EMT Practice Test

1. Question Content...


Question List

Question1: You receive a call from a vendor that two laptops and a tablet are missing that were used to process your company data. The asset loss occurred two years ago, but was only recently discovered. That statement may indicate that this vendor is lacking an adequate:

Question2: If a system requires ALL of the following for accessing its data: (1) a password, (2) a security token, and (3) a user's fingerprint, the system employs:

Question3: An outsourcer's vendor risk assessment process includes all of the following EXCEPT:

Question4: For services with system-to-system access, which change management requirement MOST effectively reduces the risk of business disruption to the outsourcer?

Question5: Which policy requirement is typically NOT defined in an Asset Management program?

Question6: The BEST way to manage Fourth-Nth Party risk is:

Question7: Once a vendor questionnaire is received from a vendor what is the MOST important next step when evaluating the responses?

Question8: Which risk treatment approach typically requires a negotiation of contract terms between parties?

Question9: Which of the following changes to the production environment is typically NOT subject to the change control process?

Question10: Which of the following BEST describes the distinction between a regulation and a standard?

Question11: A set of principles for software development that address the top application security risks and industry web requirements is known as:

Question12: Which example is typically NOT included in a Business Impact Analysis (BIA)?

Question13: At which level of reporting are changes in TPRM program metrics rare and exceptional?

Question14: An organization has experienced an unrecoverable data loss event after restoring a system. This is an example of:

Question15: Which statement is FALSE regarding the primary factors in determining vendor risk classification?

Question16: The set of shared values and beliefs that govern a company's attitude toward risk is known as:

Question17: Which of the following indicators is LEAST likely to trigger a reassessment of an existing vendor?

Question18: When measuring the operational performance of implementing a TPRM program, which example is MOST likely to provide meaningful metrics?

Question19: All of the following processes are components of controls evaluation in the Third Party Risk Assessment process EXCEPT:

Question20: Which factor in patch management is MOST important when conducting postcybersecurity incident analysis related to systems and applications?

Question21: Which of the following data safeguarding techniques provides the STRONGEST assurance that data does not identify an individual?

Question22: What attribute is MOST likely to be included in the software development lifecycle (SDLC) process?

Question23: When updating TPRM vendor classification requirements with a focus on availability, which risk rating factors provide the greatest impact to the analysis?

Question24: Which requirement is NOT included in IT asset end-of-life (EOL) processes?

Question25: Which of the following components are typically NOT part of a cloud hosting vendor assessment program?

Question26: An IT change management approval process includes all of the following components EXCEPT:

Question27: Which factor describes the concept of criticality of a service provider relationship when determining vendor classification?

Question28: Your organization has recently acquired a set of new global third party relationships due to M&A. You must define your risk assessment process based on your due diligence standards. Which risk factor is LEAST important in defining your requirements?

Question29: Which of the following topics is LEAST important when evaluating a service provider's Security and Privacy Awareness Program?

Question30: Which statement reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program?

Question31: Which statement is TRUE regarding the tools used in TPRM risk analyses?

Question32: Which factor is MOST important when scoping assessments of cloud-based third parties that access, process, and retain personal data?

Question33: Which statement is TRUE regarding the use of questionnaires in third party risk assessments?

Question34: Which activity BEST describes conducting due diligence of a lower risk vendor?

Question35: When evaluating remote access risk, which of the following is LEAST applicable to your analysis?

Question36: Which of the following would be a component of an arganization's Ethics and Code of Conduct Program?

Question37: You are updating program requirements due to shift in use of technologies by vendors to enable hybrid work.
Which statement is LEAST likely to represent components of an Asset
Management Program?

Question38: Select the risk type that is defined as: "A third party may not be able to meet its obligations due to inadequate systems or processes".

Question39: Which factor is the LEAST important attribute when classifying personal data?

Question40: Which factor is less important when reviewing application risk for application service providers?

Question41: You are updating the inventory of regulations that impact your TPRM program during the company's annual risk assessment. Which statement provides the optimal approach to prioritizing the regulations?

Question42: When conducting an assessment of a third party's physical security controls, which of the following represents the innermost layer in a 'Defense in Depth' model?

Question43: Which approach for managing end-user device security is typically used for lost or stolen company-owned devices?

Question44: Your company has been alerted that an IT vendor began utilizing a subcontractor located in a country restricted by company policy. What is the BEST approach to handle this situation?

Question45: Which cloud deployment model is primarily focused on the application layer?

Question46: Upon completion of a third party assessment, a meeting should be scheduled with which of the following resources prior to sharing findings with the vendor/service provider to approve remediation plans:

Question47: Which of the following factors is LEAST likely to trigger notification obligations in incident response?

Question48: Which of the following statements is TRUE regarding the accountabilities in a three lines of defense model?

Question49: Which statement is NOT an accurate reflection of an organizations requirements within an enterprise information security policy?

Question50: Which of the following components is NOT typically included in external continuous monitoring solutions?

Question51: Which statement is NOT an example of the purpose of internal communications and information sharing using TPRM performance metrics?

Question52: Which of the following actions is an early step when triggering an Information Security Incident Response Program?

Question53: The following statements reflect user obligations defined in end-user device policies EXCEPT:

Question54: Which example BEST represents the set of restrictive areas that require an additional authentication factor for access control?

Question55: Which set of procedures is typically NOT addressed within data privacy policies?

Question56: Data loss prevention in endpoint security is the strategy for: