
CTPRP Certified Third-Party Risk Professional (CTPRP) Questions and Answers

Question 4

Which set of procedures is typically NOT addressed within data privacy policies?

Options:

A. Procedures to limit access and disclosure of personal information to third parties
B. Procedures for handling data access requests from individuals
C. Procedures for configuration settings in identity access management
D. Procedures for incident reporting and notification

Question 5

Which statement is FALSE regarding problem or issue management?

Options:

A. Problems or issues are the root cause of an actual or potential incident
B. Problem or issue management involves managing workarounds or known errors
C. Problems or issues typically lead to systemic failures
D. Problem or issue management may reduce the likelihood and impact of incidents

Question 6

Which statement BEST represents the primary objective of a third party risk assessment?

Options:

A. To assess the appropriateness of non-disclosure agreements regarding the organization's systems/data
B. To validate that the vendor/service provider has adequate controls in place based on the organization's risk posture
C. To determine the scope of the business relationship
D. To evaluate the risk posture of all vendors/service providers in the vendor inventory

Question 7

Your company has been alerted that an IT vendor began utilizing a subcontractor located in a country restricted by company policy. What is the BEST approach to handle this situation?

Options:

A. Notify management to approve an exception and ensure that contract provisions require prior notification and evidence of subcontractor due diligence
B. Inform the business unit and recommend that the company cease future work with the IT vendor due to company policy
C. Update the vendor inventory with the new location information in order to schedule a reassessment
D. Inform the business unit and ask the vendor to replace the subcontractor at their expense in order to move the processing back to an approved country

Question 8

Which of the following is typically NOT included within the scope of an organization's network access policy?

Options:

A. Firewall settings
B. Unauthorized device detection
C. Website privacy consent banners
D. Remote access

Question 9

During the contract negotiation process for a new vendor, the vendor states they have legal obligations to retain data for tax purposes. However, your company policy requires data return or destruction at contract termination. Which statement provides the BEST approach to address this conflict?

Options:

A. Determine if a policy exception and approval is required, and require that data safeguarding obligations continue after termination
B. Change the risk rating of the vendor to reflect a higher risk tier
C. Insist the vendor adheres to the policy and contract provisions without exception
D. Conduct an assessment of the vendor's data governance and records management program

Question 10

Information classification of personal information may trigger specific regulatory obligations. Which statement is the BEST response from a privacy perspective?

Options:

A. Personally identifiable financial information includes only consumer report information
B. Public personal information includes only web or online identifiers
C. Personally identifiable information and personal data are similar in context, but may have different legal definitions based upon jurisdiction
D. Personally Identifiable Information and Protected Healthcare Information require the exact same data protection safeguards

Question 11

Upon completion of a third party assessment, a meeting should be scheduled with which of the following resources prior to sharing findings with the vendor/service provider to approve remediation plans?

Options:

A. CISO/CIO
B. Business Unit Relationship Owner
C. Internal Audit
D. C&O

Question 12

The set of shared values and beliefs that govern a company's attitude toward risk is known as:

Options:

A. Risk tolerance
B. Risk treatment
C. Risk culture
D. Risk appetite

Question 13

The primary disadvantage of Single Sign-On (SSO) access control is:

Options:

A. The impact of a compromise of the end-user credential that provides access to multiple systems is greater
B. A single password is easier to guess and be exploited
C. Users store multiple passwords in a single repository, limiting the ability to change the password
D. Vendors must develop multiple methods to integrate system access, adding cost and complexity

Question 14

Which type of contract provision is MOST important in managing Fourth-Nth party risk after contract signing and on-boarding due diligence is complete?

Options:

A. Subcontractor notice and approval
B. Indemnification and liability
C. Breach notification
D. Right to audit

Question 15

All of the following processes are components of controls evaluation in the Third Party Risk Assessment process EXCEPT:

Options:

A. Reviewing compliance artifacts for the presence of control attributes
B. Negotiating contract terms for the right to audit
C. Analyzing assessment results to identify and report risk
D. Scoping the assessment based on identified risk factors

Question 16

The following statements reflect user obligations defined in end-user device policies EXCEPT:

Options:

A. A statement specifying the owner of data on the end-user device
B. A statement that defines the process to remove all organizational data, settings and accounts at offboarding
C. A statement detailing user responsibility in ensuring the security of the end-user device
D. A statement that specifies the ability to synchronize mobile device data with enterprise systems

Question 17

Which TPRM risk assessment component would typically NOT be maintained in a Risk Register?

