EMT Practice Test

1. Question Content...


Question List

Question1: When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

Question2: A cloud service provider contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The provider's security operation center is not notified in advance of the scope of the audit and the test vectors. Which mode has been selected by the provider?

Question3: What is an advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

Question4: The PRIMARY objective for an auditor to understand the organization's context for a cloud audit is to:

Question5: To ensure integration of security testing is implemented on large code sets in environments where time to completion is critical, what form of validation should an auditor expect?

Question6: During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

Question7: Which of the following is the PRIMARY area for an auditor to examine in order to understand the criticality of the cloud services in an organization, along with their dependencies and risks?

Question8: Which of the following is an example of financial business impact?

Question9: In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?

Question10: Which objective is MOST appropriate to measure the effectiveness of password policy?

Question11: In audit parlance, what is meant by "management representation"?

Question12: What areas should be reviewed when auditing a public cloud?

Question13: A cloud service provider utilizes services of other service providers for its cloud service. Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?

Question14: Which of the following is the GREATEST risk associated with hidden interdependencies between cloud services?

Question15: Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:

Question16: What is a sign that an organization has adopted a shift-left concept of code release cycles?

Question17: Who should define what constitutes a policy violation?

Question18: A certification target helps in the formation of a continuous certification framework by incorporating:

Question19: Which of the following is MOST important to manage risk from cloud vendors who might accidentally introduce unnecessary risk to an organization by adding new features to their solutions?

Question20: When mapping controls to architectural implementations, requirements define:

Question21: Which of the following is an example of financial business impact?

Question22: When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

Question23: In the context of Infrastructure as a Service (laaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

Question24: The effect of which of the following should have priority in planning the scope and objectives of a cloud audit?

Question25: Why should the results of third-party audits and certification be relied on when analyzing and assessing the cybersecurity risks in the cloud?

Question26: An organization employing the Cloud Controls Matrix (CCM) to perform a compliance assessment leverages the Scope Applicability direct mapping to:

Question27: Which of the following cloud service provider activities MUST obtain a client's approval?

Question28: The BEST way to deliver continuous compliance in a cloud environment is to:

Question29: Which of the following can be used to determine whether access keys are stored in the source code or any other configuration files during development?

Question30: What does "The Egregious 11" refer to?

Question31: Controls mapping found in the Scope Applicability column of the Cloud Controls Matrix (CCM) may help organizations to realize cost savings:

Question32: During the cloud service provider evaluation process, which of the following BEST helps identify baseline configuration requirements?

Question33: If a customer management interface is compromised over the public Internet, it can lead to:

Question34: Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

Question35: When reviewing a third-party agreement with a cloud service provider, which of the following should be the GREATEST concern regarding customer data privacy?

Question36: When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:

Question37: An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following What should be the BEST recommendation to reduce the provider's burden?

Question38: The Cloud Octagon Model was developed to support organizations':

Question39: Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?

Question40: Which of the following is the PRIMARY area for an auditor to examine in order to understand the criticality of the cloud services in an organization, along with their dependencies and risks?

Question41: A dot release of the Cloud Controls Matrix (CCM) indicates:

Question42: A cloud service provider providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance to stringent government standards?

Question43: Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

Question44: Cloud Controls Matrix (CCM) controls can be used by cloud customers to:

Question45: In all three cloud deployment models, (laaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

Question46: Which of the following is the MOST significant difference between a cloud risk management program and a traditional risk management program?

Question47: Which of the following is the MOST relevant question in the cloud compliance program design phase?

Question48: Which of the following is the BEST tool to perform cloud security control audits?

Question49: It is MOST important for an auditor to be aware that an inventory of assets within a cloud environment:

Question50: Organizations maintain mappings between the different control frameworks they adopt to:

Question51: Which of the following is the MOST important audit scope document when conducting a review of a cloud service provider?

Question52: What is a sign that an organization has adopted a shift-left concept of code release cycles?