CTPRP Exam Dumps : Certified Third-Party Risk Professional (CTPRP)

According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, physical security compliance is the process of ensuring that the physical assets and personnel of an organization are protected from unauthorized access, theft, damage, or harm1. Physical security compliance can be achieved by implementing various measures, such as locks, alarms, cameras, guards, fences, badges, etc. However, these measures need to be regularly monitored, tested, and verified to ensure their effectiveness and alignment with the defined standards and policies2. Therefore, maintaining a standardized schedule for confirming controls to defined standards demonstrates a greater maturity of physical security compliance, as it indicates a proactive and consistent approach to assessing and improving the physical security posture of an organization3.

The other options do not reflect a high level of physical security compliance maturity, as they either rely on reactive or ad hoc methods, or lack sufficient verification and validation mechanisms. Leveraging periodic reporting to schedule facility inspections based on reported events may indicate a lack of preventive and predictive measures, as well as a dependency on external or internal incidents to trigger the inspections. Providing a checklist for self-assessment may indicate a lack of independent and objective evaluation, as well as a potential for bias or error in the self-assessment process. Conducting unannounced checks on an ad hoc basis may indicate a lack of planning and coordination, as well as a potential for disruption or inconsistency in the checks.

References:

• 1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, page 24
• 2: Physical Security: Planning, Measures & Examples + PDF - Avigilon
• 3: Security Maturity Models: Levels, Assessment, and Benefits
• [4]: Best Practices for Planning and Managing Physical Security Resources - CISA, page 10
• [5]: Self-Assessment vs. Independent Assessment: What’s the Difference? | Linford & Company LLP
• [6]: The Pros and Cons of Unannounced Audits | NQA

 Questionnaires are one of the most common and effective tools for conducting third party risk assessments. They help organizations gather information about the security and compliance practices of their vendors and service providers, as well as identify any gaps or weaknesses that may pose a risk to the organization. However, not all questionnaires are created equal. Depending on the nature and scope of the third party relationship, different types and levels of questions may be required to adequately assess the risk. Therefore, it is important to configure the assessment questionnaires based on the risk rating and type of service being evaluated12.

The risk rating of a third party is determined by various factors, such as the criticality of the service they provide, the sensitivity of the data they handle, the regulatory requirements they must comply with, and the potential impact of a breach or disruption on the organization. The higher the risk rating, the more detailed and comprehensive the questionnaire should be. For example, a high-risk third party that processes personal or financial data may require a questionnaire that covers multiple domains of security and privacy, such as data protection, encryption, access control, incident response, and audit. A low-risk third party that provides a non-critical service or does not handle sensitive data may require a questionnaire that covers only the basic security controls, such as firewall, antivirus, and password policy12.

The type of service that a third party provides also influences the configuration of the questionnaire. Different services may have different security and compliance standards and best practices that need to be addressed. For example, a third party that provides cloud-based services may require a questionnaire that covers topics such as cloud security architecture, data residency, service level agreements, and disaster recovery. A third party that provides software development services may require a questionnaire that covers topics such as software development life cycle, code review, testing, and vulnerability management12.

By configuring the assessment questionnaires based on the risk rating and type of service being evaluated, organizations can ensure that they ask the right questions to the right third parties, and obtain relevant and meaningful information to support their risk management decisions. Therefore, the statement that assessment questionnaires should be configured based on the risk rating and type of service being evaluated is TRUE12. References: 1: How to Use SIG Questionnaires for Better Third-Party Risk Management 2: Third-party risk assessment questionnaires - KPMG India

A documented process to gain approvals for use of open source applications is typically not part of evaluating the vendor’s patch management controls, because it is not directly related to the patching process. Patch management controls are the policies, procedures, and tools that enable an organization to identify, acquire, install, and verify patches for software vulnerabilities. Patch management controls aim to reduce the risk of exploitation of known software flaws and ensure the functionality and compatibility of the patched systems. A documented process to gain approvals for use of open source applications is more relevant to the software development and procurement processes, as it involves assessing the legal, security, and operational implications of using open source software components in the vendor’s products or services. Open source software may have different licensing terms, quality standards, and support levels than proprietary software, and may introduce additional vulnerabilities or dependencies that need to be managed. Therefore, a documented process to gain approvals for use of open source applications is a good practice for vendors, but it is not a patch management control per se. References:

• Guide to Enterprise Patch Management Planning
• Governance of Key Aspects of System Patch Management
• Certified Third Party Risk Professional (CTPRP) Study Guide