Summer Special Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 60certs

Shared Assessments CTPRP Dumps

Page: 1 / 9
Total 125 questions

Certified Third-Party Risk Professional (CTPRP) Questions and Answers

Question 1

Which of the following is a component of evaluating a third party's use of Remote Access within their information security policy?

Options:

A.

Maintaining blocked IP address ranges

B.

Reviewing the testing and deployment procedures to networking components

C.

Providing guidelines to configuring ports on a router

D.

Identifying the use of multifactor authentication

Question 2

Which requirement is the MOST important for managing risk when the vendor contract terminates?

Options:

A.

The responsibility to perform a financial review of outstanding invoices

B.

The commitment to perform a final assessment based upon due diligence standards

C.

The requirement to ensure secure data destruction and asset return

D.

The obligation to define contract terms for transition services

Question 3

Which approach demonstrates GREATER maturity of physical security compliance?

Options:

A.

Leveraging periodic reporting to schedule facility inspections based on reported events

B.

Providing a checklist for self-assessment

C.

Maintaining a standardized scheduled for confirming controls to defined standards

D.

Conducting unannounced checks an an ac-hac basis

Question 4

Minimum risk assessment standards for third party due diligence should be:

Options:

A.

Set by each business unit based on the number of vendors to be assessed

B.

Defined in the vendor/service provider contract or statement of work

C.

Established by the TPRM program based on the company’s risk tolerance and risk appetite

D.

Identified by procurement and required for all vendors and suppliers

Question 5

An IT asset management program should include all of the following components EXCEPT:

Options:

A.

Maintaining inventories of systems, connections, and software applications

B.

Defining application security standards for internally developed applications

C.

Tracking and monitoring availability of vendor updates and any timelines for end of support

D.

Identifying and tracking adherence to IT asset end-of-life policy

Question 6

Which of the following statements is FALSE about Data Loss Prevention Programs?

Options:

A.

DLP programs include the policy, tool configuration requirements, and processes for the identification, blocking or monitoring of data

B.

DLP programs define the consequences for non-compliance to policies

C.

DLP programs define the required policies based on default tool configuration

D.

DLP programs include acknowledgement the company can apply controls to remove any data

Question 7

Which statement reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program?

Options:

A.

The program includes the definition of internal escalation processes

B.

The program includes protocols for disclosure of information to external parties

C.

The program includes mechanisms for notification to clients

D.

The program includes processes in support of disaster recovery

Question 8

Which statement is NOT a method of securing web applications?

Options:

A.

Ensure appropriate logging and review of access and events

B.

Conduct periodic penetration tests

C.

Adhere to web content accessibility guidelines

D.

Include validation checks in SDLC for cross site scripting and SOL injections

Question 9

Which factor is MOST important when scoping assessments of cloud-based third parties that access, process, and retain personal data?

Options:

A.

The geographic location of the vendor's outsourced datacenters since assessments are only required for international data transfers

B.

The identification of the type of cloud hosting deployment or service model in order to confirm responsibilities between the third party and the cloud hosting provider

C.

The definition of requirements for backup capabilities for power generation and redundancy in the resilience plan

D.

The contract terms for the configuration of the environment which may prevent conducting the assessment

Question 10

Which action statement BEST describes an assessor calculating residual risk?

Options:

A.

The assessor adjusts the vendor risk rating prior to reporting the findings to the business unit

B.

The assessor adjusts the vendor risk rating based on changes to the risk level after analyzing the findings and mitigating controls

C.

The business unit closes out the finding prior to the assessor submitting the final report

D.

The assessor recommends implementing continuous monitoring for the next 18 months

Question 11

Which cloud deployment model is focused on the management of hardware equipment?

Options:

A.

Function as a service

B.

Platform as a service

C.

Software as a service

D.

Infrastructure as a service

Question 12

Which type of external event does NOT trigger an organization ta prompt a third party contract provisions review?

Options:

A.

Change in company point of contact

B.

Business continuity event

C.

Data breach/privacy incident

D.

Change in regulations

Question 13

You are updating program requirements due to shift in use of technologies by vendors to enable hybrid work. Which statement is LEAST likely to represent components of an Asset

Management Program?

Options:

A.

Asset inventories should include connections to external parties, networks, or systems that process data

B.

