A.  

Change in network

B.  

Change in systems

C.  

Change to administrator access

D.  

Update to application

A.  

The program includes the definition of internal escalation processes

B.  

The program includes protocols for disclosure of information to external parties

C.  

The program includes mechanisms for notification to clients

D.  

The program includes processes in support of disaster recovery

A.  

A security defect is a security flaw identified in an application due to poor coding practices

B.  

Security defects should be treated as exploitable vulnerabilities

C.  

Security vulnerabilities and security defects are synonymous

D.  

A security defect can become a security vulnerability if undetected after migration into production

A.  

Regulatory/supervisory termination

B.  

Termination for convenience

C.  

Normal termination

D.  

Termination for cause

A.  

A statement specifying the owner of data on the end-user device

B.  

A statement that defines the process to remove all organizational data, settings and accounts alt offboarding

C.  

A statement detailing user responsibility in ensuring the security of the end-user device

D.  

A statement that specifies the ability to synchronize mobile device data with enterprise systems

A.  

Leveraging periodic reporting to schedule facility inspections based on reported events

B.  

Providing a checklist for self-assessment

C.  

Maintaining a standardized scheduled for confirming controls to defined standards

D.  

Conducting unannounced checks an an ac-hac basis

A.  

Type of data by classification; volume of records included in data processing

B.  

Financial viability of the vendor; ability to meet performance metrics

C.  

Network connectivity; remote access to applications

D.  

impact on operations and end users; impact on revenue; impact on regulatory compliance

A.  

Firewall settings

B.  

Unauthorized device detection

C.  

Website privacy consent banners

D.  

Remote access

A.  

Include a provision in the vender contract requiring the vendor to provide notice and obtain written consent before outsourcing any service

B.  

Include a provision in the contract prohibiting the vendor from outsourcing any service which includes access to confidential data or systems

C.  

Incorporate notification and approval contract provisions for subcontracting that require evidence of due diligence as defined by a TPRM program

D.  

Require the vendor to maintain a cyber-insurance policy for any service that is outsourced which includes access to confidential data or systems

A.  

Business unit

B.  

Executive management

C.  

Risk committee

D.  

Board of Directors

A.  

The capability of the vendor to apply priority patching of high-risk systems

B.  

Established procedures for testing of patches, service packs, and hot fixes prior to installation

C.  

A documented process to gain approvals for use of open source applications

D.  

The existence of a formal process for evaluation and prioritization of known vulnerabilities

A.  

Cookie consent scanning

B.  

Interactive testing

C.  

Static testing

D.  

Dynamic testing

A.  

Implementing processes for emergency change control approvals

B.  

Requiring periodic changes to the vendor's contract for breach notification

C.  

Assessing the vendor's Business Impact Analysis (BIA) for resuming operations

D.  

Initiating an investigation of the unauthorized disclosure of data

A.  

CISO/CIO

B.  

Business Unit Relationship Owner

C.  

internal Audit

D.  

C&O

A.  

Scheduling testing of building access and intrusion systems

B.  

Remote monitoring of HVAC, Smoke, Fire, Water or Power

C.  

Auditing the CCTV backup process and card-key access process

D.  

Conducting periodic reviews of personnel access controls and building intrusion systems

A.  

All findings and remediation plans should be reviewed with internal audit prior to issuing the assessment report

B.  

All findings and remediation plans should be reviewed with the vendor prior to sharing results with the line of business

C.  

All findings and need for remediation should be reviewed with the line of business for risk acceptance prior to sharing the remediation plan with the vendor

D.  

All findings should be shared with the vendor as quickly as possible so that remediation steps can be taken as quickly as possible

A.  

Vendor classification and risk tiers are based upon residual risk calculations

B.  

Vendor classification and risk tiering should only be used for critical third party relationships

C.  

Vendor classification and corresponding risk tiers utilize the same due diligence standards for controls evaluation based upon policy

D.  

Vendor classification and risk tier is determined by calculating the inherent risk associated with outsourcing a specific product or service

A.  

“Shadow IT" functions often fail to detect unauthorized use of information assets

B.  

