EMT Practice Test

1. Question Content...


Question List

Question1: Which of the following techniques would be used during a risk assessment to demonstrate to stakeholders that all known alternatives were evaluated?

Question2: Which of the following is MOST important when discussing risk within an organization?

Question3: Which of the following IT key risk indicators (KRIs) provides management with the BEST feedback on IT capacity?

Question4: A risk owner has identified a risk with high impact and very low likelihood. The potential loss is covered by insurance. Which of the following should the risk practitioner do NEXT?

Question5: Which of the following would BEST help an enterprise prioritize risk scenarios?

Question6: Which of the following is MOST helpful in verifying that the implementation of a risk mitigation control has been completed as intended?

Question7: The BEST key performance indicator (KPI) to measure the effectiveness of a vendor risk management program is the percentage of:

Question8: Which of the following would be the BEST justification to invest in the development of a governance, risk, and compliance (GRC) solution?

Question9: Which stakeholders are PRIMARILY responsible for determining enterprise IT risk appetite?

Question10: Which of the following is the PRIMARY reason to perform ongoing risk assessments?

Question11: A risk practitioner learns that the organization s industry is experiencing a trend of rising security incidents.
Which of the following is the BEST course of action?

Question12: Which of the following would be MOST useful when measuring the progress of a risk response action plan?

Question13: Which of the following would present the GREATEST challenge when assigning accountability for control ownership?

Question14: An organization has initiated a project to launch an IT-based service to customers and take advantage of being the first to market. Which of the following should be of GREATEST concern to senior management?

Question15: An organization's internal audit department is considering the implementation of robotics process automation (RPA) to automate certain continuous auditing tasks. Who would own the risk associated with ineffective design of the software bots?

Question16: Which of the following is the MOST common concern associated with outsourcing to a service provider?

Question17: Which of the following is the FIRST step in risk assessment?

Question18: Which of the following is the PRIMARY reason to have the risk management process reviewed by a third party?

Question19: Which of the following should be the PRIMARY input when designing IT controls?

Question20: Who should be responsible for implementing and maintaining security controls?

Question21: Which of the following conditions presents the GREATEST risk to an application?

Question22: Which of The following should be the FIRST step when a company is made aware of new regulatory requirements impacting IT?

Question23: A business unit is updating a risk register with assessment results for a key project. Which of the following is MOST important to capture in the register?

Question24: Which of the following is the MAIN benefit of involving stakeholders in the selection of key risk indicators (KRIs)?

Question25: Which of the following is the MOST important consideration when selecting either a qualitative or quantitative risk analysis?

Question26: Which of the following attributes of a key risk indicator (KRI) is MOST important?

Question27: Which of the following should be the risk practitioner s PRIMARY focus when determining whether controls are adequate to mitigate risk?

Question28: A risk manager has determined there is excessive risk with a particular technology. Who is the BEST person to own the unmitigated risk of the technology?

Question29: Which of the following is MOST critical when designing controls?

Question30: Controls should be defined during the design phase of system development because:

Question31: Which of the following roles would be MOST helpful in providing a high-level view of risk related to customer data loss?

Question32: When evaluating enterprise IT risk management it is MOST important to:

Question33: Which of the following provides The BEST information when determining whether to accept residual risk of a critical system to be implemented?

Question34: Which of the following controls would BEST reduce the likelihood of a successful network attack through social engineering?

Question35: Which of the following elements of a risk register is MOST likely to change as a result of change in management's risk appetite?

Question36: The MOST effective way to increase the likelihood that risk responses will be implemented is to:

Question37: A data processing center operates in a jurisdiction where new regulations have significantly increased penalties for data breaches. Which of the following elements of the risk register is MOST important to update to reflect this change?

Question38: An unauthorized individual has socially engineered entry into an organization's secured physical premises.
Which of the following is the BEST way to prevent future occurrences?

Question39: Which of the following is the MOST important consideration when developing an organization's risk taxonomy?

Question40: Which of the following can be used to assign a monetary value to risk?

Question41: An organization has decided to outsource a web application, and customer data will be stored in the vendor's public cloud. To protect customer data, it is MOST important to ensure which of the following?

Question42: When presenting risk, the BEST method to ensure that the risk is measurable against the organization's risk appetite is through the use of a:

Question43: Prudent business practice requires that risk appetite not exceed:

Question44: Which of the following BEST describes the role of the IT risk profile in strategic IT-related decisions?

Question45: Which of the following is the MOST important factor when deciding on a control to mitigate risk exposure?

Question46: The BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability remediation program is the number of:

Question47: Which of the following tools is MOST effective in identifying trends in the IT risk profile?

