EMT Practice Test

1. Question Content...


Question List

Question1: After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
After a high-profile systems breach at an organization s key vendor, the vendor has implemented additional mitigating controls. The vendor has voluntarily shared the following set of assessments:
Which of the assessments provides the MOST reliable input to evaluate residual risk in the vendor's control environment?

Question2: Which of The following is the MOST relevant information to include in a risk management strategy?

Question3: Which of the following should an organization perform to forecast the effects of a disaster?

Question4: Which of the following MUST be assessed before considering risk treatment options for a scenario with significant impact?

Question5: Which of the following is the MOST effective control to maintain the integrity of system configuration files?

Question6: Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Question7: Which of the following would require updates to an organization's IT risk register?

Question8: An organization striving to be on the leading edge in regard to risk monitoring would MOST likely implement:

Question9: During the risk assessment of an organization that processes credit cards, a number of existing controls have been found to be ineffective and do not meet industry standards. The overall control environment may still be effective if:

Question10: When communicating changes in the IT risk profile, which of the following should be included to BEST enable stakeholder decision making?

Question11: An organization has recently updated its disaster recovery plan (DRP). Which of the following would be the GREATEST risk if the new plan is not tested?

Question12: Prudent business practice requires that risk appetite not exceed:

Question13: A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following i the BEST recommendation to address this situation?

Question14: Which of the following BEST indicates the efficiency of a process for granting access privileges?

Question15: Which of the following would BEST help minimize the risk associated with social engineering threats?

Question16: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Question17: Which of the following changes would be reflected in an organization's risk profile after the failure of a critical patch implementation?

Question18: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Question19: The effectiveness of a control has decreased. What is the MOST likely effect on the associated risk?

Question20: An organization has outsourced its IT security operations to a third party. Who is ULTIMATELY accountable for the risk associated with the outsourced operations?

Question21: To reduce the risk introduced when conducting penetration tests, the BEST mitigating control would be to:

Question22: After the review of a risk record, internal audit questioned why the risk was lowered from medium to low.
Which of the following is the BEST course of action in responding to this inquiry?

Question23: Which of the following is the PRIMARY benefit of using an entry in the risk register to track the aggregate risk associated with server failure?

Question24: An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

Question25: An organization plans to migrate sensitive information to a public cloud infrastructure. Which of the following is the GREATEST security risk in this scenario?

Question26: Which of the following should be included in a risk assessment report to BEST facilitate senior management's understanding of the results?

Question27: Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Question28: Which of the following is MOST important for a risk practitioner to consider when determining the control requirements for data privacy arising from emerging technologies?

Question29: All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness., the BEST course of action would be to:

Question30: Which of the following is MOST important for an organization that wants to reduce IT operational risk?

Question31: Which of the following is the BEST way to determine the ongoing efficiency of control processes?

Question32: Which of the following activities should be performed FIRST when establishing IT risk management processes?

Question33: A control owner responsible for the access management process has developed a machine learning model to automatically identify excessive access privileges. What is the risk practitioner's BEST course of action?

Question34: The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Question35: Which of the following BEST measures the impact of business interruptions caused by an IT service outage?

Question36: Which of the following can be used to assign a monetary value to risk?

Question37: Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Question38: Which of the following should a risk practitioner do FIRST when an organization decides to use a cloud service?

Question39: Which of the following is MOST important when discussing risk within an organization?

Question40: Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

Question41: Within the three lines of defense model, the accountability for the system of internal control resides with:

Question42: An upward trend in which of the following metrics should be of MOST concern?

Question43: Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

Question44: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Question45: Controls should be defined during the design phase of system development because:

Question46: Which of The following would offer the MOST insight with regard to an organization's risk culture?

Question47: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Question48: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Question49: A risk practitioner is summarizing the results of a high-profile risk assessment sponsored by senior management. The BEST way to support risk-based decisions by senior management would be to:

Question50: Which of the following would prompt changes in key risk indicator {KRI) thresholds?

Question51: An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

Question52: Which of the following approaches BEST identifies information systems control deficiencies?

Question53: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Question54: It is MOST important for a risk practitioner to have an awareness of an organization s processes in order to:

Question55: Which of the following is MOST useful when communicating risk to management?

Question56: Which of the following is the BEST way to support communication of emerging risk?

Question57: Which of the following is performed after a risk assessment is completed?

Question58: Which of the following data would be used when performing a business impact analysis (BIA)?

Question59: A company has located its computer center on a moderate earthquake fault. Which of the following is the MOST important consideration when establishing a contingency plan and an alternate processing site?

Question60: An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Question61: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Question62: As part of an overall IT risk management plan, an IT risk register BEST helps management:

Question63: A bank has outsourced its statement printing function to an external service provider. Which of the following is the MOST critical requirement to include in the contract?