Each asset should include an organizational owner who is responsible for the asset throughout its life cycle

C.

Assets should be classified based on criticality or data sensitivity

D.

Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines

Question 14

Which of the following BEST describes the distinction between a regulation and a standard?

Options:

A.

A regulation must be adhered to by all companies subject to its requirements, but companies “can voluntarily choose to follow standards.

B.

There is no distinction, regulations and standards are the same and have equal impact

C.

Standards are always a subset of a regulation

D.

A standard must be adhered to by companies based on the industry they are in, while regulations are voluntary.

Question 15

Which statement BEST describes the methods of performing due diligence during third party risk assessments?

Options:

A.

Inspecting physical and environmental security controls by conducting a facility tour

B.

Reviewing status of findings from the questionnaire and defining remediation plans

C.

interviewing subject matter experts or control owners, reviewing compliance artifacts, and validating controls

D.

Reviewing and assessing only the obligations that are specifically defined in the contract

Question 16

Which statement is TRUE regarding the use of questionnaires in third party risk assessments?

Options:

A.

The total number of questions included in the questionnaire assigns the risk tier

B.

Questionnaires are optional since reliance on contract terms is a sufficient control

C.

Assessment questionnaires should be configured based on the risk rating and type of service being evaluated

D.

All topic areas included in the questionnaire require validation during the assessment

Question 17

The set of shared values and beliefs that govern a company’s attitude toward risk is known as:

Options:

A.

Risk tolerance

B.

Risk treatment

C.

Risk culture

D.

Risk appetite

Question 18

Which of the following components are typically NOT part of a cloud hosting vendor assessment program?

Options:

A.

Reviewing the entity's image snapshot approval and management process

B.

Requiring security services documentation and audit attestation reports

C.

Requiring compliance evidence that provides the definition of patching responsibilities

D.

Conducting customer performed penetration tests

Question 19

When conducting an assessment of a third party's physical security controls, which of the following represents the innermost layer in a ‘Defense in Depth’ model?

Options:

A.

Public internal

B.

Restricted entry

C.

Private internal

D.

Public external

Question 20

A set of principles for software development that address the top application security risks and industry web requirements is known as:

Options:

A.

Application security design standards

B.

Security testing methodology

C.

Secure code reviews

D.

Secure architecture risk analysis

Question 21

Physical access procedures and activity logs should require all of the following EXCEPT:

Options:

A.

Require multiple access controls for server rooms and data centers

B.

Require physical access logs to be retained indefinitely for audit purposes

C.

Record successful and unsuccessful attempts including investigation of unsuccessful access attempts

D.

Include a process to trigger review of the logs after security events

Question 22

When defining due diligence requirements for the set of vendors that host web applications which of the following is typically NOT part of evaluating the vendor's patch

management controls?

Options:

A.

The capability of the vendor to apply priority patching of high-risk systems

B.

Established procedures for testing of patches, service packs, and hot fixes prior to installation

C.

A documented process to gain approvals for use of open source applications

D.

The existence of a formal process for evaluation and prioritization of known vulnerabilities

Question 23

Which type of contract termination is MOST likely to occur after failure to remediate assessment findings?

Options:

A.

Regulatory/supervisory termination

B.

Termination for convenience

C.

Normal termination

D.

Termination for cause

Question 24

Which statement BEST represents the primary objective of a third party risk assessment:

Options:

A.

To assess the appropriateness of non-disclosure agreements regarding the organization's systems/data

B.

To validate that the vendor/service provider has adequate controls in place based on the organization's risk posture

C.

To determine the scope of the business relationship

D.

To evaluate the risk posture of all vendors/service providers in the vendor inventory

Question 25

An outsourcer's vendor risk assessment process includes all of the following EXCEPT:

Options:

A.

Establishing risk evaluation criteria based on company policy

B.

Developing risk-tiered due diligence standards

C.

Setting remediation timelines based on the severity level of findings

D.

Defining assessment frequency based on resource capacity

Question 26

Which type of contract provision is MOST important in managing Fourth-Nth party risk after contract signing and on-boarding due diligence is complete?

Options:

A.

Subcontractor notice and approval

B.

Indemnification and liability

C.

Breach notification

D.

Right to audit

Question 27

Which statement is FALSE regarding the methods of measuring third party risk?

Options:

A.

Risk can be measured both qualitatively and quantitatively

B.

Risk can be quantified by calculating the severity of impact and likelihood of occurrence

C.

Assessing risk impact requires an analysis of prior events, frequency of occurrence, and external trends to analyze and predict the potential of a particular event happening

D.

Risk likelihood or probability is a critical element in quantifying inherent or residual risk

Question 28

Which statement is FALSE regarding the different types of contracts and agreements between outsourcers and service providers?

Options:

A.

Contract addendums are not sufficient for addressing third party risk obligations as each requirement must be outlined in the Master Services Agreement (MSA)

B.

Evergreen contracts are automatically renewed for each party after the maturity period, unless terminated under existing contract provisions

C.

Requests for Proposals (RFPs) for outsourced services should include mandatory requirements based on an organization's TPRM program policies, standards and procedures

D.

Statements of Work (SOWs) define operational requirements and obligations for each party

Question 29

Which policy requirement is typically NOT defined in an Asset Management program?

Options:

A.

The Policy states requirements for the reuse of physical media (e.9., devices, servers, disk drives, etc.)

B.

The Policy requires that employees and contractors return all company data and assets upon termination of their employment, contract or agreement

C.

The Policy defines requirements for the inventory, identification, and disposal of equipment “and/or physical media

D.

The Policy requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times

Question 30

When evaluating compliance artifacts for change management, a robust process should include the following attributes:

Options:

A.

Approval, validation, auditable.

B.

Logging, approvals, validation, back-out and exception procedures

C.

Logging, approval, back-out.

D.

Communications, approval, auditable.

Question 31

For services with system-to-system access, which change management requirement

MOST effectively reduces the risk of business disruption to the outsourcer?

Options:

A.

Approval of the change by the information security department

B.

Documenting sufficient time for quality assurance testing

C.

Communicating the change to customers prior ta deployment to enable external acceptance testing

D.

Documenting and legging change approvals

Question 32

Information classification of personal information may trigger specific regulatory obligations. Which statement is the BEST response from a privacy perspective:

Options:

A.

Personally identifiable financial information includes only consumer report information

B.

Public personal information includes only web or online identifiers

C.

Personally identifiable information and personal data are similar in context, but may have different legal definitions based upon jurisdiction

D.

Personally Identifiable Information and Protected Healthcare Information require the exact same data protection safequards

Question 33

Which statement is TRUE regarding the onboarding process far new hires?

Options:

A.

New employees and contractors should not be on-boarded until the results of applicant screening are approved

B.

it is not necessary to have employees, contractors, and third party users sign confidentiality or non-disclosure agreements

C.

All job roles should require employees to sign non-compete agreements

D.

New employees and contactors can opt-out of having to attend security and privacy awareness training if they hold existing certifications

Question 34

Which set of procedures is typically NOT addressed within data privacy policies?

Options:

A.

Procedures to limit access and disclosure of personal information to third parties

B.

Procedures for handling data access requests from individuals

C.

Procedures for configuration settings in identity access management

D.

Procedures for incident reporting and notification

Question 35

Which of the following actions reflects the first step in developing an emergency response plan?

Options:

A.

Conduct an assessment that includes an inventory of the types of events that have the greatest potential to trigger an emergency response plan

B.

Consider work-from-home parameters in the emergency response plan

C.

incorporate periodic crisis management team tabletop exercises to test different scenarios

D.

Use the results of continuous monitoring tools to develop the emergency response plan

Question 36

Which statement BEST reflects the factors that help you determine the frequency of cyclical assessments?

Options:

A.

Vendor assessments should be conducted during onboarding and then be replaced by continuous monitoring

B.

Vendor assessment frequency should be based on the level of risk and criticality of the vendor to your operations as determined by their vendor risk score

C.

Vendor assessments should be scheduled based on the type of services/products provided

D.

Vendor assessment frequency may need to be changed if the vendor has disclosed a data breach

Question 37

In which phase of the TPRM lifecycle should terms for return or destruction of data be defined and agreed upon?

Options:

A.

During contract negotiation

B.

At third party selection and initial due diligence

C.

When deploying ongoing monitoring

D.

At termination and exit

Page: 1 / 9
Total 125 questions