Black Friday Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

ExamsBrite Dumps

Certified Third-Party Risk Professional (CTPRP) Question and Answers

Certified Third-Party Risk Professional (CTPRP)

Last Update Dec 2, 2024
Total Questions : 125

We are offering FREE CTPRP Shared Assessments exam questions. All you do is to just go and sign up. Give your details, prepare CTPRP free exam questions and then go for complete pool of Certified Third-Party Risk Professional (CTPRP) test questions that will help you more.

CTPRP pdf

CTPRP PDF

$36.75  $104.99
CTPRP Engine

CTPRP Testing Engine

$43.75  $124.99
CTPRP PDF + Engine

CTPRP PDF + Testing Engine

$57.75  $164.99
Questions 1

Which of the following changes to the production environment is typically NOT subject to the change control process?

Options:

A.  

Change in network

B.  

Change in systems

C.  

Change to administrator access

D.  

Update to application

Discussion 0
Questions 2

Which statement reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program?

Options:

A.  

The program includes the definition of internal escalation processes

B.  

The program includes protocols for disclosure of information to external parties

C.  

The program includes mechanisms for notification to clients

D.  

The program includes processes in support of disaster recovery

Discussion 0
Questions 3

Which statement is FALSE when describing the differences between security vulnerabilities and security defects?

Options:

A.  

A security defect is a security flaw identified in an application due to poor coding practices

B.  

Security defects should be treated as exploitable vulnerabilities

C.  

Security vulnerabilities and security defects are synonymous

D.  

A security defect can become a security vulnerability if undetected after migration into production

Discussion 0
Questions 4

Which type of contract termination is MOST likely to occur after failure to remediate assessment findings?

Options:

A.  

Regulatory/supervisory termination

B.  

Termination for convenience

C.  

Normal termination

D.  

Termination for cause

Discussion 0
Questions 5

The following statements reflect user obligations defined in end-user device policies

EXCEPT:

Options:

A.  

A statement specifying the owner of data on the end-user device

B.  

A statement that defines the process to remove all organizational data, settings and accounts alt offboarding

C.  

A statement detailing user responsibility in ensuring the security of the end-user device

D.  

A statement that specifies the ability to synchronize mobile device data with enterprise systems

Discussion 0
Questions 6

Which approach demonstrates GREATER maturity of physical security compliance?

Options:

A.  

Leveraging periodic reporting to schedule facility inspections based on reported events

B.  

Providing a checklist for self-assessment

C.  

Maintaining a standardized scheduled for confirming controls to defined standards

D.  

Conducting unannounced checks an an ac-hac basis

Discussion 0
Questions 7

When updating TPRM vendor classification requirements with a focus on availability, which

risk rating factors provide the greatest impact to the analysis?

Options:

A.  

Type of data by classification; volume of records included in data processing

B.  

Financial viability of the vendor; ability to meet performance metrics

C.  

Network connectivity; remote access to applications

D.  

impact on operations and end users; impact on revenue; impact on regulatory compliance

Discussion 0
Questions 8

Which of the following is typically NOT included within the scape of an organization's network access policy?

Options:

A.  

Firewall settings

B.  

Unauthorized device detection

C.  

Website privacy consent banners

D.  

Remote access

Discussion 0
Questions 9

The BEST way to manage Fourth-Nth Party risk is:

Options:

A.  

Include a provision in the vender contract requiring the vendor to provide notice and obtain written consent before outsourcing any service

B.  

Include a provision in the contract prohibiting the vendor from outsourcing any service which includes access to confidential data or systems

C.  

Incorporate notification and approval contract provisions for subcontracting that require evidence of due diligence as defined by a TPRM program

D.  

Require the vendor to maintain a cyber-insurance policy for any service that is outsourced which includes access to confidential data or systems

Discussion 0
Questions 10

At which level of reporting are changes in TPRM program metrics rare and exceptional?

Options:

A.  

Business unit

B.  

Executive management

C.  

Risk committee

D.  

Board of Directors

Discussion 0
Questions 11

When defining due diligence requirements for the set of vendors that host web applications which of the following is typically NOT part of evaluating the vendor's patch

management controls?

Options:

A.  

The capability of the vendor to apply priority patching of high-risk systems

B.  

Established procedures for testing of patches, service packs, and hot fixes prior to installation

C.  

A documented process to gain approvals for use of open source applications

D.  

The existence of a formal process for evaluation and prioritization of known vulnerabilities

Discussion 0
Questions 12

Which of the following is NOT an example of a type of application security testing?

