EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following should be the PRIMARY input when designing IT controls?

Question2: Which of the following BEST facilitates the development of effective IT risk scenarios?

Question3: While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Question4: From a risk management perspective, the PRIMARY objective of using maturity models is to enable:

Question5: Prior to selecting key performance indicators (KPIs), itis MOST important to ensure:

Question6: When establishing leading indicators for the information security incident response process it is MOST important to consider the percentage of reported incidents:

Question7: An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

Question8: Which of the following will BEST quantify the risk associated with malicious users in an organization?

Question9: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Question10: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Question11: Which of the following is the MOST important input when developing risk scenarios?

Question12: Which of the following is MOST helpful to management when determining the resources needed to mitigate a risk?

Question13: An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

Question14: In an organization where each division manages risk independently, which of the following would BEST enable management of risk at the enterprise level?

Question15: To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Question16: Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Question17: Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Question18: Which of the following is MOST important for an organization to have in place when developing a risk management framework?

Question19: Which of the following would be MOST helpful to an information security management team when allocating resources to mitigate exposures?

Question20: Which of the following risk register updates is MOST important for senior management to review?

Question21: Which of the following would BEST help identify the owner for each risk scenario in a risk register?

Question22: An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Question23: Which of The following will BEST communicate the importance of risk mitigation initiatives to senior management?

Question24: Which of the following is a KEY outcome of risk ownership?

Question25: Participants in a risk workshop have become focused on the financial cost to mitigate risk rather than choosing the most appropriate response. Which of the following is the BEST way to address this type of issue in the long term?

Question26: To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Question27: Which of the following is MOST important to have in place to ensure the effectiveness of risk and security metrics reporting?

Question28: Which of the following risk register elements is MOST likely to be updated if the attack surface or exposure of an asset is reduced?

Question29: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

Question30: Which of the following BEST contributes to the implementation of an effective risk response action plan?

Question31: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Question32: A bank is experiencing an increasing incidence of customer identity theft. Which of the following is the BEST way to mitigate this risk?

Question33: The PRIMARY purpose of IT control status reporting is to:

Question34: Which of the following approaches would BEST help to identify relevant risk scenarios?

Question35: Numerous media reports indicate a recently discovered technical vulnerability is being actively exploited.
Which of the following would be the BEST response to this scenario?

Question36: Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Question37: The PRIMARY purpose of vulnerability assessments is to:

Question38: Which of the following BEST indicates effective information security incident management?

Question39: A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

Question40: An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?

Question41: The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Question42: Which of The following is the MOST relevant information to include in a risk management strategy?

Question43: From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Question44: Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?

Question45: Which of the following is the GREATEST benefit to an organization when updates to the risk register are made promptly after the completion of a risk assessment?

Question46: An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Question47: Following a significant change to a business process, a risk practitioner believes the associated risk has been reduced. The risk practitioner should advise the risk owner to FIRST

Question48: The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:

Question49: While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Question50: Which of the following is the BEST indicator of the effectiveness of IT risk management processes?

Question51: Which of the following BEST indicates the effectiveness of anti-malware software?

Question52: Which of the following is the BEST course of action when risk is found to be above the acceptable risk appetite?

Question53: Due to a change in business processes, an identified risk scenario no longer requires mitigation. Which of the following is the MOST important reason the risk should remain in the risk register?

Question54: A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Question55: Who is accountable for risk treatment?

Question56: Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Question57: Which of the following is the BEST control to detect an advanced persistent threat (APT)?

Question58: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Question59: An organization is considering modifying its system to enable acceptance of credit card payments. To reduce the risk of data exposure, which of the following should the organization do FIRST?

Question60: Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Question61: Which of the following should be a risk practitioner s MOST important consideration when developing IT risk scenarios?

Question62: Which of the following is MOST influential when management makes risk response decisions?

Question63: An organization has received notification that it is a potential victim of a cybercrime that may have compromised sensitive customer data. What should be The FIRST course of action?

Question64: A new policy has been published to forbid copying of data onto removable medi a. Which type of control has been implemented?

Question65: Which of the following is the GREATEST risk associated with the use of data analytics?

Question66: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Question67: Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Question68: Who is responsible for IT security controls that are outsourced to an external service provider?

Question69: Which of the following is the BEST evidence that a user account has been properly authorized?

Question70: Which of the following is the BEST indicator of the effectiveness of a control monitoring program?

Question71: During testing, a risk practitioner finds the IT department's recovery time objective (RTO) for a key system does not align with the enterprise's business continuity plan (BCP). Which of the following should be done NEXT?

Question72: Which of the following is an IT business owner's BEST course of action following an unexpected increase in emergency changes?

Question73: A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?

Question74: A risk practitioner is assisting with the preparation of a report on the organization s disaster recovery (DR) capabilities. Which information would have the MOST impact on the overall recovery profile?

Question75: Which of the following would prompt changes in key risk indicator {KRI) thresholds?

Question76: Which of the following should be the HIGHEST priority when developing a risk response?