Options:

A. An assessment of the impact and likelihood the risk will occur and the possible seriousness
B. Vendor inventory of all suppliers, vendors, and service providers prioritized by contract value
C. An outline of proposed mitigation actions and assignment of risk owner
D. A grading of each risk according to a risk assessment table or hierarchy

Question 18

Which statement is NOT an example of the purpose of internal communications and information sharing using TPRM performance metrics?

Options:

A. To communicate the status of findings identified in vendor assessments and escalate issues as needed
B. To communicate the status of policy compliance with TPRM onboarding, periodic assessment and off-boarding requirements
C. To document the agreed upon corrective action plan between external parties based on the severity of findings
D. To develop and provide periodic reporting to management based on TPRM results

Question 19

Which of the following indicators is LEAST likely to trigger a reassessment of an existing vendor?

Options:

A. Change in vendor location or use of new fourth parties
B. Change in scope of existing work (e.g., new data or system access)
C. Change in regulation that impacts service provider requirements
D. Change at outsourcer due to M&A

Question 20

Which activity BEST describes conducting due diligence of a lower risk vendor?

Options:

A. Accepting a service provider's self-assessment questionnaire responses
B. Preparing reports to management regarding the status of third party risk management and remediation activities
C. Reviewing a service provider's self-assessment questionnaire and external audit report(s)
D. Requesting and filing a service provider's external audit report(s) for future reference

Question 21

Which of the following methods of validating pre-employment screening attributes is appropriate due to limitations of international or state regulation?

Options:

A. Reviewing evidence of web search of social media sites
B. Providing and sampling complete personnel files to demonstrate unique screening results
C. Requiring evidence of drug testing
D. Requesting evidence of the performance of pre-employment screening when permitted by law

Question 22

Which vendor statement provides the BEST description of the concept of least privilege?

Options:

A. We require dual authorization for restricted areas
B. We grant people access to the minimum necessary to do their job
C. We require separation of duties for performance of high risk activities
D. We limit root and administrator access to only a few personnel

Question 23

When defining third party requirements for transmitting PII, which factors provide stronger controls?

Options:

A. Full disk encryption and backup
B. Available bandwidth and redundancy
C. Strength of encryption cipher and authentication method
D. Logging and monitoring

Question 24

Which factor is MOST important when scoping assessments of cloud-based third parties that access, process, and retain personal data?

Options:

A. The geographic location of the vendor's outsourced datacenters, since assessments are only required for international data transfers
B. The identification of the type of cloud hosting deployment or service model in order to confirm responsibilities between the third party and the cloud hosting provider
C. The definition of requirements for backup capabilities for power generation and redundancy in the resilience plan
D. The contract terms for the configuration of the environment, which may prevent conducting the assessment

Question 25

Which statement is NOT a method of securing web applications?

Options:

A. Ensure appropriate logging and review of access and events
B. Conduct periodic penetration tests
C. Adhere to web content accessibility guidelines
D. Include validation checks in the SDLC for cross site scripting and SQL injection

Question 26

Which factor describes the concept of criticality of a service provider relationship when determining vendor classification?

Options:

A. Criticality is limited to only the set of vendors involved in providing disaster recovery services
B. Criticality is determined as all high risk vendors with access to personal information
C. Criticality is assigned to the subset of vendor relationships that pose the greatest impact due to their unavailability
D. Criticality is described as the set of vendors with remote access or network connectivity to company systems

Question 27

Which statement BEST describes the use of risk based decisioning in prioritizing gaps identified at a critical vendor when defining the corrective action plan?

