Winter Special Sale Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 713PS592

CTPRP Certified Third-Party Risk Professional (CTPRP) Questions and Answers

Questions 4

Which statement provides the BEST example of the purpose of scoping in third party assessments?

Options:

A.

Scoping is used to reduce the number of questions the vendor has to complete based on vendor “classification

B.

Scoping is the process an outsourcer uses to configure a third party assessment based on the risk the vendor presents to the organization

C.

Scoping is an assessment technique only used for high risk or critical vendors that require on-site assessments

D.

Scoping is used primarily to limit the inclusion of supply chain vendors in third party assessments

Buy Now
Questions 5

A contract clause that enables each party to share the amount of information security risk is known as:

Options:

A.

Limitation of liability

B.

Cyber Insurance

C.

Force majeure

D.

Mutual indemnification

Buy Now
Questions 6

An IT change management approval process includes all of the following components EXCEPT:

Options:

A.

Application version control standards for software release updates

B.

Documented audit trail for all emergency changes

C.

Defined roles between business and IT functions

D.

Guidelines that restrict approval of changes to only authorized personnel

Buy Now
Questions 7

You receive a call from a vendor that two laptops and a tablet are missing that were used to process your company data. The asset loss occurred two years ago, but was only recently discovered. That statement may indicate that this vendor is lacking an adequate:

Options:

A.

Asset Management Program

B.

Physical and Environmental Security Program

C.

Data Loss Prevention Program

D.

Information Security Incident Notification Policy

Buy Now
Questions 8

Which of the following is NOT an attribute in the vendor inventory used to assign risk rating and vendor classification?

Options:

A.

Type of data accessed, processed, or retained

B.

Type of systems accessed

C.

Type of contract addendum

D.

Type of network connectivity

Buy Now
Questions 9

You are updating program requirements due to shift in use of technologies by vendors to enable hybrid work. Which statement is LEAST likely to represent components of an Asset

Management Program?

Options:

A.

Asset inventories should include connections to external parties, networks, or systems that process data

B.

Each asset should include an organizational owner who is responsible for the asset throughout its life cycle

C.

Assets should be classified based on criticality or data sensitivity

D.

Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines

Buy Now
Questions 10

Which statement is FALSE regarding background check requirements for vendors or service providers?

Options:

A.

Background check requirements are not applicable for vendors or service providers based outside the United States

B.

Background checks should be performed prior to employment and may be updated after employment based upon criteria in HR policies

C.

Background check requirements should be applied to employees, contract workers and temporary workers

D.

Background check requirements may differ based on level of authority, risk, or job role

Buy Now
Questions 11

Which example of a response to external environmental factors is LEAST likely to be managed directly within the BCP or IT DR plan?

Options:

A.

Protocols for social media channels and PR communication

B.

Response to a natural or man-made disruption

C.

Dependency on key employee or supplier issues

D.

Response to a large scale illness or health outbreak

Buy Now
Questions 12

Your company has been alerted that an IT vendor began utilizing a subcontractor located in a country restricted by company policy. What is the BEST approach to handle this situation?

Options:

A.

Notify management to approve an exception and ensure that contract provisions require prior “notification and evidence of subcontractor due diligence

B.

inform the business unit and recommend that the company cease future work with the IT vendor due to company policy

C.

Update the vender inventory with the mew location information in order to schedule a reassessment

D.

Inform the business unit and ask the vendor to replace the subcontractor at their expense in “order to move the processing back to an approved country

Buy Now
Questions 13

Which statement is NOT an accurate reflection of an organizations requirements within an enterprise information security policy?

Options:

A.

Security policies should define the organizational structure and accountabilities for oversight

B.

Security policies should have an effective date and date of last review by management

C.

Security policies should be changed on an annual basis due to technology changes

D.

Security policies should be organized based upon an accepted control framework

Buy Now
Questions 14

Which statement provides the BEST description of inherent risk?

Options:

A.

inherent risk is the amount of risk an organization can incur when there is an absence of controls

B.

Inherent risk is the level of risk triggered by outsourcing & product or service

C.

Inherent risk is the amount of risk an organization can accept based on their risk tolerance

D.

Inherent risk is the level of risk that exists with all of the necessary controls in place

Buy Now
Questions 15

Which of the following indicators is LEAST likely to trigger a reassessment of an existing vendor?

