CCNA It Governance Mgmt Questions

36 of 111 questions · Page 2/2 · It Governance Mgmt topic · Answers revealed

76
MCQ · easy

A small business lacks formal IT governance. What is the FIRST step to establish governance?

A. Assign an IT manager
B. Define IT policies
C. Conduct a risk assessment
D. Implement COBIT
Answer: C

Risk assessment reveals the starting point for governance.

Why this answer

Conducting a risk assessment identifies the most critical issues and guides the development of governance policies and structure. Defining policies or assigning roles without understanding risks may be premature.

77
MCQ · medium

An organization is implementing a new IT governance framework. Which of the following is the BEST approach to ensure alignment between IT strategy and business goals?

A. Align IT budget with the previous year's business plan
B. Conduct annual IT strategy reviews independent of business cycles
C. Establish an IT steering committee with business representation
D. Delegate IT strategy to the CIO without business input
Answer: C

A steering committee with business leaders ensures ongoing alignment.

Why this answer

Option C is correct because a steering committee with both IT and business leaders ensures strategic alignment. Option D is wrong because it only involves IT. Option A is wrong because reactive alignment after budgeting is less effective.

Option B is wrong because annual reviews are insufficient for ongoing alignment.

78
MCQ · hard

An organization uses the policy shown. Which of the following is an omission in the policy?

A. No definition of authorized users
B. No mention of backup frequency
C. No specification of data disposal methods after retention periods
D. Missing encryption requirement for log data
Answer: C

The policy defines retention but not deletion or archiving.

Why this answer

Option C is correct because there is no rule for data disposal after retention. Options A and B are addressed in the policy.

Option D is not mentioned but is not an omission in this context.

79
Multi-Select · medium

An organization is adopting COBIT 2019. Which TWO of the following are components of the governance system?

Select 2 answers
A. Processes
B. IT hardware inventory
C. Information flows
D. Organizational structures
E. Employee satisfaction surveys
Answers: A, D

Processes are a core component in COBIT.

Why this answer

Options A and D are correct. COBIT 2019 defines governance system components including processes (A) and organizational structures (D). B (hardware inventory) is an asset, not a component.

C (information flows) is part of the information component but not a standalone component. E (employee satisfaction) is not a component.

80
MCQ · hard

A multinational corporation is adopting a hybrid cloud strategy. The IT governance board must decide on a framework to ensure alignment with business objectives and regulatory compliance. Which framework is MOST appropriate?

A. ITIL 4 Service Value System
B. COBIT 2019
C. ISO/IEC 27001 Information Security Management
D. PMBOK Guide
Answer: B

COBIT 2019 is a comprehensive framework for IT governance and management.

Why this answer

COBIT 2019 is the most appropriate framework because it is specifically designed for IT governance, providing a comprehensive set of controls and processes to align IT with business objectives and ensure regulatory compliance. In a hybrid cloud strategy, COBIT 2019's focus on governance objectives, stakeholder needs, and risk management directly addresses the board's need for oversight across on-premises and cloud environments, unlike frameworks that target service management, security, or project management.

Exam trap

The trap here is that candidates often confuse ITIL (service management) with governance, assuming that best practices for service delivery inherently cover board-level alignment and compliance, but ITIL lacks the governance objectives and stakeholder-driven goal cascade that COBIT provides for hybrid cloud strategies.

How to eliminate wrong answers

Option A is wrong because ITIL 4 Service Value System focuses on IT service management (ITSM) best practices, such as incident and change management, but lacks the governance and compliance alignment mechanisms required for board-level decision-making in a hybrid cloud strategy. Option C is wrong because ISO/IEC 27001 is an information security management standard that addresses security controls and risk management, but it does not provide a holistic governance framework for aligning IT with business objectives and regulatory compliance across the entire enterprise. Option D is wrong because PMBOK Guide is a project management framework that covers project lifecycle and processes, but it is not designed for ongoing IT governance or ensuring sustained alignment with business goals and compliance in a hybrid cloud environment.

81
Multi-Select · medium

Which TWO of the following are primary objectives of IT governance as defined by COBIT 5?

Select 2 answers
A. Resource optimization
B. Cost reduction
C. Incident response
D. Value delivery
E. Data encryption
Answers: A, D

Resource optimization is a key governance objective.

Why this answer

Options A and D are correct because COBIT 5 defines IT governance objectives as stakeholder value creation and resource optimization. Option C (incident response) is a management objective, not governance. Option E (data encryption) is a goal of information security, not governance overall.

Option B (cost reduction) is too narrow and not a primary governance objective.

82
Multi-Select · easy

Which TWO of the following are key components of an IT governance framework?

Select 2 answers
A. IT strategy committee
B. IT asset inventory
C. IT risk management
D. IT project portfolio management
E. IT help desk ticketing system
Answers: A, C

Governance requires a steering or strategy committee.

Why this answer

Options A and C are correct. An IT governance framework includes structures like an IT strategy committee (A) and processes like IT risk management (C). D (project portfolio management) is a management practice, not a core governance component.

E (help desk) and B (asset inventory) are operational.

83
MCQ · hard

During an IT audit, the auditor discovers that the IT department has not conducted a business impact analysis (BIA) for three years. The organization's disaster recovery plan (DRP) is based on the previous BIA. The IT manager argues that the DRP is still valid because no major changes have occurred. What should the auditor recommend?

A. Recommend that a new BIA be conducted to validate and update the DRP.
B. Accept the IT manager's rationale and close the finding.
C. Recommend terminating the current DRP until the BIA is completed.
D. Recommend accepting the risk and documenting the decision.
Answer: A

A current BIA is essential to identify changes in business processes and threats, ensuring the DRP is aligned.

Why this answer

A business impact analysis (BIA) is the foundation of a valid disaster recovery plan (DRP). Without a current BIA, the DRP may not reflect the organization's current critical processes, recovery time objectives (RTOs), or recovery point objectives (RPOs). Even if no major changes are perceived, subtle shifts in dependencies, resource availability, or regulatory requirements can render the DRP ineffective.

Therefore, the auditor should recommend conducting a new BIA to validate and update the DRP.

Exam trap

The trap here is that candidates may assume the IT manager's claim of 'no major changes' is sufficient, but the CISA exam emphasizes that a BIA must be periodically reviewed (typically annually) regardless of perceived stability, because hidden dependencies or gradual changes can still affect recovery requirements.

How to eliminate wrong answers

Option B is wrong because accepting the IT manager's rationale without evidence ignores the risk that the DRP may be outdated; the auditor's role is to verify, not assume, that no changes have impacted recovery requirements. Option C is wrong because terminating the current DRP would leave the organization without any recovery plan until the BIA is completed, increasing operational risk unnecessarily. Option D is wrong because accepting the risk and documenting the decision without further action is premature; the auditor should first recommend a BIA to determine the actual risk level before deciding to accept it.

84
Multi-Select · medium

An organization is implementing IT governance based on COBIT. Which THREE of the following are enablers? (Select exactly three.)

Select 3 answers
A. Application software
B. Organizational structures
C. Culture, ethics, and behavior
D. Network infrastructure
E. Processes
Answers: B, C, E

Structures are enablers for decision-making.

Why this answer

COBIT defines enablers as factors that influence the effectiveness of governance. Processes, organizational structures, and culture/ethics/behavior are key enablers. Network infrastructure and application software are resources, not enablers in the COBIT framework.

85
Multi-Select · medium

An organization is implementing an IT governance framework to align IT with business objectives. Which TWO of the following are primary responsibilities of the IT steering committee?

Select 2 answers
A. Performing daily IT operations
B. Defining IT security policies
C. Approving IT project budgets and priorities
D. Conducting technical vulnerability assessments
E. Ensuring IT investments deliver value
Answers: C, E

The IT steering committee provides oversight and approval for major IT investments and priorities.

Why this answer

Options C and E are correct. The IT steering committee is responsible for approving IT project budgets and priorities (C) and ensuring IT investments deliver value (E). Performing daily IT operations (A) is an operational management task.

Defining IT security policies (B) is typically the responsibility of the security function. Conducting technical vulnerability assessments (D) is a technical operational activity.

