Labour Day Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dumps65

Shared Assessments CTPRP Dumps

Page: 1 / 13
Total 125 questions

Certified Third-Party Risk Professional (CTPRP) Questions and Answers

Question 1

The BEST time in the SDLC process for an application service provider to perform Threat Modeling analysis is:

Options:

A.

Before the application design and development activities begin

B.

After the application vulnerability or penetration test is completed

C.

After testing and before the deployment of the final code into production

D.

Prior to the execution of a contract with each client

Question 2

Which of the following BEST reflects the risk of a ‘shadow IT" function?

Options:

A.

“Shadow IT" functions often fail to detect unauthorized use of information assets

B.

“Shadow IT" functions often lack governance and security oversight

C.

inability to prevent "shadow IT’ functions from using unauthorized software solutions

D.

Failure to implement strong security controls because IT is executed remotely

Question 3

Which statement is NOT an example of the purpose of internal communications and information sharing using TPRM performance metrics?

Options:

A.

To communicate the status of findings identified in vendor assessments and escalate issues es needed

B.

To communicate the status of policy compliance with TPRM onboarding, periodic assessment and off-boarding requirements

C.

To document the agreed upon corrective action plan between external parties based on the severity of findings

D.

To develop and provide periodic reporting to management based on TPRM results

Question 4

Which example of a response to external environmental factors is LEAST likely to be managed directly within the BCP or IT DR plan?

Options:

A.

Protocols for social media channels and PR communication

B.

Response to a natural or man-made disruption

C.

Dependency on key employee or supplier issues

D.

Response to a large scale illness or health outbreak

Question 5

Which statement is TRUE regarding defining vendor classification or risk tiering in a TPRM program?

Options:

A.

Vendor classification and risk tiers are based upon residual risk calculations

B.

Vendor classification and risk tiering should only be used for critical third party relationships

C.

Vendor classification and corresponding risk tiers utilize the same due diligence standards for controls evaluation based upon policy

D.

Vendor classification and risk tier is determined by calculating the inherent risk associated with outsourcing a specific product or service

Question 6

Which of the following is LEAST likely to be included in an organization's mobile device policy?

Options:

A.

Language on restricting the use of the mobile device to only business purposes

B.

Language to require a mutual Non Disclosure Agreement (NDA)

C.

Language detailing the user's responsibility to not bypass security settings or monitoring applications

D.

Language detailing specific actions that an organization may take in the event of an information security incident

Question 7

Which statement is TRUE regarding the use of questionnaires in third party risk assessments?

Options:

A.

The total number of questions included in the questionnaire assigns the risk tier

B.

Questionnaires are optional since reliance on contract terms is a sufficient control

C.

Assessment questionnaires should be configured based on the risk rating and type of service being evaluated

D.

All topic areas included in the questionnaire require validation during the assessment

Question 8

Select the risk type that is defined as: “A third party may not be able to meet its obligations due to inadequate systems or processes”.

Options:

A.

Reliability risk

B.

Performance risk

C.

Competency risk

D.

Availability risk

Question 9

Which statement is FALSE when describing the third party risk assessors’ role when conducting a controls evaluation using an industry framework?

Options:

A.

The Assessor's role is to conduct discovery with subject matter experts to understand the control environment

B.

The Assessor's role is to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls

C.

The Assessor's role is to provide an opinion on the effectiveness of controls conducted over a period of time in their report

D.

The Assessor's role is to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes

Question 10

Which of the following is a positive aspect of adhering to a secure SDLC?

Options:

A.

Promotes a “check the box" compliance approach

B.

A process that defines and meets both the business requirements and the security requirements

C.

A process that forces quality code repositories management

D.

Enables the process if system code is managed in different IT silos

Question 11

Which vendor statement provides the BEST description of the concept of least privilege?

Options:

A.

We require dual authorization for restricted areas

B.

We grant people access to the minimum necessary to do their job

C.

We require separation of duties for performance of high risk activities

D.

We limit root and administrator access to only a few personnel

Question 12

Which of the following factors is MOST important when assessing the risk of shadow IT in organizational security?

Options:

A.

The organization maintains adequate policies and procedures that communicate required controls for security functions

B.

The organization requires security training and certification for security personnel

C.

The organization defines staffing levels to address impact of any turnover in security roles

D.

The organization's resources and investment are sufficient to meet security requirements

Question 13

At which level of reporting are changes in TPRM program metrics rare and exceptional?

Options:

A.

Business unit

B.

Executive management

C.

Risk committee

D.

Board of Directors

Question 14

Which example is typically NOT included in a Business Impact Analysis (BIA)?

Options:

A.

Including any contractual or legal/regulatory requirements

B.

Prioritization of business functions and processes

C.

Identifying the criticality of applications

D.

Requiring vendor participation in testing

Question 15

The set of shared values and beliefs that govern a company’s attitude toward risk is known as:

Options:

A.

Risk tolerance

B.

Risk treatment

C.

Risk culture

D.

Risk appetite

Question 16

Which example of analyzing a vendor's response should trigger further investigation of their information security policies?

Options:

A.

Determination that the security policies include contract or temporary workers

B.

Determination that the security policies do not specify any requirements for third party governance and oversight

C.

Determination that the security policies are approved by management and available to constituents including employees and contract workers

D.

Determination that the security policies are communicated to constituents including full and part-time employees

Question 17

Which of the following is typically NOT included within the scape of an organization's network access policy?

Options:

A.

Firewall settings

B.

Unauthorized device detection

C.

Website privacy consent banners

D.

Remote access

Question 18

Which of the following topics is LEAST important when evaluating a service provider's Security and Privacy Awareness Program?

Options:

A.

Training on phishing and social engineering risks and expected actions for employees and contractors

B.

Training on whistleblower compliance issue reporting mechanisms

C.

Training that is designed based on role, job scope, or level of access

D.

Training on acceptable use and data safeguards based on organization's policies

Question 19

Which of the following components is NOT typically included in external continuous monitoring solutions?

Options:

A.

Status updates on localized events based on geolocation

B.

Alerts on legal and regulatory actions involving the vendor

C.

Metrics that track SLAs for performance management

D.

Reports that identify changes in vendor financial viability

Question 20

Which cloud deployment model is primarily used for load balancing?

Options:

A.

Public Cloud

B.

Community Cloud

C.

Hybrid Cloud

D.

Private Cloud

Question 21

When evaluating compliance artifacts for change management, a robust process should include the following attributes:

Options:

A.

Approval, validation, auditable.

B.

Logging, approvals, validation, back-out and exception procedures

C.

Logging, approval, back-out.

D.

Communications, approval, auditable.

Question 22

Which of the following is NOT a key component of TPRM requirements in the software development life cycle (SDLC)?

Options:

A.

Maintenance of artifacts that provide proof that SOLC gates are executed

B.

Process for data destruction and disposal

C.

Software security testing

D.

Process for fixing security defects

Question 23

Which statement is FALSE regarding the methods of measuring third party risk?

Options:

A.

Risk can be measured both qualitatively and quantitatively

B.

Risk can be quantified by calculating the severity of impact and likelihood of occurrence

C.

Assessing risk impact requires an analysis of prior events, frequency of occurrence, and external trends to analyze and predict the potential of a particular event happening

D.

Risk likelihood or probability is a critical element in quantifying inherent or residual risk

Question 24

Which statement is FALSE regarding the risk factors an organization may include when defining TPRM compliance requirements?

Options:

A.

Organizations include TPRM compliance requirements within vendor contracts, and periodically review and update mandatory contract provisions

B.

Organizations rely on regulatory mandates to define and structure TPRM compliance requirements

C.

Organizations incorporate the use of external standards and frameworks to align and map TPRM compliance requirements to industry practice

D.

Organizations define TPRM policies based on the company’s risk appetite to shape requirements based on the services being outsourced

Question 25

Which of the following data safeguarding techniques provides the STRONGEST assurance that data does not identify an individual?

Options:

A.

Data masking

B.

Data encryption

C.

Data anonymization

D.

Data compression

Question 26

An organization has experienced an unrecoverable data loss event after restoring a system. This is an example of:

Options:

A.

A failure to conduct a Root Cause Analysis (RCA)

B.

A failure to meet the Recovery Time Objective (RTO)

C.

A failure to meet the Recovery Consistency Objective (RCO)

D.

A failure to meet the Recovery Point Objective (RPO)

Question 27

You are assessing your organization's Disaster Recovery and Business Continuity (BR/BCP) requirements based on the shift to remote work. Which statement is LEAST reflective of current practices in business resiliency?

Options:

A.

Third party service providers should be included in the company’s exercise and testing program based on the criticality of the outsourced business function

B.

The right to require participation in testing with third party service providers should be included in the contract

C.

The contract is the only enforceable control to stipulate third party service provider obligations for DR/BCP since both programs were triggered by the pandemic

D.

Management should request and receive artifacts that Gemonstrate successful test results and any remediation action plans

Question 28

A contract clause that enables each party to share the amount of information security risk is known as:

Options:

A.

Limitation of liability

B.

Cyber Insurance

C.

Force majeure

D.

Mutual indemnification

Question 29

Which of the following methods of validating pre-employment screening attributes is appropriate due to limitations of international or state regulation?

Options:

A.

Reviewing evidence of web search of social media sites

B.

Providing and sampling complete personnel files to demonstrate unique screening results

C.

Requiring evidence of drug testing

D.

Requesting evidence of the performance of pre-employment screening when permitted by law

Question 30

Which factor is the LEAST important attribute when classifying personal data?

Options:

A.

The volume of data records processed or retained

B.

The data subject category that identifies the data owner

C.

The sensitivity level of specific data elements that could identify an individual

D.

The assignment of a confidentiality level that differentiates public or non-public information

Question 31

Which statement provides the BEST description of inherent risk?

Options:

A.

inherent risk is the amount of risk an organization can incur when there is an absence of controls

B.

Inherent risk is the level of risk triggered by outsourcing & product or service

C.

Inherent risk is the amount of risk an organization can accept based on their risk tolerance

D.

Inherent risk is the level of risk that exists with all of the necessary controls in place

Question 32

Which statement BEST represents the primary objective of a third party risk assessment:

Options:

A.

To assess the appropriateness of non-disclosure agreements regarding the organization's systems/data

B.

To validate that the vendor/service provider has adequate controls in place based on the organization's risk posture

C.

To determine the scope of the business relationship

D.

To evaluate the risk posture of all vendors/service providers in the vendor inventory

Question 33

An outsourcer's vendor risk assessment process includes all of the following EXCEPT:

Options:

A.

Establishing risk evaluation criteria based on company policy

B.

Developing risk-tiered due diligence standards

C.

Setting remediation timelines based on the severity level of findings

D.

Defining assessment frequency based on resource capacity

Question 34

Which activity BEST describes conducting due diligence of a lower risk vendor?

Options:

A.

Accepting a service providers self-assessment questionnaire responses

B.

Preparing reports to management regarding the status of third party risk management and remediation activities

C.

Reviewing a service provider's self-assessment questionnaire and external audit report(s)

D.

Requesting and filing a service provider's external audit report(s) for future reference

Question 35

Which of the following BEST describes the distinction between a regulation and a standard?

Options:

A.

A regulation must be adhered to by all companies subject to its requirements, but companies “can voluntarily choose to follow standards.

B.

There is no distinction, regulations and standards are the same and have equal impact

C.

Standards are always a subset of a regulation

D.

A standard must be adhered to by companies based on the industry they are in, while regulations are voluntary.

Question 36

All of the following processes are components of controls evaluation in the Third Party Risk Assessment process EXCEPT:

Options:

A.

Reviewing compliance artifacts for the presence of control attributes

B.

Negotiating contract terms for the right to audit

C.

Analyzing assessment results to identify and report risk

D.

Scoping the assessment based on identified risk factors

Question 37

Which of the following would be a component of an arganization’s Ethics and Code of Conduct Program?

Options:

A.

Participation in the company's annual privacy awareness program

B.

A disciplinary process for non-compliance with key policies, including formal termination or change of status process based on non-compliance

C.

Signing acknowledgement of Acceptable Use policy for use of company assets

D.

A process to conduct periodic access reviews of critical Human Resource files

Page: 1 / 13
Total 125 questions