EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Question2: Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

Question3: Which of the following can be used to assign a monetary value to risk?

Question4: A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

Question5: Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?

Question6: An IT license audit has revealed that there are several unlicensed copies of co be to:

Question7: Which of the following BEST enables a risk practitioner to enhance understanding of risk among stakeholders?

Question8: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Question9: Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

Question10: It is MOST appropriate for changes to be promoted to production after they are;

Question11: Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Question12: Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Question13: Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Question14: A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Question15: Which of the following is MOST commonly compared against the risk appetite?

Question16: Performing a background check on a new employee candidate before hiring is an example of what type of control?

Question17: Which of the following is the MOST effective key performance indicator (KPI) for change management?

Question18: Which of the following would be considered a vulnerability?

Question19: An organization has been notified that a disgruntled, terminated IT administrator has tried to break into the corporate network. Which of the following discoveries should be of GREATEST concern to the organization?

Question20: Which of the following will BEST help an organization select a recovery strategy for critical systems?

Question21: It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Question22: Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Question23: Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Question24: Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

Question25: Which of The following will BEST communicate the importance of risk mitigation initiatives to senior management?

Question26: Which of the following approaches BEST identifies information systems control deficiencies?

Question27: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Question28: During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?

Question29: An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?

Question30: Which of the following is MOST important when developing key risk indicators (KRIs)?

Question31: The FIRST task when developing a business continuity plan should be to:

Question32: A contract associated with a cloud service provider MUST include:

Question33: Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Question34: Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Question35: Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Question36: While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Question37: The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Question38: A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Question39: Which of the following is the BEST way to determine the ongoing efficiency of control processes?

Question40: Which of the following risk management practices BEST facilitates the incorporation of IT risk scenarios into the enterprise-wide risk register?

Question41: The PRIMARY advantage of implementing an IT risk management framework is the:

Question42: During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Question43: When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

Question44: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Question45: Which of the following approaches would BEST help to identify relevant risk scenarios?

Question46: Which of the following is the MOST cost-effective way to test a business continuity plan?

Question47: Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Question48: Which of the following should be the PRIMARY objective of promoting a risk-aware culture within an organization?

Question49: The MAIN goal of the risk analysis process is to determine the:

Question50: Which of The following would offer the MOST insight with regard to an organization's risk culture?

Question51: A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Question52: After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Question53: Which of the following BEST helps to balance the costs and benefits of managing IT risk?

Question54: Which of the following is MOST critical when designing controls?

Question55: What is the GREATEST concern with maintaining decentralized risk registers instead of a consolidated risk register?

Question56: During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?

Question57: Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Question58: Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Question59: Improvements in the design and implementation of a control will MOST likely result in an update to:

Question60: The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:

Question61: Which of the following is the MOST common concern associated with outsourcing to a service provider?

Question62: Which of the following is the BEST approach for determining whether a risk action plan is effective?

Question63: Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Question64: Which of The following is the PRIMARY consideration when establishing an organization's risk management methodology?

Question65: Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Question66: Who is accountable for risk treatment?

Question67: The BEST reason to classify IT assets during a risk assessment is to determine the:

Question68: Which of the following is the PRIMARY objective of providing an aggregated view of IT risk to business management?

Question69: Which of the following would BEST help secure online financial transactions from improper users?

Question70: Which of the following will BEST help mitigate the risk associated with malicious functionality in outsourced application development?

Question71: Which of the following is a KEY outcome of risk ownership?

Question72: Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Question73: In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Question74: Which of the following will BEST help in communicating strategic risk priorities?

Question75: When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Question76: Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?

Question77: Accountability for a particular risk is BEST represented in a:

Question78: Which of the following aspects of an IT risk and control self-assessment would be MOST important to include in a report to senior management?

Question79: An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Question80: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Question81: An organizations chief technology officer (CTO) has decided to accept the risk associated with the potential loss from a denial-of-service (DoS) attack. In this situation, the risk practitioner's BEST course of action is to:

Question82: Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?

Question83: An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?

Question84: The PRIMARY reason for establishing various Threshold levels for a set of key risk indicators (KRIs) is to:

Question85: When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Question86: A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following i the BEST recommendation to address this situation?

Question87: While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Question88: When prioritizing risk response, management should FIRST:

Question89: Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

Question90: Which of the following should be the HIGHEST priority when developing a risk response?

Question91: Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

Question92: Which of the following key risk indicators (KRIs) is MOST effective for monitoring risk related to a bring your own device (BYOD) program?

Question93: Which of the following BEST indicates effective information security incident management?

Question94: Which of the following is MOST important for a risk practitioner to ensure once a risk action plan has been completed?

Question95: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Question96: Deviation from a mitigation action plan's completion date should be determined by which of the following?