Question48: A risk practitioner has identified that the organization's secondary data center does not provide redundancy for a critical application. Who should have the authority to accept the associated risk?

Question49: A large organization is replacing its enterprise resource planning (ERP) system and has decided not to deploy the payroll module of the new system. Instead, the current payroll system will continue to be used. Of the following, who should own the risk if the ERP and payroll system fail to operate as expected?

Question50: A risk practitioner recently discovered that sensitive data from the production environment is required for testing purposes in non-production environments. Which of the following i the BEST recommendation to address this situation?

Question51: Which of the following would be MOST important for a risk practitioner to provide to the internal audit department during the audit planning process?

Question52: The PRIMARY goal of a risk management program is to:

Question53: Which of the following issues should be of GREATEST concern when evaluating existing controls during a risk assessment?

Question54: Which of the following will be MOST effective to mitigate the risk associated with the loss of company data stored on personal devices?

Question55: An organization has opened a subsidiary in a foreign country. Which of the following would be the BEST way to measure the effectiveness of the subsidiary's IT systems controls?

Question56: When reporting risk assessment results to senior management, which of the following is MOST important to include to enable risk-based decision making?

Question57: The MAIN purpose of a risk register is to:

Question58: Which of the following is the MOST important data source for monitoring key risk indicators (KRIs)?

Question59: The MOST effective approach to prioritize risk scenarios is by:

Question60: Performing a background check on a new employee candidate before hiring is an example of what type of control?

Question61: An organization that has been the subject of multiple social engineering attacks is developing a risk awareness program. The PRIMARY goal of this program should be to:

Question62: As part of an overall IT risk management plan, an IT risk register BEST helps management:

Question63: Implementing which of the following controls would BEST reduce the impact of a vulnerability that has been exploited?

Question64: Which of the following is the MOST effective way to integrate business risk management with IT operations?

Question65: Which of the following is the GREATEST risk associated with the transition of a sensitive data backup solution from on-premise to a cloud service provider?

Question66: Which of the following is the MOST useful indicator to measure the efficiency of an identity and access management process?

Question67: Which of the following is the PRIMARY reason to establish the root cause of an IT security incident?

Question68: To communicate the risk associated with IT in business terms, which of the following MUST be defined?

Question69: A risk practitioners PRIMARY focus when validating a risk response action plan should be that risk response:

Question70: A risk owner has accepted a high-impact risk because the control was adversely affecting process efficiency.
Before updating the risk register, it is MOST important for the risk practitioner to:

Question71: Which of the following will BEST help in communicating strategic risk priorities?

Question72: The PRIMARY reason to have risk owners assigned to entries in the risk register is to ensure:

Question73: A control owner identifies that the organization's shared drive contains personally identifiable information (Pll) that can be accessed by all personnel. Which of the following is the MOST effective risk response?

Question74: Who is accountable for risk treatment?

Question75: Which of the following should be an element of the risk appetite of an organization?

Question76: While reviewing a contract of a cloud services vendor, it was discovered that the vendor refuses to accept liability for a sensitive data breach. Which of the following controls will BES reduce the risk associated with such a data breach?

Question77: An organization has identified that terminated employee accounts are not disabled or deleted within the time required by corporate policy. Unsure of the reason, the organization has decided to monitor the situation for three months to obtain more information. As a result of this decision, the risk has been:

Question78: Which of the following roles would provide the MOST important input when identifying IT risk scenarios?

Question79: An organization operates in a jurisdiction where heavy fines are imposed for leakage of customer data. Which of the following provides the BEST input to assess the inherent risk impact?

Question80: Which of the following is the MOST important consideration when performing a risk assessment of a fire suppression system within a data center?

Question81: An application runs a scheduled job that compiles financial data from multiple business systems and updates the financial reporting system. If this job runs too long, it can delay financial reporting. Which of the following is the risk practitioner's BEST recommendation?

Question82: Which of the following is MOST important when defining controls?

Question83: A peer review of a risk assessment finds that a relevant threat community was not included. Mitigation of the risk will require substantial changes to a software application. Which of the following is the BEST course of action?

Question84: A department has been granted an exception to bypass the existing approval process for purchase orders. The risk practitioner should verify the exception has been approved by which of the following?

Question85: Which of the following is MOST important to review when determining whether a potential IT service provider s control environment is effective?

Question86: Malware has recently affected an organization, The MOST effective way to resolve this situation and define a comprehensive risk treatment plan would be to perform:

Question87: An IT operations team implements disaster recovery controls based on decisions from application owners regarding the level of resiliency needed. Who is the risk owner in this scenario?

