CTPRP Exam Dumps : Certified Third-Party Risk Professional (CTPRP)

 According to the CTPRP Job Guide, the TPRM program should establish minimum risk assessment standards for third party due diligence based on the company’s risk tolerance and risk appetite. This means that the TPRM program should define the scope, depth, frequency, and methodology of the risk assessment process for different categories of third parties, taking into account the potential impact and likelihood of various risks. The risk assessment standards should be consistent, transparent, and aligned with the company’s strategic objectives and regulatory obligations. The TPRM program should also monitor and update the risk assessment standards as needed to reflect changes in the business environment, risk profile, and best practices. The other options are not correct because they do not reflect a holistic and risk-based approach to third party due diligence. Setting the standards by each business unit may result in inconsistency, duplication, or gaps in the risk assessment process. Defining the standards in the contract or statement of work may limit the flexibility and adaptability of the risk assessment process to changing circumstances. Identifying the standards by procurement may overlook the input and involvement of other stakeholders and functions in the risk assessment process. References:

• CTPRP Job Guide, page 17
• Third-Party Risk Management and ISO Requirements for 2022, section “Benefits of Implementing Risk Management”
• Managing third-party risk through effective due diligence, section “Complying with regulators’ demands”
• Third-Party Due Diligence Checklist: 3 Essential Steps, section “Step 2: Conduct a Risk Assessment”

 Performing due diligence during third party risk assessments is a process of verifying and validating the information provided by the third parties, as well as identifying and assessing any potential risks or issues that may arise from the relationship. Due diligence methods may vary depending on the type, scope, and complexity of the third party engagement, but they generally involve the following steps123:

• Interviewing subject matter experts or control owners: This method involves engaging with the relevant stakeholders from both the organization and the third party, such as business owners, project managers, legal counsel, compliance officers, security analysts, etc. The purpose of the interviews is to gather more information about the third party’s capabilities, processes, policies, performance, and challenges, as well as to clarify any questions or concerns that may arise from the questionnaire or other sources. The interviews can also help to establish rapport and trust between the parties, and to identify any gaps or discrepancies in the information provided.
• Reviewing compliance artifacts: This method involves examining the evidence or documentation that supports the third party’s claims or assertions, such as certifications, accreditations, audit reports, policies, procedures, contracts, SLAs, etc. The purpose of the review is to verify the accuracy, completeness, and validity of the artifacts, as well as to assess the level of compliance with the applicable standards, regulations, and best practices. The review can also help to identify any areas of improvement or weakness in the third party’s controls or processes.
• Validating controls: This method involves testing or inspecting the actual implementation and effectiveness of the third party’s controls or processes, such as security measures, quality assurance, data protection, incident response, etc. The purpose of the validation is to confirm that the controls are operating as intended and expected, and that they are sufficient to mitigate the risks or issues identified in the assessment. The validation can also help to identify any vulnerabilities or gaps in the third party’s controls or processes.

The other options are not as comprehensive or accurate as the methods described above, as they may not cover all the aspects or dimensions of the third party risk assessment, or they may rely on incomplete or outdated information. Inspecting physical and environmental security controls by conducting a facility tour is only one part of the validation method, and it may not be applicable or feasible for all types of third parties, such as cloud service providers or remote workers. Reviewing status of findings from the questionnaire and defining remediation plans is more of a follow-up or monitoring activity, rather than a due diligence method, as it assumes that the questionnaire has already been completed and analyzed. Reviewing and assessing only the obligations that are specifically defined in the contract is a narrow and limited approach, as it may not capture the full scope or complexity of the third party relationship, or the dynamic and evolving nature of the risks or issues involved. References:

• Third Party Due Diligence – a vital but challenging process
• The guide to risk based third party due diligence - VinciWorks
• Third Party Risk Assessment – Checklist & Best Practices

Asset management is the process of identifying, tracking, and managing the physical and digital assets of an organization. An asset management program is a set of policies, procedures, and tools that help to ensure the optimal use, security, and disposal of assets. According to the Shared Assessments CTPRP Study Guide1, an asset management program should include the following components:

• Asset inventories: A comprehensive and accurate list of all assets owned, leased, or used by the organization, including hardware, software, data, and services. Asset inventories should include connections to external parties, networks, or systems that process data, as this may introduce additional risks and dependencies12.
• Asset owners: A clear assignment of roles and responsibilities for each asset, including an organizational owner who is accountable for the asset throughout its life cycle. Asset owners should ensure that assets are properly maintained, updated, secured, and disposed of in accordance with the organization’s policies and standards13.
• Asset classification: A consistent and objective method of categorizing assets based on their criticality or data sensitivity. Asset classification helps to determine the appropriate level of protection, monitoring, and testing for each asset, as well as the potential impact of asset loss or compromise1 .
• Asset controls: A set of measures and mechanisms that help to safeguard assets from unauthorized access, use, modification, disclosure, or destruction. Asset controls may include physical, technical, administrative, or contractual means, such as locks, encryption, passwords, policies, or agreements1 .

The statement that is least likely to represent a component of an asset management program is D. Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines. This statement describes a supply chain management function, not an asset management function. Supply chain management is the process of planning, coordinating, and controlling the flow of materials, information, and services from suppliers to customers. Supply chain management may involve some aspects of asset management, such as inventory control, quality assurance, or vendor risk management, but it is not the same as asset management . Asset management focuses on the assets that the organization owns or uses, not the assets that the organization produces or delivers.

References:

• 1: Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide.
• 2: ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO03 Manage enterprise architecture.
• 3: ISO. (2018). ISO/IEC 27001:2018 Information technology — Security techniques — Information security management systems — Requirements. Clause 8.1.2 Asset management roles and responsibilities.
• : NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. RA-2 Security Categorization.
• : NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. CM-8 Information System Component Inventory.
• : APICS. (2018). APICS Dictionary, 16th edition. Supply chain management.
• : ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO13 Manage security.