
CTPRP Certified Third-Party Risk Professional (CTPRP) Questions and Answers

Questions 4

Which statement is NOT an accurate reflection of an organization's requirements within an enterprise information security policy?

Options:

A.

Security policies should define the organizational structure and accountabilities for oversight

B.

Security policies should have an effective date and date of last review by management

C.

Security policies should be changed on an annual basis due to technology changes

D.

Security policies should be organized based upon an accepted control framework

Questions 5

The following statements reflect user obligations defined in end-user device policies EXCEPT:

Options:

A.

A statement specifying the owner of data on the end-user device

B.

A statement that defines the process to remove all organizational data, settings and accounts at offboarding

C.

A statement detailing user responsibility in ensuring the security of the end-user device

D.

A statement that specifies the ability to synchronize mobile device data with enterprise systems

Questions 6

Which of the following is a component of evaluating a third party's use of Remote Access within their information security policy?

Options:

A.

Maintaining blocked IP address ranges

B.

Reviewing the testing and deployment procedures to networking components

C.

Providing guidelines to configuring ports on a router

D.

Identifying the use of multifactor authentication

Questions 7

When measuring the operational performance of implementing a TPRM program, which example is MOST likely to provide meaningful metrics?

Options:

A.

Logging the number of exceptions to existing due diligence standards

B.

Measuring the time spent by resources for task and corrective action plan completion

C.

Calculating the average time to remediate identified corrective actions

D.

Tracking the number of outstanding findings

Questions 8

Which statement is FALSE when describing the third party risk assessors’ role when conducting a controls evaluation using an industry framework?

Options:

A.

The Assessor's role is to conduct discovery with subject matter experts to understand the control environment

B.

The Assessor's role is to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls

C.

The Assessor's role is to provide an opinion on the effectiveness of controls conducted over a period of time in their report

D.

The Assessor's role is to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes

Questions 9

When conducting an assessment of a third party's physical security controls, which of the following represents the innermost layer in a ‘Defense in Depth’ model?

Options:

A.

Public internal

B.

Restricted entry

C.

Private internal

D.

Public external

Questions 10

When evaluating remote access risk, which of the following is LEAST applicable to your analysis?

Options:

A.

Logging of remote access authentication attempts

B.

Limiting access by job role or business justification

C.

Monitoring device activity usage volumes

D.

Requiring application whitelisting

Questions 11

Which type of contract termination is MOST likely to occur after failure to remediate assessment findings?

Options:

A.

Regulatory/supervisory termination

B.

Termination for convenience

C.

Normal termination

D.

Termination for cause

Questions 12

You are updating program requirements due to a shift in use of technologies by vendors to enable hybrid work. Which statement is LEAST likely to represent components of an Asset Management Program?

Options:

A.

Asset inventories should include connections to external parties, networks, or systems that process data

B.

Each asset should include an organizational owner who is responsible for the asset throughout its life cycle

C.

Assets should be classified based on criticality or data sensitivity

D.

Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines

Questions 13

Which of the following data types would be classified as low risk data?

Options:

A.

Sanitized customer data used for aggregated profiling

B.

Non personally identifiable, but sensitive to an organization's significant process

C.

Government-issued number, credit card number or bank account information

D.

Personally identifiable data but stored in a test environment cloud container

Questions 14

Your organization has recently acquired a set of new global third party relationships due to M&A. You must define your risk assessment process based on your due diligence standards. Which risk factor is LEAST important in defining your requirements?

Options:

A.

The risk of increased expense to conduct vendor assessments based on client contractual requirements

B.

The risk of natural disasters and physical security risk based on geolocation

C.

The risk of increased government regulation and decreased political stability based on country risk

D.

The financial risk due to local economic factors and country infrastructure

Questions 15

A set of principles for software development that address the top application security risks and industry web requirements is known as:

Options:

A.

Application security design standards

B.

Security testing methodology

C.

Secure code reviews

D.

Secure architecture risk analysis

Questions 16

Tracking breach, credential exposure and insider fraud/theft alerts is an example of which continuous monitoring technique?

