alignment goal, and no framework can guarantee compliance with every regulation.

54
MCQhard

A government agency has an IT governance framework that includes an IT strategy committee, an IT steering committee, and a project management office. Despite this, there is a lack of transparency regarding IT spending and resource allocation. The agency's annual audit found that several IT initiatives were not approved by the steering committee and were funded out of operational budgets. The CFO is frustrated because IT costs are unpredictable. The agency's chief information officer (CIO) reports to the CFO but the IT steering committee is chaired by the CIO. The auditor's best recommendation to improve governance is to:

A.Establish a chargeback system to allocate IT costs to business units
B.Require all IT projects to submit a business case to the steering committee for approval
C.Change the steering committee chair to a senior business executive independent of IT
D.Implement a policy that prohibits funding IT projects from operational budgets without steering committee approval
AnswerC

Independence strengthens oversight and reduces the ability of the CIO to bypass governance.

Why this answer

Option C is correct because having an independent steering committee chair (e.g., a senior business executive) ensures checks and balances and prevents the CIO from bypassing governance. Option B addresses approval but does not fix the conflict of interest. Option D is a policy change that can be ignored without structural change.

Option A focuses on cost allocation but not on the root cause of the governance bypass.

55
MCQhard

You are the IT governance lead at a multinational corporation with a complex IT environment spanning multiple business units. The company has recently experienced a series of minor security incidents where unauthorized access was gained through unused user accounts that were not disabled after employees left the organization. Additionally, there have been delays in provisioning access for new hires, leading to productivity losses. The IT department currently uses a manual process for access management, with each business unit maintaining its own user lists. The company has a policy that requires access reviews every quarter, but these are often missed or performed superficially. The CIO has asked you to recommend a solution that addresses these issues while ensuring compliance with regulations such as GDPR and SOX. Which of the following is the BEST course of action?

A.Require each business unit to submit monthly reports of active users to IT, which will then manually disable accounts not on the list.
B.Develop a new policy that mandates quarterly access reviews and disciplinary action for non-compliance.
C.Increase the frequency of access reviews to monthly and assign a dedicated team to perform them.
D.Implement an identity governance and administration (IGA) tool that automates user provisioning and de-provisioning, integrates with HR systems, and enforces access reviews.
AnswerD

Automation addresses the root causes: timely de-provisioning, consistent reviews, and compliance.

Why this answer

Option D is correct because implementing an Identity Governance and Administration (IGA) tool directly addresses the root causes: manual, decentralized access management and lack of automated de-provisioning. IGA integrates with HR systems (e.g., Workday, SAP SuccessFactors) to trigger automatic account creation for new hires and immediate deactivation upon termination, eliminating orphaned accounts. It also enforces scheduled, auditable access reviews with certification workflows, ensuring compliance with GDPR (right to erasure, data minimization) and SOX (segregation of duties, access controls).

This automated approach resolves both the security incidents from unused accounts and the productivity losses from delayed provisioning.

Exam trap

The trap here is that candidates often choose options that increase manual oversight (like monthly reports or dedicated teams) because they seem practical, but the CISA exam emphasizes automated, integrated solutions (IGA) as the only sustainable way to achieve compliance and security at scale in complex, multi-unit environments.

How to eliminate wrong answers

Option A is wrong because it perpetuates the manual, error-prone process by relying on business units to submit reports and IT to manually disable accounts, which does not scale, introduces latency, and fails to prevent orphaned accounts between reporting cycles. Option B is wrong because developing a new policy without automated enforcement tools does not address the root cause of missed or superficial reviews; it merely adds another layer of documentation that is likely to be ignored without technical controls. Option C is wrong because increasing review frequency and assigning a dedicated team still relies on manual processes, which are costly, prone to human error, and cannot guarantee timely de-provisioning or integration with HR lifecycle events.

56
MCQmedium

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. What is the committee's MOST important role?

A.Approving technical specifications
B.Selecting the vendor
C.Ensuring alignment with business objectives
D.Managing the project budget
AnswerC

Correct. The committee provides strategic oversight.

Why this answer

Option C is correct because the steering committee's primary role is to ensure that the proposed system aligns with business objectives. Option A is incorrect because technical specification approval is typically handled by technical teams. Option D is incorrect because budget management is a project management responsibility.

