Third Party Risk Management CTPRP Passing Score

 Risk culture is the term used to describe the collective way that an organization thinks about, manages, and responds to risk. It is influenced by the organization’s values, beliefs, norms, and practices, as well as the external environment and stakeholders. Risk culture affects how employees perceive, communicate, and act on risk issues, and how they balance risk and reward in their decision making. A strong risk culture is one that supports the organization’s strategic objectives, fosters accountability and transparency, and promotes learning and improvement. A weak risk culture is one that undermines the organization’s risk management framework, creates silos and conflicts, and exposes the organization to excessive or unnecessary risks. References:

• Shared Assessments CTPRP Study Guide, page 13, section 2.1.1
• GARP Best Practices Guidance for Third Party Risk, page 5, section 2.1
• Organizational culture | Definition, Benefits and Challenges

A cloud hosting vendor assessment program is a process of evaluating the security, compliance, and performance of a cloud service provider (CSP) that hosts an organization’s data or applications. A cloud hosting vendor assessment program typically includes the following components123:

• Reviewing the entity’s image snapshot approval and management process: This component involves verifying how the CSP creates, approves, stores, and deletes image snapshots of the virtual machines or containers that run the organization’s workloads. Image snapshots can contain sensitive data or configuration settings that need to be protected from unauthorized access or modification.
• Requiring security services documentation and audit attestation reports: This component involves requesting and reviewing the CSP’s documentation and reports that demonstrate the security controls and practices that the CSP implements to protect the organization’s data and applications. These may include service level agreements (SLAs), security policies and procedures, security certifications and standards, vulnerability scanning and patching reports, incident response and disaster recovery plans, and independent audit reports such as SOC 2 or ISO 27001.
• Requiring compliance evidence that provides the definition of patching responsibilities: This component involves asking and verifying how the CSP handles the patching of the operating systems, applications, and libraries that run on the cloud infrastructure. Patching is a critical activity to prevent security breaches and ensure compliance with regulatory requirements. The organization needs to understand the roles and responsibilities of the CSP and the organization in patching the cloud environment, and the frequency and scope of patching activities.

The component that is typically NOT part of a cloud hosting vendor assessment program is conducting customer performed penetration tests. Penetration testing is a method of simulating a cyberattack on a system or network to identify and exploit vulnerabilities and weaknesses. While penetration testing can be a valuable tool to assess the security posture of a CSP, it is not usually included in a cloud hosting vendor assessment program for the following reasons :

• Penetration testing may violate the CSP’s terms of service or acceptable use policy, which may prohibit or restrict the customer from performing any unauthorized or disruptive activities on the cloud infrastructure. The customer may face legal or contractual consequences if they conduct penetration testing without the CSP’s consent or knowledge.
• Penetration testing may interfere with the CSP’s normal operations or affect the availability and performance of the cloud services for other customers. The customer may cause unintended damage or disruption to the CSP’s systems or networks, or trigger false alarms or alerts that may divert the CSP’s resources or attention.
• Penetration testing may not provide a comprehensive or accurate assessment of the CSP’s security, as the customer may have limited visibility or access to the CSP’s internal systems or networks, or may encounter security mechanisms or countermeasures that prevent or limit the penetration testing activities. The customer may also face ethical or legal issues if they access or compromise the data or systems of other customers or the CSP.

Therefore, the verified answer to the question is D. Conducting customer performed penetration tests.

References:

• Four Important Best Practices for Assessing Cloud Vendors
• Top 11 Questionnaires for IT Vendor Assessment in 2024
• Cloud Vendor Assessments | Done The Right Way
• [Penetration Testing in the Cloud: What You Need to Know]
• [Cloud Penetration Testing: Challenges and Best Practices]

In the ‘Defense in Depth’ security model, the innermost layer typically focuses on protecting the most sensitive and critical assets, which are often categorized as 'Private internal'. This layer includes security controls and measures that are designed to safeguard the core, confidential aspects of an organization's infrastructure and data. It encompasses controls such as access controls, encryption, and monitoring of sensitive systems and data to prevent unauthorized access and ensure data integrity and confidentiality. The 'Private internal' layer is crucial for maintaining the security of critical information and systems that are essential to the organization's operations and could have the most significant impact if compromised. Implementing robust security measures at this layer is vital for mitigating risks associated with physical access to critical infrastructure and sensitive information.

References:

• Security frameworks and standards, including NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and the SANS Institute's guidelines on implementing 'Defense in Depth', provide detailed recommendations on securing the innermost layers of an organization's information systems.
• Publications such as "Physical Security Principles" by ASIS International offer insights into best practices for securing the private internal layer, including access control systems, surveillance, and intrusion detection mechanisms.

Application security design standards are a set of principles for software development that address the top application security risks and industry web requirements. They provide guidance on how to design, develop, and deploy secure applications that meet the security objectives of the organization and the expectations of the customers and regulators. Application security design standards cover topics such as secure design principles, threat modeling, encryption, identity and access management, logging and auditing, coding standards and conventions, safe functions, data handling, error handling, third-party components, and testing and validation. Application security design standards help developers avoid common security pitfalls, reduce vulnerabilities, and enhance the quality and reliability of the software. Application security design standards also facilitate the alignment of the software development lifecycle with the third-party risk management framework, by ensuring that security requirements are defined, implemented, verified, and maintained throughout the development process. References:

• Fundamental Practices for Secure Software Development
• Secure Coding Practices
• Secure Software Development Best Practices
• Certified Third Party Risk Professional (CTPRP) Study Guide