Project+: Basics of IT and Governance

Try 10 focused Project+ questions on Basics of IT and Governance, with answers and explanations, then continue with PM Mastery.

Open the matching PM Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.

Topic snapshot

Field            | Detail
Exam route       | Project+
Topic area       | Basics of IT and Governance
Blueprint weight | 18%
Page purpose     | Focused sample questions before returning to mixed practice

How to use this topic drill

Use this page to isolate Basics of IT and Governance for Project+. Work through the 10 questions first, then review the explanations and return to mixed practice in PM Mastery.

Pass          | What to do                                                  | What to record
First attempt | Answer without checking the explanation first.              | The fact, rule, calculation, or judgment point that controlled your answer.
Review        | Read the explanation even when you were correct.            | Why the best answer is stronger than the closest distractor.
Repair        | Repeat only missed or uncertain items after a short break.  | The pattern behind misses, not the answer letter.
Transfer      | Return to mixed practice once the topic feels stable.       | Whether the same skill holds up when the topic is no longer obvious.

Blueprint context: 18% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.

Sample questions

These questions are original PM Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Basics of IT and Governance

A project team is configuring a new HR SaaS platform and is collaborating in Teams/SharePoint. The schedule is slipping due to repeated rework: team members keep working from exported copies of payroll data, and changes are made in multiple places without a clear approver. An internal audit finds that a folder containing employee PII was shared via a public channel link, and there is no defined retention for the shared site. Which underlying cause is MOST likely?

  • A. The team has an aggressive timeline and insufficient resources
  • B. Uncontrolled changes are occurring because the team uses copies
  • C. Data classification and handling rules weren’t defined and enforced
  • D. The vendor’s security review is delaying access to the HR SaaS

Best answer: C

What this tests: Basics of IT and Governance

Explanation: The symptoms point to collaboration happening without guardrails for sensitive information. When classification-driven rules aren’t defined and applied in the tool, users can share PII too broadly, store it in the wrong places, and keep uncontrolled copies that cause version conflicts and rework. Adding classification and enforcing sharing/retention settings addresses both the audit finding and the repeated rework.

In collaboration tools, sensitive data should be handled based on its classification (for example, PII as Confidential/Restricted) so that sharing, storage locations, and retention are controlled. Here, PII was shared via a public link and there is no retention defined, which indicates governance gaps rather than a one-time mistake. The repeated rework and unclear ownership also fit a lack of defined rules and accountability for how classified data is created, stored, and shared (leading to offline copies and parallel edits). Implementing classification labels and mapping them to controls (external sharing restrictions, approved repositories, retention policies, and an owner/approver) prevents oversharing and reduces version sprawl. The key takeaway is that classification must drive collaboration-tool configuration and user practices.

Without defined classification rules (sharing, storage, retention) and enforcement, the team will overshare sensitive data and create uncontrolled copies/versions.


Question 2

Topic: Basics of IT and Governance

You manage change control for an on-prem IAM platform. The change policy defines:

  • Standard change: pre-approved, low risk, repeatable; follows a documented procedure.
  • Normal change: planned change that requires risk assessment and CAB approval.
  • Emergency change: unplanned change needed immediately to restore service or prevent imminent business impact; uses expedited approval and requires a post-implementation review.

A vendor releases a security hotfix for a zero-day that is actively exploited. Security states the vulnerability exposes customer PII and requests deployment within 6 hours, before the next scheduled CAB meeting.

Which handling path is MOST appropriate?

  • A. Process it as a standard change because it is a vendor hotfix
  • B. Process it as an emergency change with expedited approval and a post-implementation review
  • C. Process it as a normal change and wait for the next CAB meeting
  • D. Log it as a problem and defer the fix until the next maintenance window

Best answer: B

What this tests: Basics of IT and Governance

Explanation: This situation is driven by urgency and risk: an actively exploited zero-day with potential PII exposure requires action before normal governance cycles can occur. Under the provided definitions, that combination makes it an emergency change. The correct handling includes expedited approval (per emergency procedure) and a post-implementation review to document outcomes and any follow-up actions.

Change classification should follow the policy definitions provided in the scenario, using the single most decisive factor. Here, the vendor hotfix is requested within hours due to active exploitation and potential exposure of regulated data, and it cannot wait for the next CAB meeting. That matches the definition of an emergency change: unplanned and required immediately to prevent imminent business impact.

The appropriate emergency handling path is:

  • Obtain expedited approval using the emergency approver/on-call process
  • Implement and document the change as performed
  • Complete a post-implementation review to capture results, impacts, and any remediation

A “standard change” requires pre-approval and repeatability, and a “normal change” assumes there is time for standard CAB review.

The hotfix is unplanned and time-critical to prevent imminent impact, so it fits the emergency path with expedited approval and required PIR.


Question 3

Topic: Basics of IT and Governance

A project team is preparing to go live with a new SaaS HR system that stores employee PII. The organization requires evidence that privacy and compliance controls were validated before production release.

Which of the following is NOT appropriate evidence to validate compliance for go-live approval?

  • A. A current independent audit report (for example, SOC 2 Type II) mapped to required control areas
  • B. Documented meeting notes stating encryption is enabled, with no attached test results or sign-off
  • C. A test report showing role-based access control and least-privilege checks passed in pre-production
  • D. A signed go-live approval from the privacy officer confirming required reviews were completed

Best answer: B

What this tests: Basics of IT and Governance

Explanation: Compliance validation requires objective, reviewable artifacts such as sign-offs, test reports, and documented control verification. Informal statements that a control exists are not sufficient because they cannot be independently verified or audited later. The best evidence is something traceable to a reviewer and/or measurable test results tied to the required controls.

To validate compliance before go-live, you need evidence that is objective, traceable, and auditable. In practice this means documented approvals from accountable roles (for example, privacy or security), test results that demonstrate controls are working as intended, and documented verification activities (including independent assurance reports when applicable). Meeting comments or undocumented claims that a control is “enabled” do not provide repeatable proof, do not show what was tested, and usually fail an audit trail requirement.

Key takeaway: compliance validation is based on recorded sign-offs and control verification artifacts, not informal assurance.

Verbal/undocumented assertions without a recorded sign-off or test/verification artifact are not reliable compliance evidence.


Question 4

Topic: Basics of IT and Governance

A project team is preparing to deploy a new internal SaaS ticketing system integrated with SSO. Operations will own the service after go-live, and the security team requires evidence that deployment and transition include least-privilege access, documented response procedures, and ongoing monitoring. The project manager needs one piece of evidence to validate security readiness for the transition to operations.

Which artifact best validates this readiness?

  • A. A signed operational readiness (transition) checklist showing access review completed and monitoring/alerting tested
  • B. A draft deployment runbook stored in the team wiki
  • C. A report showing sprint velocity increased over the last three sprints
  • D. User acceptance testing sign-off from business stakeholders

Best answer: A

What this tests: Basics of IT and Governance

Explanation: The strongest validation is an auditable transition/operational readiness artifact that confirms required security activities are complete and verified. A signed checklist that includes access recertification and monitoring/alert tests demonstrates the service can be securely operated after go-live. This is better evidence than progress indicators or general acceptance sign-offs.

For deployment and transition, security readiness is best validated with evidence that operations can run the service securely on day one. That typically means: access has been reviewed and approved (least privilege, correct roles/groups), runbooks exist for routine operations and incidents, and monitoring/alerting is implemented and tested so responders can detect and act.

A signed operational readiness (transition) checklist is strong evidence because it is both comprehensive and verifiable: it ties required items (access review, monitoring tests, runbook availability) to an accountable sign-off before handover. A draft or a performance/progress metric can exist without proving those controls were validated.

A signed readiness checklist provides auditable evidence that access, runbooks, and monitoring requirements were completed and validated before handoff.


Question 5

Topic: Basics of IT and Governance

You are coordinating an on-prem virtualization refresh for a 200-VM environment. Constraints are explicit: go-live must occur within 10 weeks due to expiring support, and the cost cap is $250,000. The sponsor also states two non-negotiable ESG requirements: decommissioned hardware must be sent to a certified e-waste recycler, and the new solution must reduce estimated power consumption by at least 30% versus the current baseline.

Which action SHOULD the project manager AVOID in order to balance cost/schedule tradeoffs with the stated ESG requirements?

  • A. Selecting the lowest-cost server bid and planning to address e-waste recycling after go-live
  • B. Proposing a phased cutover that meets the 10-week deadline while still using certified recycling for decommissioned assets
  • C. Submitting a change request with cost/schedule impacts if meeting the 30% power reduction requires higher-spec hardware
  • D. Using weighted vendor criteria that includes power reduction and recycling certifications, then documenting the decision

Best answer: A

What this tests: Basics of IT and Governance

Explanation: When ESG requirements are explicitly non-negotiable, the project team must treat them as constraints alongside cost and schedule. Acceptable actions include making transparent tradeoffs through documented selection criteria, change control, and realistic phasing. The anti-pattern is choosing an approach that knowingly violates ESG constraints and hoping to fix it later.