86
MCQ · medium

Based on the exhibit, which metric would be LEAST relevant to the 'Customer' perspective?

A. Number of New Features Delivered
B. System Uptime Percentage
C. Satisfaction Survey Score
D. Complaint Resolution Time
Answer: B

Uptime is more aligned with the internal process perspective.

Why this answer

Option B is correct because system uptime is an operational metric typically aligned with the Internal Process perspective, not directly with customer satisfaction as measured by surveys and complaint resolution. Option C is incorrect because survey scores directly measure customer satisfaction. Option D is incorrect because complaint resolution time is a customer-facing metric.

Option A is incorrect because the number of new features may be customer-driven; it is less directly related than the other customer metrics, but still more relevant than uptime. Uptime is the least relevant.

87
MCQ · medium

A large financial institution has a well-defined IT governance framework with a clear organizational structure, policies, and processes. However, the internal audit department has identified that several IT projects are over budget and behind schedule. The project managers blame unclear requirements and scope creep. The IT governance committee meets monthly but reviews projects only at a high level. The auditor's best recommendation to improve project governance is to:

A. Increase the frequency of security reviews for all projects
B. Change the IT steering committee's meeting frequency to weekly with detailed reviews
C. Establish a project management office (PMO) to oversee project governance and reporting
D. Require all projects to use a specific project management software tool
Answer: C

A PMO provides centralized oversight, standardizes processes, and ensures compliance with governance.

Why this answer

Option C is correct because establishing a project management office (PMO) provides standardized project management practices, oversight, and controls to prevent scope creep and improve delivery. Option A focuses on security, not project delivery. Option D is tactical and does not address governance.

Option B may improve business alignment but does not directly address project management issues.

88
MCQ · hard

During a risk assessment, an IS auditor identifies that the IT department has not performed a business impact analysis (BIA) for critical systems. Which of the following is the MOST significant risk?

A. Non-compliance with software licensing
B. Increased likelihood of security breaches
C. Inability to calculate total cost of ownership
D. Uncertainty regarding recovery time objectives for critical systems
Answer: D

BIA defines RTOs; without it, recovery priorities are unclear.

Why this answer

Option D is correct because without a BIA, recovery time objectives (RTOs) are uncertain, leading to potentially unacceptable downtime. Option C is incorrect because a BIA is for recovery, not cost.

Options A and B are less direct consequences, not the primary risk.

89
MCQ · hard

A financial institution is required by regulators to demonstrate that IT controls are effective. Which of the following provides the BEST evidence?

A. IT balanced scorecard
B. Internal audit reports
C. IT risk register
D. Service organization control (SOC) reports
Answer: D

SOC reports provide independent assurance on controls.

Why this answer

Service organization control (SOC) reports are independent audits of control effectiveness, highly regarded by regulators. Internal audit reports are valuable but may lack independence; risk register and balanced scorecard are not direct evidence of control effectiveness.

90
MCQ · easy

An IT department uses a balanced scorecard to measure performance. Which metric would BEST reflect the 'customer perspective'?

A. Training hours per employee
B. System uptime percentage
C. User satisfaction survey results
D. Project completion rate
Answer: C

Directly measures customer perception.

Why this answer

Option C is correct because the customer perspective focuses on user satisfaction and service responsiveness. Option B is incorrect because system uptime is an internal process metric. Option D is incorrect because project completion rate is an internal efficiency metric.

Option A is incorrect because training hours relate to the learning and growth perspective.

91
MCQ · medium

An IT manager is reviewing the service level agreements (SLAs) for a cloud-based email service. The SLA guarantees 99.9% uptime per month. The service experienced an outage of 45 minutes in a 30-day month. Did the service meet the SLA?

A. Yes, because 45 minutes is within 0.1% of the total time.
B. Yes, because the SLA is calculated per day, not per month.
C. No, because any downtime exceeding 30 minutes is a violation.
D. No, because the allowed downtime for 99.9% uptime is approximately 43 minutes.
Answer: D

The SLA allows 43.2 minutes; 45 minutes is over the limit.