Question77: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Question78: A PRIMARY function of the risk register is to provide supporting information for the development of an organization's risk:

Question79: After identifying new risk events during a project, the project manager s NEXT step should be to:

Question80: Which of the following would qualify as a key performance indicator (KPI)?

Question81: An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Question82: Which of the following is the PRIMARY role of a data custodian in the risk management process?

Question83: Which of the following BEST provides an early warning that network access of terminated employees is not being revoked in accordance with the service level agreement (SLA)?

Question84: A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Question85: Which of the following methods would BEST contribute to identifying obscure risk scenarios?

Question86: Which of the following BEST enables a proactive approach to minimizing the potential impact of unauthorized data disclosure?

Question87: A large organization needs to report risk at all levels for a new centralized visualization project to reduce cost and improve performance. Which of the following would MOST effectively represent the overall risk of the project to senior management?

Question88: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Question89: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Question90: Which of the following would be- MOST helpful to understand the impact of a new technology system on an organization's current risk profile?

Question91: Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?

Question92: Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Question93: Calculation of the recovery time objective (RTO) is necessary to determine the:

Question94: The MAIN purpose of a risk register is to:

Question95: Which of The following is the BEST way to confirm whether appropriate automated controls are in place within a recently implemented system?

Question96: An effective control environment is BEST indicated by controls that:

Question97: Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Question98: Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Question99: The BEST way to improve a risk register is to ensure the register:

Question100: A risk assessment indicates the residual risk associated with a new bring your own device (BYOD) program is within organizational risk tolerance. Which of the following should the risk practitioner recommend be done NEXT?

Question101: Which of the following would require updates to an organization's IT risk register?

Question102: After migrating a key financial system to a new provider, it was discovered that a developer could gain access to the production environment. Which of the following is the BEST way to mitigate the risk in this situation?

Question103: Which of The following is the PRIMARY consideration when establishing an organization's risk management methodology?

Question104: An audit reveals that several terminated employee accounts maintain access. Which of the following should be the FIRST step to address the risk?

Question105: During a control review, the control owner states that an existing control has deteriorated over time. What is the BEST recommendation to the control owner?

Question106: An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

Question107: What are the MOST important criteria to consider when developing a data classification scheme to facilitate risk assessment and the prioritization of risk mitigation activities?

Question108: An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Question109: Which of the following is MOST important for an organization that wants to reduce IT operational risk?

Question110: Which of the following will BEST help an organization select a recovery strategy for critical systems?

Question111: Risk aggregation in a complex organization will be MOST successful when:

Question112: Who should be responsible for strategic decisions on risk management?

Question113: When reporting on the performance of an organization's control environment including which of the following would BEST inform stakeholders risk decision-making?

Question114: Which of the following will BEST help in communicating strategic risk priorities?

Question115: Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Question116: The BEST way to test the operational effectiveness of a data backup procedure is to:

Question117: Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

Question118: Which of the following is the GREATEST benefit of analyzing logs collected from different systems?

Question119: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Question120: Several network user accounts were recently created without the required management approvals. Which of the following would be the risk practitioner's BEST recommendation to address this situation?

Question121: Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Question122: Which of the following should be the PRIMARY objective of a risk awareness training program?

Question123: Which of the following is the MOST common concern associated with outsourcing to a service provider?

Question124: A business unit has decided to accept the risk of implementing an off-the-shelf, commercial software package that uses weak password controls. The BEST course of action would be to:

Question125: Which of the following should be the PRIMARY consideration when assessing the automation of control monitoring?

Question126: Whose risk tolerance matters MOST when making a risk decision?

Question127: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Question128: An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:

Question129: Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Question130: Which of the following indicates an organization follows IT risk management best practice?

Question131: Which of the following is the MOST important consideration when multiple risk practitioners capture risk scenarios in a single risk register?

Question132: Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Question133: Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Question134: Which of the following is MOST critical when designing controls?

Question135: Which of the following provides the MOST helpful reference point when communicating the results of a risk assessment to stakeholders?

Question136: The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Question137: When using a third party to perform penetration testing, which of the following is the MOST important control to minimize operational impact?

Question138: When developing a new risk register, a risk practitioner should focus on which of the following risk management activities?

Question139: Which of the following is the BEST approach for determining whether a risk action plan is effective?

Question140: An organization has allowed its cyber risk insurance to lapse while seeking a new insurance provider. The risk practitioner should report to management that the risk has been:

Question141: The BEST criteria when selecting a risk response is the:

Question142: The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Question143: Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?

Question144: Which of the following is the MOST important enabler of effective risk management?

Question145: Which of the following would BEST provide early warning of a high-risk condition?

Question146: The maturity of an IT risk management program is MOST influenced by:

Question147: Which of the following is the MAIN reason for documenting the performance of controls?

Question148: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Question149: Which of the following is a KEY responsibility of the second line of defense?

Question150: Which of the following would be a risk practitioners BEST recommendation for preventing cyber intrusion?

Question151: Which of the following would BEST help to ensure that identified risk is efficiently managed?

Question152: Which of the following BEST enables the identification of trends in risk levels?

Question153: Which of the following is MOST commonly compared against the risk appetite?