The core concept is managing explicit, prioritized constraints: if a sponsor states ESG requirements are non-negotiable, they are constraints like a hard deadline or a cost cap. The project manager should evaluate options that satisfy ESG while working within time and budget, and use governance mechanisms when tradeoffs are unavoidable (e.g., change requests, documented decisions, or phased delivery).

An approach that intentionally ignores the stated ESG constraints (such as deferring certified recycling or accepting a solution that cannot meet the power-reduction target) is not a valid “tradeoff” unless the sponsor formally changes priorities through change control. The key takeaway is to make tradeoffs transparent and approved, not implicit or deferred.

This bypasses the sponsor’s non-negotiable ESG requirements, creating an unapproved compliance gap regardless of cost/schedule pressure.


Question 6

Topic: Basics of IT and Governance

A project team is implementing a SaaS HR system that will store employee PII. A SOC 2 audit starts in 6 weeks, and the planned go-live is in 8 weeks (the date cannot move). Today, approvals for configuration changes and access requests are mostly handled in email and chat, and evidence is stored inconsistently.

Which action BEST optimizes audit readiness by improving traceability, approvals, and logs without adding excessive rework or delaying go-live?

  • A. Freeze all noncritical changes until after the audit
  • B. Store signed approval PDFs in a shared folder by date
  • C. Have leads archive approval emails and provide them if asked
  • D. Enforce ticket-based workflows with approvals, links, and audit logs

Best answer: D

What this tests: Basics of IT and Governance

Explanation: Audit readiness depends on a complete, consistent evidence trail showing what changed, who approved it, and what validation occurred. Enforcing a single workflow in an existing ticketing tool (with approvals and logging) creates end-to-end traceability across requirements, changes, and testing. This also reduces last-minute evidence gathering and supports the fixed go-live date.

For compliance and privacy audits, the strongest evidence is generated “as work happens”: traceable records that tie a request/change to approval, implementation, and validation, plus system logs that show who did what and when. The best optimization is to standardize on a single system of record (typically a ticketing/change system) and require work to flow through it with defined approval steps, attachments/links to artifacts (requirements, configs, commits, test results), and retained audit logs. This approach improves completeness and consistency while minimizing manual collation during the audit and avoiding schedule risk. In contrast, ad hoc email/PDF collection tends to be incomplete, hard to search, and difficult to prove as authoritative.

A single system-of-record with enforced approvals and linked evidence creates an auditable trail with minimal ongoing overhead.


Question 7

Topic: Basics of IT and Governance

A team is deploying a new customer-support ticketing system to production and transitioning support to the operations team. Go-live is in 10 business days, and the sponsor will not approve new tools or added budget. The organization already has centralized logging/SIEM and an on-call rotation.

Which action best optimizes security during deployment and transition while meeting the constraints?

  • A. Update runbooks with access review, monitoring, and escalation steps
  • B. Purchase a new monitoring tool to meet security requirements
  • C. Rely on vendor default alerts and document runbooks later
  • D. Defer access review until after 30 days of production use

Best answer: A

What this tests: Basics of IT and Governance

Explanation: The best choice is to integrate security controls into the deployment and handoff artifacts the ops team will actually use. Updating runbooks to include a pre-cutover access review, logging/monitoring setup, and escalation procedures reduces security and operational risk without requiring new spend. It also supports a clean transition by making ownership and response actions explicit at go-live.

Planning security into deployment and transition means ensuring the system is supportable and secure on day one, using operational artifacts like runbooks and checklists. Under a tight timeline and no-budget constraint, the highest-value approach is to leverage existing capabilities (SIEM, on-call) and bake required security steps into the cutover and steady-state procedures.

A practical transition-ready runbook typically includes:

  • Pre-go-live access review (least privilege, role mapping, break-glass)
  • Log forwarding and key alert thresholds wired to the existing SIEM
  • On-call escalation path, incident response contacts, and rollback steps

This reduces the chance of excessive access, undetected events, and confusion during incidents compared with postponing security tasks or depending on defaults.

It embeds security into transition by validating least-privilege access and enabling monitoring/escalation using existing tools within the timeline.


Question 8

Topic: Basics of IT and Governance

A project team is implementing updates to an internal HR web application using dev, test, staging, and production environments. The organization requires separation of duties, auditability, and minimal risk of unauthorized changes in production.

Which practice should the project manager NOT allow as part of environment governance?

  • A. Production deployments occur through an approved, logged release pipeline
  • B. Developers deploy directly to production using shared admin credentials
  • C. Staging/UAT sign-off is required before promoting to production
  • D. Nonproduction environments use masked or synthetic data for testing

Best answer: B

What this tests: Basics of IT and Governance

Explanation: Production should have the strictest access controls because it affects real users and data. Allowing developers to deploy to production with shared admin credentials breaks separation of duties and makes changes hard to attribute and audit. Strong governance uses controlled promotion paths and least-privilege access to reduce operational and compliance risk.

