New Year Special Sale - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Shared Assessments > Third Party Risk Management > CTPRP

CTPRP Certified Third-Party Risk Professional (CTPRP) Question and Answers

Question # 4

Which statement is TRUE regarding the tools used in TPRM risk analyses?

A.

Risk treatment plans define the due diligence standards for third party assessments

B.

Risk ratings summarize the findings in vendor remediation plans

C.

Vendor inventories provide an up-to-date record of high risk relationships across an organization

D.

Risk registers are used for logging and tracking third party risks

Full Access
Question # 5

Which approach for managing end-user device security is typically used for lost or stolen company-owned devices?

A.

Remotely enable lost mode status on the device

B.

Deletion of data after a pre-defined number of failed login attempts

C.

Enterprise wipe of all company data and contacts

D.

Remote wipe of the device and restore to factory settings

Full Access
Question # 6

Which policy requirement is typically NOT defined in an Asset Management program?

A.

The Policy states requirements for the reuse of physical media (e.9., devices, servers, disk drives, etc.)

B.

The Policy requires that employees and contractors return all company data and assets upon termination of their employment, contract or agreement

C.

The Policy defines requirements for the inventory, identification, and disposal of equipment “and/or physical media

D.

The Policy requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times

Full Access
Question # 7

Which statement is FALSE when describing the third party risk assessors’ role when conducting a controls evaluation using an industry framework?

A.

The Assessor's role is to conduct discovery with subject matter experts to understand the control environment

B.

The Assessor's role is to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls

C.

The Assessor's role is to provide an opinion on the effectiveness of controls conducted over a period of time in their report

D.

The Assessor's role is to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes

Full Access
Question # 8

Which factor is less important when reviewing application risk for application service providers?

A.

Remote connectivity

B.

The number of software releases

C.

The functionality and type of data the application processes

D.

APl integration

Full Access
Question # 9

Which type of external event does NOT trigger an organization ta prompt a third party contract provisions review?

A.

Change in company point of contact

B.

Business continuity event

C.

Data breach/privacy incident

D.

Change in regulations

Full Access
Question # 10

Which statement BEST describes the use of risk based decisioning in prioritizing gaps identified at a critical vendor when defining the corrective action plan?

A.

The assessor determined that gaps should be analyzed, documented, reviewed for compensating controls, and submitted to the business owner to approve risk treatment plan

B.

The assessor decided that the critical gaps should be discussed in the closing meeting so that the vendor can begin to implement corrective actions immediately

C.

The assessor concluded that all gaps should be logged and treated as high severity findings since the assessment was performed on a critical vendor

D.

The assessor determined that all gaps should be logged and communicated that if the gaps were corrected immediately they would not need to be included in the findings report

Full Access
Question # 11

Your company has been alerted that an IT vendor began utilizing a subcontractor located in a country restricted by company policy. What is the BEST approach to handle this situation?

A.

Notify management to approve an exception and ensure that contract provisions require prior “notification and evidence of subcontractor due diligence

B.

inform the business unit and recommend that the company cease future work with the IT vendor due to company policy

C.

Update the vender inventory with the mew location information in order to schedule a reassessment

D.

Inform the business unit and ask the vendor to replace the subcontractor at their expense in “order to move the processing back to an approved country

Full Access
Question # 12

Which of the following changes to the production environment is typically NOT subject to the change control process?

A.

Change in network

B.

Change in systems

C.

Change to administrator access

D.

Update to application

Full Access
Question # 13

Which factor is MOST important when scoping assessments of cloud-based third parties that access, process, and retain personal data?

A.

The geographic location of the vendor's outsourced datacenters since assessments are only required for international data transfers

B.

The identification of the type of cloud hosting deployment or service model in order to confirm responsibilities between the third party and the cloud hosting provider

C.

The definition of requirements for backup capabilities for power generation and redundancy in the resilience plan

D.

The contract terms for the configuration of the environment which may prevent conducting the assessment

Full Access
Question # 14

When measuring the operational performance of implementing a TPRM program, which example is MOST likely to provide meaningful metrics?

A.

logging the number of exceptions to existing due diligence standards

B.

Measuring the time spent by resources for task and corrective action plan completion

C.

Calculating the average time to remediate identified corrective actions

D.

Tracking the number of outstanding findings

Full Access
Question # 15

Which cloud deployment model is focused on the management of hardware equipment?

A.

Function as a service

B.

Platform as a service

C.

Software as a service

D.

Infrastructure as a service

Full Access
Question # 16

Physical access procedures and activity logs should require all of the following EXCEPT:

A.

Require multiple access controls for server rooms and data centers

B.

Require physical access logs to be retained indefinitely for audit purposes

C.

Record successful and unsuccessful attempts including investigation of unsuccessful access attempts

D.

Include a process to trigger review of the logs after security events

Full Access
Question # 17

Which statement is FALSE when describing the differences between security vulnerabilities and security defects?

A.

A security defect is a security flaw identified in an application due to poor coding practices

B.

Security defects should be treated as exploitable vulnerabilities

C.

Security vulnerabilities and security defects are synonymous

D.

A security defect can become a security vulnerability if undetected after migration into production

Full Access
Question # 18

Select the risk type that is defined as: “A third party may not be able to meet its obligations due to inadequate systems or processes”.

A.

Reliability risk

B.

Performance risk

C.

Competency risk

D.

Availability risk

Full Access
Question # 19

Which of the following BEST reflects components of an environmental controls testing program?

A.

Scheduling testing of building access and intrusion systems

B.

Remote monitoring of HVAC, Smoke, Fire, Water or Power

C.

Auditing the CCTV backup process and card-key access process

D.

