
CTPRP Questions and Answers

Question # 6

Upon completion of a third party assessment, a meeting should be scheduled with which of the following resources prior to sharing findings with the vendor/service provider to approve remediation plans:

A. CISO/CIO
B. Business Unit Relationship Owner
C. Internal Audit
D. C&O

Question # 7

For services with system-to-system access, which change management requirement MOST effectively reduces the risk of business disruption to the outsourcer?

A. Approval of the change by the information security department
B. Documenting sufficient time for quality assurance testing
C. Communicating the change to customers prior to deployment to enable external acceptance testing
D. Documenting and logging change approvals

Question # 8

When measuring the operational performance of implementing a TPRM program, which example is MOST likely to provide meaningful metrics?

A. Logging the number of exceptions to existing due diligence standards
B. Measuring the time spent by resources for task and corrective action plan completion
C. Calculating the average time to remediate identified corrective actions
D. Tracking the number of outstanding findings

Question # 9

Which statement BEST describes the methods of performing due diligence during third party risk assessments?

A. Inspecting physical and environmental security controls by conducting a facility tour
B. Reviewing status of findings from the questionnaire and defining remediation plans
C. Interviewing subject matter experts or control owners, reviewing compliance artifacts, and validating controls
D. Reviewing and assessing only the obligations that are specifically defined in the contract

Question # 10

In which phase of the TPRM lifecycle should terms for return or destruction of data be defined and agreed upon?

A. During contract negotiation
B. At third party selection and initial due diligence
C. When deploying ongoing monitoring
D. At termination and exit

Question # 11

Which of the following statements is FALSE regarding a virtual assessment:

A. Virtual assessment agendas and planning should identify who should be available for interviews
B. Virtual assessment planning should identify what documentation is available for review prior to and during the assessment
C. Virtual assessments should be used to validate or confirm understanding of key controls, and not be used simply to review questionnaire responses
D. Virtual assessments include using interviews with subject matter experts since controls evaluation and testing cannot be performed virtually

Question # 12

Which of the following is a component of evaluating a third party's use of Remote Access within their information security policy?

A. Maintaining blocked IP address ranges
B. Reviewing the testing and deployment procedures for networking components
C. Providing guidelines for configuring ports on a router
D. Identifying the use of multifactor authentication

Question # 13

Which of the following factors is MOST important when assessing the risk of shadow IT in organizational security?

A. The organization maintains adequate policies and procedures that communicate required controls for security functions
B. The organization requires security training and certification for security personnel
C. The organization defines staffing levels to address the impact of any turnover in security roles
D. The organization's resources and investment are sufficient to meet security requirements

Question # 14

A visual representation of locations, users, systems and transfer of personal information between outsourcers and third parties is defined as:

A. Configuration standard
B. Audit log report
C. Network diagram
D. Data flow diagram

Question # 15

Which cloud deployment model is primarily focused on the application layer?

A. Infrastructure as a Service
B. Software as a Service
C. Function as a Service
D. Platform as a Service

Question # 16

What attribute is MOST likely to be included in the software development lifecycle (SDLC) process?

A. Scheduling the frequency of automated vulnerability scans
B. Scanning for data input validation in production
C. Conducting peer code reviews
D. Defining the scope of annual penetration tests

Question # 17

At which level of reporting are changes in TPRM program metrics rare and exceptional?

A. Business unit
B. Executive management
C. Risk committee
D. Board of Directors

Question # 18

Which of the following is NOT a key component of TPRM requirements in the software development life cycle (SDLC)?

A. Maintenance of artifacts that provide proof that SDLC gates are executed
B. Process for data destruction and disposal
C. Software security testing
D. Process for fixing security defects

Question # 19

Which requirement is the MOST important for managing risk when the vendor contract terminates?

A. The responsibility to perform a financial review of outstanding invoices
B. The commitment to perform a final assessment based upon due diligence standards
C. The requirement to ensure secure data destruction and asset return
D. The obligation to define contract terms for transition services

Question # 20

You are reviewing assessment results of workstation and endpoint security. Which result should trigger more investigation due to greater risk potential?

A. Use of multi-tenant laptops
B. Disabled printing and USB devices
C. Use of desktop virtualization
D. Disabled or blocked access to the internet

Question # 21

Which statement is TRUE regarding a vendor's approach to Environmental, Social, and Governance (ESG) programs?

A. ESG expectations are driven by a company's executive team for internal commitments and not external entities
B. ESG requirements and programs may be directed by regulatory obligations or in response to company commitments
C. ESG commitments can only be measured qualitatively, so they cannot be included in vendor due diligence standards
D. ESG obligations only apply to a company with publicly traded stocks

Question # 22

Which statement is TRUE regarding the use of questionnaires in third party risk assessments?

A. The total number of questions included in the questionnaire assigns the risk tier
B. Questionnaires are optional since reliance on contract terms is a sufficient control
C. Assessment questionnaires should be configured based on the risk rating and type of service being evaluated
D. All topic areas included in the questionnaire require validation during the assessment

Question # 23

Which of the following statements BEST represents the relationship between incident response and incident notification plans?

A. Cybersecurity incident response programs have the same scope and objectives as privacy incident notification procedures
B. All privacy and security incidents should be treated alike until analysis is performed to quantify the number of records impacted
C. Security incident response management is only included in crisis communication for externally reported events
D. A security incident may become a security breach based upon analysis and trigger the organization's incident notification or crisis communication process

Question # 24

Which statement is NOT an example of the purpose of internal communications and information sharing using TPRM performance metrics?

A. To communicate the status of findings identified in vendor assessments and escalate issues as needed
B. To communicate the status of policy compliance with TPRM onboarding, periodic assessment and off-boarding requirements
C. To document the agreed upon corrective action plan between external parties based on the severity of findings
D. To develop and provide periodic reporting to management based on TPRM results

Question # 25

Which of the following actions reflects the first step in developing an emergency response plan?

A. Conduct an assessment that includes an inventory of the types of events that have the greatest potential to trigger an emergency response plan
B. Consider work-from-home parameters in the emergency response plan
C. Incorporate periodic crisis management team tabletop exercises to test different scenarios
D. Use the results of continuous monitoring tools to develop the emergency response plan

Question # 26

Which risk treatment approach typically requires a negotiation of contract terms between parties?

A. Monitor the risk
B. Mitigate the risk
C. Accept the risk
D. Transfer the risk

Question # 27

When defining due diligence requirements for the set of vendors that host web applications, which of the following is typically NOT part of evaluating the vendor's patch management controls?

A. The capability of the vendor to apply priority patching of high-risk systems
B. Established procedures for testing of patches, service packs, and hot fixes prior to installation
C. A documented process to gain approvals for use of open source applications
D. The existence of a formal process for evaluation and prioritization of known vulnerabilities

Question # 28

Which statement is NOT a method of securing web applications?

A. Ensure appropriate logging and review of access and events
B. Conduct periodic penetration tests
C. Adhere to web content accessibility guidelines
D. Include validation checks in the SDLC for cross-site scripting and SQL injection

Question # 29

Which set of procedures is typically NOT addressed within data privacy policies?

A. Procedures to limit access and disclosure of personal information to third parties
B. Procedures for handling data access requests from individuals
C. Procedures for configuration settings in identity access management
D. Procedures for incident reporting and notification

Question # 30

Which of the following BEST reflects the risk of a "shadow IT" function?

A. "Shadow IT" functions often fail to detect unauthorized use of information assets
B. "Shadow IT" functions often lack governance and security oversight
C. Inability to prevent "shadow IT" functions from using unauthorized software solutions
D. Failure to implement strong security controls because IT is executed remotely

Question # 31

Which type of contract provision is MOST important in managing Fourth-Nth party risk after contract signing and on-boarding due diligence is complete?

A. Subcontractor notice and approval
B. Indemnification and liability
C. Breach notification
D. Right to audit

Question # 32

Which of the following components are typically NOT part of a cloud hosting vendor assessment program?

A. Reviewing the entity's image snapshot approval and management process
B. Requiring security services documentation and audit attestation reports
C. Requiring compliance evidence that provides the definition of patching responsibilities
D. Conducting customer performed penetration tests

Question # 33

Which statement is FALSE regarding background check requirements for vendors or service providers?

A. Background check requirements are not applicable for vendors or service providers based outside the United States
B. Background checks should be performed prior to employment and may be updated after employment based upon criteria in HR policies
C. Background check requirements should be applied to employees, contract workers and temporary workers
D. Background check requirements may differ based on level of authority, risk, or job role

Question # 34

Which of the following changes to the production environment is typically NOT subject to the change control process?

A. Change in network
B. Change in systems
C. Change to administrator access
D. Update to application

Question # 35

Once a vendor questionnaire is received from a vendor, what is the MOST important next step when evaluating the responses?

A. Document your analysis and provide confirmation to the business unit regarding receipt of the questionnaire
B. Update the vendor risk registry and vendor inventory with the results in order to complete the assessment
C. Calculate the total number of findings to rate the effectiveness of the vendor response
D. Analyze the responses to identify adverse or high priority responses to prioritize controls that should be tested

Question # 36

Which approach for managing end-user device security is typically used for lost or stolen company-owned devices?

A. Remotely enable lost mode status on the device
B. Deletion of data after a pre-defined number of failed login attempts
C. Enterprise wipe of all company data and contacts
D. Remote wipe of the device and restore to factory settings

Question # 37

Which of the following indicators is LEAST likely to trigger a reassessment of an existing vendor?

A. Change in vendor location or use of new fourth parties
B. Change in scope of existing work (e.g., new data or system access)
C. Change in regulation that impacts service provider requirements
D. Change at outsourcer due to M&A