Why this answer

The SLA guarantees 99.9% uptime per month. For a 30-day month (43,200 minutes), 99.9% uptime allows only 0.1% downtime, which is 43.2 minutes. The actual outage of 45 minutes exceeds this threshold, so the SLA was not met.

Option D correctly identifies the allowed downtime as approximately 43 minutes.

Exam trap

The trap here is that candidates may incorrectly round 43.2 minutes to 43 minutes and then assume 45 minutes is close enough, or they may mistakenly think 0.1% of a month is 30 minutes, leading them to choose option C.

How to eliminate wrong answers

Option A is wrong because 45 minutes is not within 0.1% of the total time; 0.1% of 43,200 minutes is 43.2 minutes, so 45 minutes exceeds the allowed downtime. Option B is wrong because the SLA explicitly states 'per month,' not per day, and calculating per day would allow even less downtime (e.g., 0.1% of 1,440 minutes = 1.44 minutes per day). Option C is wrong because the SLA does not specify a 30-minute threshold; the allowed downtime is derived from the 99.9% uptime calculation, not an arbitrary 30-minute limit.

92
MCQ · medium

An IT audit revealed that the organization's IT steering committee has not met in the past six months. Which of the following is the MOST likely consequence of this situation?

A. Higher IT staff turnover.
B. Increased number of security incidents.
C. Inconsistent IT policies across departments.
D. Delayed decision-making on IT investments.
Answer: D

The committee's primary role is to make strategic decisions.

Why this answer

Option D is correct because the steering committee is responsible for approving and prioritizing IT investments; a lack of meetings delays decision-making.

Options A, B, and C may occur, but they are secondary or less direct consequences rather than the primary effect of the committee not meeting.

93
Multi-Select · easy

Which TWO of the following are benefits of establishing an IT steering committee?

Select 2 answers
A. Improved operational efficiency of IT systems
B. Enhanced prioritization of IT investments
C. Better alignment between IT and business strategy
D. Reduction of management overhead
E. Direct control over technical IT decisions
Answers: B, C

Prioritization is a core benefit.

Why this answer

Options B and C are correct because an IT steering committee provides strategic alignment and prioritization of IT initiatives. Option D is not a benefit; a committee may increase bureaucracy rather than reduce overhead. Option A is not a direct benefit; operational efficiency is management's role.

Option E is not a primary benefit; detailed technical decisions are outside the committee's scope.

94
MCQ · medium

An organization is planning to outsource its data center operations. Which of the following governance practices should be implemented to ensure proper oversight?

A. Conduct annual financial audits of the outsourcer.
B. Require the outsourcer to obtain ISO 27001 certification.
C. Establish a service level agreement (SLA) with key performance indicators (KPIs).
D. Allow the outsourcer to manage all security controls independently.
Answer: C

An SLA with KPIs enables ongoing performance monitoring.

Why this answer

Option C is correct because an SLA with KPIs provides measurable performance targets and accountability. Option B is a certification but not a governance practice for oversight. Option D abdicates control.

Option A is financial, not operational, oversight.

95
Multi-Select · hard

Which THREE of the following are commonly recognized benefits of implementing a formal IT service management (ITSM) framework such as ITIL?

Select 3 answers
A. Better alignment between IT services and business needs
B. Guaranteed zero downtime for critical services
C. Elimination of the need for external IT audits
D. Improved service quality and availability
E. Increased efficiency and cost savings through standardized processes
Answers: A, D, E

ITSM incorporates business requirements into service design and delivery.

Why this answer

Option A is correct because a formal ITSM framework like ITIL explicitly focuses on aligning IT service delivery with business objectives through defined processes like service strategy and service design. This alignment ensures that IT investments and operations directly support business outcomes, such as improving customer satisfaction or enabling new revenue streams, rather than operating in a silo.

Exam trap

The trap here is that candidates may confuse the risk-reduction benefits of ITSM (like improved availability) with an absolute guarantee, or assume that a framework replaces independent verification, when in reality ITSM improves processes but does not eliminate the need for external audits or guarantee perfect uptime.

96
MCQ · easy

An IT manager is developing a governance policy for change management. Which element is MOST important to include?