Conducting periodic reviews of personnel access controls and building intrusion systems

Full Access
Question # 20

Which type of contract termination is MOST likely to occur after failure to remediate assessment findings?

A.

Regulatory/supervisory termination

B.

Termination for convenience

C.

Normal termination

D.

Termination for cause

Full Access
Question # 21

Which action statement BEST describes an assessor calculating residual risk?

A.

The assessor adjusts the vendor risk rating prior to reporting the findings to the business unit

B.

The assessor adjusts the vendor risk rating based on changes to the risk level after analyzing the findings and mitigating controls

C.

The business unit closes out the finding prior to the assessor submitting the final report

D.

The assessor recommends implementing continuous monitoring for the next 18 months

Full Access
Question # 22

Which statement is FALSE regarding analyzing results from a vendor risk assessment?

A.

The frequency for conducting a vendor reassessment is defined by regulatory obligations

B.

Findings from a vendor risk assessment may be defined at the entity level, and are based o na Specific topic or control

C.

Identifying findings from a vendor risk assessment can occur at any stage in the contract lifecycle

D.

Risk assessment findings identified by controls testing or validation should map back to the information gathering questionnaire and agreed upon framework

Full Access
Question # 23

Which of the following actions is an early step when triggering an Information Security

Incident Response Program?

A.

Implementing processes for emergency change control approvals

B.

Requiring periodic changes to the vendor's contract for breach notification

C.

Assessing the vendor's Business Impact Analysis (BIA) for resuming operations

D.

Initiating an investigation of the unauthorized disclosure of data

Full Access
Question # 24

Which statement is TRUE regarding the onboarding process far new hires?

A.

New employees and contractors should not be on-boarded until the results of applicant screening are approved

B.

it is not necessary to have employees, contractors, and third party users sign confidentiality or non-disclosure agreements

C.

All job roles should require employees to sign non-compete agreements

D.

New employees and contactors can opt-out of having to attend security and privacy awareness training if they hold existing certifications

Full Access
Question # 25

Which of the following factors is LEAST likely to trigger notification obligations in incident response?

A.

Regulatory requirements

B.

Data classification or sensitivity

C.

Encryption of data

D.

Contractual terms

Full Access
Question # 26

Which factor is the LEAST important attribute when classifying personal data?

A.

The volume of data records processed or retained

B.

The data subject category that identifies the data owner

C.

The sensitivity level of specific data elements that could identify an individual

D.

The assignment of a confidentiality level that differentiates public or non-public information

Full Access
Question # 27

Which of the following components is NOT typically included in external continuous monitoring solutions?

A.

Status updates on localized events based on geolocation

B.

Alerts on legal and regulatory actions involving the vendor

C.

Metrics that track SLAs for performance management

D.

Reports that identify changes in vendor financial viability

Full Access
Question # 28

Which of the following is NOT a key component of TPRM requirements in the software development life cycle (SDLC)?

A.

Maintenance of artifacts that provide proof that SOLC gates are executed

B.

Process for data destruction and disposal

C.

Software security testing

D.

Process for fixing security defects

Full Access
Question # 29

For services with system-to-system access, which change management requirement

MOST effectively reduces the risk of business disruption to the outsourcer?

A.

Approval of the change by the information security department

B.

Documenting sufficient time for quality assurance testing

C.

Communicating the change to customers prior ta deployment to enable external acceptance testing

D.

Documenting and legging change approvals

Full Access
Question # 30

Which type of contract provision is MOST important in managing Fourth-Nth party risk after contract signing and on-boarding due diligence is complete?

A.

Subcontractor notice and approval

B.

Indemnification and liability

C.

Breach notification

D.

Right to audit

Full Access
Question # 31

In which phase of the TPRM lifecycle should terms for return or destruction of data be defined and agreed upon?

A.

During contract negotiation

B.

At third party selection and initial due diligence

C.

When deploying ongoing monitoring

D.

At termination and exit

Full Access
Question # 32

Which of the following would be a component of an arganization’s Ethics and Code of Conduct Program?

A.

Participation in the company's annual privacy awareness program

B.

A disciplinary process for non-compliance with key policies, including formal termination or change of status process based on non-compliance

C.

Signing acknowledgement of Acceptable Use policy for use of company assets

D.

A process to conduct periodic access reviews of critical Human Resource files

Full Access
Question # 33

Which activity reflects the concept of vendor management?

A.

Managing service level agreements

B.

Scanning and collecting information from third party web sites

C.

Reviewing and analyzing external audit reports

D.

Receiving and analyzing a vendor's response to & questionnaire

Full Access
Question # 34

The set of shared values and beliefs that govern a company’s attitude toward risk is known as:

A.

Risk tolerance

B.

Risk treatment

C.

Risk culture

D.

Risk appetite

Full Access
Question # 35

Which risk treatment approach typically requires a negotiation of contract terms between parties?

A.

Monitor the risk

B.

Mitigate the risk

C.

Accept the risk

D.

Transfer the risk

Full Access
Question # 36

Which of the following is LEAST likely to be included in an organization's mobile device policy?

A.

Language on restricting the use of the mobile device to only business purposes

B.

Language to require a mutual Non Disclosure Agreement (NDA)

C.

Language detailing the user's responsibility to not bypass security settings or monitoring applications

D.

Language detailing specific actions that an organization may take in the event of an information security incident

Full Access
Question # 37

Which example BEST represents the set of restrictive areas that require an additional authentication factor for access control?

A.

Datacenters; telecom rooms; server rooms; exterior building entrance

B.

Datacenters; telecom rooms; security operations centers; loading docks

C.

Telecom rooms; parking garage; security operations centers; exterior building entrance

D.

Exterior building entrance; datacenters; telecom rooms; printer rooms

Full Access