Question88: Which of the following is the PRIMARY reason to update a risk register with risk assessment results?

Question89: An organization is preparing to transfer a large number of customer service representatives to the sales department. Of the following, who is responsible for mitigating the risk associated with residual system access?

Question90: It is MOST important to the effectiveness of an IT risk management function that the associated processes are:

Question91: Who is MOST likely to be responsible for the coordination between the IT risk strategy and the business risk strategy?

Question92: Which of the following is a detective control?

Question93: Which of the following would provide the BEST guidance when selecting an appropriate risk treatment plan?

Question94: Which of the following would MOST likely result in updates to an IT risk appetite statement?

Question95: The BEST criteria when selecting a risk response is the:

Question96: Which of the following is the BEST way to identify changes in the risk profile of an organization?

Question97: Employees are repeatedly seen holding the door open for others, so that trailing employees do not have to stop and swipe their own ID badges. This behavior BEST represents:

Question98: An organization has initiated a project to implement an IT risk management program for the first time. The BEST time for the risk practitioner to start populating the risk register is when:

Question99: Which of the following BEST measures the efficiency of an incident response process?

Question100: An IT risk practitioner has determined that mitigation activities differ from an approved risk action plan.
Which of the following is the risk practitioner's BEST course of action?

Question101: A risk practitioner has just learned about new done FIRST?

Question102: The BEST key performance indicator (KPI) for monitoring adherence to an organization's user accounts provisioning practices is the percentage of:

Question103: Which of the following is a crucial component of a key risk indicator (KRI) to ensure appropriate action is taken to mitigate risk?

Question104: Which of the following is the BEST indication of the effectiveness of a business continuity program?

Question105: Which of the following is the BEST indication of an improved risk-aware culture following the implementation of a security awareness training program for all employees?

Question106: Which of the following should be considered when selecting a risk response?

Question107: Risk management strategies are PRIMARILY adopted to:

Question108: The PRIMARY purpose of IT control status reporting is to:

Question109: Which of the following is MOST influential when management makes risk response decisions?

Question110: When collecting information to identify IT-related risk, a risk practitioner should FIRST focus on IT:

Question111: The BEST way to test the operational effectiveness of a data backup procedure is to:

Question112: Periodically reviewing and updating a risk register with details on identified risk factors PRIMARILY helps to:

Question113: Which of The following will BEST communicate the importance of risk mitigation initiatives to senior management?

Question114: Sensitive data has been lost after an employee inadvertently removed a file from the premises, in violation of organizational policy. Which of the following controls MOST likely failed?

Question115: Which of the following is the PRIMARY objective for automating controls?

Question116: A risk assessment has identified that an organization may not be in compliance with industry regulations. The BEST course of action would be to:

Question117: The GREATEST concern when maintaining a risk register is that:

Question118: To help ensure all applicable risk scenarios are incorporated into the risk register, it is MOST important to review the:

Question119: The PRIMARY objective of testing the effectiveness of a new control before implementation is to:

Question120: Which of the following will MOST improve stakeholders' understanding of the effect of a potential threat?

Question121: Which of the following controls will BEST detect unauthorized modification of data by a database administrator?

Question122: Which of the following should be the MAIN consideration when validating an organization's risk appetite?

Question123: Which of the following is the MOST important consideration when sharing risk management updates with executive management?

Question124: Which of the following is the MOST important reason to create risk scenarios?

Question125: An organization has outsourced its lease payment process to a service provider who lacks evidence of compliance with a necessary regulatory standard. Which risk treatment was adopted by the organization?

Question126: A key risk indicator (KRI) indicates a reduction in the percentage of appropriately patched servers. Which of the following is the risk practitioner's BEST course of action?

Question127: The purpose of requiring source code escrow in a contractual agreement is to:

Question128: What should be the PRIMARY objective for a risk practitioner performing a post-implementation review of an IT risk mitigation project?

Question129: Which of the following is the PRIMARY responsibility of the first line of defense related to computer-enabled fraud?

Question130: An organization's financial analysis department uses an in-house forecasting application for business projections. Who is responsible for defining access roles to protect the sensitive data within this application?

Question131: A risk practitioner notices that a particular key risk indicator (KRI) has remained below its established trigger point for an extended period of time. Which of the following should be done FIRST?

Question132: Which of the following is the MOST effective way to mitigate identified risk scenarios?

Question133: When determining which control deficiencies are most significant, which of the following would provide the MOST useful information?

Question134: An organization has engaged a third party to provide an Internet gateway encryption service that protects sensitive data uploaded to a cloud service. This is an example of risk:

Question135: Business areas within an organization have engaged various cloud service providers directly without assistance from the IT department. What should the risk practitioner do?