Options:

A. The assessor determined that gaps should be analyzed, documented, reviewed for compensating controls, and submitted to the business owner to approve the risk treatment plan
B. The assessor decided that the critical gaps should be discussed in the closing meeting so that the vendor can begin to implement corrective actions immediately
C. The assessor concluded that all gaps should be logged and treated as high severity findings since the assessment was performed on a critical vendor
D. The assessor determined that all gaps should be logged and communicated that if the gaps were corrected immediately they would not need to be included in the findings report

Question 28

The BEST time in the SDLC process for an application service provider to perform Threat Modeling analysis is:

Options:

A. Before the application design and development activities begin
B. After the application vulnerability or penetration test is completed
C. After testing and before the deployment of the final code into production
D. Prior to the execution of a contract with each client

Question 29

An IT asset management program should include all of the following components EXCEPT:

Options:

A. Maintaining inventories of systems, connections, and software applications
B. Defining application security standards for internally developed applications
C. Tracking and monitoring availability of vendor updates and any timelines for end of support
D. Identifying and tracking adherence to IT asset end-of-life policy

Question 30

Which statement is TRUE regarding a vendor's approach to Environmental, Social, and Governance (ESG) programs?

Options:

A. ESG expectations are driven by a company's executive team for internal commitments and not external entities
B. ESG requirements and programs may be directed by regulatory obligations or in response to company commitments
C. ESG commitments can only be measured qualitatively, so they cannot be included in vendor due diligence standards
D. ESG obligations only apply to a company with publicly traded stocks

Question 31

Which statement is FALSE when describing the third party risk assessor's role when conducting a controls evaluation using an industry framework?

Options:

A. The Assessor's role is to conduct discovery with subject matter experts to understand the control environment
B. The Assessor's role is to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls
C. The Assessor's role is to provide an opinion on the effectiveness of controls conducted over a period of time in their report
D. The Assessor's role is to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes

Question 32

You are reviewing assessment results of workstation and endpoint security. Which result should trigger more investigation due to greater risk potential?

Options:

A. Use of multi-tenant laptops
B. Disabled printing and USB devices
C. Use of desktop virtualization
D. Disabled or blocked access to the internet

Question 33

An organization has experienced an unrecoverable data loss event after restoring a system. This is an example of:

Options:

A. A failure to conduct a Root Cause Analysis (RCA)
B. A failure to meet the Recovery Time Objective (RTO)
C. A failure to meet the Recovery Consistency Objective (RCO)
D. A failure to meet the Recovery Point Objective (RPO)

Question 34

When evaluating remote access risk, which of the following is LEAST applicable to your analysis?

Options:

A. Logging of remote access authentication attempts
B. Limiting access by job role or business justification
C. Monitoring device activity usage volumes
D. Requiring application whitelisting

Question 35

For services with system-to-system access, which change management requirement MOST effectively reduces the risk of business disruption to the outsourcer?

Options:

A. Approval of the change by the information security department
B. Documenting sufficient time for quality assurance testing
C. Communicating the change to customers prior to deployment to enable external acceptance testing
D. Documenting and logging change approvals

Question 36

Which capability is LEAST likely to be included in the annual testing activities for Business Continuity or Disaster Recovery plans?

Options:

A. Plans to enable technology and business operations to be resumed at a back-up site
B. Process to validate that specific databases can be accessed by applications at the designated location
C. Ability for business personnel to perform their functions at an alternate work space location
D. Required participation by third party service providers in collaboration with industry exercises

Question 37

Which policy requirement is typically NOT defined in an Asset Management program?

Options:

A. The Policy states requirements for the reuse of physical media (e.g., devices, servers, disk drives, etc.)
B. The Policy requires that employees and contractors return all company data and assets upon termination of their employment, contract or agreement
C. The Policy defines requirements for the inventory, identification, and disposal of equipment and/or physical media
D. The Policy requires visitors (including other tenants and maintenance personnel) to sign in and sign out of the facility, and to be escorted at all times

Exam Code: CTPRP
Exam Name: Certified Third-Party Risk Professional (CTPRP)
Last Update: May 7, 2024
Questions: 125