A. Project management methodology
B. Detailed technical procedures
C. List of all applications
D. Roles and responsibilities
Answer: D

Governance policies define who is responsible for what.

Why this answer

Option D is correct because clearly defined roles and responsibilities ensure accountability in the change process. Option B is incorrect because technical procedures are part of implementation, not governance. Option C is incorrect because listing applications is operational.

Option A is incorrect because methodology is separate from governance.

97
Multi-Select · hard

Which THREE of the following are components of a typical IT governance framework?

Select 3 answers
A. Network troubleshooting procedures
B. Strategic alignment of IT with business
C. Risk management and compliance
D. Performance measurement and reporting
E. Vendor contract management
Answers: B, C, D

Core governance component.

Why this answer

Strategic alignment of IT with business is a core component of an IT governance framework because it ensures that IT initiatives directly support and enable the organization's business objectives and strategies. This alignment is achieved through mechanisms like balanced scorecards and IT steering committees, which prioritize IT investments based on business value. Without this component, IT may operate in a silo, leading to wasted resources and missed opportunities.

Exam trap

The trap here is that candidates often confuse operational IT activities (like troubleshooting or contract management) with the strategic, oversight-oriented components of governance, leading them to select options that describe 'doing IT' rather than 'governing IT'.

98
MCQ · medium

A company's IT governance policy requires that all critical systems have a documented business continuity plan (BCP). During an audit, an IT auditor finds that the BCP for a critical financial system has not been updated in three years. Which of the following is the BEST recommendation?

A. Archive the outdated BCP and develop a new one from scratch.
B. Update the BCP to reflect current processes and conduct a test.
C. Accept the risk because the system has been stable.
D. Implement a new system with built-in redundancy.
Answer: B

Updating and testing ensures the plan is viable and aligns with governance requirements.

Why this answer

Option B is correct because IT governance policies require that BCPs remain current to reflect actual operational processes. An outdated BCP (three years stale) may contain obsolete recovery procedures, contact information, or dependencies, rendering it ineffective during a real incident. Updating the BCP and then testing it validates that the documented steps align with the current system architecture and can be executed successfully, which is a core requirement of the BCP lifecycle per ISACA guidelines.

Exam trap

The trap here is that candidates may assume a stable system means the BCP remains valid, but CISA tests the principle that BCPs must be living documents reviewed and tested at regular intervals (typically annually) regardless of system stability.

How to eliminate wrong answers

Option A is wrong because archiving and rewriting from scratch is unnecessarily disruptive and time-consuming; the existing BCP likely contains valuable baseline information that should be reviewed and updated rather than discarded. Option C is wrong because accepting risk based on system stability ignores the fact that processes, personnel, and dependencies change over time; a stable system does not guarantee that the BCP's recovery steps, contact lists, or resource allocations are still valid. Option D is wrong because implementing a new system with built-in redundancy is a disproportionate and costly response to an outdated BCP; it does not address the immediate compliance gap and may introduce new risks without proper BCP documentation.

99
MCQ · medium

According to COBIT 2019, which design factor is MOST critical for tailoring a governance system?

A. Regulatory environment
B. Technology complexity
C. Organizational size
D. Enterprise strategy
Answer: D

Strategy sets the direction for governance design.

Why this answer

Option D is correct because enterprise strategy determines the governance objectives and risk appetite, making it the most critical design factor. Options A, B, and C are all important but secondary; they influence the system but are driven by strategy.

100
MCQ · easy

An organization's IT strategy must be aligned with business strategy. Which of the following is the PRIMARY benefit of this alignment?

A. Faster adoption of new technologies
B. Enhanced security posture
C. Reduced IT operational costs
D. Increased value of IT investments to business objectives
Answer: D

Alignment ensures IT delivers value that supports business strategy.

Why this answer

When IT strategy is aligned with business strategy, every IT investment is directly tied to achieving specific business objectives, such as increasing revenue, improving customer experience, or enabling new business models. This alignment ensures that resources are allocated to projects that deliver measurable business value, rather than being spent on technology for its own sake. The primary benefit is therefore the increased value of IT investments to business objectives, as misalignment often leads to wasted expenditure on systems that do not support core business goals.

