Exactprep CTPRP Questions

Physical access procedures and activity logs are important components of third-party risk management, as they help to ensure the security and integrity of the physical assets and data of the organization and its third parties. However, requiring physical access logs to be retained indefinitely for audit purposes is not a best practice, as it may pose legal, regulatory, and operational challenges. According to the Supplemental Examination Procedures for Risk Management of Third-Party Relationships, physical access logs should be retained for a reasonable period of time, consistent with the organization’s policies and procedures, and in compliance with applicable laws and regulations1. Retaining physical access logs indefinitely may increase the risk of unauthorized access, data breaches, privacy violations, and litigation2. Therefore, the statement B is the correct answer, as it is the only one that does not reflect a best practice for physical access procedures and activity logs.

References:

• 1: How to Write Third-Party Risk Management (TPRM) Policies and Procedures - SecurityScorecard Blog
• 2: Five Best Practices to Manage and Control Third-Party Risk - Broadcom Inc.
• 3: A checklist for third-party risk management platforms - Crowe LLP
• 4: Supplemental Examination Procedures for Risk Management of Third-Party Relationships
• 5: Third Party Risk Management: Why It’s Important And What Features To Look For - Expert Insights

A documented process to gain approvals for use of open source applications is typically not part of evaluating the vendor’s patch management controls, because it is not directly related to the patching process. Patch management controls are the policies, procedures, and tools that enable an organization to identify, acquire, install, and verify patches for software vulnerabilities. Patch management controls aim to reduce the risk of exploitation of known software flaws and ensure the functionality and compatibility of the patched systems. A documented process to gain approvals for use of open source applications is more relevant to the software development and procurement processes, as it involves assessing the legal, security, and operational implications of using open source software components in the vendor’s products or services. Open source software may have different licensing terms, quality standards, and support levels than proprietary software, and may introduce additional vulnerabilities or dependencies that need to be managed. Therefore, a documented process to gain approvals for use of open source applications is a good practice for vendors, but it is not a patch management control per se. References:

• Guide to Enterprise Patch Management Planning
• Governance of Key Aspects of System Patch Management
• Certified Third Party Risk Professional (CTPRP) Study Guide

Termination for cause is the type of contract termination that is most likely to occur after failure to remediate assessment findings. This is because termination for cause is based on a breach of contract by the third-party, such as non-compliance, poor performance, fraud, or misconduct. Failure to remediate assessment findings indicates that the third-party has not met the contractual obligations or expectations of the entity, and thus exposes the entity to increased risk and liability. Termination for cause allows the entity to end the contract immediately or after a notice period, and to seek damages or remedies from the third-party. Termination for cause is different from other types of contract termination, such as:

• Regulatory/supervisory termination, which is triggered by a change in law or regulation that affects the legality or feasibility of the contract.
• Termination for convenience, which is exercised by the entity without any fault or breach by the third-party, usually for strategic or operational reasons.
• Normal termination, which is the natural expiration of the contract term or the completion of the contract scope. References:
• Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide1
• Fusion Risk Management. (2021). Exit Strategy for Terminating a Third Party2
• Volkov, M. (2016). Third-Party Risk Management – Part 2: Contract Termination3

The primary objective of a third party risk assessment is to validate that the vendor/service provider has adequate controls in place based on the organization’s risk posture. A third party risk assessment (also known as supplier risk assessment) quantifies the risks associated with third-party vendors and suppliers that provide products or services to your organization1. This assessment is useful for analyzing both new and ongoing supplier relationships. The growing risk of supply chain attacks makes it critical to conduct thorough and regular risk assessments of your third parties. A third party risk assessment helps you identify, measure, and mitigate the potential risks that your third parties pose to your organization, such as data breaches, cyberattacks, compliance violations, operational disruptions, reputational damage, or financial losses. A third party risk assessment also helps you align your third party risk management (TPRM) program with your organization’s risk appetite, policies, standards, and procedures. A third party risk assessment typically involves the following steps1:

• Scoping: Define the scope of the assessment based on the type, nature, and criticality of the third party relationship. Determine the relevant risk domains, such as security, privacy, compliance, business continuity, etc.
• Data collection: Gather information from the third party using various methods, such as questionnaires, surveys, interviews, audits, tests, or evidence reviews.
• Analysis: Analyze the data collected and compare it with your organization’s risk criteria, benchmarks, and best practices. Identify any gaps, weaknesses, or issues in the third party’s controls, processes, or performance.
• Reporting: Document the findings and recommendations of the assessment in a clear and concise report. Communicate the results to the relevant stakeholders, such as senior management, business owners, or regulators.
• Remediation: Follow up with the third party to ensure that they implement the necessary actions to address the identified risks. Monitor and track the progress and effectiveness of the remediation plan.
• Review: Review and update the assessment periodically or whenever there are significant changes in the third party relationship, the risk environment, or the regulatory requirements.

The other statements are not the primary objective of a third party risk assessment, although they may be related or secondary objectives. Assessing the appropriateness of non-disclosure agreements regarding the organization’s systems/data is a legal objective that may be part of the contract negotiation or review process. Determining the scope of the business relationship is a strategic objective that may be part of the vendor selection or due diligence process. Evaluating the risk posture of all vendors/service providers in the vendor inventory is a holistic objective that may be part of the vendor risk management or governance process. References:

• 1: Third-Party Risk Assessment: A Practical Guide - BlueVoyant
• : What Is Third-Party Risk Management (TPRM)? 2024 Guide | UpGuard
• : What is Third-Party Risk Management? | Blog | OneTrust