Options:

A.  

Cookie consent scanning

B.  

Interactive testing

C.  

Static testing

D.  

Dynamic testing

Discussion 0
Questions 13

Which of the following actions is an early step when triggering an Information Security

Incident Response Program?

Options:

A.  

Implementing processes for emergency change control approvals

B.  

Requiring periodic changes to the vendor's contract for breach notification

C.  

Assessing the vendor's Business Impact Analysis (BIA) for resuming operations

D.  

Initiating an investigation of the unauthorized disclosure of data

Discussion 0
Questions 14

Upon completion of a third party assessment, a meeting should be scheduled with which

of the following resources prior to sharing findings with the vendor/service provider to

approve remediation plans:

Options:

A.  

CISO/CIO

B.  

Business Unit Relationship Owner

C.  

internal Audit

D.  

C&O

Discussion 0
Questions 15

Which of the following BEST reflects components of an environmental controls testing program?

Options:

A.  

Scheduling testing of building access and intrusion systems

B.  

Remote monitoring of HVAC, Smoke, Fire, Water or Power

C.  

Auditing the CCTV backup process and card-key access process

D.  

Conducting periodic reviews of personnel access controls and building intrusion systems

Discussion 0
Questions 16

Which statement BEST represents the roles and responsibilities for managing corrective actions upon completion of an onsite or virtual assessment?

Options:

A.  

All findings and remediation plans should be reviewed with internal audit prior to issuing the assessment report

B.  

All findings and remediation plans should be reviewed with the vendor prior to sharing results with the line of business

C.  

All findings and need for remediation should be reviewed with the line of business for risk acceptance prior to sharing the remediation plan with the vendor

D.  

All findings should be shared with the vendor as quickly as possible so that remediation steps can be taken as quickly as possible

Discussion 0
Questions 17

Which statement is TRUE regarding defining vendor classification or risk tiering in a TPRM program?

Options:

A.  

Vendor classification and risk tiers are based upon residual risk calculations

B.  

Vendor classification and risk tiering should only be used for critical third party relationships

C.  

Vendor classification and corresponding risk tiers utilize the same due diligence standards for controls evaluation based upon policy

D.  

Vendor classification and risk tier is determined by calculating the inherent risk associated with outsourcing a specific product or service

Discussion 0
Questions 18

Which of the following BEST reflects the risk of a ‘shadow IT" function?

Options:

A.  

“Shadow IT" functions often fail to detect unauthorized use of information assets

B.  

“Shadow IT" functions often lack governance and security oversight

C.  

inability to prevent "shadow IT’ functions from using unauthorized software solutions

D.  

Failure to implement strong security controls because IT is executed remotely

Discussion 0
Questions 19

An IT change management approval process includes all of the following components EXCEPT:

Options:

A.  

Application version control standards for software release updates

B.  

Documented audit trail for all emergency changes

C.  

Defined roles between business and IT functions

D.  

Guidelines that restrict approval of changes to only authorized personnel

Discussion 0
Questions 20

What attribute is MOST likely to be included in the software development lifecycle (SDLC) process?

Options:

A.  

Scheduling the frequency of automated vulnerability scans

B.  

Scanning for data input validation in production

C.  

Conducting peer code reviews

D.  

Defining the scope of annual penetration tests

Discussion 0
Questions 21

Which example BEST represents the set of restrictive areas that require an additional authentication factor for access control?

Options:

A.  

Datacenters; telecom rooms; server rooms; exterior building entrance

B.  

Datacenters; telecom rooms; security operations centers; loading docks

C.  

Telecom rooms; parking garage; security operations centers; exterior building entrance

D.  

Exterior building entrance; datacenters; telecom rooms; printer rooms

Discussion 0
Questions 22

Which of the following data types would be classified as low risk data?

Options:

A.  

Sanitized customer data used for aggregated profiling

B.  

Non personally identifiable, but sensitive to an organizations significant process

C.  

Government-issued number, credit card number or bank account information

D.  

Personally identifiable data but stored in a test environment cloud container

Discussion 0
Questions 23

Which approach for managing end-user device security is typically used for lost or stolen company-owned devices?

Options:

A.  

Remotely enable lost mode status on the device

B.  

Deletion of data after a pre-defined number of failed login attempts

C.  

Enterprise wipe of all company data and contacts

D.  

Remote wipe of the device and restore to factory settings

Discussion 0
Questions 24

Tracking breach, credential exposure and insider fraud/theft alerts is an example of which continuous monitoring technique?