Option B is incorrect because vendor selection is often a procurement function, though the committee may provide input.

57
Matchingmedium

Match each log type to its typical content.


System and application events

User login attempts and access

Changes to sensitive data

System errors and failures

Why these pairings

Logs are essential for monitoring and forensics.

58
MCQeasy

An IT manager needs to ensure that the organization's IT resources are used efficiently. Which of the following is the BEST metric to measure IT resource utilization?

A.System uptime percentage
B.Average server CPU utilization
C.Number of help desk tickets resolved per day
D.Percentage of projects completed on time
AnswerB

Directly measures how efficiently computing resources are used.

Why this answer

Average server CPU utilization directly measures how much of the computing capacity is being consumed over time, making it the most relevant metric for assessing whether IT resources are being used efficiently. High or low CPU utilization can indicate over-provisioning, under-utilization, or potential performance bottlenecks, enabling the IT manager to optimize resource allocation.

Exam trap

The trap here is that candidates often confuse availability metrics (uptime) with utilization metrics, or they mistakenly equate operational outputs (tickets resolved, project completion) with resource efficiency, leading them to pick a superficially plausible but incorrect answer.

How to eliminate wrong answers

Option A is wrong because system uptime percentage measures availability, not utilization; a server can be up 99.999% of the time but idle, wasting resources. Option C is wrong because the number of help desk tickets resolved per day measures service desk productivity and incident handling efficiency, not the utilization of IT resources like servers or storage. Option D is wrong because the percentage of projects completed on time measures project management performance and schedule adherence, not the operational efficiency of IT resource usage.

59
MCQeasy

An organization has a policy requiring annual information security awareness training for all employees. During a recent audit, it was found that 20% of employees had not completed the training. What is the BEST course of action for the IT governance committee?

A.Reduce the training frequency to biennial.
B.Require managers to ensure their teams complete training and escalate non-compliance to HR.
C.Extend the training deadline by three months.
D.Make the training optional for employees with high performance ratings.
AnswerB

Manager accountability and HR escalation enforce policy.

Why this answer

Option B is correct because enforcing compliance through management and HR reinforces the policy. Option C is wrong because extending the deadline does not address non-compliance. Option A is wrong because reducing training frequency weakens security.

Option D is wrong because training is a mandatory policy, not optional.

60
MCQmedium

A company outsources its data center operations to a third-party provider. Which of the following is the MOST important control to include in the outsourcing contract?

A.Detailed escalation procedures for incidents
B.Service level agreements with financial penalties
C.Requirements for encryption of data at rest
D.Right to audit the provider's facilities and processes
AnswerD

Audit rights enable independent verification of controls.

Why this answer

Option D is correct because the right to audit allows the company to verify the provider's compliance. Option B is important but less critical than audit rights. Option A is operational.

Option C is a security control but not the most important contractual safeguard.

61
Multi-Select · medium

Which TWO of the following are key responsibilities of an IT steering committee?

Select 2 answers
A. Approving the annual IT budget and major capital expenditures
B. Performing daily system monitoring and incident response
C. Defining IT policies and standards
D. Writing application code for new software features
E. Configuring firewall rules and network access controls
Answers: A, C

The steering committee typically approves the IT budget and major expenditures to ensure alignment with business strategy.

Why this answer

The IT steering committee is a senior-level governance body responsible for aligning IT strategy with business objectives. Approving the annual IT budget and major capital expenditures (A) is a core fiduciary duty, ensuring resources are allocated to approved projects and initiatives. Defining IT policies and standards (C) establishes the governance framework for security, compliance, and operational consistency across the enterprise.

Exam trap

The trap here is confusing strategic governance roles (steering committee) with operational or technical roles (system administrators, developers, or network engineers), leading candidates to select hands-on tasks like monitoring, coding, or firewall configuration.

62
MCQ · medium

A financial services company is migrating its core banking system to a public cloud to improve scalability and reduce costs. The project is high-risk due to regulatory compliance requirements (e.g., data residency, audit trails). The IT governance committee has reviewed the project plan and finds that the risk assessment is incomplete – it does not address the potential impact of a cloud provider outage on critical transactions. The committee must approve the project or request changes. The project manager argues that the cloud provider's SLA guarantees 99.99% uptime and that additional controls would delay the project. What should the governance committee do?

A. Reject the project and require the system to remain on-premises.
B. Request a revised risk assessment that includes contingency plans for provider outages.
C. Approve the project based on the provider's strong SLA.
D. Approve a pilot migration for non-critical systems first.
Answer: B

The committee must ensure all risks are identified and mitigated.

Why this answer

Option B is correct because the committee's duty is to ensure risks are adequately addressed; requiring a comprehensive risk assessment with contingency plans for provider outages is necessary before approval. Option A is wrong because rejection is not needed when the gap can be closed by revising the assessment. Option C is wrong because approving on the strength of the SLA bypasses the governance process, and SLAs do not cover all risks (e.g., data residency). Option D is wrong because a pilot does not address the missing assessment.

63
MCQ · hard

Based on the exhibit, which control is most likely missing to prevent this type of event?

A. Applying the latest security patches to the SSH service
B. Implementing account lockout after three failed attempts
C. Disabling direct root login via SSH
D. Enforcing strong password complexity
Answer: B

Account lockout directly mitigates brute-force attacks by blocking further attempts.

Why this answer

The exhibit describes a brute-force attack against an SSH service, where an attacker repeatedly attempts to guess credentials. Implementing account lockout after three failed attempts is the most direct control to prevent this type of event, as it halts further login attempts after a threshold, stopping the attack in its tracks regardless of password strength or patching.

Exam trap

The trap here is that candidates often choose 'Disabling direct root login via SSH' (Option C) because it is a well-known security best practice, but it does not prevent brute-force attacks against other user accounts, whereas account lockout directly stops the attack mechanism.

How to eliminate wrong answers

Option A is wrong because applying the latest security patches to the SSH service addresses vulnerabilities in the SSH protocol or implementation, but does not prevent brute-force attacks that exploit weak or guessed credentials. Option C is wrong because disabling direct root login via SSH reduces the attack surface by requiring a non-root account first, but it does not prevent brute-force attacks against any user account; the attacker can still target other usernames. Option D is wrong because enforcing strong password complexity makes passwords harder to guess, but it does not stop an attacker from making unlimited attempts; a brute-force attack can still succeed over time if no lockout mechanism is in place.

64
MCQ · easy

Based on the exhibit, what is the MOST appropriate action for IT management?

A. Investigate the reasons for the shortfall and implement corrective actions.
B. Ignore the variance as it is within acceptable range.
C. Adjust the target to 80% to match actual performance.
D. Replace the survey with a different measurement tool.
Answer: A

A gap between actual and target should be analyzed and addressed.

Why this answer

Option A is correct because the actual score (82%) is below the target (85%), so IT management should investigate the cause and take corrective action. Option B (ignoring the variance) is not acceptable because the result is below target. Option C (lowering the target) is not appropriate without analysis. Option D (replacing the survey) is premature.

65
MCQ · hard

An organization's IT strategy is not aligned with business strategy due to lack of communication. Which of the following would BEST improve alignment?

A. Business-IT strategy mapping workshops
B. Weekly IT status reports
C. Outsourcing non-core IT functions
D. IT budget increase
Answer: A

Workshops enable joint development of aligned strategies.

Why this answer

Business-IT strategy mapping workshops facilitate direct communication and collaboration, ensuring both sides understand and agree on priorities. Status reports, budget increases, or outsourcing do not address the communication gap.

66
MCQ · hard

A multinational corporation operates in a highly regulated industry. The IT governance framework includes a risk appetite statement approved by the board. Recently, the company suffered a significant data breach due to an unpatched vulnerability that had been identified three months earlier. The IT audit found that the vulnerability was reported to the IT department but was not prioritized for remediation because it was deemed low risk by the IT operations team. The incident response plan was not activated because the breach was not initially detected. The board wants to strengthen governance to prevent recurrence. The most effective course of action for the auditor to recommend is:

A. Deploying an intrusion detection system to identify breaches sooner
B. Establishing a formal vulnerability management policy that requires risk-based prioritization in accordance with the risk appetite and escalation to the IT risk committee for decisions outside tolerance
C. Disciplining the IT operations team for not escalating the vulnerability
D. Implementing a more robust patch management system with automated patching
Answer: B

This embeds risk governance into the vulnerability management process, ensuring alignment with board-approved risk appetite.