Options:

A.

Change in vendor location or use of new fourth parties

B.

Change in scope of existing work (e.g., new data or system access)

C.

Change in regulation that impacts service provider requirements

D.

Change at outsourcer due to M&A

Buy Now
Questions 16

Which type of external event does NOT trigger an organization ta prompt a third party contract provisions review?

Options:

A.

Change in company point of contact

B.

Business continuity event

C.

Data breach/privacy incident

D.

Change in regulations

Buy Now
Questions 17

Which set of procedures is typically NOT addressed within data privacy policies?

Options:

A.

Procedures to limit access and disclosure of personal information to third parties

B.

Procedures for handling data access requests from individuals

C.

Procedures for configuration settings in identity access management

D.

Procedures for incident reporting and notification

Buy Now
Questions 18

Which capability is LEAST likely to be included in the annual testing activities for Business Continuity or Disaster Recovery plans?

Options:

A.

Plans to enable technology and business operations to be resumed at a back-up site

B.

Process to validate that specific databases can be accessed by applications at the designated location

C.

Ability for business personnel to perform their functions at an alternate work space location

D.

Require participation by third party service providers in collaboration with industry exercises

Buy Now
Questions 19

Which of the following is a positive aspect of adhering to a secure SDLC?

Options:

A.

Promotes a “check the box" compliance approach

B.

A process that defines and meets both the business requirements and the security requirements

C.

A process that forces quality code repositories management

D.

Enables the process if system code is managed in different IT silos

Buy Now
Questions 20

The BEST time in the SDLC process for an application service provider to perform Threat Modeling analysis is:

Options:

A.

Before the application design and development activities begin

B.

After the application vulnerability or penetration test is completed

C.

After testing and before the deployment of the final code into production

D.

Prior to the execution of a contract with each client

Buy Now
Questions 21

Upon completion of a third party assessment, a meeting should be scheduled with which

of the following resources prior to sharing findings with the vendor/service provider to

approve remediation plans:

Options:

A.

CISO/CIO

B.

Business Unit Relationship Owner

C.

internal Audit

D.

C&O

Buy Now
Questions 22

Which cloud deployment model is primarily used for load balancing?

Options:

A.

Public Cloud

B.

Community Cloud

C.

Hybrid Cloud

D.

Private Cloud

Buy Now
Questions 23

Which action statement BEST describes an assessor calculating residual risk?

Options:

A.

The assessor adjusts the vendor risk rating prior to reporting the findings to the business unit

B.

The assessor adjusts the vendor risk rating based on changes to the risk level after analyzing the findings and mitigating controls

C.

The business unit closes out the finding prior to the assessor submitting the final report

D.

The assessor recommends implementing continuous monitoring for the next 18 months

Buy Now
Questions 24

During the contract negotiation process for a new vendor, the vendor states they have legal obligations to retain data for tax purposes. However, your company policy requires data

return or destruction at contract termination. Which statement provides the BEST approach to address this conflict?

Options:

A.

Determine if a policy exception and approval is required, and require that data safeguarding obligations continue after termination

B.

Change the risk rating of the vendor to reflect a higher risk tier

C.

Insist the vendor adheres to the policy and contract provisions without exception

D.

Conduct an assessment of the vendor's data governance and records management program

Buy Now
Questions 25

Which of the following is typically NOT included within the scape of an organization's network access policy?

Options:

A.

Firewall settings

B.

Unauthorized device detection

C.

Website privacy consent banners

D.

Remote access

Buy Now
Questions 26

Which statement is TRUE regarding a vendor's approach to Environmental, Social, and Governance (ESG) programs?

Options:

A.

ESG expectations are driven by a company's executive team for internal commitments end not external entities

B.

ESG requirements and programs may be directed by regulatory obligations or in response to company commitments

C.

ESG commitments can only be measured qualitatively so it cannot be included in vendor due diligence standards

D.

ESG obligations only apply to a company with publicly traded stocks

Buy Now
Questions 27

Minimum risk assessment standards for third party due diligence should be:

Options:

A.

Set by each business unit based on the number of vendors to be assessed

B.

Defined in the vendor/service provider contract or statement of work

C.

Established by the TPRM program based on the company’s risk tolerance and risk appetite

D.

