Domain 4 – Section A Review: Information Technology Principles
Architecture defines structure.
Operations define discipline.
Lifecycle defines exposure.
Domain 4 Section A tests whether you understand:
- How technology decisions influence inherent risk
- How operational weaknesses increase residual risk
- How lifecycle governance reduces exposure
- How resilience aligns with business impact
- How innovation introduces uncertainty
These questions require structural thinking — not memorization.
10 scenario-based questions
Question 1
An organization centralizes all identity services into a single platform without redundancy.
What is the PRIMARY architectural risk?
A. Strong standardization
B. Concentration and single point of failure risk
C. Reduced inherent risk
D. Improved KPI tracking
Answer & reasoning
Correct: B
Centralization increases blast radius if resilience is absent.
Question 2
Emergency production changes are frequently implemented without formal review and approved retroactively.
What governance principle is MOST compromised?
A. Incident management
B. Change control integrity
C. Risk aggregation
D. Disaster recovery
Answer & reasoning
Correct: B
Change management must remain controlled even under urgency.
Question 3
A project expands scope late in development without reassessing risk exposure.
What is the PRIMARY governance weakness?
A. Strong agility
B. Failure to reassess risk during scope change
C. Reduced inherent risk
D. Improved KPI
Answer & reasoning
Correct: B
Scope changes alter risk and require reassessment.
Question 4
A system’s Recovery Time Objective (RTO) exceeds the Maximum Tolerable Downtime (MTD) identified in the BIA.
What does this indicate?
A. Strong resilience
B. Misalignment between recovery capability and business tolerance
C. Excessive mitigation
D. Lower inherent risk
Answer & reasoning
Correct: B
RTO must align with business impact tolerance.
Question 5
Customer data is retained indefinitely because storage is inexpensive.
What is the MOST significant risk?
A. Strong data availability
B. Increased regulatory and breach impact exposure
C. Lower inherent risk
D. Improved monitoring
Answer & reasoning
Correct: B
Over-retention increases liability and breach impact.
Question 6
Security requirements were not defined during SDLC planning and must be retrofitted post-deployment.
What principle was violated?
A. Agile methodology
B. Security-by-design discipline
C. Risk avoidance
D. KPI structure
Answer & reasoning
Correct: B
Controls should be embedded early in the lifecycle.
Question 7
An unsupported legacy system remains in production because replacement is “too risky.”
What is the PRIMARY risk concern?
A. Strong mitigation
B. Increasing inherent and operational vulnerability risk
C. Reduced exposure
D. Improved governance
Answer & reasoning
Correct: B
Unsupported systems increase exposure over time.
Question 8
An organization deploys AI tools rapidly without performing a formal risk assessment.
What governance principle is MOST compromised?
A. Innovation agility
B. Risk evaluation prior to adoption
C. KPI performance
D. Disaster recovery alignment
Answer & reasoning
Correct: B
Emerging technologies require structured risk assessment.
Question 9
Incidents are resolved quickly, but recurring root causes are never addressed.
What operational weakness exists?
A. Strong incident response
B. Weak problem management discipline
C. Reduced inherent risk
D. Strong KCI
Answer & reasoning
Correct: B
Recurring incidents indicate unresolved root causes.
Question 10
A cloud vendor contract does not define data destruction procedures upon termination.
Which lifecycle stage is MOST exposed?
A. Creation
B. Storage
C. Use
D. Disposal
Answer & reasoning
Correct: D
Secure disposal must be contractually defined.
Section A master pattern
When answering Domain 4 Section A questions, remember:
- Architecture creates inherent risk structure.
- Centralization increases concentration risk.
- Change management protects stability.
- Projects require continuous risk reassessment.
- RTO/RPO must align with BIA.
- Over-retention increases regulatory liability.
- Security must be embedded early in the SDLC.
- Legacy systems increase exposure.
- Emerging tech increases uncertainty.
- Root cause analysis prevents recurring risk.
This domain rewards structural risk thinking — not deep technical memorization.