Question97: The PRIMARY objective of The board of directors periodically reviewing the risk profile is to help ensure:

Question98: Which of the following risk register updates is MOST important for senior management to review?

Question99: A risk practitioner has learned that an effort to implement a risk mitigation action plan has stalled due to lack of funding. The risk practitioner should report that the associated risk has been:

Question100: When evaluating enterprise IT risk management it is MOST important to:

Question101: A new policy has been published to forbid copying of data onto removable medi a. Which type of control has been implemented?

Question102: What is the BEST information to present to business control owners when justifying costs related to controls?

Question103: When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Question104: Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Question105: The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Question106: Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Question107: An organization has decided to implement an emerging technology and incorporate the new capabilities into its strategic business plan. Business operations for the technology will be outsourced. What will be the risk practitioner's PRIMARY role during the change?

Question108: Which of the following is the BEST way to support communication of emerging risk?

Question109: The purpose of requiring source code escrow in a contractual agreement is to:

Question110: Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Question111: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Question112: Which of the following is of GREATEST concern when uncontrolled changes are made to the control environment?

Question113: A risk practitioner discovers several key documents detailing the design of a product currently in development have been posted on the Internet. What should be the risk practitioner's FIRST course of action?

Question114: A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

Question115: Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Question116: Which of the following is the MAIN reason to continuously monitor IT-related risk?

Question117: The MAIN purpose of having a documented risk profile is to:

Question118: Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Question119: Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?

Question120: An application owner has specified the acceptable downtime in the event of an incident to be much lower than the actual time required for the response team to recover the application. Which of the following should be the NEXT course of action?

Question121: Which of the following would be a risk practitioners BEST recommendation for preventing cyber intrusion?

Question122: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager. Which of the following would be the BEST method to use when developing the scenarios?

Question123: Which of the following should be a risk practitioner s MOST important consideration when developing IT risk scenarios?

Question124: Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Question125: A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency. Before updating the risk register, it is MOST important for the risk practitioner to:

Question126: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question127: Which of the following is the GREATEST concern when using a generic set of IT risk scenarios for risk analysis?

Question128: Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?

Question129: A global organization is planning to collect customer behavior data through social media advertising. Which of the following is the MOST important business risk to be considered?

Question130: Which of the following will BEST mitigate the risk associated with IT and business misalignment?

Question131: Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Question132: Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

Question133: When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?

Question134: Which of the following should be included in a risk scenario to be used for risk analysis?

Question135: Which of the following is MOST important when discussing risk within an organization?

Question136: A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents. Which of the following is the BEST course of action?

Question137: The PRIMARY objective for selecting risk response options is to:

Question138: The PRIMARY benefit of maintaining an up-to-date risk register is that it helps to:

Question139: An organization's risk tolerance should be defined and approved by which of the following?

Question140: An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Question141: Which of the following is the MAIN reason for analyzing risk scenarios?

Question142: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

Question143: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

Question144: Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

Question145: A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Question146: Who should be accountable for ensuring effective cybersecurity controls are established?

Question147: Which of the following would prompt changes in key risk indicator {KRI) thresholds?

Question148: Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Question149: Which of the following is MOST important for an organization that wants to reduce IT operational risk?

Question150: A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?

Question151: Which of the following should be the PRIMARY objective of a risk awareness training program?

Question152: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Question153: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Question154: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Question155: Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Question156: Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Question157: Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

Question158: A risk practitioner observes that hardware failure incidents have been increasing over the last few months. However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Question159: Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Question160: A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Question161: Which of the following presents the GREATEST challenge for an IT risk practitioner who wants to report on trends in historical IT risk levels?

Question162: To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Question163: A control owner has completed a year-long project To strengthen existing controls. It is MOST important for the risk practitioner to:

Question164: A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?

Question165: Which of the following data would be used when performing a business impact analysis (BIA)?

Question166: The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Question167: A key risk indicator (KRI) is reported to senior management on a periodic basis as exceeding thresholds, but each time senior management has decided to take no action to reduce the risk. Which of the following is the MOST likely reason for senior management's response?

Question168: Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Question169: Risk management strategies are PRIMARILY adopted to:

Question170: Which of The following should be of GREATEST concern for an organization considering the adoption of a bring your own device (BYOD) initiative?

Question171: Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Question172: A systems interruption has been traced to a personal USB device plugged into the corporate network by an IT employee who bypassed internal control procedures. Of the following, who should be accountable?

Question173: The BEST metric to monitor the risk associated with changes deployed to production is the percentage of:

Question174: Reviewing results from which of the following is the BEST way to identify information systems control deficiencies?

Question175: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Question176: Risk mitigation procedures should include:

Question177: Which of the following is the BEST way to identify changes to the risk landscape?

Question178: The PRIMARY purpose of IT control status reporting is to: