EMT Practice Test

1. Question Content...


Question List

Question1: Supply chain agreements between a cloud service provider and cloud customers should, at a minimum, include:

Question2: Which of the following is MOST important to ensure effective cloud application controls are maintained in an organization?

Question3: An organization is using the Cloud Controls Matrix (CCM) to extend its IT governance in the cloud. Which of the following is the BEST way for the organization to take advantage of the supplier relationship feature?

Question4: What is an advantage of using dynamic application security testing (DAST) over static application security testing (SAST) methodology?

Question5: Which of the following types of SOC reports BEST helps to ensure operating effectiveness of controls in a cloud service provider offering?

Question6: After finding a vulnerability in an Internet-facing server of an organization, a cybersecurity criminal is able to access an encrypted file system and successfully manages to overwrite parts of some files with random data.
In reference to the Top Threats Analysis methodology, how would the technical impact of this incident be categorized?

Question7: A cloud service customer is looking to subscribe to a finance solution provided by a cloud service provider.
The provider has clarified that the audit logs cannot be taken out of the cloud environment by the customer to its security information and event management (SIEM) solution for monitoring purposes. Which of the following should be the GREATEST concern to the auditor?

Question8: During the planning phase of a cloud audit, the PRIMARY goal of a cloud auditor is to:

Question9: The BEST method to report continuous assessment of a cloud provider's services to the Cloud Security Alliance (CSA) is through:

Question10: In audit parlance, what is meant by "management representation"?

Question11: DevSecOps aims to integrate security tools and processes directly into the software development life cycle and should be done:

Question12: What aspect of Software as a Service (SaaS) functionality and operations would the cloud customer be responsible for and should be audited?

Question13: Which of the following should be an assurance requirement when an organization is migrating to a Software as a Service (SaaS) provider?

Question14: Which of the following is an example of reputational business impact?

Question15: Which of the following types of risk is associated specifically with the use of multi-cloud environments in an organization?

Question16: A cloud service provider utilizes services of other service providers for its cloud service. Which of the following is the BEST approach for the auditor while performing the audit for the cloud service?

Question17: What does "The Egregious 11" refer to?

Question18: Which of the following has the MOST substantial impact on how aggressive or conservative the cloud approach of an organization will be?

Question19: Organizations maintain mappings between the different control frameworks they adopt to:

Question20: Which of the following is an example of integrity technical impact?

Question21: Which of the following can be used to determine whether access keys are stored in the source code or any other configuration files during development?

Question22: When an organization is using cloud services, the security responsibilities largely vary depending on the service delivery model used, while the accountability for compliance should remain with the:

Question23: Which of the following is a good candidate for continuous auditing?

Question24: Which of the following would be the MOST critical finding of an application security and DevOps audit?

Question25: In relation to testing business continuity management and operational resilience, an auditor should review which of the following database documentation?

Question26: "Network environments and virtual instances shall be designed and configured to restrict and monitor traffic between trusted and untrusted connections. These configurations shall be reviewed at least annually, and supported by a documented justification for use for all allowed services, protocols, ports, and by compensating controls." Which of the following types of controls BEST matches this control description?

Question27: The MOST important goal of regression testing is to ensure:

Question28: A cloud service provider providing cloud services currently being used by the United States federal government should obtain which of the following to assure compliance to stringent government standards?

Question29: When applying the Top Threats Analysis methodology following an incident, what is the scope of the technical impact identification step?

Question30: An auditor is assessing a European organization's compliance. Which regulation is suitable if health information needs to be protected?

Question31: In all three cloud deployment models, (laaS, PaaS, and SaaS), who is responsible for the patching of the hypervisor layer?

Question32: Which of the following has been provided by the Federal Office for Information Security in Germany to support customers in selecting, controlling, and monitoring their cloud service providers?

Question33: Which of the following processes should be performed FIRST to properly implement the NIST SP 800-53 r4 control framework in an organization?

Question34: Which of the following is the GREATEST risk associated with hidden interdependencies between cloud services?

Question35: Who should define what constitutes a policy violation?

Question36: Which of the following cloud environments should be a concern to an organization s cloud auditor?

Question37: An auditor identifies that a cloud service provider received multiple customer inquiries and requests for proposal (RFPs) during the last month. Which of the following What should be the BEST recommendation to reduce the provider's burden?

Question38: Which of the following metrics are frequently immature?

Question39: From the perspective of a senior cloud security audit practitioner in an organization with a mature security program and cloud adoption, which of the following statements BEST describes the DevSecOps concept?

Question40: Which of the following is the MOST relevant question in the cloud compliance program design phase?

Question41: Which of the following is MOST useful for an auditor to review when seeking visibility into the cloud supply chain for a newly acquired Software as a Service (SaaS) solution?

Question42: Which of the following activities is performed outside information security monitoring?

Question43: Which objective is MOST appropriate to measure the effectiveness of password policy?

Question44: What do cloud service providers offer to encourage clients to extend the cloud platform?

Question45: One of the control specifications in the Cloud Controls Matrix (CCM) states that "independent reviews and assessments shall be performed at least annually to ensure that the organization addresses nonconformities of established policies, standards, procedures, and compliance obligation." Which of the following controls under the Audit Assurance and Compliance domain does this match to?

Question46: In a situation where duties related to cloud risk management and control are split between an organization and its cloud service providers, which of the following would BEST help to ensure a coordinated approach to risk and control processes?

Question47: What legal documents should be provided to the auditors in relation to risk management?

Question48: Which of the following activities are part of the implementation phase of a cloud assurance program during a cloud migration?

Question49: The PRIMARY objective for an auditor to understand the organization's context for a cloud audit is to:

Question50: As Infrastructure as a Service (laaS) cloud service providers often do not allow the cloud service customers to perform on-premise audits, the BEST approach for the auditor should be to:

Question51: A contract containing the phrase "You automatically consent to these terms by using or logging into the service to which they pertain" is establishing a contract of:

Question52: With regard to the Cloud Controls Matrix (CCM), the Architectural Relevance is a feature that enables the filtering of security controls by:

Question53: During an audit, it was identified that a critical application hosted in an off-premises cloud is not part of the organization's disaster recovery plan (DRP). Management stated that it is responsible for ensuring the cloud service provider has a plan that is tested annually. What should be the auditor's NEXT course of action?

Question54: What areas should be reviewed when auditing a public cloud?

Question55: Regarding suppliers of a cloud service provider, it is MOST important for the auditor to be aware that the:

Question56: What is a sign that an organization has adopted a shift-left concept of code release cycles?

Question57: Which of the following key stakeholders should be identified FIRST when an organization is designing a cloud compliance program?

Question58: Which of the following attestations allows for immediate adoption of the Cloud Controls Matrix (CCM) as additional criteria to AICPA Trust Service Criteria and provides the flexibility to update the criteria as technology and market requirements change?

Question59: Cloud Controls Matrix (CCM) controls can be used by cloud customers to:

Question60: Which of the following is an example of availability technical impact?

Question61: Application programming interfaces (APIs) are likely to be attacked continuously by bad actors because they:

Question62: In the context of Infrastructure as a Service (laaS), a vulnerability assessment will scan virtual machines to identify vulnerabilities in:

Question63: Which of the following is the reason for designing the Consensus Assessments Initiative Questionnaire (CAIQ)?

Question64: An auditor examining a cloud service provider's service level agreement (SLA) should be MOST concerned about whether:

Question65: A dot release of the Cloud Controls Matrix (CCM) indicates:

Question66: When mapping controls to architectural implementations, requirements define:

Question67: In cloud computing, which KEY subject area relies on measurement results and metrics?

Question68: Which of the following is a detective control that may be identified in a Software as a Service (SaaS) service provider?

Question69: A cloud service provider contracts for a penetration test to be conducted on its infrastructures. The auditor engages the target with no prior knowledge of its defenses, assets, or channels. The provider's security operation center is not notified in advance of the scope of the audit and the test vectors. Which mode has been selected by the provider?

Question70: When an organization is moving to the cloud, responsibilities are shared based upon the cloud service provider's model and accountability is:

Question71: Which of the following MOST enhances the internal stakeholder decision-making process for the remediation of risks identified from an organization's cloud compliance program?

Question72: Which of the following is the BEST method to demonstrate assurance in the cloud services to multiple cloud customers?

Question73: An independent contractor is assessing the security maturity of a Software as a Service (SaaS) company against industry standards. The SaaS company has developed and hosted all its products using the cloud services provided by a third-party cloud service provider. What is the optimal and most efficient mechanism to assess the controls provider is responsible for?

Question74: Which of the following is a category of trust in cloud computing?

Question75: During the cloud service provider evaluation process, which of the following BEST helps identify baseline configuration requirements?

Question76: Which of the following BEST describes the difference between a Type 1 and a Type 2 SOC report?

Question77: Which of the following aspects of risk management involves identifying the potential reputational and financial harm when an incident occurs?

Question78: The MOST important factor to consider when implementing cloud-related controls is the:

Question79: The three layers of Open Certification Framework (OCF) PRIMARILY help cloud service providers and cloud clients improve the level of:

Question80: What type of termination occurs at the initiative of one party and without the fault of the other party?

Question81: What is below the waterline in the context of cloud operationalization?