Why this answer

Option B is correct because integrating vulnerability management with risk governance ensures that risk decisions are made according to the board-approved risk appetite, not solely by IT operations. Option A addresses incident detection but not the governance gap. Option C is reactive and does not prevent future occurrences. Option D is too narrow; automated patching does not fix the prioritization and escalation failure.

67
MCQ · easy

An IT manager submits a request to change the firewall configuration during business hours. According to best practices for change management, what should be done FIRST?

A. Obtain approval from the change advisory board
B. Notify all users of the planned change
C. Assess the impact and risk of the proposed change
D. Implement the change immediately to address an urgent threat
Answer: C

Risk assessment is required before approval.

Why this answer

Option C is correct because assessing the impact and risk of the change is the initial step. Option A is premature because the change advisory board cannot approve a change whose impact has not been assessed. Option B may be done after the assessment. Option D is not standard practice; an urgent change still goes through an emergency change process rather than being implemented with no assessment.

68
MCQ · medium

An organization's IT department implemented a new change management process that requires all changes to be approved by a change advisory board (CAB). A critical security patch needs to be deployed within 2 hours to address an active zero-day vulnerability. The change request was submitted but the CAB is not scheduled to meet for another 24 hours. What is the BEST course of action?

A. Deploy the patch and inform the CAB after the fact during the next meeting.
B. Wait for the next scheduled CAB meeting to approve the change.
C. Deploy the patch immediately without any approval as it is a critical security fix.
D. Use the emergency change process to obtain expedited approval from a designated CAB member.
Answer: D

An emergency change process allows swift approval for critical patches, balancing security and control.

Why this answer

Option D is correct because it aligns with the ITIL-based emergency change process, which allows for expedited approval from a designated CAB member or emergency authority when a critical security patch must be deployed within hours to mitigate an active zero-day vulnerability. This ensures the change is authorized without waiting for the full CAB meeting, maintaining security while preserving governance and audit trails.

Exam trap

The trap here is that candidates may assume any critical security patch can be deployed immediately without approval (Option C) or that informing the CAB after the fact (Option A) is acceptable, but CISA emphasizes that even emergency changes must follow a defined process with expedited approval to maintain control and accountability.

How to eliminate wrong answers

Option A is wrong because deploying the patch without prior approval violates the change management policy and could lead to unauthorized changes, lack of audit trail, and potential conflicts with other changes. Option B is wrong because waiting 24 hours for the next CAB meeting would leave the system exposed to the active zero-day vulnerability, increasing risk of exploitation. Option C is wrong because deploying without any approval bypasses all governance controls, ignoring the need for documented authorization even for emergency fixes, and could cause operational disruptions without coordination.

69
MCQ · easy

Which of the following is the PRIMARY purpose of an IT governance framework?

A. To ensure IT aligns with and supports business strategy
B. To ensure compliance with laws and regulations
C. To protect IT assets from cyber threats
D. To reduce IT operational costs
Answer: A

Governance frameworks focus on alignment and value delivery.

Why this answer

The primary purpose of an IT governance framework is to ensure that IT investments, strategies, and operations are aligned with and support the overall business strategy, enabling the organization to achieve its goals. This alignment is achieved through mechanisms such as strategic planning, portfolio management, and performance measurement, which are core to frameworks like COBIT 2019. Without this alignment, IT may operate in isolation, leading to wasted resources and missed business opportunities.

Exam trap

The trap here is that candidates often confuse the primary purpose of IT governance with operational or security objectives, such as compliance or cost reduction, because those are more tangible and frequently tested in other domains, but the CISA exam emphasizes that governance is fundamentally about strategic alignment and value delivery.

How to eliminate wrong answers

Option B is wrong because ensuring compliance with laws and regulations is a secondary objective of IT governance, not the primary purpose; compliance is typically addressed through specific controls and policies within the framework, but the framework's overarching goal is strategic alignment. Option C is wrong because protecting IT assets from cyber threats is a function of information security management and risk management, which are components of governance but not its primary purpose; governance focuses on direction and oversight, not operational security. Option D is wrong because reducing IT operational costs is a potential outcome of effective governance, but it is not the primary purpose; cost reduction is a tactical benefit, whereas governance is fundamentally about value creation and strategic alignment.