Question64: When prioritizing risk response, management should FIRST:

Question65: Which of the following should be initiated when a high number of noncompliant conditions are observed during review of a control procedure?

Question66: The PRIMARY reason for periodically monitoring key risk indicators (KRIs) is to:

Question67: The BEST key performance indicator (KPI) to measure the effectiveness of a backup process would be the number of:

Question68: Who should be accountable for monitoring the control environment to ensure controls are effective?

Question69: Which of the following is the BEST indication that an organization's risk management program has not reached the desired maturity level?

Question70: Which of the following would be the GREATEST concern related to data privacy when implementing an Internet of Things (loT) solution that collects personally identifiable information (Pll)?

Question71: Which of the following conditions presents the GREATEST risk to an application?

Question72: Which of the following is MOST important to review when determining whether a potential IT service provider s control environment is effective?

Question73: Which of the following BEST enables the identification of trends in risk levels?

Question74: A risk practitioner has just learned about new done FIRST?

Question75: Which of the following would BEST enable a risk practitioner to embed risk management within the organization?

Question76: Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?

Question77: Which of the following is the MOST important benefit of key risk indicators (KRIs)'

Question78: Which of the following will BEST ensure that information security risk factors are mitigated when developing in-house applications?

Question79: An organization's HR department has implemented a policy requiring staff members to take a minimum of five consecutive days leave per year to mitigate the risk of malicious insider activities. Which of the following is the BEST key performance indicator (KPI) of the effectiveness of this policy?

Question80: Which of the following is MOST helpful to review when identifying risk scenarios associated with the adoption of Internet of Things (loT) technology in an organization?

Question81: Senior management has asked a risk practitioner to develop technical risk scenarios related to a recently developed enterprise resource planning (ERP) system. These scenarios will be owned by the system manager.
Which of the following would be the BEST method to use when developing the scenarios?

Question82: Which of the following approaches would BEST help to identify relevant risk scenarios?

Question83: Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?

Question84: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Question85: To help identify high-risk situations, an organization should:

Question86: The analysis of which of the following will BEST help validate whether suspicious network activity is malicious?

Question87: Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Question88: Following a review of a third-party vendor, it is MOST important for an organization to ensure:

Question89: Which of the following is MOST helpful in identifying gaps between the current and desired state of the IT risk environment?

Question90: Improvements in the design and implementation of a control will MOST likely result in an update to:

Question91: When evaluating enterprise IT risk management it is MOST important to:

Question92: Which of the following is MOST important for an organization to have in place when developing a risk management framework?

Question93: Which of the following would BEST help secure online financial transactions from improper users?

Question94: Which of the following is the MOST cost-effective way to test a business continuity plan?

Question95: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Question96: An organization has identified a risk exposure due to weak technical controls in a newly implemented HR system. The risk practitioner is documenting the risk in the risk register. The risk should be owned by the:

Question97: A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

Question98: An effective control environment is BEST indicated by controls that:

Question99: Which of the following is the FIRST step when developing a business case to drive the adoption of a risk remediation project by senior management?

Question100: The MAIN purpose of a risk register is to:

Question101: Which of the following BEST indicates that an organizations risk management program is effective?

Question102: Which of the following should be considered when selecting a risk response?

Question103: The MOST significant benefit of using a consistent risk ranking methodology across an organization is that it enables:

Question104: Which of the following would provide the MOST comprehensive information for updating an organization's risk register?

Question105: Which of the following is the BEST way to identify changes to the risk landscape?

Question106: Which of the following attributes of a key risk indicator (KRI) is MOST important?

Question107: The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:

Question108: Which of the following will BEST help in communicating strategic risk priorities?

Question109: Which of the following is the MOST important input when developing risk scenarios?

Question110: The BEST way to test the operational effectiveness of a data backup procedure is to:

Question111: Which of the following would be MOST helpful to a risk practitioner when ensuring that mitigated risk remains within acceptable limits?

Question112: In an organization where each division manages risk independently, which of the following would BEST enable management of risk at the enterprise level?

Question113: A recent internal risk review reveals the majority of core IT application recovery time objectives (RTOs) have exceeded the maximum time defined by the business application owners. Which of the following is MOST likely to change as a result?

Question114: Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?

Question115: An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

Question116: The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Question117: Which of the following would MOST likely result in updates to an IT risk appetite statement?

Question118: Management has noticed storage costs have increased exponentially over the last 10 years because most users do not delete their emails. Which of the following can BEST alleviate this issue while not sacrificing security?

Question119: Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Question120: While evaluating control costs, management discovers that the annual cost exceeds the annual loss expectancy (ALE) of the risk. This indicates the:

Question121: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Question122: Who is the MOST appropriate owner for newly identified IT risk?