Options:

A.  

Monitoring surface

B.  

Vulnerabilities

C.  

Passive and active indicators of compromise

D.  

Business intelligence

Discussion 0
Questions 25

Which statement BEST represents the primary objective of a third party risk assessment:

Options:

A.  

To assess the appropriateness of non-disclosure agreements regarding the organization's systems/data

B.  

To validate that the vendor/service provider has adequate controls in place based on the organization's risk posture

C.  

To determine the scope of the business relationship

D.  

To evaluate the risk posture of all vendors/service providers in the vendor inventory

Discussion 0
Questions 26

When defining third party requirements for transmitting Pll, which factors provide stranger controls?

Options:

A.  

Full disk encryption and backup

B.  

Available bandwidth and redundancy

C.  

Strength of encryption cipher and authentication method

D.  

Logging and monitoring

Discussion 0
Questions 27

Which example of analyzing a vendor's response should trigger further investigation of their information security policies?

Options:

A.  

Determination that the security policies include contract or temporary workers

B.  

Determination that the security policies do not specify any requirements for third party governance and oversight

C.  

Determination that the security policies are approved by management and available to constituents including employees and contract workers

D.  

Determination that the security policies are communicated to constituents including full and part-time employees

Discussion 0
Questions 28

Which factor in patch management is MOST important when conducting postcybersecurity incident analysis related to systems and applications?

Options:

A.  

Configuration

B.  

Log retention

C.  

Approvals

D.  

Testing

Discussion 0
Questions 29

Which example of a response to external environmental factors is LEAST likely to be managed directly within the BCP or IT DR plan?

Options:

A.  

Protocols for social media channels and PR communication

B.  

Response to a natural or man-made disruption

C.  

Dependency on key employee or supplier issues

D.  

Response to a large scale illness or health outbreak

Discussion 0
Questions 30

Which action statement BEST describes an assessor calculating residual risk?

Options:

A.  

The assessor adjusts the vendor risk rating prior to reporting the findings to the business unit

B.  

The assessor adjusts the vendor risk rating based on changes to the risk level after analyzing the findings and mitigating controls

C.  

The business unit closes out the finding prior to the assessor submitting the final report

D.  

The assessor recommends implementing continuous monitoring for the next 18 months

Discussion 0
Questions 31

Minimum risk assessment standards for third party due diligence should be:

Options:

A.  

Set by each business unit based on the number of vendors to be assessed

B.  

Defined in the vendor/service provider contract or statement of work

C.  

Established by the TPRM program based on the company’s risk tolerance and risk appetite

D.  

Identified by procurement and required for all vendors and suppliers

Discussion 0
Questions 32

Data loss prevention in endpoint security is the strategy for:

Options:

A.  

Assuring there are adequate data backups in the event of a disaster

B.  

Preventing exfiltration of confidential information by users who access company systems

C.  

Enabling high-availability to prevent data transactions from loss

D.  

Preventing malware from entering secure systems used for processing confidential information

Discussion 0
Questions 33

Which example is typically NOT included in a Business Impact Analysis (BIA)?

Options:

A.  

Including any contractual or legal/regulatory requirements

B.  

Prioritization of business functions and processes

C.  

Identifying the criticality of applications

D.  

Requiring vendor participation in testing

Discussion 0
Questions 34

Which of the following factors is LEAST likely to trigger notification obligations in incident response?

Options:

A.  

Regulatory requirements

B.  

Data classification or sensitivity

C.  

Encryption of data

D.  

Contractual terms

Discussion 0
Questions 35

When measuring the operational performance of implementing a TPRM program, which example is MOST likely to provide meaningful metrics?

Options:

A.  

logging the number of exceptions to existing due diligence standards

B.  

Measuring the time spent by resources for task and corrective action plan completion

C.  

Calculating the average time to remediate identified corrective actions

D.  

Tracking the number of outstanding findings

Discussion 0
Questions 36

Select the risk type that is defined as: “A third party may not be able to meet its obligations due to inadequate systems or processes”.

Options:

A.  

Reliability risk

B.  

Performance risk

C.  

Competency risk

D.  

Availability risk

Discussion 0
Questions 37

Which of the following is NOT a key component of TPRM requirements in the software development life cycle (SDLC)?

Options:

A.  

Maintenance of artifacts that provide proof that SOLC gates are executed

B.  

Process for data destruction and disposal

C.  

Software security testing

D.  

Process for fixing security defects

Discussion 0