PDF CTPRP Study Guide

Asset management is the process of identifying, tracking, and managing the physical and digital assets of an organization. An asset management program is a set of policies, procedures, and tools that help to ensure the optimal use, security, and disposal of assets. According to the Shared Assessments CTPRP Study Guide1, an asset management program should include the following components:

• Asset inventories: A comprehensive and accurate list of all assets owned, leased, or used by the organization, including hardware, software, data, and services. Asset inventories should include connections to external parties, networks, or systems that process data, as this may introduce additional risks and dependencies12.
• Asset owners: A clear assignment of roles and responsibilities for each asset, including an organizational owner who is accountable for the asset throughout its life cycle. Asset owners should ensure that assets are properly maintained, updated, secured, and disposed of in accordance with the organization’s policies and standards13.
• Asset classification: A consistent and objective method of categorizing assets based on their criticality or data sensitivity. Asset classification helps to determine the appropriate level of protection, monitoring, and testing for each asset, as well as the potential impact of asset loss or compromise1 .
• Asset controls: A set of measures and mechanisms that help to safeguard assets from unauthorized access, use, modification, disclosure, or destruction. Asset controls may include physical, technical, administrative, or contractual means, such as locks, encryption, passwords, policies, or agreements1 .

The statement that is least likely to represent a component of an asset management program is D. Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines. This statement describes a supply chain management function, not an asset management function. Supply chain management is the process of planning, coordinating, and controlling the flow of materials, information, and services from suppliers to customers. Supply chain management may involve some aspects of asset management, such as inventory control, quality assurance, or vendor risk management, but it is not the same as asset management . Asset management focuses on the assets that the organization owns or uses, not the assets that the organization produces or delivers.

References:

• 1: Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide.
• 2: ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO03 Manage enterprise architecture.
• 3: ISO. (2018). ISO/IEC 27001:2018 Information technology — Security techniques — Information security management systems — Requirements. Clause 8.1.2 Asset management roles and responsibilities.
• : NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. RA-2 Security Categorization.
• : NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. CM-8 Information System Component Inventory.
• : APICS. (2018). APICS Dictionary, 16th edition. Supply chain management.
• : ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO13 Manage security.

 A regulation is a rule of order having the force of law, prescribed by a superior or competent authority, relating to the actions of those under the authority’s control. Regulations are issued by various government departments and agencies to carry out the intent of legislation enacted by the legislature of the applicable jurisdiction. Regulations also function to ensure uniform application of the law. A standard is a guideline established generally by private-sector bodies and that are available for use by any person or organization, private or government. The term includes what are commonly referred to as ‘industry standards’ as well as ‘consensus standards’. Standards are developed through a voluntary process of collaboration and consensus among stakeholders, such as manufacturers, consumers, regulators, and experts. Standards may reflect best practices, technical specifications, performance criteria, or quality requirements. Standards do not have the force of law unless they are adopted or referenced by a regulation. Therefore, a regulation must be adhered to by all companies subject to its requirements, but companies can voluntarily choose to follow standards that are relevant and beneficial to their operations, products, or services. References:

• The Difference Between Regulations and Standards
• Regulations vs Standards: Clearing Up the Confusion - AEM
• Standards vs. Regulations
• Certified Third Party Risk Professional (CTPRP) Study Guide

 Performing due diligence during third party risk assessments is a process of verifying and validating the information provided by the third parties, as well as identifying and assessing any potential risks or issues that may arise from the relationship. Due diligence methods may vary depending on the type, scope, and complexity of the third party engagement, but they generally involve the following steps123:

• Interviewing subject matter experts or control owners: This method involves engaging with the relevant stakeholders from both the organization and the third party, such as business owners, project managers, legal counsel, compliance officers, security analysts, etc. The purpose of the interviews is to gather more information about the third party’s capabilities, processes, policies, performance, and challenges, as well as to clarify any questions or concerns that may arise from the questionnaire or other sources. The interviews can also help to establish rapport and trust between the parties, and to identify any gaps or discrepancies in the information provided.
• Reviewing compliance artifacts: This method involves examining the evidence or documentation that supports the third party’s claims or assertions, such as certifications, accreditations, audit reports, policies, procedures, contracts, SLAs, etc. The purpose of the review is to verify the accuracy, completeness, and validity of the artifacts, as well as to assess the level of compliance with the applicable standards, regulations, and best practices. The review can also help to identify any areas of improvement or weakness in the third party’s controls or processes.
• Validating controls: This method involves testing or inspecting the actual implementation and effectiveness of the third party’s controls or processes, such as security measures, quality assurance, data protection, incident response, etc. The purpose of the validation is to confirm that the controls are operating as intended and expected, and that they are sufficient to mitigate the risks or issues identified in the assessment. The validation can also help to identify any vulnerabilities or gaps in the third party’s controls or processes.

The other options are not as comprehensive or accurate as the methods described above, as they may not cover all the aspects or dimensions of the third party risk assessment, or they may rely on incomplete or outdated information. Inspecting physical and environmental security controls by conducting a facility tour is only one part of the validation method, and it may not be applicable or feasible for all types of third parties, such as cloud service providers or remote workers. Reviewing status of findings from the questionnaire and defining remediation plans is more of a follow-up or monitoring activity, rather than a due diligence method, as it assumes that the questionnaire has already been completed and analyzed. Reviewing and assessing only the obligations that are specifically defined in the contract is a narrow and limited approach, as it may not capture the full scope or complexity of the third party relationship, or the dynamic and evolving nature of the risks or issues involved. References:

• Third Party Due Diligence – a vital but challenging process
• The guide to risk based third party due diligence - VinciWorks
• Third Party Risk Assessment – Checklist & Best Practices

 Questionnaires are one of the most common and effective tools for conducting third party risk assessments. They help organizations gather information about the security and compliance practices of their vendors and service providers, as well as identify any gaps or weaknesses that may pose a risk to the organization. However, not all questionnaires are created equal. Depending on the nature and scope of the third party relationship, different types and levels of questions may be required to adequately assess the risk. Therefore, it is important to configure the assessment questionnaires based on the risk rating and type of service being evaluated12.

The risk rating of a third party is determined by various factors, such as the criticality of the service they provide, the sensitivity of the data they handle, the regulatory requirements they must comply with, and the potential impact of a breach or disruption on the organization. The higher the risk rating, the more detailed and comprehensive the questionnaire should be. For example, a high-risk third party that processes personal or financial data may require a questionnaire that covers multiple domains of security and privacy, such as data protection, encryption, access control, incident response, and audit. A low-risk third party that provides a non-critical service or does not handle sensitive data may require a questionnaire that covers only the basic security controls, such as firewall, antivirus, and password policy12.

The type of service that a third party provides also influences the configuration of the questionnaire. Different services may have different security and compliance standards and best practices that need to be addressed. For example, a third party that provides cloud-based services may require a questionnaire that covers topics such as cloud security architecture, data residency, service level agreements, and disaster recovery. A third party that provides software development services may require a questionnaire that covers topics such as software development life cycle, code review, testing, and vulnerability management12.

By configuring the assessment questionnaires based on the risk rating and type of service being evaluated, organizations can ensure that they ask the right questions to the right third parties, and obtain relevant and meaningful information to support their risk management decisions. Therefore, the statement that assessment questionnaires should be configured based on the risk rating and type of service being evaluated is TRUE12. References: 1: How to Use SIG Questionnaires for Better Third-Party Risk Management 2: Third-party risk assessment questionnaires - KPMG India