Domain 1: IT Risk Identification

Practice Question 1
Before implementing an IT balanced
scorecard (BSC) for projects, an enterprise
MUST:
A. update the IT resource inventory.
Domain 1 B. define key performance indicators
(KPIs) for each project.
Governance
C. group all strategic projects into a
project portfolio.
D. have IT service management practices
in place.
48 48

1 48

Practice Question 2 Practice Question 3

Which of the following has the GREATEST
impact on the design of the IT governance
framework?
A. Information security risk and the security
organization
B. Organizational structure and leadership
C. Organizational budgets and investment
plans
D. The number of business units and
employees
Which of the following MOST enhances the
oversight of the board of directors over the
effectiveness of IT internal controls?
A. Continuous auditing
B. An audit committee
C. Independent annual IT audits
D. Periodic reports from the chief
information officer (CIO)

49 49 50 50

49 50

1
 Domain 1: IT Risk Identification

Practice Question 4 Practice Question 5

Effective governance of enterprise IT Which of the following should be achieved
requires that: FIRST to enable implementation a
A. the IT strategy be an extension of the framework for the governance of enterprise
enterprise strategy. IT?
B. the enterprise strategy be an extension A. Establishing the desire to change
of the IT strategy.
B. Forming an implementation team
C. IT governance be independent of
enterprise governance. C. Empowering role players
D. investments in IT be made to obtain D. Embedding new approaches
competitive advantage.
51 51 52 52

51 52

Practice Question 6 Practice Question 7

Which of the following facilitates strategic Which of the following should be performed
FIRST when establishing an IT governance
alignment? program within an enterprise?
A. Business owner sponsorship of A. Appointing a chief technology officer
projects (CTO)
B. Establishing cross-functional teams and
B. A business impact analysis (BIA) committees
C. Alignment of the IT budget to strategic C. Holding awareness sessions within the
objectives enterprise
D. Understanding the enterprise’s mission,
D. Project monitoring objectives, vision, values, culture and
management style
53 53 54 54

53 54

2

Practice Question 8
Which of the following BEST ensures the
overall success of an IT program at the
enterprise level?
A. Identifying and monitoring the
interdependencies between projects
B. Establishing a project-monitoring process
and continuously monitoring the
implementation
C. Conducting regular IT audits and formal
project reviews
D. Monitoring and controlling project costs
55 55
55
Practice Question 10
The MOST effective starting point to
determine whether the IT strategic plan
continues to support the enterprise’s
objectives is to conduct interviews with:
A. business process owners.
B. IT management.
C. external auditors.
D. executive management.
57 57
57
Domain 1: IT Risk Identification
Practice Question 9
Which of the following methods is the MOST
effective in monitoring the interdependencies of
strategic initiatives and their impact on value
delivery and risk?
A. Architecture reviews with business
process stakeholders
B. Interviews with business process
stakeholders
C. Business process mapping
D. Review of the business strategy defined
by senior leadership
56 56
56
Practice Question 1
§ An enterprise expanded operations into Europe,
Asia and Latin America. The enterprise has a
single-version, multiple-language employee
handbook last updated three years ago. Which of
the following is of MOST concern?
A. The handbook may not have been correctly
translated into all languages.
B. Newer policies may not be included in the
handbook.
C. Expired policies may be included in the handbook.
D. The handbook may violate local laws and
regulations.
82
82
3
 Domain 1: IT Risk Identification

Practice Question 2 Practice Question 3

§ Which of the following is the BEST
approach when conducting an IT risk
awareness campaign?
A. Provide technical details on exploits.
B. Provide common messages tailored for
different groups.
C. Target system administrators and help desk
staff.
D. Target senior managers and business
process owners.
§ Which of the following activities provides
the BEST basis for establishing risk
ownership?
A. Documenting interdependencies between
departments
B. Mapping identified risk to a specific business
process
C. Referring to available RACI charts
D. Distributing risk equally among all asset
owners

83 84

83 84

Practice Question 4 Practice Question 5

§ Which of the following is MOST important
for effective risk management?
A. Assignment of risk owners to identified risk
B. Ensuring compliance with regulatory
requirements
C. Integration of risk management into
operational processes
D. Implementation of a risk avoidance strategy
§ Which of the following statements BEST
describes the value of a risk register?
A. It captures the risk inventory.
B. It drives the risk response plan.
C. It is a risk reporting tool.
D. It lists internal risk and external risk.

85 86

85 86

4
 Domain 1: IT Risk Identification

Practice Question 6 Practice Question 7

§ It is MOST important that risk appetite be § Who is accountable for business risk
aligned with business objectives to ensure related to IT?
that: A. The chief information officer (CIO)
A. resources are directed toward areas of low B. The chief financial officer (CFO)
risk tolerance. C. Users of IT services—the business
B. major risk is identified and eliminated. D. The chief architect
C. IT and business goals are aligned.
D. the risk strategy is adequately
communicated.

87 88

87 88

Practice Question 8 Practice Question 9

§ Which of the following is a PRIMARY
consideration when developing an IT risk
awareness program?
A. Why technology risk is owned by IT
B. How technology risk can impact each
attendee’s area of business
C. How business process owners can transfer
technology risk
D. Why technology risk is more difficult to
manage compared to other risk
§ Which of the following is the GREATEST
benefit of a risk-aware culture?
A. Issues are escalated when suspicious
activity is noticed.
B. Controls are double-checked to anticipate
any issues.
C. Individuals communicate with peers for
knowledge sharing.
D. Employees are self-motivated to learn about
costs and benefits.

89 90

89 90

5
 Domain 1: IT Risk Identification

Practice Question 10
§ Which of the following is the MOST
important information to include in a risk
management strategic plan?
A. Risk management staffing requirements
B. The risk management mission statement
C. Risk mitigation investment plans
D. The current state and desired future state

91

91