Exam trap

The trap here is that candidates often confuse operational benefits (like cost reduction or faster tech adoption) with the strategic primary benefit, failing to recognize that alignment is fundamentally about ensuring IT investments deliver value to the business, not about efficiency or security alone.

How to eliminate wrong answers

Option A is wrong because faster adoption of new technologies is a potential operational benefit, but it is not the primary benefit of alignment; rapid adoption without business context can actually lead to misalignment and wasted resources. Option B is wrong because enhanced security posture is a critical outcome of good IT governance, but it is a secondary benefit that results from aligning security controls with business risk appetite, not the primary reason for aligning IT and business strategy. Option C is wrong because reduced IT operational costs can be a byproduct of alignment (e.g., eliminating redundant systems), but cost reduction is not the primary goal; the primary goal is ensuring IT spending directly supports business value creation, which may sometimes require increased investment.

101
MCQ · hard

An organization is implementing a new ERP system. The project sponsor requests a change that will significantly increase project scope without additional budget. Which of the following is the BEST action for the project manager?

A. Accept the change and adjust the project timeline accordingly.
B. Initiate the formal change control process and escalate to the steering committee.
C. Implement the change and inform the steering committee later.
D. Reject the change because it is outside the original scope.
Answer: B

Proper change control ensures governance and stakeholder involvement.

Why this answer

The project manager must follow the formal change control process to evaluate the impact of a scope change that lacks additional budget. Escalating to the steering committee is appropriate because they have the authority to approve or reject changes that affect project constraints, ensuring alignment with organizational governance and IT strategy.

Exam trap

The trap here is that candidates may choose to reject the change outright (Option D) thinking it protects the baseline, but the CISA exam emphasizes following the formal change control process and escalating to the appropriate governance body rather than making unilateral decisions.

How to eliminate wrong answers

Option A is wrong because accepting the change without budget or formal approval violates project governance and may lead to resource overallocation and timeline failure. Option C is wrong because implementing the change before informing the steering committee bypasses the required change control process and risks unauthorized scope creep. Option D is wrong because outright rejection without following the change control process denies the steering committee the opportunity to assess the change's strategic value or reallocate priorities.

102
MCQ · hard

An organization's data classification policy defines 'Confidential' data as requiring encryption at rest. An IS auditor discovers that a database containing customer personal information is not encrypted. What is the auditor's BEST course of action?

A. Encrypt the database immediately
B. Report the finding to the data owner and IT management
C. Recommend a compensating control
D. Verify the classification of the data
Answer: B

Reporting ensures accountability for remediation.

Why this answer

Option B is correct because reporting the non-compliance to management is the auditor's responsibility. Option A is not an audit action. Option D may be outside the audit's scope.

Option C comes after reporting.

103
MCQ · easy

During an IT audit, the auditor discovers that the IT strategy is not formally documented. Which of the following is the MOST significant risk associated with this finding?

A. Difficulty in recruiting qualified IT staff.
B. Inability to measure the performance of IT systems.
C. Lack of alignment between IT investments and business goals.
D. Increased operational costs due to unplanned IT initiatives.
Answer: C

An undocumented strategy leads to misalignment, the most significant risk.

Why this answer

Option C is correct because without a documented strategy, IT investments may not support business goals, leading to misalignment.

Options A, B, and D are possible or less direct consequences, but none is as significant as misalignment with business goals.

104
Multi-Select · medium

Which TWO of the following are key responsibilities of an IT steering committee?

Select 2 answers
A. Monitoring IT performance and value delivery
B. Managing day-to-day IT operations
C. Writing and testing application code
D. Prioritizing IT projects and allocating resources
E. Conducting IT audit engagements
Answers: A, D

Steering committee oversees performance.

Why this answer

The IT steering committee is a senior-level governance body responsible for aligning IT strategy with business objectives. Monitoring IT performance and value delivery (A) is a key responsibility because the committee must ensure that IT investments generate the expected business benefits and that service levels meet agreed targets. Prioritizing IT projects and allocating resources (D) is also a core duty, as the committee decides which initiatives receive funding and staffing based on strategic importance and risk, rather than operational urgency.