70
MCQ · medium

Which of the following is a potential risk in this RACI matrix?

A. The IT Director is accountable but not informed of all changes.
B. IT Operations is informed, but should be responsible for implementation.
C. The Business Process Owner is consulted, which may delay approvals.
D. The Change Manager is responsible but lacks authority to approve.
Answer: D

If the Change Manager is responsible but not accountable, they may not have approval authority, leading to bypassed controls.

Why this answer

Option D is correct because the Change Manager is marked as Responsible; the Responsible party performs the work, while approval authority rests with the Accountable party. A Change Manager who is Responsible but not Accountable may therefore lack the authority to approve, creating a risk of unauthorized approvals and bypassed controls. Option A is not a risk because the Accountable party can be informed later. Option B is not a concern because IT Operations is informed appropriately. Option C is fine; consultation is normal.

71
MCQ · easy

Which of the following is the PRIMARY purpose of an IT strategy committee?

A. To monitor IT project timelines
B. To manage IT vendor contracts
C. To approve IT project budgets
D. To ensure IT investments support business objectives
Answer: D

Strategic alignment is the primary goal.

Why this answer

Option D is correct because the committee's role is to align IT investments with business strategy. Option A is operational. Option B is too narrow. Option C is project-specific.

72
MCQ · medium

A retail company is merging with a competitor. The IT departments of both organizations have different IT governance structures: Company A uses a centralized model with strict change management, while Company B uses a decentralized model with autonomous business unit IT. The CIO has been tasked with integrating the IT functions post-merger. The board expects cost synergies and improved service levels. The integration team is facing resistance from Company B's business heads who fear loss of agility. The CIO needs to propose a governance model for the merged entity. Which approach would BEST meet the board's expectations while addressing resistance?

A. Keep both models separate and allow business units to choose their preferred model.
B. Adopt Company B's decentralized model to preserve agility.
C. Immediately impose Company A's centralized model across the merged entity.
D. Implement a phased integration with a transitional governance structure that includes representatives from both sides.
Answer: D

Phased integration respects both cultures and reduces resistance.

Why this answer

Option D is correct because a phased integration with interim governance allows gradual convergence, managing change and resistance while building toward synergy. Option A is wrong because maintaining both models permanently does not achieve integration. Option B is wrong because adopting the weaker model (decentralized) may not achieve the expected synergies. Option C is wrong because immediate full centralization may cause disruption and strong resistance.

73
MCQ · hard

An organization has decentralized IT management with each business unit making its own technology decisions. Which of the following is the BEST way to maintain enterprise-wide governance?

A. Deploy a single enterprise resource planning (ERP) system across all units.
B. Require all IT projects to be approved by the corporate IT department.
C. Create a central IT budget that allocates funds to business units.
D. Establish an enterprise architecture review board with representatives from all business units.
Answer: D

This provides governance without removing unit autonomy.

Why this answer

Option D is correct because an enterprise architecture review board with unit representatives ensures alignment while respecting decentralization. Option A forces a single system, which may not suit all units. Option B is too centralized. Option C is budgeting, not governance of decisions.

74
MCQ · hard

An organization outsources its data center operations. What is the BEST way to ensure the service provider's controls are effective?

A. Conduct periodic third-party audits
B. Rely on the provider's internal audit reports
C. Monitor service level agreements only
D. Require the provider to implement all organizational controls
Answer: A

Independent audits validate control design and operation.

Why this answer

Option A is correct because independent third-party audits provide objective verification of control design and operating effectiveness. Option B is incorrect because relying solely on the provider's internal audit reports lacks independence. Option C is incorrect because SLAs focus on performance, not control effectiveness. Option D is incorrect because requiring the provider to implement all organizational controls may be impractical and expensive.

75
Multi-Select · hard

Which THREE of the following are responsibilities of the board of directors regarding IT governance? (Choose three.)

Select 3 answers
A. Designing network security architecture
B. Setting IT risk appetite
C. Reviewing IT performance
D. Implementing IT controls
E. Approving IT strategy
Answers: B, C, E

The board defines risk tolerance.

Why this answer

Options B, C, and E are correct because setting IT risk appetite, reviewing IT performance, and approving IT strategy are board-level responsibilities. Option A is incorrect because designing network security architecture is an operational task. Option D is incorrect because implementing controls is management's role.