“Shadow IT" functions often lack governance and security oversight

C.  

inability to prevent "shadow IT’ functions from using unauthorized software solutions

D.  

Failure to implement strong security controls because IT is executed remotely

A.  

Application version control standards for software release updates

B.  

Documented audit trail for all emergency changes

C.  

Defined roles between business and IT functions

D.  

Guidelines that restrict approval of changes to only authorized personnel

A.  

Scheduling the frequency of automated vulnerability scans

B.  

Scanning for data input validation in production

C.  

Conducting peer code reviews

D.  

Defining the scope of annual penetration tests

A.  

Datacenters; telecom rooms; server rooms; exterior building entrance

B.  

Datacenters; telecom rooms; security operations centers; loading docks

C.  

Telecom rooms; parking garage; security operations centers; exterior building entrance

D.  

Exterior building entrance; datacenters; telecom rooms; printer rooms

A.  

Sanitized customer data used for aggregated profiling

B.  

Non personally identifiable, but sensitive to an organizations significant process

C.  

Government-issued number, credit card number or bank account information

D.  

Personally identifiable data but stored in a test environment cloud container

A.  

Remotely enable lost mode status on the device

B.  

Deletion of data after a pre-defined number of failed login attempts

C.  

Enterprise wipe of all company data and contacts

D.  

Remote wipe of the device and restore to factory settings

A.  

Monitoring surface

B.  

Vulnerabilities

C.  

Passive and active indicators of compromise

D.  

Business intelligence

A.  

To assess the appropriateness of non-disclosure agreements regarding the organization's systems/data

B.  

To validate that the vendor/service provider has adequate controls in place based on the organization's risk posture

C.  

To determine the scope of the business relationship

D.  

To evaluate the risk posture of all vendors/service providers in the vendor inventory

A.  

Full disk encryption and backup

B.  

Available bandwidth and redundancy

C.  

Strength of encryption cipher and authentication method

D.  

Logging and monitoring

A.  

Determination that the security policies include contract or temporary workers

B.  

Determination that the security policies do not specify any requirements for third party governance and oversight

C.  

Determination that the security policies are approved by management and available to constituents including employees and contract workers

D.  

Determination that the security policies are communicated to constituents including full and part-time employees

A.  

Configuration

B.  

Log retention

C.  

Approvals

D.  

Testing

A.  

Protocols for social media channels and PR communication

B.  

Response to a natural or man-made disruption

C.  

Dependency on key employee or supplier issues

D.  

Response to a large scale illness or health outbreak

A.  

The assessor adjusts the vendor risk rating prior to reporting the findings to the business unit

B.  

The assessor adjusts the vendor risk rating based on changes to the risk level after analyzing the findings and mitigating controls

C.  

The business unit closes out the finding prior to the assessor submitting the final report

D.  

The assessor recommends implementing continuous monitoring for the next 18 months

A.  

Set by each business unit based on the number of vendors to be assessed

B.  

Defined in the vendor/service provider contract or statement of work

C.  

Established by the TPRM program based on the company’s risk tolerance and risk appetite

D.  

Identified by procurement and required for all vendors and suppliers

A.  

Assuring there are adequate data backups in the event of a disaster

B.  

Preventing exfiltration of confidential information by users who access company systems

C.  

Enabling high-availability to prevent data transactions from loss

D.  

Preventing malware from entering secure systems used for processing confidential information

A.  

Including any contractual or legal/regulatory requirements

B.  

Prioritization of business functions and processes

C.  

Identifying the criticality of applications

D.  

Requiring vendor participation in testing

A.  

Regulatory requirements

B.  

Data classification or sensitivity

C.  

Encryption of data

D.  

Contractual terms

A.  

logging the number of exceptions to existing due diligence standards

B.  

Measuring the time spent by resources for task and corrective action plan completion

C.  

Calculating the average time to remediate identified corrective actions

D.  

Tracking the number of outstanding findings

A.  

Reliability risk

B.  

Performance risk

C.  

Competency risk

D.  

Availability risk

A.  

Maintenance of artifacts that provide proof that SOLC gates are executed

B.  

Process for data destruction and disposal

C.  

Software security testing

D.  

Process for fixing security defects