EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following metrics are frequently immature?

Question2: The rapid and dynamic rate of changes found in a cloud environment affects the organization's:

Question3: Which of the following cloud models prohibits penetration testing?

Question4: Which of the following is the MOST feasible way to validate the performance of CSPs for the delivery of technology resources?

Question5: The Cloud Computing Compliance Controls Catalogue (C5) framework is maintained by which of the following agencies?

Question6: Due to cloud audit team resource constraints, an audit plan as initially approved cannot be completed. Assuming that the situation is communicated in the cloud audit report which course of action is MOST relevant?

Question7: A CSP contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The CSP's security operation center is not notified in advance of the scope of the audit and the test vectors. Which mode is selected by the CSP?

Question8: When building a cloud governance model, which of the following requirements will focus more on the cloud service provider's evaluation and control checklist?

Question9: What should be the auditor's PRIMARY objective while examining a cloud service provider's (CSP's) SLA?

Question10: An independent contractor is assessing security maturity of a SaaS company against industry standards. The SaaS company has developed and hosted all their products using the cloud services provided by a third-party cloud service provider (CSP). What is the optimal and most efficient mechanism to assess the controls CSP is responsible for?

Question11: Which of the following should be the FIRST step to establish a cloud assurance program during a cloud migration?

Question12: Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

Question13: When developing a cloud compliance program, what is the PRIMARY reason for a cloud customer to review which cloud services will be deployed?

Question14: Which of the following is a cloud-native solution designed to counter threats that do not exist within the enterprise?

Question15: Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

Question16: Which of the following key stakeholders should be identified the earliest when an organization is designing a cloud compliance program?

Question17: Which of the following would be considered as a factor to trust in a cloud service provider?

Question18: What should be an organization's control audit schedule of a cloud service provider's business continuity plan and operational resilience policy?

Question19: Which objective is MOST appropriate to measure the effectiveness of password policy?

Question20: Which of the following is a fundamental concept of FedRAMP that intends to save costs, time, and staff conducting superfluous agency security assessments?

Question21: To ensure that cloud audit resources deliver the best value to the organization, the PRIMARY step would be to:

Question22: Within an organization, which of the following functions should be responsible for defining the cloud adoption approach?

Question23: A large organization with subsidiaries in multiple locations has a business requirement to organize IT systems to have identified resources reside in particular locations with organizational personnel. Which access control method will allow IT personnel to be segregated across the various locations?

Question24: Which of the following would give an auditor the BEST view of design and implementation decisions when an organization uses programmatic automation for Infrastructure as a Service (IaaS) deployments? The visibility of:

Question25: Account design in the cloud should be driven by:

Question26: You have been assigned the implementation of an ISMS, whose scope must cover both on premise and cloud infrastructure. Which of the following is your BEST option?

Question27: Which of the following CSP activities requires a client's approval?

Question28: Which of the following approaches encompasses social engineering of staff, bypassing of physical access controls and penetration testing?

Question29: From the perspective of a senior cloud security audit practitioner in an organization of a mature security program with cloud adoption, which of the following statements BEST describes the DevSecOps concept?

Question30: What data center and physical security measures should a cloud customer consider when assessing a cloud service provider?

Question31: Cloud Control Matrix (CCM) controls can be used by cloud customers to:

Question32: As a developer building codes into a container in a DevSecOps environment, which of the following is the appropriate place(s) to perform security tests?

Question33: An auditor is performing an audit on behalf of a cloud customer. For assessing security awareness, the auditor should:

Question34: When performing audits in relation to Business Continuity Management and Operational Resilience strategy, what would be the MOST critical aspect to audit in relation to the strategy of the cloud customer that should be formulated jointly with the cloud service provider?

Question35: Which of the following is a corrective control that may be identified in a SaaS service provider?

Question36: Which of the following standards is designed to be used by organizations for cloud services that intend to select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001?

Question37: Which of the following is the BEST way for a client to enforce a policy violation committed by a cloud service provider (CSP)?

Question38: Under GDPR, an organization should report a data breach within what time frame?

Question39: SAST testing is performed by:

Question40: In cloud computing, with whom does the responsibility and accountability for compliance lie?

Question41: During an audit it was identified that a critical application hosted in an off-premises cloud is not part of the organization's DRP (Disaster Recovery Plan). Management stated that it is responsible for ensuring that the cloud service provider (CSP) has a plan that is tested annually. What should be the auditor's NEXT course of action?

Question42: With regard to the Cloud Control Matrix (CCM), the 'Architectural Relevance' is a feature that enables the filtering of security controls by:

Question43: To assist an organization with planning a cloud migration strategy to execution, an auditor should recommend the use of:

Question44: A certification target helps in the formation of a continuous certification framework by incorporating: