When updating TPRM vendor classification requirements with a focus on availability, which
risk rating factors provide the greatest impact to the analysis?
Type of data by classification; volume of records included in data processing
Financial viability of the vendor; ability to meet performance metrics
Network connectivity; remote access to applications
Impact on operations and end users; impact on revenue; impact on regulatory compliance
TPRM vendor classification is the process of categorizing vendors based on their criticality, risk level, and service type. Vendor classification helps to prioritize and allocate resources for vendor assessment, monitoring, and remediation. Vendor classification should be updated periodically to reflect changes in the business environment, vendor performance, and regulatory requirements.
When updating TPRM vendor classification requirements with a focus on availability, the risk rating factors that provide the greatest impact to the analysis are the impact on operations and end users, the impact on revenue, and the impact on regulatory compliance. This is because:
Availability is the degree to which a system or service is accessible and functional when required by authorized users. Availability is a key component of information security and business continuity, as it ensures that the business can operate normally and deliver value to its customers and stakeholders.
Impact on operations and end users measures the extent to which a vendor’s service disruption or failure affects the business processes, functions, and activities that depend on the vendor’s service. A high impact on operations and end users means that the vendor’s service is essential for the business to perform its core functions and meet its objectives, and that any downtime or degradation of the service would cause significant operational delays, inefficiencies, or losses.
Impact on revenue measures the extent to which a vendor’s service disruption or failure affects the business’s income, profitability, and market share. A high impact on revenue means that the vendor’s service is directly or indirectly linked to the business’s revenue generation, and that any downtime or degradation of the service would cause substantial financial losses, reduced customer satisfaction, or competitive disadvantage.
Impact on regulatory compliance measures the extent to which a vendor’s service disruption or failure affects the business’s adherence to the laws, regulations, standards, and contractual obligations that govern its industry, sector, or jurisdiction. A high impact on regulatory compliance means that the vendor’s service is subject to strict regulatory requirements, and that any downtime or degradation of the service would cause serious legal penalties, fines, sanctions, or reputational damage.
Therefore, these three factors are the most important to consider when updating TPRM vendor classification requirements with a focus on availability, as they reflect the potential consequences and risks of vendor unavailability for the business.
References:
CTPRP Job Guide
Criticality and Risk Rating Vendors 101
The Third-Party Vendor Risk Management Lifecycle
What Is Third-Party Risk Management (TPRM)? 2024 Guide
Third-Party Risk Management and ISO Requirements for 2022
Which statement reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program?
The program includes the definition of internal escalation processes
The program includes protocols for disclosure of information to external parties
The program includes mechanisms for notification to clients
The program includes processes in support of disaster recovery
An Information Security Incident Management Program is a set of policies, procedures, and tools that enable an organization to prevent, detect, respond to, and recover from information security incidents. An information security incident is any event that compromises the confidentiality, integrity, or availability of information assets, systems, or services [1][2]. A formal Information Security Incident Management Program typically includes the following components [1][2]:
The definition of internal escalation processes: This component defines the roles and responsibilities, communication channels, and reporting mechanisms for escalating and managing information security incidents within the organization. It also establishes the criteria and thresholds for determining the severity and impact of incidents, and the appropriate level of response and escalation.
The protocols for disclosure of information to external parties: This component defines the rules and guidelines for disclosing information about information security incidents to external stakeholders, such as customers, regulators, law enforcement, media, or other third parties. It also specifies the legal and contractual obligations, the timing and frequency, the format and content, and the approval and authorization processes for disclosure.
The mechanisms for notification to clients: This component defines the methods and procedures for notifying clients or customers who may be affected by information security incidents. It also specifies the objectives, scope, and content of notification, as well as the timing and frequency, the delivery channels, and the feedback and follow-up mechanisms.
The processes in support of disaster recovery: This component defines the steps and actions for restoring the normal operations of the organization after a major information security incident that causes significant disruption or damage to the information assets, systems, or services. It also specifies the roles and responsibilities, the resources and tools, the backup and recovery plans, and the testing and validation procedures for disaster recovery.
The statement that reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program is D. The program includes processes in support of disaster recovery. While disaster recovery is an important aspect of information security, it is not a specific component of an Information Security Incident Management Program. Rather, it is a separate program that covers the broader scope of business continuity and resilience, and may involve other types of disasters besides information security incidents, such as natural disasters, power outages, or pandemics [3]. Therefore, the correct answer is D. The program includes processes in support of disaster recovery.
References:
1: Computer Security Incident Handling Guide
2: Develop and Implement a Security Incident Management Program
3: Business Continuity Management vs Disaster Recovery
What is the difference between disaster recovery and security incident response?
The primary disadvantage of Single Sign-On (SSO) access control is:
The impact of a compromise of the end-user credential that provides access to multiple systems is greater
A single password is easier to guess and be exploited
Users store multiple passwords in a single repository limiting the ability to change the password
Vendors must develop multiple methods to integrate system access adding cost and complexity
Single Sign-On (SSO) is a convenient and efficient way of authenticating users across multiple applications and platforms with a single set of credentials. However, it also poses some security risks and challenges that need to be considered and addressed. One of the main disadvantages of SSO is that it creates a single point of failure and a high-value target for attackers. If an end-user credential is compromised, the attacker can gain access to all the systems and resources that the user is authorized to access, potentially causing significant damage and data breaches. Therefore, SSO requires strong security measures to protect the user credentials, such as encryption, multifactor authentication, password policies, and monitoring. Additionally, SSO users need to be aware of the risks and follow best practices to safeguard their credentials, such as using strong and unique passwords, changing them regularly, and avoiding phishing and social engineering attacks.
References:
1: What are the disadvantages of single sign-on authentication? - Information Security Stack Exchange
2: Single Sign-On Disadvantages: 6 Advantages and Disadvantages [What You Need to Know] - Mostly Blogging
3: SSO Security Risks: The Drawbacks of SSO (And What Can You Do About it) - Zluri
Which of the following is a positive aspect of adhering to a secure SDLC?
Promotes a “check the box” compliance approach
A process that defines and meets both the business requirements and the security requirements
A process that forces quality code repositories management
Enables the process if system code is managed in different IT silos
A secure SDLC is a framework that integrates security best practices and standards throughout the software development life cycle, from planning to deployment and maintenance. A secure SDLC aims to ensure that security is considered and implemented at every stage of the development process, not just as an afterthought or a compliance check. A secure SDLC can help organizations to achieve the following benefits [1][2]:
Reduce the risk of security breaches and incidents by identifying and mitigating vulnerabilities early and continuously
Improve the quality and reliability of software products by ensuring that they meet both the functional and the security requirements
Save time and money by avoiding costly rework, remediation, and reputation damage caused by security flaws
Enhance customer trust and satisfaction by delivering secure and compliant software solutions
Foster a culture of security awareness and responsibility among developers, testers, and other stakeholders
References:
Secure SDLC | Secure Software Development Life Cycle | Snyk
What is Secure Software Development Life Cycle (SSDLC)? - GeeksforGeeks
Which of the following components is NOT typically included in external continuous monitoring solutions?
Status updates on localized events based on geolocation
Alerts on legal and regulatory actions involving the vendor
Metrics that track SLAs for performance management
Reports that identify changes in vendor financial viability
External continuous monitoring solutions are tools or services that provide objective and timely data on the cybersecurity posture and performance of third-party vendors. They typically include components such as:
Status updates on localized events based on geolocation, which can alert the organization to potential disruptions or incidents affecting the vendor’s operations or infrastructure in a specific region or country [1][2].
Alerts on legal and regulatory actions involving the vendor, which can indicate the vendor’s compliance status, reputation, or liability exposure [1][3].
Reports that identify changes in vendor financial viability, which can signal the vendor’s ability to sustain its business operations, invest in security, or honor its contractual obligations [1][4].
However, metrics that track SLAs for performance management are not typically included in external continuous monitoring solutions, as they are more relevant for internal monitoring and reporting. SLAs are service level agreements that define the expected quality, availability, and reliability of the vendor’s services or products, as well as the penalties or remedies for non-compliance. SLAs are usually measured and reported by the vendor itself, or by a third-party auditor or assessor, based on the specific criteria and frequency agreed upon by the parties. Therefore, option C is the correct answer.
References:
Third Party Risk Management Framework, Module 5: Program Implementation, Section 5.2: Ongoing Monitoring, p. 32
Bitsight Continuous Monitoring, Section: Uncover hidden risks
Best-Practices Guidance for Third-Party Risk, Section: Monitor Third-Party Compliance with Regulations and Standards, p. 3
Five Best Practices to Manage and Control Third-Party Risk, Section: Monitor Third-Party Financial Health, p. 4
Third Party Risk Management Framework, Module 4: Program Components, Section 4.3: Contracting, p. 24
A Better Way to Manage Third-Party Risk, Section: Establish clear service level agreements (SLAs) and key performance indicators (KPIs), p. 2
Which statement is FALSE when describing the third party risk assessors’ role when conducting a controls evaluation using an industry framework?
The Assessor's role is to conduct discovery with subject matter experts to understand the control environment
The Assessor's role is to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls
The Assessor's role is to provide an opinion on the effectiveness of controls conducted over a period of time in their report
The Assessor's role is to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes
According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, the third party risk assessor’s role is to evaluate the design and operating effectiveness of the third party’s controls based on an industry framework, such as ISO, NIST, COBIT, or COSO [1]. The assessor’s role is not to provide an opinion on the effectiveness of controls, but rather to report the results of the evaluation in a factual and objective manner [2]. The assessor’s role is also to conduct discovery with subject matter experts to understand the control environment, to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls, and to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes [1]. These are all true statements that describe the assessor’s role when conducting a controls evaluation using an industry framework.
References:
1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, page 29
2: What is a Third-Party Risk Assessment? — RiskOptics
Which approach for managing end-user device security is typically used for lost or stolen company-owned devices?
Remotely enable lost mode status on the device
Deletion of data after a pre-defined number of failed login attempts
Enterprise wipe of all company data and contacts
Remote wipe of the device and restore to factory settings
Remote wipe is a security feature that allows an administrator or a user to remotely erase all the data and settings on a device in case it is lost or stolen. This prevents unauthorized access to sensitive information and reduces the risk of data breaches. Remote wipe is typically used for company-owned devices, as it ensures that no company data remains on the device after it is lost or stolen. Remote wipe also restores the device to its factory settings, making it unusable for the thief or finder. Remote wipe can be performed through various methods, such as using a mobile device management (MDM) solution, a cloud service, or a built-in feature of the device’s operating system.
References:
1: How to protect your company from data breaches caused by lost or stolen devices
2: BYOD vs Company-Owned Devices: How to Maintain Security
3: Lost or Stolen Business Device? Here’s What to do Next
Which statement is TRUE regarding the use of questionnaires in third party risk assessments?
The total number of questions included in the questionnaire assigns the risk tier
Questionnaires are optional since reliance on contract terms is a sufficient control
Assessment questionnaires should be configured based on the risk rating and type of service being evaluated
All topic areas included in the questionnaire require validation during the assessment
Questionnaires are one of the most common and effective tools for conducting third party risk assessments. They help organizations gather information about the security and compliance practices of their vendors and service providers, as well as identify any gaps or weaknesses that may pose a risk to the organization. However, not all questionnaires are created equal. Depending on the nature and scope of the third party relationship, different types and levels of questions may be required to adequately assess the risk. Therefore, it is important to configure the assessment questionnaires based on the risk rating and type of service being evaluated [1][2].
The risk rating of a third party is determined by various factors, such as the criticality of the service they provide, the sensitivity of the data they handle, the regulatory requirements they must comply with, and the potential impact of a breach or disruption on the organization. The higher the risk rating, the more detailed and comprehensive the questionnaire should be. For example, a high-risk third party that processes personal or financial data may require a questionnaire that covers multiple domains of security and privacy, such as data protection, encryption, access control, incident response, and audit. A low-risk third party that provides a non-critical service or does not handle sensitive data may require a questionnaire that covers only the basic security controls, such as firewall, antivirus, and password policy [1][2].
The type of service that a third party provides also influences the configuration of the questionnaire. Different services may have different security and compliance standards and best practices that need to be addressed. For example, a third party that provides cloud-based services may require a questionnaire that covers topics such as cloud security architecture, data residency, service level agreements, and disaster recovery. A third party that provides software development services may require a questionnaire that covers topics such as software development life cycle, code review, testing, and vulnerability management [1][2].
By configuring the assessment questionnaires based on the risk rating and type of service being evaluated, organizations can ensure that they ask the right questions to the right third parties, and obtain relevant and meaningful information to support their risk management decisions. Therefore, the statement that assessment questionnaires should be configured based on the risk rating and type of service being evaluated is TRUE [1][2].
References:
1: How to Use SIG Questionnaires for Better Third-Party Risk Management
2: Third-party risk assessment questionnaires - KPMG India
A set of principles for software development that address the top application security risks and industry web requirements is known as:
Application security design standards
Security testing methodology
Secure code reviews
Secure architecture risk analysis
Application security design standards are a set of principles for software development that address the top application security risks and industry web requirements. They provide guidance on how to design, develop, and deploy secure applications that meet the security objectives of the organization and the expectations of the customers and regulators. Application security design standards cover topics such as secure design principles, threat modeling, encryption, identity and access management, logging and auditing, coding standards and conventions, safe functions, data handling, error handling, third-party components, and testing and validation. Application security design standards help developers avoid common security pitfalls, reduce vulnerabilities, and enhance the quality and reliability of the software. Application security design standards also facilitate the alignment of the software development lifecycle with the third-party risk management framework, by ensuring that security requirements are defined, implemented, verified, and maintained throughout the development process.
References:
Fundamental Practices for Secure Software Development
Secure Coding Practices
Secure Software Development Best Practices
Certified Third Party Risk Professional (CTPRP) Study Guide
Which set of procedures is typically NOT addressed within data privacy policies?
Procedures to limit access and disclosure of personal information to third parties
Procedures for handling data access requests from individuals
Procedures for configuration settings in identity access management
Procedures for incident reporting and notification
Data privacy policies are documents that outline how an organization collects, uses, stores, shares, and protects personal information from its customers, employees, partners, and other stakeholders [1]. Data privacy policies should address the following key elements [2]:
The purpose and scope of data collection and processing
The legal basis and consent mechanism for data processing
The types and categories of personal data collected and processed
The data retention and deletion policies and practices
The data security and encryption measures and standards
The data sharing and disclosure practices and procedures, including the use of third parties and cross-border transfers
The data access, correction, and deletion rights and requests of individuals
The data breach and incident response and notification procedures and responsibilities
The data protection officer and contact details
The data privacy policy review and update process and frequency
Procedures for configuration settings in identity access management are typically not addressed within data privacy policies, as they are more related to the technical and operational aspects of data security and access control. Identity access management (IAM) is a framework of policies, processes, and technologies that enable an organization to manage and verify the identities and access rights of its users and devices [3]. IAM configuration settings determine how users and devices are authenticated, authorized, and audited when accessing data and resources. IAM configuration settings should be aligned with the data privacy policies and principles, but they are not part of the data privacy policies themselves. IAM configuration settings should be documented and maintained separately from data privacy policies, and should be reviewed and updated regularly to ensure compliance and security.
References:
1: What is a Data Privacy Policy? | OneTrust
2: Privacy Policy Checklist: What to Include in Your Privacy Policy
3: What is identity and access management? | IBM
Identity and Access Management Configuration Settings
Why data privacy and third-party risk teams need to work … - OneTrust
Privacy Risk Management - ISACA
What Every Chief Privacy Officer Should Know About Third-Party Risk …
Which of the following is NOT a key component of TPRM requirements in the software development life cycle (SDLC)?
Maintenance of artifacts that provide proof that SDLC gates are executed
Process for data destruction and disposal
Software security testing
Process for fixing security defects
In the context of Third-Party Risk Management (TPRM) requirements within the Software Development Life Cycle (SDLC), a process for data destruction and disposal is not typically considered a key component. The primary focus within SDLC in TPRM is on ensuring secure software development practices, which includes maintaining artifacts to prove that SDLC gates are executed, conducting software security testing, and having processes in place for fixing security defects. While data destruction and disposal are important security considerations, they are generally associated with data lifecycle management and information security management practices rather than being integral to the SDLC process itself.
References:
Best practices in secure software development, as outlined in frameworks like the Secure Software Development Framework (SSDF) by NIST, emphasize the importance of secure coding, vulnerability testing, and remediation processes rather than data disposal practices.
The " Software Security Framework (SSF) " by the Open Web Application Security Project (OWASP) provides guidance on integrating security practices into the SDLC, focusing on areas like threat modeling, secure coding, and security testing.
The set of shared values and beliefs that govern a company’s attitude toward risk is known as:
Risk tolerance
Risk treatment
Risk culture
Risk appetite
Risk culture is the term used to describe the collective way that an organization thinks about, manages, and responds to risk. It is influenced by the organization’s values, beliefs, norms, and practices, as well as the external environment and stakeholders. Risk culture affects how employees perceive, communicate, and act on risk issues, and how they balance risk and reward in their decision making. A strong risk culture is one that supports the organization’s strategic objectives, fosters accountability and transparency, and promotes learning and improvement. A weak risk culture is one that undermines the organization’s risk management framework, creates silos and conflicts, and exposes the organization to excessive or unnecessary risks.
References:
Shared Assessments CTPRP Study Guide, page 13, section 2.1.1
GARP Best Practices Guidance for Third Party Risk, page 5, section 2.1
Organizational culture | Definition, Benefits and Challenges
When evaluating compliance artifacts for change management, a robust process should include the following attributes:
Approval, validation, auditable
Logging, approvals, validation, back-out and exception procedures
Logging, approval, back-out
Communications, approval, auditable
Change management is the process of controlling and documenting any changes to the scope, objectives, requirements, deliverables, or resources of a project or a program. Change management ensures that the impact of any change is assessed and communicated to all stakeholders, and that the changes are implemented in a controlled and coordinated manner. Compliance artifacts are the documents, records, or reports that demonstrate the adherence to the change management process and the regulatory or industry standards.
A robust change management process should include the following attributes:
Logging: This means that any change request or proposal is recorded in a change log or a change register, along with the details of the change initiator, the change description, the change category, the change priority, the change status, and the change history. Logging helps to track and monitor the progress and outcome of each change, and to provide an audit trail for compliance purposes.
Approvals: This means that any change request or proposal is reviewed and approved by the appropriate authority or stakeholder, such as the project manager, the sponsor, the customer, the steering committee, or the regulatory body. Approvals help to ensure that the change is justified, feasible, aligned with the project or program objectives, and acceptable to the affected parties.
Validation: This means that any change request or proposal is verified and tested to ensure that it meets the quality standards, the functional and non-functional requirements, and the expected benefits and outcomes. Validation helps to ensure that the change is implemented correctly, effectively, and efficiently, and that it does not introduce any errors, defects, or risks.
Back-out and exception procedures: This means that any change request or proposal has a contingency plan or a rollback plan in case the change fails, causes problems, or is rejected. Back-out and exception procedures help to minimize the negative impact of the change, and to restore the original state or the baseline of the project or program. They also help to handle any deviations or issues that may arise during the change implementation or the change review.
References:
CTPRP Job Guide
An Agile Approach to Change Management
CM Overview
Management Artifacts and its Types
Achieving Regulatory and Industry Standards Compliance with the Scaled Agile Framework
8 Steps for an Effective Change Management Process
Information classification of personal information may trigger specific regulatory obligations. Which statement is the BEST response from a privacy perspective:
Personally identifiable financial information includes only consumer report information
Public personal information includes only web or online identifiers
Personally identifiable information and personal data are similar in context, but may have different legal definitions based upon jurisdiction
Personally Identifiable Information and Protected Healthcare Information require the exact same data protection safeguards
Personal information is any information that can be used to identify an individual, either directly or indirectly, such as name, address, email, phone number, ID number, etc. Personal data is a term used in some jurisdictions, such as the European Union, to refer to personal information that is subject to data protection laws and regulations. However, the scope and definition of personal data may vary depending on the jurisdiction and the context. For example, the GDPR defines personal data as “any information relating to an identified or identifiable natural person” and includes online identifiers, such as IP addresses, cookies, or device IDs, as well as special categories of data, such as biometric, genetic, health, or political data. On the other hand, the US does not have a single federal law that regulates personal data, but rather a patchwork of sector-specific and state-level laws that may have different definitions and requirements. For example, the California Consumer Privacy Act (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and excludes publicly available information from its scope. Therefore, from a privacy perspective, it is important to understand the different legal definitions and obligations that may apply to personal information or personal data depending on the jurisdiction and the context of the data processing activity.
References:
GDPR personal data – what information does this cover?
Personal Information, Data Classification, Life Cycle and Best Practices
5 Types of Data Classification (With Examples)
Which statement is TRUE regarding a vendor's approach to Environmental, Social, and Governance (ESG) programs?
ESG expectations are driven by a company's executive team for internal commitments and not external entities
ESG requirements and programs may be directed by regulatory obligations or in response to company commitments
ESG commitments can only be measured qualitatively so it cannot be included in vendor due diligence standards
ESG obligations only apply to a company with publicly traded stocks
ESG programs are initiatives that aim to improve the environmental, social, and governance performance of a vendor or service provider. ESG programs may be driven by various factors, such as regulatory obligations, customer expectations, stakeholder pressure, industry standards, or company commitments. Therefore, statement B is true and the correct answer is B. Statement A is false because ESG expectations may come from external entities, such as regulators, investors, customers, or civil society. Statement C is false because ESG commitments can be measured both qualitatively and quantitatively, using indicators such as carbon emissions, diversity, ethics, or compliance. Statement D is false because ESG obligations may apply to any company, regardless of its size, ownership, or sector.
References:
Third-party risk management and the ESG agenda
ESG third-party risk
The Role of Third-Party Risk Management in ESG Compliance
When evaluating remote access risk, which of the following is LEAST applicable to your analysis?
Logging of remote access authentication attempts
Limiting access by job role or business justification
Monitoring device activity usage volumes
Requiring application whitelisting
Application whitelisting is a security technique that allows only authorized applications to run on a device or network, preventing malware or unauthorized software from executing. While this can be a useful security measure, it is not directly related to remote access risk evaluation, which focuses on the security of the connection and the access rights of the remote users. The other options are more relevant to remote access risk evaluation, as they help to monitor, control, and audit the remote access activities and prevent unauthorized or malicious access. References:
1: Secure Remote Access: Risks, Auditing, and Best Practices
2: 5 Common Vulnerabilities Associated With Remote Access
Which of the following is NOT an attribute in the vendor inventory used to assign risk rating and vendor classification?
Type of data accessed, processed, or retained
Type of systems accessed
Type of contract addendum
Type of network connectivity
Vendor inventory is a list of all the third-party vendors that an organization engages with, along with relevant information about their products, services, contracts, and risks. Vendor inventory is a crucial tool for vendor risk management, as it helps an organization identify, assess, monitor, and mitigate the potential risks associated with its vendors. Vendor inventory also helps an organization prioritize its vendor oversight activities, allocate its resources efficiently, and comply with its regulatory obligations 1 2.
One of the key steps in creating and maintaining a vendor inventory is to assign a risk rating and a vendor classification to each vendor, based on various attributes that reflect the level of risk and criticality they pose to the organization. The risk rating and vendor classification help an organization determine the frequency and depth of its vendor due diligence, review, and audit processes, as well as the appropriate controls and remediation actions to implement 3.
Some of the common attributes used to assign risk rating and vendor classification are:
Type of data accessed, processed, or retained: This attribute indicates the sensitivity and confidentiality of the data that the vendor handles on behalf of the organization, such as personally identifiable information (PII), protected health information (PHI), financial information, intellectual property, etc. The more sensitive and confidential the data, the higher the risk rating and vendor classification, as the vendor must comply with strict security and privacy standards and regulations, and the organization must protect itself from data breaches, leaks, or losses.
Type of systems accessed: This attribute indicates the access level and privileges that the vendor has to the organization’s systems, such as networks, servers, databases, applications, etc. The more access and privileges the vendor has, the higher the risk rating and vendor classification, as the vendor must adhere to the organization’s policies and procedures, and the organization must safeguard itself from unauthorized or malicious activities, such as cyberattacks, sabotage, or espionage.
Type of network connectivity: This attribute indicates the mode and frequency of the data transmission and communication between the vendor and the organization, such as online, offline, real-time, batch, etc. The more network connectivity the vendor has, the higher the risk rating and vendor classification, as the vendor must ensure the availability, integrity, and reliability of the data, and the organization must prevent data interception, modification, or disruption.
The type of contract addendum is NOT an attribute used to assign risk rating and vendor classification, as it is not directly related to the risk or criticality of the vendor. A contract addendum is a legal document that modifies or supplements the original contract between the vendor and the organization, such as adding or deleting terms, clauses, or provisions. The type of contract addendum may reflect changes or updates in the vendor relationship, such as scope, duration, price, service level, etc., but it does not indicate the level of risk or impact that the vendor has on the organization. Therefore, the type of contract addendum is not a relevant factor for vendor risk assessment and management. References:
1: Vendor Inventory - Shared Assessments
2: Vendor Inventory Management: A Guide to Third-Party Risk Management
3: Vendor Risk Rating - Shared Assessments
Vendor Risk Rating: How to Rate Your Vendors | Smartsheet
Vendor Classification - Shared Assessments
Vendor Tiering: How to Classify Your Vendors | Smartsheet
Contract Addendum - Shared Assessments
What is a Contract Addendum? | Definition and Examples | Imperva
Which statement is FALSE regarding background check requirements for vendors or service providers?
A. Background check requirements are not applicable for vendors or service providers based outside the United States
B. Background checks should be performed prior to employment and may be updated after employment based upon criteria in HR policies
C. Background check requirements should be applied to employees, contract workers and temporary workers
D. Background check requirements may differ based on level of authority, risk, or job role
Background check requirements are applicable for vendors or service providers based outside the United States, as well as those based within the country. According to the Shared Assessments Program, background checks are a key component of third-party risk management and should be conducted for all third parties that have access to sensitive data, systems, or facilities, regardless of their location 1. The FCRA also applies to background checks performed by U.S. employers on foreign nationals who work outside the U.S. for a U.S. employer or its affiliates 2. Therefore, statement A is false and the correct answer is A. References:
Shared Assessments Program: Third Party Risk Management Fundamentals
Background Checks for Contractors or Vendors
Which statement is TRUE regarding defining vendor classification or risk tiering in a TPRM program?
A. Vendor classification and risk tiers are based upon residual risk calculations
B. Vendor classification and risk tiering should only be used for critical third party relationships
C. Vendor classification and corresponding risk tiers utilize the same due diligence standards for controls evaluation based upon policy
D. Vendor classification and risk tier is determined by calculating the inherent risk associated with outsourcing a specific product or service
Vendor classification or risk tiering is a process of categorizing vendors based on the level of security risk they introduce to an organization 1 2. It is a key component of a third-party risk management (TPRM) program, as it helps to prioritize and allocate resources for vendor assessment, monitoring, and remediation 1 2. Statement D is true, as it reflects the first step of vendor classification or risk tiering, which is to determine the inherent risk of each vendor relationship based on the nature, scope, and complexity of the product or service being outsourced 3. Inherent risk is the risk that exists before any controls or mitigating factors are applied 3. By calculating the inherent risk, an organization can assign each vendor to a risk tier that reflects the potential impact and likelihood of a security breach or incident involving the vendor 3.
The other statements are false, as they do not accurately describe the vendor classification or risk tiering process. Statement A is false, as vendor classification and risk tiers are not based on residual risk calculations, but on inherent risk calculations. Residual risk is the risk that remains after controls or mitigating factors are applied 3. Residual risk is used to evaluate the effectiveness of the controls and the need for further action, but not to classify or tier vendors 3. Statement B is false, as vendor classification and risk tiering should be used for all third party relationships, not only for critical ones. Vendor classification and risk tiering helps to identify and prioritize the critical vendors, but also to manage the low and medium risk vendors according to their respective risk profiles 1 2. Statement C is false, as vendor classification and corresponding risk tiers do not utilize the same due diligence standards for controls evaluation based upon policy, but different ones. Due diligence standards are the criteria and methods used to assess the security posture and performance of vendors. Due diligence standards should vary according to the risk tier of the vendor, as higher risk vendors require more rigorous and frequent evaluation than lower risk vendors.
References:
1: What is Vendor Tiering? Optimize Your Vendor Risk Management | UpGuard Blog
2: Vendor Tiering Best Practices: Categorizing Vendor Risks | UpGuard Blog
3: Third-Party Risk Management (TPRM): A Complete Guide - BlueVoyant
4: Supplemental Examination Procedures for Risk Management of Third-Party Relationships
5: Third Party Risk Management: Why It’s Important And What Features To Look For - Expert Insights
Which example of a response to external environmental factors is LEAST likely to be managed directly within the BCP or IT DR plan?
Protocols for social media channels and PR communication
Response to a natural or man-made disruption
Dependency on key employee or supplier issues
Response to a large scale illness or health outbreak
A BCP or IT DR plan is a set of procedures and actions that an organization takes to ensure the continuity and recovery of its critical business functions and IT systems in the event of a disruption. A BCP or IT DR plan typically covers the following aspects 1 2:
Identification and prioritization of critical business functions and IT systems
Assessment and mitigation of risks and threats to the organization
Allocation and mobilization of resources and personnel
Communication and coordination with internal and external stakeholders
Testing and updating of the plan
Among the four examples of a response to external environmental factors, protocols for social media channels and PR communication are the least likely to be managed directly within the BCP or IT DR plan. This is because social media and PR communication are not critical business functions or IT systems that need to be restored or maintained during a disruption. They are rather supplementary tools that can be used to inform and engage with the public, customers, partners, and media about the organization’s situation and actions 3. Therefore, protocols for social media and PR communication are more likely to be part of a crisis communication plan, which is a separate but related document that outlines the strategies and tactics for communicating with various audiences during a crisis.
The other three examples are more likely to be managed directly within the BCP or IT DR plan, as they directly affect the organization’s ability to perform its critical business functions and IT systems. For instance, a response to a natural or man-made disruption would involve activating the BCP or IT DR plan, assessing the impact and extent of the damage, deploying backup and recovery solutions, and restoring normal operations as soon as possible. A response to a dependency on key employee or supplier issues would involve identifying and managing the single points of failure, implementing contingency plans, and ensuring the availability and redundancy of essential skills and resources. A response to a large scale illness or health outbreak would involve implementing health and safety measures, enabling remote work arrangements, and ensuring the resilience and continuity of the workforce. References:
Business continuity vs. disaster recovery: Which plan is right … - IBM
Business Continuity vs Disaster Recovery: What’s The Difference?
Disaster recovery plan vs. business continuity plan: Is there a difference?
Crisis Communication Plan: A PR Blue Print by Sandra K. Clawson Freeo
Disaster Recovery Planning (DRP) | Business Continuity Plan (BCP) | Disaster Recovery Journal
Managing Third Party Risk in a Disrupted World
Business Continuity Planning for a Pandemic
Which statement is TRUE regarding artifacts reviewed when assessing the Cardholder Data Environment (CDE) in payment card processing?
A. The Data Security Standards (DSS) framework should be used to scope the assessment
B. The Report on Compliance (ROC) provides the assessment results completed by a qualified security assessor that includes an onsite audit
C. The Self-Assessment Questionnaire (SAQ) provides independent testing of controls
D. A System and Organization Controls (SOC) report is sufficient if the report addresses the same location
The Cardholder Data Environment (CDE) is the part of the network that stores, processes, or transmits cardholder data or sensitive authentication data, as well as any connected or security-impacting systems 1 2 3. The CDE is subject to the Payment Card Industry Data Security Standard (PCI DSS), which is a set of requirements and guidelines for ensuring the security and compliance of payment card transactions 1 2 3. The PCI DSS defines various artifacts that are reviewed when assessing the CDE, such as:
The Data Security Standards (DSS) framework: This is the document that specifies the 12 high-level requirements and the corresponding sub-requirements and testing procedures for PCI DSS compliance 1 2 3. The DSS framework should be used to scope the assessment, meaning to identify and document the systems and components that are in scope for PCI DSS, as well as the applicable requirements and controls for each system and component 1 2 3. Therefore, option A is a true statement regarding artifacts reviewed when assessing the CDE.
The Report on Compliance (ROC): This is the report that provides the assessment results completed by a qualified security assessor (QSA) that includes an onsite audit of the CDE 1 2 3. The ROC is a detailed and comprehensive document that validates the organization’s compliance status and identifies any gaps or deficiencies that need to be remediated 1 2 3. The ROC is required for merchants and service providers that process more than 6 million transactions annually, or that have suffered a breach or been compromised in the past year 1 2 3. Therefore, option B is a true statement regarding artifacts reviewed when assessing the CDE.
The Self-Assessment Questionnaire (SAQ): This is a questionnaire that provides a validation tool for merchants and service providers that are not required to submit a ROC 1 2 3. The SAQ is a self-assessment tool that allows the organization to evaluate its own compliance status and identify any gaps or deficiencies that need to be remediated 1 2 3. The SAQ does not provide independent testing of controls, as it is based on the organization’s self-reported answers and evidence 1 2 3. Therefore, option C is a false statement regarding artifacts reviewed when assessing the CDE.
A System and Organization Controls (SOC) report: This is a report that provides an independent audit of the internal controls and processes of a service organization, such as a cloud provider, a data center, or a payment processor 4 5. The SOC report is not specific to PCI DSS, but rather to other standards and frameworks, such as SOC 1 (based on SSAE 18), SOC 2 (based on Trust Services Criteria), or SOC 3 (based on SOC 2) 4 5. A SOC report is not sufficient to demonstrate PCI DSS compliance, as it may not cover all the requirements and controls of the PCI DSS, or it may not address the same location or scope as the CDE 1 2 3. Therefore, option D is a false statement regarding artifacts reviewed when assessing the CDE.
References: The following resources support the verified answer and explanation:
1: PCI DSS Quick Reference Guide
2: PCI DSS FAQs
3: PCI DSS Glossary
4: What is a SOC report?
5: SOC Reports: What They Are, and Why They Matter
Which of the following statements BEST represent the relationship between incident response and incident notification plans?
Cybersecurity incident response programs have the same scope and objectives as privacy incident notification procedures
All privacy and security incidents should be treated alike until analysis is performed to quantify the number of records impacted
Security incident response management is only included in crisis communication for externally reported events
A security incident may become a security breach based upon analysis and trigger the organization's incident notification or crisis communication process
Incident response and incident notification are two related but distinct processes that organizations should follow when dealing with security incidents. Incident response is the process of identifying, containing, analyzing, eradicating, and recovering from security incidents, while incident notification is the process of communicating the relevant information about the incident to the appropriate internal and external stakeholders, such as senior management, regulators, customers, and media 1 2.
Not all security incidents are security breaches, which are defined as unauthorized access to or disclosure of sensitive or confidential information that could result in harm to the organization or individuals 3. A security incident may become a security breach based on the analysis of the impact, scope, and severity of the incident, as well as the applicable legal and regulatory requirements. When a security breach is confirmed or suspected, the organization should trigger its incident notification or crisis communication process, which should include the following elements:
A clear definition of roles and responsibilities for notification and communication
A list of internal and external stakeholders who need to be notified and their contact information
A set of predefined templates and messages for different types of incidents and audiences
A communication strategy and timeline that aligns with the incident response plan and the business continuity plan
A feedback mechanism to monitor and measure the effectiveness of the communication and adjust as needed
Incident notification and communication are critical for managing the reputation, trust, and compliance of the organization, as well as for mitigating the potential legal, financial, and operational consequences of a security breach. References:
1: Incident Response Plan: Frameworks and Steps
2: A Guide to Incident Response Plans, Playbooks, and Policy
3: What is Incident Response? Plan and Steps
Incident Response and Breach Notification
Incident Response Communication: Best Practices
The Importance of Incident Response Communication
Which type of contract termination is MOST likely to occur after failure to remediate assessment findings?
Regulatory/supervisory termination
Termination for convenience
Normal termination
Termination for cause
Termination for cause is the type of contract termination that is most likely to occur after failure to remediate assessment findings. This is because termination for cause is based on a breach of contract by the third-party, such as non-compliance, poor performance, fraud, or misconduct. Failure to remediate assessment findings indicates that the third-party has not met the contractual obligations or expectations of the entity, and thus exposes the entity to increased risk and liability. Termination for cause allows the entity to end the contract immediately or after a notice period, and to seek damages or remedies from the third-party. Termination for cause is different from other types of contract termination, such as:
Regulatory/supervisory termination, which is triggered by a change in law or regulation that affects the legality or feasibility of the contract.
Termination for convenience, which is exercised by the entity without any fault or breach by the third-party, usually for strategic or operational reasons.
Normal termination, which is the natural expiration of the contract term or the completion of the contract scope. References:
1: Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide
2: Fusion Risk Management. (2021). Exit Strategy for Terminating a Third Party
3: Volkov, M. (2016). Third-Party Risk Management – Part 2: Contract Termination
Which of the following factors is MOST important when assessing the risk of shadow IT in organizational security?
The organization maintains adequate policies and procedures that communicate required controls for security functions
The organization requires security training and certification for security personnel
The organization defines staffing levels to address impact of any turnover in security roles
The organization's resources and investment are sufficient to meet security requirements
Shadow IT is the use and management of any IT technologies, solutions, services, projects, and infrastructure without formal approval and support of internal IT departments. Shadow IT can pose significant security risks to the organization, such as data breaches, compliance violations, malware infections, or network disruptions. Therefore, assessing and mitigating the risk of shadow IT is an essential part of organizational security.
One of the most important factors when assessing the risk of shadow IT is whether the organization maintains adequate policies and procedures that communicate required controls for security functions. Policies and procedures are the documents that define the organization’s security objectives, standards, roles, responsibilities, and processes. They provide guidance and direction for the organization’s security activities, such as risk assessment, vendor management, incident response, data protection, access control, etc. They also establish the expectations and requirements for the organization’s employees, vendors, and other stakeholders regarding the use and management of IT resources.
By maintaining adequate policies and procedures that communicate required controls for security functions, the organization can:
Educate and inform its employees about the security risks and implications of shadow IT, and the benefits and advantages of using authorized and supported IT resources.
Establish and enforce clear and consistent rules and boundaries for the use and management of IT resources, and the consequences and penalties for violating them.
Monitor and audit the compliance and performance of its employees, vendors, and other stakeholders regarding the use and management of IT resources, and identify and address any deviations or issues.
Review and update its policies and procedures regularly, and communicate any changes or updates to its employees, vendors, and other stakeholders.
By doing so, the organization can reduce the likelihood and impact of shadow IT, and increase the visibility and accountability of its IT environment. The organization can also foster a culture of security awareness and responsibility among its employees, vendors, and other stakeholders, and encourage them to report and resolve any shadow IT incidents or problems.
The other factors, such as the organization’s security training and certification, staffing levels, and resources and investment, are also relevant for assessing the risk of shadow IT, but they are not as important as the organization’s policies and procedures. Security training and certification can help the organization’s security personnel to acquire and maintain the necessary skills and knowledge to deal with shadow IT, but they do not address the root causes or motivations of shadow IT. Staffing levels can affect the organization’s ability to detect and respond to shadow IT, but they do not prevent or deter shadow IT from occurring. Resources and investment can enable the organization to provide adequate and appropriate IT resources to its employees, vendors, and other stakeholders, but they do not guarantee the satisfaction or compliance of those parties. References:
Shadow IT Explained: Risks & Opportunities - BMC Software
What is Shadow IT? | IBM
Shadow IT: What Are the Risks and How Can You Mitigate Them? - Ekran System
Policies and Procedures - Shared Assessments
An outsourcer's vendor risk assessment process includes all of the following EXCEPT:
A. Establishing risk evaluation criteria based on company policy
B. Developing risk-tiered due diligence standards
C. Setting remediation timelines based on the severity level of findings
D. Defining assessment frequency based on resource capacity
An outsourcer’s vendor risk assessment process should include all the steps mentioned in options A, B, and C, as they are essential for ensuring a consistent, comprehensive, and effective evaluation of the vendor’s performance, compliance, and risk profile. However, option D is not a necessary or recommended part of the vendor risk assessment process, as it does not reflect the actual level of risk posed by the vendor, but rather the availability of resources within the outsourcer’s organization. Defining assessment frequency based on resource capacity could lead to under-assessing or over-assessing vendors, depending on the outsourcer’s workload, budget, and staff. This could result in missing critical issues, wasting time and money, or creating gaps in the vendor oversight program. Therefore, option D is the correct answer, as it is the only one that does not belong to the vendor risk assessment process. References: The following resources support the verified answer and explanation:
Shared Assessments’ CTPRP Job Guide, page 10, section 2.1.1, states that “The frequency of assessments should be based on the risk tier of the third party, not on the availability of resources.”
Guide to Vendor Risk Assessment, section “Step 3: Determine the Frequency of Vendor Risk Assessments”, explains that “The frequency of vendor risk assessments should be based on the level of risk each vendor poses to your organization, not on the availability of resources or convenience.”
How to Conduct a Successful Vendor Risk Assessment in 9 Steps, section “Step 8: Determine the Frequency of Vendor Risk Assessments”, advises that “The frequency of vendor risk assessments should be based on the level of risk each vendor poses to your organization, not on the availability of resources or convenience.”
Which statement is FALSE regarding the different types of contracts and agreements between outsourcers and service providers?
Contract addendums are not sufficient for addressing third party risk obligations as each requirement must be outlined in the Master Services Agreement (MSA)
Evergreen contracts are automatically renewed for each party after the maturity period, unless terminated under existing contract provisions
Requests for Proposals (RFPs) for outsourced services should include mandatory requirements based on an organization's TPRM program policies, standards and procedures
Statements of Work (SOWs) define operational requirements and obligations for each party
Contract addendums are supplementary documents that modify or amend the original contract terms. They can be used to address third party risk obligations, such as security, privacy, compliance, or performance standards, without having to rewrite the entire MSA. However, contract addendums should be consistent with the MSA and clearly specify the scope, duration, and responsibilities of each party. Contract addendums can also be used to update or revise the contract terms in response to changing business needs or regulatory requirements 1 2.
The other statements are true regarding the different types of contracts and agreements between outsourcers and service providers. Evergreen contracts are contracts that do not have a fixed end date and are automatically renewed unless one party decides to terminate them under the existing contract provisions 3. RFPs are documents that solicit proposals from potential service providers for a specific project or service. RFPs should include mandatory requirements based on an organization’s TPRM program policies, standards and procedures, such as risk assessment, due diligence, monitoring, reporting, and remediation. SOWs are documents that define the operational requirements and obligations for each party, such as the scope, deliverables, timelines, costs, quality, and performance metrics. References:
1: Contracts and third-party risk - KPMG UK
2: Third-Party Risk & Contract Management: A Comprehensive Beginner’s Guide - Trackado
3: What Is an Evergreen Contract? | Legal Beagle
Best Practices Guidance for Third Party Risk - GARP
Third-Party Risk Management: A Comprehensive Guide - UpGuard
Statement of Work (SOW) - Definition, Contents & Examples
How to Write a Statement of Work for Any Industry | Smartsheet
Which cloud deployment model is primarily used for load balancing?
Public Cloud
Community Cloud
Hybrid Cloud
Private Cloud
Hybrid cloud is the cloud deployment model that is primarily used for load balancing. Load balancing is the process of distributing workloads and network traffic across multiple servers or resources to optimize performance, reliability, and scalability 1. Load balancing can help prevent overloading or underutilizing any single server or resource, as well as improve fault tolerance and availability. Hybrid cloud is a mix of two or more different deployment models, such as public cloud, private cloud, or community cloud 2. Hybrid cloud allows organizations to leverage the benefits of both public and private clouds, such as cost efficiency, scalability, security, and control 3. Hybrid cloud can also enable load balancing across different cloud environments, depending on the demand, cost, and performance requirements of each workload. For example, an organization can use a private cloud for sensitive or mission-critical applications that require high security and performance, and a public cloud for less sensitive or variable applications that require more scalability and flexibility. By using a hybrid cloud, the organization can balance the load between the private and public clouds, and optimize the resource utilization and cost efficiency of each cloud.
The other cloud deployment models are not primarily used for load balancing, although they may have some load balancing capabilities within their own environments. Public cloud is the infrastructure that is shared by multiple tenants and open to the public. Anyone can use the public cloud by subscribing to it. Public cloud offers high scalability, elasticity, and cost-effectiveness, but may have lower security, privacy, and control than private cloud 2. Community cloud is the infrastructure that is shared by similar consumers who collaborate to set up a cloud for their exclusive use. For example, government organizations can form a cloud for their exclusive use. Community cloud offers some benefits of both public and private clouds, such as shared costs, common standards, and enhanced security, but may have lower scalability and flexibility than public cloud 2. Private cloud is the infrastructure that is for the exclusive use of a single organization. The cloud may or may not be operated by the organization. Private cloud offers high security, privacy, and control, but may have lower scalability, elasticity, and cost-effectiveness than public cloud 2. References:
1: What is Load Balancing? | How Load Balancing Works | F5
2: The NIST Definition of Cloud Computing
3: What is Hybrid Cloud? | IBM
Hybrid Cloud Load Balancing - Kemp Technologies
Hybrid Cloud Load Balancing: What You Need to Know - CloudHealth by VMware
Which example of analyzing a vendor's response should trigger further investigation of their information security policies?
Determination that the security policies include contract or temporary workers
Determination that the security policies do not specify any requirements for third party governance and oversight
Determination that the security policies are approved by management and available to constituents including employees and contract workers
Determination that the security policies are communicated to constituents including full and part-time employees
One of the key elements of a robust information security policy is the definition and implementation of requirements for third party governance and oversight. This means that the vendor should have clear and consistent processes and procedures for managing and monitoring the information security risks and controls of their subcontractors, suppliers, or service providers. Third party governance and oversight should include the following aspects [1][2]:
Establishing criteria and standards for selecting and evaluating third parties based on their information security capabilities and performance
Conducting regular and comprehensive assessments and audits of third parties’ information security policies, practices, and incidents
Ensuring contractual agreements and service level agreements (SLAs) with third parties include information security clauses and obligations
Maintaining visibility and communication with third parties regarding their information security status and issues
Implementing corrective actions and remediation plans for any identified information security gaps or weaknesses
Terminating or suspending the relationship with third parties that fail to meet the information security expectations or requirements
If a vendor’s response does not specify any requirements for third party governance and oversight, it should trigger further investigation of their information security policies. This indicates that the vendor may not have a comprehensive and effective approach to managing the information security risks and impacts of their extended network of partners. This could expose the vendor and their clients to potential data breaches, cyberattacks, compliance violations, or reputational damages. Therefore, the vendor should be asked to provide more details and evidence of how they ensure the information security of their third parties, and how they address any information security incidents or issues involving their third parties. References:
1 : Third-Party Information Security Risk Management Policy - SecurityStudio
2 : Ensuring Data Protection for Third Parties: Best Practices | UpGuard Blog
In which phase of the TPRM lifecycle should terms for return or destruction of data be defined and agreed upon?
During contract negotiation
At third party selection and initial due diligence
When deploying ongoing monitoring
At termination and exit
Terms for return or destruction of data should be defined and agreed upon during contract negotiation, as this is the phase where the organization and the third party establish the expectations, obligations, and responsibilities for the relationship, including the handling of data. According to the Shared Assessments CTPRP Study Guide, contract negotiation is the phase where "the organization and the third party negotiate and execute a contract that clearly defines the expectations and responsibilities of both parties, including the scope of work, service level agreements, performance measures, reporting requirements, compliance obligations, security and privacy controls, incident response procedures, dispute resolution mechanisms, termination rights, and other relevant terms and conditions." [1] One of the key contractual terms that should be addressed is the return or destruction of data, which specifies how the third party will return or dispose of the organization’s data at the end of the relationship, or upon request, in a secure and timely manner. This term is important for ensuring the organization’s data protection, confidentiality, and compliance, as well as reducing the risk of data breaches, leaks, or misuse by the third party or unauthorized parties.
The other phases of the TPRM lifecycle are not the best choices for defining and agreeing upon terms for return or destruction of data, because:
B. At third party selection and initial due diligence: This is the phase where the organization identifies, evaluates, and selects the third party that best meets its needs, objectives, and risk appetite. This phase involves conducting due diligence on the third party’s capabilities, qualifications, reputation, performance, security, and compliance, as well as assessing the inherent risk of the relationship. While this phase is important for screening and choosing the right third party, it does not involve defining and agreeing upon the specific terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.
C. When deploying ongoing monitoring: This is the phase where the organization monitors and reviews the third party’s performance, service delivery, risk management, and compliance on a regular basis, as well as identifies and addresses any issues, gaps, or changes that may arise during the relationship. This phase involves collecting and analyzing data and information from various sources, such as reports, audits, assessments, surveys, feedback, incidents, and metrics, as well as communicating and collaborating with the third party to ensure alignment and improvement. While this phase is important for ensuring the quality and security of the relationship, it does not involve defining and agreeing upon the terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.
D. At termination and exit: This is the phase where the organization terminates and exits the relationship with the third party, either by mutual agreement, expiration of contract, breach of contract, or other reasons. This phase involves executing the termination and exit plan, which may include notifying the third party, transferring or discontinuing the services, settling the financial obligations, returning or destroying the data, revoking the access rights, and conducting a post-termination review. While this phase is important for ensuring a smooth and secure transition and closure of the relationship, it does not involve defining and agreeing upon the terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.
References:
1 : Shared Assessments CTPRP Study Guide, page 59, section 5.1: TPRM Lifecycle
2 : Third-Party Risk Management: Vendor Contract Terms and Conditions, section: Data Ownership, Return and Destruction
3 : Third-Party Risk Management: The 3rd Party Ecosystem: How to Manage the Risk While Keeping the Benefit, section: Contract Negotiation
4 : Third-Party Risk Management: The 3rd Party Ecosystem: How to Manage the Risk While Keeping the Benefit, section: Termination and Exit
Which statement is TRUE regarding the tools used in TPRM risk analyses?
Risk treatment plans define the due diligence standards for third party assessments
Risk ratings summarize the findings in vendor remediation plans
Vendor inventories provide an up-to-date record of high risk relationships across an organization
Risk registers are used for logging and tracking third party risks
Risk registers are tools that help organizations document, monitor, and manage their third party risks. They typically include information such as the risk description, category, source, impact, likelihood, rating, owner, status, and action plan. Risk registers enable organizations to prioritize their risks, assign responsibilities, track progress, and report on their risk posture. According to the CTPRP Study Guide, "A risk register is a tool for capturing and managing risks throughout the third-party lifecycle. It provides a comprehensive view of the organization’s third-party risk profile and facilitates risk reporting and communication." [1] Similarly, the GARP Best Practices Guidance for Third-Party Risk states, "A risk register is a tool that records and tracks the risks associated with third parties. It helps to identify, assess, and prioritize risks, as well as to assign ownership, mitigation actions, and target dates." [2]
References:
1 : CTPRP Study Guide
2 : GARP Best Practices Guidance for Third-Party Risk
At which level of reporting are changes in TPRM program metrics rare and exceptional?
Business unit
Executive management
Risk committee
Board of Directors
TPRM program metrics are the indicators that measure the performance, effectiveness, and maturity of the TPRM program. They help to monitor and communicate the progress, achievements, and challenges of the TPRM program to various stakeholders, such as business units, executive management, risk committees, and the board of directors. However, the level of reporting and the frequency of changes in TPRM program metrics vary depending on the stakeholder’s role, responsibility, and interest [1][2][3]:
Business unit: This level of reporting is focused on the operational aspects of the TPRM program, such as the status of vendor assessments, remediation actions, issues, and incidents. The changes in TPRM program metrics at this level are frequent and granular, as they reflect the day-to-day activities and outcomes of the TPRM program.
Executive management: This level of reporting is focused on the strategic aspects of the TPRM program, such as the alignment with the business objectives, the compliance with the regulatory requirements, the management of the key risks, and the optimization of the resources and costs. The changes in TPRM program metrics at this level are less frequent and more aggregated, as they reflect the overall direction and performance of the TPRM program.
Risk committee: This level of reporting is focused on the oversight aspects of the TPRM program, such as the evaluation of the risk appetite, the review of the risk profile, the approval of the risk policies, and the escalation of the risk issues. The changes in TPRM program metrics at this level are occasional and more analytical, as they reflect the governance and assurance of the TPRM program.
Board of Directors: This level of reporting is focused on the advisory aspects of the TPRM program, such as the endorsement of the risk strategy, the awareness of the risk trends, the guidance of the risk culture, and the support of the risk initiatives. The changes in TPRM program metrics at this level are rare and exceptional, as they reflect the high-level and long-term vision and value of the TPRM program.
Therefore, the correct answer is D. Board of Directors, as this is the level of reporting where changes in TPRM program metrics are rare and exceptional. References:
1 : 15 KPIs & Metrics to Measure the Success of Your TPRM Program | UpGuard
2 : Third-party risk management metrics: Best practices to enhance your … | Diligent
3 : TPRM Metrics - Telling Your Risk Story - Shared Assessments | Shared Assessments
Once a vendor questionnaire is received from a vendor what is the MOST important next step when evaluating the responses?
Document your analysis and provide confirmation to the business unit regarding receipt of the questionnaire
Update the vendor risk registry and vendor inventory with the results in order to complete the assessment
Calculate the total number of findings to rate the effectiveness of the vendor response
Analyze the responses to identify adverse or high priority responses to prioritize controls that should be tested
The most important next step after receiving a vendor questionnaire is to analyze the responses and identify any gaps, issues, or risks that may pose a threat to the organization or its customers. This analysis should be based on the inherent risk profile of the vendor, the criticality of the service or product they provide, and the applicable regulatory and contractual requirements. The analysis should also highlight any adverse or high priority responses that indicate a lack of adequate controls, policies, or procedures on the vendor’s part; these responses should be prioritized for further validation, testing, or remediation. A "yes" answer with no supporting evidence is a claim, not a control, and should be treated as needing validation rather than as a pass. The analysis should also document any assumptions, limitations, or dependencies that may affect the accuracy or completeness of the vendor’s responses, such as unanswered items or controls the vendor marked as not applicable. References:
Shared Assessments CTPRP Study Guide , Section 4.2.2, page 43
Third-Party Risk Management: Managing Risk , Section “Assessing and monitoring third-party risk”
What Is Third-Party Risk Management (TPRM)? 2024 Guide , Section “Third-Party Risk Management Process”
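The triage step described above, as an added example that is not from the page or the CTPRP study guide: a small scorer that weights each adverse questionnaire answer by the control domain and the vendor's inherent risk rating, produces the ordered queue of controls to test, and separately records the gaps (unanswered items, "not applicable" claims, and "yes" answers without evidence) so the analysis documents its own limitations. The domain weights, severities, control identifiers and sample responses are constructed assumptions for illustration.

```python
"""Triage of vendor questionnaire responses to prioritize control testing.

Added example (not from the page or the CTPRP study guide). The domain
weights, answer severities, control IDs and responses are constructed
sample data; the scoring scheme is an illustrative assumption.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    control_id: str
    domain: str
    answer: str          # "yes", "no", "partial", "n/a", or "" when unanswered
    evidence: bool       # vendor attached supporting evidence for the answer


# Assumed weights: how much a weak answer in this domain matters.
DOMAIN_WEIGHT = {
    "access control": 3,
    "encryption": 3,
    "incident response": 2,
    "physical security": 1,
}

# Assumed multiplier from the vendor's inherent risk rating.
INHERENT_MULTIPLIER = {"low": 1, "medium": 2, "high": 3}


def severity(resp: Response) -> tuple[int, str | None]:
    """Map one answer to (severity 0-3, gap note or None).

    A "yes" with no evidence is not a clean pass: it is an unsubstantiated
    claim. Unanswered items and "n/a" claims are recorded as gaps so the
    analysis documents its own limitations instead of treating them as passes.
    """
    a = resp.answer.strip().lower()
    if a == "no":
        return 3, None
    if a == "partial":
        return 2, None
    if a == "":
        return 2, "unanswered"
    if a == "n/a":
        return 0, "marked not applicable; confirm scope"
    if a == "yes":
        return (0, None) if resp.evidence else (1, "answered yes without evidence")
    raise ValueError(f"{resp.control_id}: unexpected answer {resp.answer!r}")


def score(resp: Response, inherent_risk: str) -> int:
    """Adverse-answer score: severity x domain weight x inherent-risk multiplier."""
    sev, _ = severity(resp)
    return sev * DOMAIN_WEIGHT.get(resp.domain, 1) * INHERENT_MULTIPLIER[inherent_risk]


def triage(responses: list[Response], inherent_risk: str, test_threshold: int = 6) -> dict:
    """Return per-control scores, the ordered test queue, and documented gaps."""
    scored = {r.control_id: score(r, inherent_risk) for r in responses}
    queue = sorted(
        (cid for cid, s in scored.items() if s >= test_threshold),
        key=lambda cid: (-scored[cid], cid),   # highest score first, then stable by ID
    )
    gaps = [(r.control_id, severity(r)[1]) for r in responses if severity(r)[1]]
    return {"scores": scored, "test_queue": queue, "gaps": gaps}


def run_demo() -> dict:
    responses = [  # constructed sample questionnaire for a high-inherent-risk vendor
        Response("AC-01", "access control", "no", False),
        Response("EN-02", "encryption", "partial", True),
        Response("IR-03", "incident response", "yes", False),
        Response("IR-04", "incident response", "yes", True),
        Response("PS-05", "physical security", "", False),
        Response("EN-06", "encryption", "n/a", False),
    ]
    return triage(responses, "high")


if __name__ == "__main__":
    result = run_demo()
    print("controls to test, in order:", result["test_queue"])
    for cid, note in result["gaps"]:
        print(f"gap {cid}: {note}")
```

The threshold and weights are knobs the assessor sets per program; what matters is that an unevidenced "yes" (IR-03) lands in the test queue alongside the outright "no" answers rather than being counted as a pass, and that the unanswered and "n/a" items are surfaced as documented limitations of the assessment.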
A contract clause that enables each party to share the amount of information security risk is known as:
Limitation of liability
Cyber Insurance
Force majeure
Mutual indemnification
Indemnification is a contractual obligation by which one party agrees to compensate another party for any losses or damages that may arise from a specified event or circumstance. Mutual indemnification means that both parties agree to indemnify each other for certain losses or damages, such as those caused by a breach of contract, negligence, or violation of law. Mutual indemnification can enable each party to share the amount of information security risk, as it can provide a mechanism for allocating the responsibility and liability for any security incidents or breaches that may affect either party or their customers. Mutual indemnification can also incentivize each party to maintain adequate security controls and practices, as well as to cooperate and communicate effectively in the event of a security incident or breach.
The other options are not contract clauses that enable each party to share the amount of information security risk, because:
A. Limitation of liability is a contract clause that limits the amount or type of damages that one party can claim from another party in the event of a breach of contract or other legal action. Limitation of liability does not enable each party to share the amount of information security risk, as it can reduce or cap the liability of one party, but not necessarily distribute or balance the risk between both parties.
B. Cyber insurance is a type of insurance policy that covers the costs and losses resulting from cyberattacks, data breaches, or other cyber incidents. Cyber insurance does not enable each party to share the amount of information security risk, as it can transfer or mitigate the risk to a third-party insurer, but not necessarily allocate or share the risk between both parties.
C. Force majeure is a contract clause that excuses one or both parties from performing their contractual obligations in the event of an unforeseen or unavoidable event or circumstance that is beyond their control, such as a natural disaster, war, or pandemic. Force majeure does not enable each party to share the amount of information security risk, as it can suspend or terminate the contract in the event of a force majeure event, but not necessarily distribute or balance the risk between both parties.
References:
1 : Shared Assessments CTPRP Study Guide, page 62, section 5.2.2: Contractual Terms
2 : Third-Party Risk Management: Vendor Contract Terms and Conditions, section: Indemnification
3 : Cybersecurity risks from third party vendors: PwC, section: Contractual terms and conditions
4 : Third-Party Risk Management: The 3rd Party Ecosystem: How to Manage the Risk While Keeping the Benefit, section: Contractual Terms and Conditions
Which policy requirement is typically NOT defined in an Asset Management program?
The Policy states requirements for the reuse of physical media (e.g., devices, servers, disk drives, etc.)
The Policy requires that employees and contractors return all company data and assets upon termination of their employment, contract or agreement
The Policy defines requirements for the inventory, identification, and disposal of equipment and/or physical media
The Policy requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times
An Asset Management program is a set of policies, procedures, and practices that aim to optimize the value, performance, and lifecycle of the organization’s assets, such as physical, financial, human, or information assets [1][2][3]. An Asset Management program typically defines policy requirements for the following aspects of asset management:
The Policy states requirements for the reuse of physical media (e.g., devices, servers, disk drives, etc.): This requirement ensures that the organization follows proper procedures for sanitizing, wiping, or destroying physical media that contain sensitive or confidential data before reusing, recycling, or disposing of them. It helps prevent data leakage, theft, or loss, and protects the organization’s reputation and compliance [1][2][3].
The Policy requires that employees and contractors return all company data and assets upon termination of their employment, contract or agreement: This requirement ensures that the organization recovers all the data and assets that were assigned, loaned, or accessed by the employees and contractors during their employment, contract, or agreement. It helps maintain the security, integrity, and availability of the organization’s data and assets, and prevents unauthorized or inappropriate use or disclosure of them [1][2][3].
The Policy defines requirements for the inventory, identification, and disposal of equipment and/or physical media: This requirement ensures that the organization maintains an accurate and up-to-date record of all the equipment and physical media that it owns, leases, or uses, and assigns unique identifiers to them. It also ensures that the organization follows proper procedures for disposing of equipment and physical media that are no longer needed, useful, or functional. It helps improve the efficiency, effectiveness, and accountability of the organization’s asset management processes, and reduces the risks of waste, fraud, or misuse of the organization’s resources [1][2][3].
However, option D, a policy requirement that requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times, is typically not defined in an Asset Management program. Rather, this requirement is more likely to be defined in a Physical Security program, which is a set of policies, procedures, and practices that aim to protect the organization’s premises, assets, and personnel from unauthorized access, damage, or harm [4][5]. A Physical Security program typically defines policy requirements for the following aspects of physical security:
The Policy requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times: This requirement ensures that the organization controls and monitors the access of visitors to the facility, and verifies their identity, purpose, and authorization. It also ensures that the organization prevents visitors from accessing restricted or sensitive areas, equipment, or information, and escorts them throughout their visit. It helps enhance the security, safety, and compliance of the organization’s facility, assets, and personnel, and prevents potential threats, incidents, or breaches [4][5].
The Policy defines requirements for the locking, alarming, and surveillance of the facility and its entrances and exits: This requirement ensures that the organization secures the perimeter and the interior of the facility, and detects and responds to any unauthorized or suspicious activity or intrusion. It also ensures that the organization uses appropriate and effective physical security measures, such as locks, alarms, cameras, guards, or barriers, to deter, prevent, or delay unauthorized access. It helps protect the organization’s facility, assets, and personnel from theft, vandalism, sabotage, or attack [4][5].
The Policy specifies requirements for the emergency preparedness and response of the facility and its occupants: This requirement ensures that the organization plans and implements procedures for dealing with emergencies, such as fire, flood, earthquake, power outage, or active shooter, that may affect the facility and its occupants. It also ensures that the organization provides adequate and accessible equipment, resources, and training for emergency preparedness and response, such as fire extinguishers, first aid kits, evacuation routes, emergency contacts, or drills. It helps ensure the safety, health, and continuity of the organization’s facility, assets, and personnel, and minimizes the impact and damage of emergencies [4][5].
Therefore, option D is the correct answer, as it is the only one that does not reflect a policy requirement that is typically defined in an Asset Management program. References: The following resources support the verified answer and explanation:
1 : Asset Management Policy Guide + Free Template | Fiix
2 : Asset Management Policy: How to Build One From Scratch | Limble CMMS
3 : How to develop an asset management policy, strategy and governance framework: Set up a consistent approach to asset management in your municipality
4 : Physical Security Policy | SANS
5 : Physical Security Policy | IT Governance
TESTED 03 May 2026