Question154: Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Question155: A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Question156: Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Question157: The implementation of a risk treatment plan will exceed the resources originally allocated for the risk response. Which of the following should be the risk owner's NEXT action?

Question158: An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

Question159: When updating a risk register with the results of an IT risk assessment, the risk practitioner should log:

Question160: An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Question161: Which of the following is the GREATEST benefit of incorporating IT risk scenarios into the corporate risk register?

Question162: Which of the following is MOST important when developing risk scenarios?

Question163: Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Question164: When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Question165: Which of the following is the BEST method to identify unnecessary controls?

Question166: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Question167: The PRIMARY benefit associated with key risk indicators (KRls) is that they:

Question168: Which of the following is MOST important to enable well-informed cybersecurity risk decisions?

Question169: Which of the following is the MOST important responsibility of a risk owner?

Question170: Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?

Question171: The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

Question172: Which of the following conditions presents the GREATEST risk to an application?

Question173: Which of the following is the MOST important component of effective security incident response?

Question174: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Question175: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Question176: Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?

Question177: A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Question178: An organization has completed a project to implement encryption on all databases that host customer data.
Which of the following elements of the risk register should be updated the reflect this change?

Question179: From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Question180: Which of the following is the BEST way to identify changes to the risk landscape?

Question181: To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?

Question182: Who is the MOST appropriate owner for newly identified IT risk?

Question183: Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Question184: A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?

Question185: Malware has recently affected an organization, The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Question186: Which of the following is the BEST measure of the effectiveness of an employee deprovisioning process?

Question187: Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Question188: When reviewing a risk response strategy, senior management's PRIMARY focus should be placed on the:

Question189: The PRIMARY purpose of using control metrics is to evaluate the:

Question190: A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?

Question191: The MOST essential content to include in an IT risk awareness program is how to:

Question192: The PRIMARY advantage of implementing an IT risk management framework is the:

Question193: Quantifying the value of a single asset helps the organization to understand the:

Question194: The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

Question195: When reviewing a business continuity plan (BCP). which of the following would be the MOST significant deficiency?

Question196: A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Question197: When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

Question198: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager.
Which of the following would be the BEST method to use when developing the scenarios?

Question199: Which of the following is the MOST effective key performance indicator (KPI) for change management?

Question200: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question201: A trusted third party service provider has determined that the risk of a client's systems being hacked is low.
Which of the following would be the client's BEST course of action?

Question202: A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:

Question203: Which of the following is the MOST appropriate key risk indicator (KRI) for backup media that is recycled monthly?

Question204: Which of the following is MOST important for a risk practitioner to verify when evaluating the effectiveness of an organization's existing controls?

Question205: An internal audit report reveals that not all IT application databases have encryption in place. Which of the following information would be MOST important for assessing the risk impact?

Question206: Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Question207: A risk practitioner has become aware of production data being used in a test environment. Which of the following should be the practitioner's PRIMARY concern?

Question208: When an organization's disaster recovery plan has a reciprocal agreement, which of the following risk treatment options is being applied?

Question209: Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Question210: Which of the following would be of GREATEST assistance when justifying investment in risk response strategies?

Question211: The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Question212: Which of the following would BEST help minimize the risk associated with social engineering threats?

Question213: An organization is making significant changes to an application. At what point should the application risk profile be updated?

Question214: Which of the following is the MOST important reason to revisit a previously accepted risk?

Question215: Which of the following is the MOST important requirement for monitoring key risk indicators (KRls) using log analysis?

Question216: IT stakeholders have asked a risk practitioner for IT risk profile reports associated with specific departments to allocate resources for risk mitigation. The BEST way to address this request would be to use:

Question217: An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

Question218: Which of the following is MOST important for a risk practitioner to update when a software upgrade renders an existing key control ineffective?

Question219: Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Question220: Who should be accountable for monitoring the control environment to ensure controls are effective?

Question221: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Question222: It is MOST appropriate for changes to be promoted to production after they are;

Question223: The PRIMARY purpose of a maturity model is to compare the:

Question224: Which of the following BEST helps to balance the costs and benefits of managing IT risk?

Question225: The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Question226: Which of the following is the BEST way to identify changes in the risk profile of an organization?

Question227: Which of the following statements in an organization's current risk profile report is cause for further action by senior management?

Question228: During an IT department reorganization, the manager of a risk mitigation action plan was replaced. The new manager has begun implementing a new control after identifying a more effective option. Which of the following is the risk practitioner's BEST course of action?

Question229: Which of the following IT controls is MOST useful in mitigating the risk associated with inaccurate data?

Question230: Which of the following is the MAIN reason to continuously monitor IT-related risk?

Question231: A payroll manager discovers that fields in certain payroll reports have been modified without authorization.
Which of the following control weaknesses could have contributed MOST to this problem?

Question232: Which of the following is the BEST method for identifying vulnerabilities?

Question233: What should a risk practitioner do FIRST upon learning a risk treatment owner has implemented a different control than what was specified in the IT risk action plan?

Question234: A risk practitioner has just learned about new done FIRST?