Options:

A.

Monitoring surface

B.

Vulnerabilities

C.

Passive and active indicators of compromise

D.

Business intelligence

Questions 17

Which TPRM risk assessment component would typically NOT be maintained in a Risk Register?

Options:

A.

An assessment of the impact and likelihood the risk will occur and the possible seriousness

B.

Vendor inventory of all suppliers, vendors, and service providers prioritized by contract value

C.

An outline of proposed mitigation actions and assignment of risk owner

D.

A grading of each risk according to a risk assessment table or hierarchy

Questions 18

Which statement is TRUE regarding defining vendor classification or risk tiering in a TPRM program?

Options:

A.

Vendor classification and risk tiers are based upon residual risk calculations

B.

Vendor classification and risk tiering should only be used for critical third party relationships

C.

Vendor classification and corresponding risk tiers utilize the same due diligence standards for controls evaluation based upon policy

D.

Vendor classification and risk tier is determined by calculating the inherent risk associated with outsourcing a specific product or service

Questions 19

Once a vendor questionnaire is received from a vendor what is the MOST important next step when evaluating the responses?

Options:

A.

Document your analysis and provide confirmation to the business unit regarding receipt of the questionnaire

B.

Update the vendor risk registry and vendor inventory with the results in order to complete the assessment

C.

Calculate the total number of findings to rate the effectiveness of the vendor response

D.

Analyze the responses to identify adverse or high priority responses to prioritize controls that should be tested

Questions 20

Which statement provides the BEST example of the purpose of scoping in third party assessments?

Options:

A.

Scoping is used to reduce the number of questions the vendor has to complete based on vendor classification

B.

Scoping is the process an outsourcer uses to configure a third party assessment based on the risk the vendor presents to the organization

C.

Scoping is an assessment technique only used for high risk or critical vendors that require on-site assessments

D.

Scoping is used primarily to limit the inclusion of supply chain vendors in third party assessments

Questions 21

At which level of reporting are changes in TPRM program metrics rare and exceptional?

Options:

A.

Business unit

B.

Executive management

C.

Risk committee

D.

Board of Directors

Questions 22

Which statement is NOT a method of securing web applications?

Options:

A.

Ensure appropriate logging and review of access and events

B.

Conduct periodic penetration tests

C.

Adhere to web content accessibility guidelines

D.

Include validation checks in SDLC for cross site scripting and SQL injections

Questions 23

Which approach for managing end-user device security is typically used for lost or stolen company-owned devices?

Options:

A.

Remotely enable lost mode status on the device

B.

Deletion of data after a pre-defined number of failed login attempts

C.

Enterprise wipe of all company data and contacts

D.

Remote wipe of the device and restore to factory settings

Questions 24

Which of the following BEST reflects components of an environmental controls testing program?

Options:

A.

Scheduling testing of building access and intrusion systems

B.

Remote monitoring of HVAC, Smoke, Fire, Water or Power

C.

Auditing the CCTV backup process and card-key access process

D.

Conducting periodic reviews of personnel access controls and building intrusion systems

Questions 25

Which statement is TRUE regarding a vendor's approach to Environmental, Social, and Governance (ESG) programs?

Options:

A.

ESG expectations are driven by a company's executive team for internal commitments and not external entities

B.

ESG requirements and programs may be directed by regulatory obligations or in response to company commitments

C.

ESG commitments can only be measured qualitatively, so they cannot be included in vendor due diligence standards

D.

ESG obligations only apply to a company with publicly traded stocks

Questions 26

Which statement is TRUE regarding the onboarding process for new hires?

Options:

A.

New employees and contractors should not be on-boarded until the results of applicant screening are approved

B.

It is not necessary to have employees, contractors, and third party users sign confidentiality or non-disclosure agreements

C.

All job roles should require employees to sign non-compete agreements

D.

New employees and contractors can opt out of having to attend security and privacy awareness training if they hold existing certifications

Questions 27

Which action statement BEST describes an assessor calculating residual risk?

Options:

A.

The assessor adjusts the vendor risk rating prior to reporting the findings to the business unit

B.

The assessor adjusts the vendor risk rating based on changes to the risk level after analyzing the findings and mitigating controls

C.

The business unit closes out the finding prior to the assessor submitting the final report

D.

The assessor recommends implementing continuous monitoring for the next 18 months

Questions 28

Which activity reflects the concept of vendor management?

Options:

A.

Managing service level agreements

B.

Scanning and collecting information from third party web sites

C.

Reviewing and analyzing external audit reports

D.

Receiving and analyzing a vendor's response to a questionnaire

Questions 29

A visual representation of locations, users, systems and transfer of personal information between outsourcers and third parties is defined as:

Options:

A.

Configuration standard

B.

Audit log report

C.

Network diagram

D.

Data flow diagram

Questions 30

Which statement does NOT reflect current practice in addressing fourth party risk or subcontracting risk?

Options:

A.

Third party contracts and agreements should require prior notice and approval for subcontracting

B.

Outsourcers should rely on requesting and reviewing external audit reports to address subcontracting risk

C.

Outsourcers should inspect the vendor's TPRM program and require evidence of the assessments of subcontractors

D.

Third party contracts should include capturing, maintaining, and tracking authorized subcontractors

Questions 31

Which of the following actions is an early step when triggering an Information Security Incident Response Program?

Options:

A.

Implementing processes for emergency change control approvals

B.

Requiring periodic changes to the vendor's contract for breach notification

C.

Assessing the vendor's Business Impact Analysis (BIA) for resuming operations

D.

Initiating an investigation of the unauthorized disclosure of data

Questions 32

Which statement BEST reflects the factors that help you determine the frequency of cyclical assessments?

Options:

A.

Vendor assessments should be conducted during onboarding and then be replaced by continuous monitoring

B.

Vendor assessment frequency should be based on the level of risk and criticality of the vendor to your operations as determined by their vendor risk score

C.

Vendor assessments should be scheduled based on the type of services/products provided

D.

Vendor assessment frequency may need to be changed if the vendor has disclosed a data breach

Questions 33

In which phase of the TPRM lifecycle should terms for return or destruction of data be defined and agreed upon?

Options:

A.

During contract negotiation

B.

At third party selection and initial due diligence

C.

When deploying ongoing monitoring

D.

At termination and exit

Questions 34

Which of the following actions reflects the first step in developing an emergency response plan?

Options:

A.

Conduct an assessment that includes an inventory of the types of events that have the greatest potential to trigger an emergency response plan

B.

Consider work-from-home parameters in the emergency response plan

C.

Incorporate periodic crisis management team tabletop exercises to test different scenarios

D.

Use the results of continuous monitoring tools to develop the emergency response plan

Questions 35

Which requirement is NOT included in IT asset end-of-life (EOL) processes?

Options:

A.

The requirement to conduct periodic risk assessments to determine end-of-life

B.

The requirement to track status using a change initiation request form

C.

The requirement to track updates to third party provided systems or applications for any planned end-of-life support

D.

The requirement to establish defined procedures for secure destruction at sunset of the asset

Questions 36

Which capability is LEAST likely to be included in the annual testing activities for Business Continuity or Disaster Recovery plans?

Options:

A.

Plans to enable technology and business operations to be resumed at a back-up site

B.

Process to validate that specific databases can be accessed by applications at the designated location

C.

Ability for business personnel to perform their functions at an alternate work space location

D.

Require participation by third party service providers in collaboration with industry exercises

Questions 37

Which statement is TRUE regarding the use of questionnaires in third party risk assessments?

Options:

A.

The total number of questions included in the questionnaire assigns the risk tier

B.

Questionnaires are optional since reliance on contract terms is a sufficient control

C.

Assessment questionnaires should be configured based on the risk rating and type of service being evaluated

D.

All topic areas included in the questionnaire require validation during the assessment

Exam Code: CTPRP
Exam Name: Certified Third-Party Risk Professional (CTPRP)
Last Update: May 8, 2024
Questions: 125