Question136: A maturity model will BEST indicate:

Question137: Which of the following should be of GREATEST concern to a risk practitioner when determining the effectiveness of IT controls?

Question138: A risk practitioner observes that hardware failure incidents have been increasing over the last few months.
However, due to built-in redundancy and fault-tolerant architecture, there have been no interruptions to business operations. The risk practitioner should conclude that:

Question139: Which of the following provides the BEST evidence that risk responses have been executed according to their risk action plans?

Question140: An organization is planning to engage a cloud-based service provider for some of its data-intensive business processes. Which of the following is MOST important to help define the IT risk associated with this outsourcing activity?

Question141: Which of the following is the GREATEST concern associated with redundant data in an organization's inventory system?

Question142: Deviation from a mitigation action plan's completion date should be determined by which of the following?

Question143: A software developer has administrative access to a production application. Which of the following should be of GREATEST concern to a risk practitioner?

Question144: Which of the following activities is PRIMARILY the responsibility of senior management?

Question145: Which of the following BEST indicates the condition of a risk management program?

Question146: Which of the following statements in an organization's current risk profile report is cause for further action by senior management?

Question147: An organization operates in an environment where reduced time-to-market for new software products is a top business priority. Which of the following should be the risk practitioner's GREATEST concern?

Question148: During an IT risk scenario review session, business executives question why they have been assigned ownership of IT-related risk scenarios. They feel IT risk is technical in nature and therefore should be owned by IT. Which of the following is the BEST way for the risk practitioner to address these concerns?

Question149: Accountability for a particular risk is BEST represented in a:

Question150: Which of the following could BEST detect an in-house developer inserting malicious functions into a web-based application?

Question151: The design of procedures to prevent fraudulent transactions within an enterprise resource planning (ERP) system should be based on:

Question152: Which of the following is the MOST important foundational element of an effective three lines of defense model for an organization?

Question153: Which of the following would provide executive management with the BEST information to make risk decisions as a result of a risk assessment?

Question154: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a vulnerability management process?

Question155: Which of the following activities would BEST contribute to promoting an organization-wide risk-aware culture?

Question156: An internally developed payroll application leverages Platform as a Service (PaaS) infrastructure from the cloud. Who owns the related data confidentiality risk?

Question157: The BEST reason to classify IT assets during a risk assessment is to determine the:

Question158: Which of the following is MOST important to ensure when continuously monitoring the performance of a client-facing application?

Question159: Which of the following should be a risk practitioner s MOST important consideration when developing IT risk scenarios?

Question160: Which of the following is a risk practitioner's BEST course of action upon learning that a control under internal review may no longer be necessary?

Question161: Which of the following is the BEST key performance indicator (KPI) to measure the effectiveness of a disaster recovery plan (DRP)?

Question162: A control for mitigating risk in a key business area cannot be implemented immediately. Which of the following is the risk practitioner's BEST course of action when a compensating control needs to be applied?

Question163: Which of the following is performed after a risk assessment is completed?

Question164: Which of the following is the MOST important consideration when identifying stakeholders to review risk scenarios developed by a risk analyst? The reviewers are:

Question165: Which of the following should be the HIGHEST priority when developing a risk response?

Question166: When reviewing a report on the performance of control processes, it is MOST important to verify whether the:

Question167: Which of the following would BEST provide early warning of a high-risk condition?

Question168: A web-based service provider with a low risk appetite for system outages is reviewing its current risk profile for online security. Which of the following observations would be MOST relevant to escalate to senior management?

Question169: Risk mitigation procedures should include:

Question170: An organization is considering allowing users to access company data from their personal devices. Which of the following is the MOST important factor when assessing the risk?

Question171: Who is BEST suited to determine whether a new control properly mitigates data loss risk within a system?

Question172: Which of the following is the BEST evidence that risk management is driving business decisions in an organization?

Question173: A third-party vendor has offered to perform user access provisioning and termination. Which of the following control accountabilities is BEST retained within the organization?

Question174: Which of the following is the BEST approach to use when creating a comprehensive set of IT risk scenarios?

Question175: Which of the following is the BEST way for a risk practitioner to verify that management has addressed control issues identified during a previous external audit?

Question176: Whether the results of risk analyses should be presented in quantitative or qualitative terms should be based PRIMARILY on the:

Question177: Which of the following is MOST important when developing risk scenarios?

Question178: Which of the following is the BEST metric to demonstrate the effectiveness of an organization's change management process?

Question179: A risk practitioner has observed that risk owners have approved a high number of exceptions to the information security policy. Which of the following should be the risk practitioner's GREATEST concern?

Question180: The PRIMARY objective of a risk identification process is to:

Question181: An organization wants to assess the maturity of its internal control environment. The FIRST step should be to:

Question182: A risk practitioner is organizing a training session lo communicate risk assessment methodologies to ensure a consistent risk view within the organization Which of the following i< the MOST important topic to cover in this training?

Question183: Which of the following will BEST help ensure that risk factors identified during an information systems review are addressed?

Question184: Which of the following is the FIRST step in managing the risk associated with the leakage of confidential data?

Question185: Which of the following is the BEST indicator of the effectiveness of a control action plan's implementation?

Question186: Quantifying the value of a single asset helps the organization to understand the:

Question187: When reviewing management's IT control self-assessments, a risk practitioner noted an ineffective control that links to several low residual risk scenarios. What should be the NEXT course of action?

Question188: Which of the following is the PRIMARY reason for an organization to ensure the risk register is updated regularly?

Question189: Which of the following would MOST likely cause a risk practitioner to reassess risk scenarios?

Question190: A management team is on an aggressive mission to launch a new product to penetrate new markets and overlooks IT risk factors, threats, and vulnerabilities. This scenario BEST demonstrates an organization's risk:

Question191: An organization uses a vendor to destroy hard drives. Which of the following would BEST reduce the risk of data leakage?

Question192: Improvements in the design and implementation of a control will MOST likely result in an update to:

Question193: Which of the following BEST confirms the existence and operating effectiveness of information systems controls?

Question194: Which of the following BEST indicates whether security awareness training is effective?

Question195: What is MOST important for the risk practitioner to understand when creating an initial IT risk register?

Question196: The PRIMARY basis for selecting a security control is:

Question197: The PRIMARY advantage of implementing an IT risk management framework is the:

Question198: Of the following, who should be responsible for determining the inherent risk rating of an application?

Question199: Which of the following is a KEY outcome of risk ownership?

Question200: Which of the following would be of GREATEST concern to a risk practitioner reviewing current key risk indicators (KRIs)?

Question201: All business units within an organization have the same risk response plan for creating local disaster recovery plans. In an effort to achieve cost effectiveness., the BEST course of action would be to:

Question202: Which of the following would be MOST useful to senior management when determining an appropriate risk response?

Question203: Which of the following is MOST helpful in developing key risk indicator (KRl) thresholds?

Question204: A risk practitioner has determined that a key control does not meet design expectations. Which of the following should be done NEXT?

Question205: Which of the following activities should be performed FIRST when establishing IT risk management processes?

Question206: A risk practitioner observes that the fraud detection controls in an online payment system do not perform as expected. Which of the following will MOST likely change as a result?

Question207: An organization has determined a risk scenario is outside the defined risk tolerance level. What should be the NEXT course of action?

Question208: Which of the following is the MOST important element of a successful risk awareness training program?

Question209: An external security audit has reported multiple findings related to control noncompliance. Which of the following would be MOST important for the risk practitioner to communicate to senior management?

Question210: Which of the following is the MAIN reason for documenting the performance of controls?

Question211: A global organization is considering the acquisition of a competitor. Senior management has requested a review of the overall risk profile from the targeted organization. Which of the following components of this review would provide the MOST useful information?

Question212: An organization has granted a vendor access to its data in order to analyze customer behavior. Which of the following would be the MOST effective control to mitigate the risk of customer data leakage?

Question213: Which of the following is the MOST important consideration when selecting key risk indicators (KRIs) to monitor risk trends over time?

Question214: The acceptance of control costs that exceed risk exposure is MOST likely an example of:

Question215: The MOST important reason to aggregate results from multiple risk assessments on interdependent information systems is to:

Question216: Who should be responsible for strategic decisions on risk management?

Question217: Which of the following BEST enables the identification of trends in risk levels?

Question218: Which of the following would be MOST helpful to a risk owner when making risk-aware decisions?

Question219: An organization is planning to outsource its payroll function to an external service provider Which of the following should be the MOST important consideration when selecting the provider?

Question220: When a high-risk security breach occurs, which of the following would be MOST important to the person responsible for managing the incident?

Question221: During the initial risk identification process for a business application, it is MOST important to include which of the following stakeholders?

Question222: It is MOST appropriate for changes to be promoted to production after they are;

Question223: Which of the following would be MOST relevant to stakeholders regarding ineffective control implementation?

Question224: An organization is increasingly concerned about loss of sensitive data and asks the risk practitioner to assess the current risk level. Which of the following should the risk practitioner do FIRST?

Question225: Which of the following should be the PRIMARY focus of a risk owner once a decision is made to mitigate a risk?