Question123: What is the PRIMARY reason to periodically review key performance indicators (KPIs)?

Question124: A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?

Question125: A monthly payment report is generated from the enterprise resource planning (ERP) software to validate data against the old and new payroll systems. What is the BEST way to mitigate the risk associated with data integrity loss in the new payroll system after data migration?

Question126: The PRIMARY purpose of a maturity model is to compare the:

Question127: The MOST essential content to include in an IT risk awareness program is how to:

Question128: Which of the following BEST enables the risk profile to serve as an effective resource to support business objectives?

Question129: The risk associated with a high-risk vulnerability in an application is owned by the:

Question130: The PRIMARY benefit of classifying information assets is that it helps to:

Question131: Which of the following roles is BEST suited to help a risk practitioner understand the impact of IT-related events on business objectives?

Question132: An organization has four different projects competing for funding to reduce overall IT risk. Which project should management defer?

Question133: Which of the following is the GREATEST concern associated with the transmission of healthcare data across the internet?

Question134: Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?

Question135: Which of the following would be a weakness in procedures for controlling the migration of changes to production libraries?

Question136: Which of the following risk scenarios would be the GREATEST concern as a result of a single sign-on implementation?

Question137: Which of the following is MOST likely to be impacted as a result of a new policy which allows staff members to remotely connect to the organization's IT systems via personal or public computers?

Question138: A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

Question139: Which of the following is the GREATEST concern when an organization uses a managed security service provider as a firewall administrator?

Question140: Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

Question141: Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Question142: Whose risk tolerance matters MOST when making a risk decision?

Question143: Which of the following is MOST important when developing key performance indicators (KPIs)?

Question144: Which of the following is the BEST way for a risk practitioner to help management prioritize risk response?

Question145: The PRIMARY purpose of IT control status reporting is to:

Question146: The BEST criteria when selecting a risk response is the:

Question147: What is the MOST important consideration when aligning IT risk management with the enterprise risk management (ERM) framework?

Question148: An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Question149: An organization has implemented a preventive control to lock user accounts after three unsuccessful login attempts. This practice has been proven to be unproductive, and a change in the control threshold value has been recommended. Who should authorize changing this threshold?

Question150: Calculation of the recovery time objective (RTO) is necessary to determine the:

Question151: Which of the following would be considered a vulnerability?

Question152: Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Question153: Mapping open risk issues to an enterprise risk heat map BEST facilitates:

Question154: The PRIMARY benefit of conducting continuous monitoring of access controls is the ability to identify:

Question155: While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Question156: Which of the following is the PRIMARY reason for conducting peer reviews of risk analysis?

Question157: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Question158: After a risk has been identified, who is in the BEST position to select the appropriate risk treatment option?

Question159: Which of the following BEST indicates the condition of a risk management program?

Question160: An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?

Question161: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Question162: Management has required information security awareness training to reduce the risk associated with credential compromise. What is the BEST way to assess the effectiveness of the training?

Question163: An organization has outsourced a critical process involving highly regulated data to a third party with servers located in a foreign country. Who is accountable for the confidentiality of this data?

Question164: The GREATEST concern when maintaining a risk register is that:

Question165: Which of the following provides The MOST useful information when determining a risk management program's maturity level?

Question166: An organization has introduced risk ownership to establish clear accountability for each process. To ensure effective risk ownership, it is MOST important that:

Question167: The MAIN reason for creating and maintaining a risk register is to:

Question168: The head of a business operations department asks to review the entire IT risk register. Which of the following would be the risk manager s BEST approach to this request before sharing the register?

Question169: An organization is unable to implement a multi-factor authentication requirement until the next fiscal year due to budget constraints. Consequently, a policy exception must be submitted. Which of the following is MOST important to include in the analysis of the exception?

Question170: IT risk assessments can BEST be used by management:

Question171: After undertaking a risk assessment of a production system, the MOST appropriate action is for the risk manager to:

Question172: Which of the following risk register updates is MOST important for senior management to review?

Question173: An organization delegates its data processing to the internal IT team to manage information through its applications. Which of the following is the role of the internal IT team in this situation?

Question174: An organization has implemented a system capable of comprehensive employee monitoring. Which of the following should direct how the system is used?

Question175: Which of the following should management consider when selecting a risk mitigation option?

Question176: In addition to the risk register, what should a risk practitioner review to develop an understanding of the organization's risk profile?

Question177: The PRIMARY reason a risk practitioner would be interested in an internal audit report is to:

Question178: Which of the following should be the HIGHEST priority when developing a risk response?

Question179: Which of the following BEST indicates effective information security incident management?