Dev/test/staging are used to build and validate changes before they reach production, but production governance must prioritize control, traceability, and reduced blast radius. A common best practice is to promote builds through environments using a controlled release mechanism (often CI/CD) with approvals and logs, while restricting production privileges to a small set of authorized roles. Shared administrative credentials and direct developer access to production undermine separation of duties, weaken accountability (no reliable audit trail of who changed what), and increase the likelihood of unreviewed or untested changes impacting live services and sensitive data. The key takeaway is that production access should be least-privilege and tightly governed, while validation happens in test/staging with appropriate data handling.

This bypasses separation of duties and audit trails and greatly increases the risk of uncontrolled production changes.


Question 9

Topic: Basics of IT and Governance

You are managing a SaaS rollout that must meet the company’s security baseline. During planning, you review a requirements traceability excerpt.

Exhibit: Traceability excerpt

Req ID | Security requirement            | Work item      | Verification
SR-01  | MFA for all users               | US-14          | TC-22
SR-02  | Encrypt data in transit (TLS)   | US-09          | TC-10
SR-03  | 90-day audit log retention      | (not mapped)   | (not defined)
SR-04  | Least-privilege admin roles     | US-18          | TC-31

What is the best next action to ensure security requirements are identified early and tracked through delivery?

  • A. Wait until user acceptance testing to confirm whether audit log retention is needed
  • B. Update the backlog/WBS to include a work item and acceptance criteria for SR-03, and add a linked test/verification entry in the traceability artifact
  • C. Ask the vendor to enable audit log retention without updating project documentation to avoid scope changes
  • D. Document SR-03 as a risk and proceed, addressing it only if it becomes an issue

Best answer: B

What this tests: Basics of IT and Governance

Explanation: The exhibit shows a security requirement (audit log retention) that is not tied to any planned work or verification. The most effective way to track security requirements through planning and delivery is to create explicit traceability from the requirement to a work item and to a validation method. This prevents late discovery and ensures the requirement is built and tested.

A key control for managing security requirements is traceability: every security requirement should be identified early, translated into planned work, and validated before go-live. In the exhibit, SR-03 has no mapped work item and no defined verification, which means it can easily be missed until late testing or after deployment.

The correct action is to immediately:

  • Create/update the related backlog item (or WBS task) for SR-03
  • Define measurable acceptance criteria
  • Link the requirement to a verification method (test case, config validation, or audit evidence)

This keeps security requirements visible during execution and provides objective proof during acceptance and compliance reviews.

Mapping SR-03 to planned work and verification creates end-to-end traceability so the security requirement is implemented and validated.


Question 10

Topic: Basics of IT and Governance

A project team is implementing a new SaaS HR onboarding portal. During backlog refinement, a stakeholder requests adding a step to collect and store employees’ government IDs and bank account numbers for direct deposit.

The company’s data-handling policy classifies this as “restricted data” and requires security and privacy approval before any system is designed to store it. The team is scheduled to start configuration work next week.

What is the BEST next step?

  • A. Escalate the request to the project sponsor for an immediate go/no-go decision
  • B. Ask the vendor for a statement of work covering encrypted storage and logging
  • C. Submit a change request and route it to security/privacy for compliance impact review
  • D. Proceed with configuration and add required controls after user acceptance testing

Best answer: C

What this tests: Basics of IT and Governance

Explanation: When a new requirement introduces regulated or policy-restricted data, compliance requirements apply immediately and constrain what can be built and when. The right next step is to formally raise the request and trigger the required security/privacy approval process before design or configuration begins. This prevents building a solution that is later found noncompliant or requires rework.

The core concept is recognizing when compliance requirements apply and using governance to constrain delivery. Because the new backlog item adds “restricted data,” the project cannot safely proceed with design/configuration until security and privacy have assessed the impact (controls, approvals, data flows, retention, access) and the change is approved.

A practical next-step sequence is:

  • Document the new requirement as a formal change
  • Send it for security/privacy compliance impact review
  • Update scope, acceptance criteria, and schedule/cost only after approval

The key takeaway is that compliance-triggering requirements must be validated and approved before committing project work, not after testing or procurement actions.

Because restricted data triggers mandatory approvals, the request must go through compliance review and change control before committing to design or delivery.

Continue with full practice

Use the Project+ Practice Test page for the full PM Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.

Free review resource

Use the full PM Mastery practice page above for the latest review links and practice route.

Revised on Thursday, May 14, 2026