Identified by procurement and required for all vendors and suppliers

Buy Now
Questions 28

Which statement reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program?

Options:

A.

The program includes the definition of internal escalation processes

B.

The program includes protocols for disclosure of information to external parties

C.

The program includes mechanisms for notification to clients

D.

The program includes processes in support of disaster recovery

Buy Now
Questions 29

Which statement is FALSE regarding the foundational requirements of a well-defined third party risk management program?

Options:

A.

We conduct onsite or virtual assessments for all third parties

B.

We have defined senior and executive management accountabilities for oversight of our TPRM program

C.

We have established vendor risk ratings and classifications based on a tiered hierarchy

D.

We have established Management and Board-level reporting to enable risk-based decisionmaking

Buy Now
Questions 30

Once a vendor questionnaire is received from a vendor what is the MOST important next step when evaluating the responses?

Options:

A.

Document your analysis and provide confirmation to the business unit regarding receipt of the questionnaire

B.

Update the vender risk registry and vendor inventory with the results in order to complete the assessment

C.

Calculate the total number of findings to rate the effectiveness of the vendor response

D.

Analyze the responses to identify adverse or high priority responses to prioritize controls that should be tested

Buy Now
Questions 31

Which statement is TRUE regarding the onboarding process far new hires?

Options:

A.

New employees and contractors should not be on-boarded until the results of applicant screening are approved

B.

it is not necessary to have employees, contractors, and third party users sign confidentiality or non-disclosure agreements

C.

All job roles should require employees to sign non-compete agreements

D.

New employees and contactors can opt-out of having to attend security and privacy awareness training if they hold existing certifications

Buy Now
Questions 32

When updating TPRM vendor classification requirements with a focus on availability, which

risk rating factors provide the greatest impact to the analysis?

Options:

A.

Type of data by classification; volume of records included in data processing

B.

Financial viability of the vendor; ability to meet performance metrics

C.

Network connectivity; remote access to applications

D.

impact on operations and end users; impact on revenue; impact on regulatory compliance

Buy Now
Questions 33

Which factor describes the concept of criticality of a service provider relationship when determining vendor classification?

Options:

A.

Criticality is limited to only the set of vendors involved in providing disaster recovery services

B.

Criticality is determined as all high risk vendors with access to personal information

C.

Criticality is assigned to the subset of vendor relationships that pose the greatest impact due to their unavailability

D.

Criticality is described as the set of vendors with remote access or network connectivity to company systems

Buy Now
Questions 34

Which activity BEST describes conducting due diligence of a lower risk vendor?

Options:

A.

Accepting a service providers self-assessment questionnaire responses

B.

Preparing reports to management regarding the status of third party risk management and remediation activities

C.

Reviewing a service provider's self-assessment questionnaire and external audit report(s)

D.

Requesting and filing a service provider's external audit report(s) for future reference

Buy Now
Questions 35

Which statement is FALSE when describing the third party risk assessors’ role when conducting a controls evaluation using an industry framework?

Options:

A.

The Assessor's role is to conduct discovery with subject matter experts to understand the control environment

B.

The Assessor's role is to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls

C.

The Assessor's role is to provide an opinion on the effectiveness of controls conducted over a period of time in their report

D.

The Assessor's role is to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes

Buy Now
Questions 36

Which example is typically NOT included in a Business Impact Analysis (BIA)?

Options:

A.

Including any contractual or legal/regulatory requirements

B.

Prioritization of business functions and processes

C.

Identifying the criticality of applications

D.

Requiring vendor participation in testing

Buy Now
Questions 37

Which of the following factors is MOST important when assessing the risk of shadow IT in organizational security?

Options:

A.

The organization maintains adequate policies and procedures that communicate required controls for security functions

B.

The organization requires security training and certification for security personnel

C.

The organization defines staffing levels to address impact of any turnover in security roles

D.

The organization's resources and investment are sufficient to meet security requirements

Buy Now
Exam Code: CTPRP
Exam Name: Certified Third-Party Risk Professional (CTPRP)
Last Update: Dec 4, 2024
Questions: 125

PDF + Testing Engine

$66  $164.99

Testing Engine

$50  $124.99
buy now CTPRP testing engine

PDF (Q&A)

$42  $104.99
buy now CTPRP pdf