Question180: A bank wants to send a critical payment order via email to one of its offshore branches. Which of the following is the BEST way to ensure the message reaches the intended recipient without alteration?

Question181: Which of the following will BEST help an organization evaluate the control environment of several third-party vendors?

Question182: Which of the following would be MOST helpful when estimating the likelihood of negative events?

Question183: Which of the following is MOST helpful to ensure effective security controls for a cloud service provider?

Question184: The PRIMARY reason for periodic penetration testing of Internet-facing applications is to:

Question185: Which of the following is the BEST course of action to reduce risk impact?

Question186: Which of the following would BEST ensure that identified risk scenarios are addressed?

Question187: A risk practitioner is organizing risk awareness training for senior management. Which of the following is the MOST important topic to cover in the training session?

Question188: The BEST way to justify the risk mitigation actions recommended in a risk assessment would be to:

Question189: Which of the following is the MOST important element of a successful risk awareness training program?

Question190: Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Question191: An organization with a large number of applications wants to establish a security risk assessment program.
Which of the following would provide the MOST useful information when determining the frequency of risk assessments?

Question192: Which of the following provides the BEST evidence of the effectiveness of an organization's account provisioning process?

Question193: Which of the following is MOST helpful in aligning IT risk with business objectives?

Question194: Which of the following is the BEST way to promote adherence to the risk tolerance level set by management?

Question195: Which of the following should be an element of the risk appetite of an organization?

Question196: Which of the following is the BEST indication of a mature organizational risk culture?

Question197: Which of the following is the PRIMARY role of a data custodian in the risk management process?

Question198: Which of the following would provide the MOST objective assessment of the effectiveness of an organization's security controls?

Question199: A PRIMARY advantage of involving business management in evaluating and managing risk is that management:

Question200: Which of the following would MOST effectively enable a business operations manager to identify events exceeding risk thresholds?

Question201: The PRIMARY objective of The board of directors periodically reviewing the risk profile is to help ensure:

Question202: Which of the following would be the BEST key performance indicator (KPI) for monitoring the effectiveness of the IT asset management process?

Question203: Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Question204: From a risk management perspective, which of the following is the PRIMARY benefit of using automated system configuration validation tools?

Question205: What is the BEST information to present to business control owners when justifying costs related to controls?

Question206: Which of the following is the MOST important consideration for a risk practitioner when making a system implementation go-live recommendation?

Question207: Which of the following is the MOST important consideration when determining whether to accept residual risk after security controls have been implemented on a critical system?

Question208: Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Question209: Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Question210: To mitigate the risk of using a spreadsheet to analyze financial data, IT has engaged a third-party vendor to deploy a standard application to automate the process. Which of the following parties should own the risk associated with calculation errors?

Question211: Which of the following is a KEY outcome of risk ownership?

Question212: A risk assessment has identified increased losses associated with an IT risk scenario. It is MOST important for the risk practitioner to:

Question213: Which of the following would be MOST beneficial as a key risk indicator (KRI)?

Question214: The BEST way to determine the likelihood of a system availability risk scenario is by assessing the:

Question215: A risk practitioner is reviewing the status of an action plan to mitigate an emerging IT risk and finds the risk level has increased. The BEST course of action would be to:

Question216: Accountability for a particular risk is BEST represented in a:

Question217: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Question218: From a business perspective, which of the following is the MOST important objective of a disaster recovery test?

Question219: A risk practitioner observes that hardware failure incidents have been increasing over the last few months.
However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Question220: Which of the following is MOST influential when management makes risk response decisions?

Question221: Which of the following will BEST help to ensure that information system controls are effective?

Question222: A newly hired risk practitioner finds that the risk register has not been updated in the past year. What is the risk practitioner's BEST course of action?

Question223: Which of the following is a PRIMARY benefit of engaging the risk owner during the risk assessment process?

Question224: An organization is planning to acquire a new financial system. Which of the following stakeholders would provide the MOST relevant information for analyzing the risk associated with the new IT solution?

Question225: Which of the following activities is PRIMARILY the responsibility of senior management?

Question226: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Question227: Reviewing which of the following provides the BEST indication of an organizations risk tolerance?

Question228: Which of the following provides the BEST evidence that risk mitigation plans have been implemented effectively?

Question229: Which of the following BEST helps to balance the costs and benefits of managing IT risk?

Question230: An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Question231: The number of tickets to rework application code has significantly exceeded the established threshold. Which of the following would be the risk practitioner s BEST recommendation?

Question232: Deviation from a mitigation action plan's completion date should be determined by which of the following?

Question233: Which of the following is the BEST way to detect zero-day malware on an end user's workstation?

Question234: Which of the following is the MOST effective way to help ensure an organization's current risk scenarios are relevant?