An IS auditor reviewing the risk assessment process of an organization should FIRST:

An IS auditor is reviewing an IT security risk management program. Measures of security risk should:

Which of the following should be considered FIRST when implementing a risk management
program?

As a driver of IT governance, transparency of IT’s cost, value and risks is primarily achieved through:

Which of the following should be the MOST important consideration when deciding areas of priority
for IT governance implementation?

The PRIMARY benefit of implementing a security program as part of a security governance
framework is the:

An IS auditor who is reviewing incident reports discovers that, in one instance, an important
document left on an employee’s desk was removed and put in the garbage by the outsourced
cleaning staff. Which of the following should the IS auditor recommend to management?

During an audit, an IS auditor notices that the IT department of a medium-sized organization has no
separate risk management function, and the organization’s operational risk documentation only
contains a few broadly described IT risks. What is the MOST appropriate recommendation in this
situation?

The IT balanced scorecard is a business governance tool intended to monitor IT performance
evaluation indicators other than:

Before implementing an IT balanced scorecard, an organization must: