An internal auditor conducts an assessment of a two-year-old IT risk management program. Which of the following findings should be of MOST concern to the CIO?
Correct Answer: A
Organizational responsibility for IT risk management is a critical factor for the success of the program. Without clear roles and responsibilities, the program may lack accountability, coordination, communication and alignment with the business objectives. The other options are not as concerning as option A, because they do not affect the core of the program. Having risk management-related certifications is desirable, but not mandatory, for the IT risk management team. Monitoring only a few key risk indicators (KRIs) is acceptable, as long as they are relevant and meaningful for the program. Retaining IT risk training records is important, but not essential, for the program effectiveness. Reference: ISACA, CGEIT Review Manual, 7th Edition, Chapter 3: Benefits Realization, Section 3.2: IT Risk Management, p. 113-114.
Question 182
An IT steering committee wants the enterprise's mobile workforce to use cloud-based file storage to save non-sensitive corporate data, removing the need for remote access to that information. Before this change is implemented, what should be included in the data management policy?
Correct Answer: B
Question 183
What is the formula for measuring the "usage gap"?
Correct Answer: A
Section: Volume C
Question 184
The board of a start-up company has directed the CIO to develop a technology resource acquisition and management policy. Which of the following should be the MOST important consideration during the development of this policy?
Correct Answer: B
Question 185
An enterprise is initiating efforts to improve system availability to mitigate IT risk to the business. Which of the following results would be MOST important to report to the CIO to measure progress?
Correct Answer: A
Incident severity and downtime trend analysis is the most important result to report to the CIO to measure progress in improving system availability to mitigate IT risk to the business, because it directly reflects the impact and frequency of system failures or disruptions on the business operations, processes, and functions. By analyzing the severity and duration of incidents over time, the CIO can evaluate the effectiveness of the IT risk management and system availability strategies, and identify any gaps, issues, or opportunities for improvement. Incident severity and downtime trend analysis can also help the CIO to communicate the value and performance of the IT risk management and system availability initiatives to the business stakeholders, and justify any further investment or action required to achieve the desired outcomes. The other options are not as important as incident severity and downtime trend analysis, because they are either too indirect or too subjective to measure progress in improving system availability to mitigate IT risk to the business. Probability and severity of each IT risk is a useful input for IT risk management, but it does not necessarily reflect the actual occurrence or impact of system failures or disruptions on the business. Financial losses and bad press releases are possible consequences of system failures or disruptions, but they may not capture the full extent or root causes of the IT risk to the business. Customer and stakeholder complaints over time are indicators of customer satisfaction and loyalty, but they may not be reliable or consistent measures of system availability or IT risk to the business.