CTPRP Questions Bank

The most important factor when scoping assessments of cloud-based third parties that access, process, and retain personal data is to identify the type of cloud hosting deployment or service model. This is because different cloud models have different implications for the allocation of security responsibilities between the third party and the cloud hosting provider. For example, in a Software as a Service (SaaS) model, the cloud provider is responsible for most of the security controls, while in an Infrastructure as a Service (IaaS) model, the third party is responsible for securing its own data and applications. Therefore, it is essential to understand the type of cloud model and the corresponding security roles and responsibilities before conducting an assessment. This will help to avoid gaps, overlaps, or conflicts in security controls and expectations. References:

• Guidance on Cloud Security Assessment and Authorization - ITSP.50.105, Canadian Centre for Cyber Security, May 2020, Section 2.1.1
• The Importance of Properly Scoping Cloud Environments, PCI Security Standards Council and Cloud Security Alliance, August 2021
• Third party and cloud: Regulatory challenges, KPMG, 2022, Section 2.1
• Certified Third Party Risk Professional (CTPRP) Study Guide, Shared Assessments, 2021, Section 4.2.2

When calculating residual risk, the best practice for an assessor is to adjust the vendor risk rating based on the changes to the risk level after analyzing the findings and considering the effectiveness of mitigating controls. Residual risk refers to the level of risk that remains after controls are applied to mitigate the initial (inherent) risk. By evaluating the findings from a third-party assessment and factoring in the mitigating controls implemented by the vendor, the assessor can more accurately determine the remaining risk level. This adjusted risk rating provides a more realistic view of the vendor's risk profile, aiding in informed decision-making regarding risk management and vendor oversight.

References:

• The concept of residual risk calculation is discussed in risk management frameworks such as ISO 31000 (Risk Management - Guidelines), which guides the assessment and treatment of risks.
• The "Third-Party Risk Management Guide" by ISACA outlines the process of assessing and managing risks associated with third parties, including the calculation of residual risk.

Infrastructure as a service (IaaS) is a cloud deployment model that provides users with access to virtualized hardware resources, such as servers, storage, and network devices. Users can install and run their own operating systems and applications on the cloud infrastructure, and have full control over the configuration and management of the hardware equipment. IaaS is suitable for organizations that need high scalability, flexibility, and customization of their cloud environment. IaaS is different from other cloud deployment models, such as function as a service (FaaS), platform as a service (PaaS), and software as a service (SaaS), which provide users with higher-level services and abstract away the underlying hardware details. References:

• Cloud Infrastructure: 4 Key Components and Deployment Models
• Cloud Deployment Models - GeeksforGeeks
• On-Premises Cloud Deployment Model: Organization-Owned Hardware Explained

A change in company point of contact does not necessarily trigger an organization to prompt a third party contract provisions review, unless the contract specifically requires such a notification or approval. A change in company point of contact may affect the communication and relationship between the parties, but it does not affect the legal terms and obligations of the contract. However, other types of external events, such as business continuity events, data breaches/privacy incidents, and changes in regulations, may have a significant impact on the performance, compliance, and risk of the contract, and therefore may require a review of the contract provisions to ensure that they are still valid, enforceable, and aligned with the parties’ expectations and objectives. For example, a business continuity event may disrupt the delivery of goods or services, a data breach/privacy incident may expose confidential or personal information, and a change in regulations may impose new obligations or liabilities on the parties. These events may trigger clauses such as force majeure, termination, indemnification, or dispute resolution, and may require the parties to renegotiate or amend the contract accordingly. References:

• Third-Party Contract Reviews: Determining Your Best Options
• Third party contracts: best practices for third party paper
• What to Look For When Reviewing Third-Party Contracts
• CTPRP Job Guide