Exam trap

The trap here is confusing governance responsibilities (steering committee) with management or execution tasks (operations, coding, auditing), leading candidates to select options that sound plausible but belong to lower-level roles.

105
Multi-Select · hard

Which THREE of the following are indicators of mature IT governance?

Select 3 answers
A. The IT department has high staff retention.
B. IT risks are formally assessed and managed.
C. IT projects are completed on time and within budget.
D. IT decisions are aligned with business strategy.
E. The board receives regular IT performance reports.
Answers: B, D, E

Risk management is a hallmark of mature governance.

Why this answer

Options B, D, and E are correct. Mature governance ensures formal risk management (B), alignment with business strategy (D), and board reporting (E). C (on-time projects) is a project management metric, not governance.

A (staff retention) is an HR metric.

106
MCQ · medium

An IT department is struggling with project delays and budget overruns. Which governance practice would be MOST effective?

A. Establishing a project management office (PMO)
B. Outsourcing projects
C. Increasing IT staff
D. Adopting agile methodology
Answer: A

PMO provides governance, standards, and oversight.

Why this answer

Establishing a Project Management Office (PMO) provides standardized project management practices, oversight, and governance, addressing delays and overruns. Agile methodology alone may not provide governance; increasing staff or outsourcing may not solve underlying issues.

107
Drag & Drop · medium

Arrange the steps to perform a risk assessment in the correct order.


Why this order

Risk assessment begins with asset identification, then threat/vulnerability identification, followed by risk analysis, prioritization, and documentation of treatment.

108
MCQ · easy

An organization is developing its IT strategy to align with the overall business strategy. The business strategy emphasizes rapid market expansion through digital products. Which of the following IT strategies would BEST support this business goal?

A. Standardize all IT systems to reduce complexity.
B. Adopt agile development methods and scalable cloud infrastructure.
C. Outsource all IT operations to a low-cost provider.
D. Minimize IT investment to preserve capital for business growth.
Answer: B

Agile and cloud enable rapid, scalable deployment of digital products.

Why this answer

Option B is correct because rapid market expansion requires agility and speed. Option A is wrong because strict standardization may slow down innovation. Option D is wrong because minimizing IT investment would hinder digital product development.

Option C is wrong because outsourcing to the lowest-cost provider may compromise quality and speed.

109
MCQ · medium

A company is considering restructuring its IT department from a centralized to a decentralized model to give business units more autonomy. What is a PRIMARY governance risk associated with this move?

A. Difficulty in managing vendor contracts due to decentralization.
B. Reduced innovation due to lack of central coordination.
C. Increased risk of project cost overruns.
D. Inconsistent IT policies and security controls across business units.
Answer: D

Decentralization often leads to divergence in standards and controls.

Why this answer

Option D is correct because decentralized IT can lead to inconsistent policies and standards across units. Option C is wrong because cost overruns can occur in any model. Option B is wrong because innovation may increase with autonomy.

Option A is wrong because vendor management can be decentralized but still controlled.

110
MCQ · medium

An organization has experienced several security incidents due to unauthorized changes to production systems. Which governance mechanism should be strengthened?

A. IT asset management
B. Configuration management database
C. Incident response plan
D. Change management process
Answer: D

This controls the approval and implementation of changes.

Why this answer

A change management process ensures that all changes are authorized, tested, and approved, directly addressing unauthorized changes. Asset management, CMDB, and incident response are supportive but not the primary control.

111
MCQ · easy

An IT steering committee is reviewing a proposal for a new customer relationship management (CRM) system. Which of the following BEST demonstrates that the proposal aligns with the organization's strategic goals?

A. The business case includes a clear link to the organization's five-year strategic plan.
B. The project manager has extensive experience with CRM implementations.
C. The proposed system includes advanced analytics capabilities.
D. The vendor offers discounted licensing for the first year.
Answer: A

Direct reference to the strategic plan demonstrates alignment.

Why this answer

Option A is correct because a clear link to the organization's strategic plan demonstrates alignment. Option B is about PM experience, not alignment. Option C is a feature that may not be strategic.

Option D is a cost-saving tactic, not evidence of strategic alignment.
