Shared Assessments CTPRP Certified Third-Party Risk Professional (CTPRP) Exam Practice Test

The contract is not the only enforceable control to stipulate third party service provider obligations for DR/BCP, nor are both programs necessarily triggered by the pandemic. According to the Shared Assessments Program, third party risk management (TPRM) is a continuous process that requires ongoing monitoring and assessment of third parties’ performance, compliance, and resilience. Therefore, the contract should be complemented by other controls, such as due diligence, audits, reviews, and reporting, to ensure that third parties meet the organization’s expectations and standards for DR/BCP. Moreover, DR/BCP are not only relevant for pandemic scenarios, but also for other types of disasters, such as natural disasters, cyberattacks, power outages, or human errors. Therefore, the contract should reflect the organization’s risk appetite and tolerance for different types of disruptions and scenarios, and not be limited to pandemic-related events. 

A well-defined third party risk management program does not require conducting onsite or virtual assessments for all third parties, as this would be impractical, costly, and inefficient. Instead, a TPRM program should adopt a risk-based approach to determine the frequency, scope, and depth of assessments based on the inherent and residual risks posed by each third party. This means that some third parties may require more frequent and comprehensive assessments than others, depending on factors such as the nature, scope, and criticality of their services, the sensitivity and volume of data they access or process, the regulatory and contractual obligations they must comply with, and the results of previous assessments and monitoring activities. A risk-based approach to assessments allows an organization to allocate its resources and efforts more effectively and efficiently, while also ensuring that the most significant risks are adequately addressed and mitigated. References:

• Shared Assessments, CTPRP Job Guide, page 9: “The frequency, scope, and depth of assessments should be determined by the inherent and residual risks posed by each third party.”
• OneTrust, [What is Third-Party Risk Management?]: “A risk-based approach to third-party risk management means that you prioritize your efforts and resources based on the level of risk each vendor poses to your organization.”
• [Deloitte], [Third Party Risk Management: Managing Risk]: “A risk-based approach to third-party risk management helps organizations prioritize their efforts and resources based on the level of risk each third party poses to the organization.”

A Zero Trust approach to access management is based on the principle of verifying every access request as if it originates from an open network, regardless of the source, destination, or context. This means that no implicit trust is granted based on network location, user identity, or device status. Instead, every access request is evaluated based on multiple factors, such as user credentials, device health, data sensitivity, and threat intelligence. A Zero Trust approach also requires that all communication is encrypted and protected, and that access is granted on a per session basis with the least privilege principle123.

Utilizing a solution that allows direct access by third parties to the organization’s network does not reflect a Zero Trust approach, because it implies that the network perimeter is a reliable boundary for security and trust. This assumption is risky, because it exposes the organization to potential breaches and attacks from compromised or malicious third parties, who may have access to sensitive data and resources without proper verification or protection. A Zero Trust approach would require that third parties use secure and isolated channels to access the organization’s network, such as VPNs, proxies, or gateways, and that their access is monitored and controlled based on granular policies and conditions123. References:

• Zero Trust part 1: Identity and access management
• Zero Trust Model - Modern Security Architecture | Microsoft Security
• Zero Trust identity and access management development best practices …

 The three lines of defense model is a way of explaining the relationship between functions and roles of risk management and control in an organization. It involves the first line of defense (owning and managing risks), the second line of defense (overseeing or specialising in risk), and the third line of defense (providing independent assurance)1. The third line of defense is typically the internal audit function, which provides objective and independent assurance to the governing body, management, regulators, and external auditors that the control culture across the organization is effective in its design and operation2. The third line of defense must have independence from the business unit, meaning that it is not involved in the execution of business activities or the design and implementation of controls, and that it reports to the highest level of governance, such as the board or the audit committee3. The third line of defense is not limited to an external assessment firm, although external assurance providers may complement or supplement the work of the internal audit function2. References:

• 1: Internal audit: three lines of defence model explained | ICAS
• 2: Modernizing The Three Lines of Defense Model | Deloitte US
• 3: THE IIA S THREE LINES MODEL

Termination for cause is the type of contract termination that is most likely to occur after failure to remediate assessment findings. This is because termination for cause is based on a breach of contract by the third-party, such as non-compliance, poor performance, fraud, or misconduct. Failure to remediate assessment findings indicates that the third-party has not met the contractual obligations or expectations of the entity, and thus exposes the entity to increased risk and liability. Termination for cause allows the entity to end the contract immediately or after a notice period, and to seek damages or remedies from the third-party. Termination for cause is different from other types of contract termination, such as:

• Regulatory/supervisory termination, which is triggered by a change in law or regulation that affects the legality or feasibility of the contract.
• Termination for convenience, which is exercised by the entity without any fault or breach by the third-party, usually for strategic or operational reasons.
• Normal termination, which is the natural expiration of the contract term or the completion of the contract scope. References:
• Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide1
• Fusion Risk Management. (2021). Exit Strategy for Terminating a Third Party2
• Volkov, M. (2016). Third-Party Risk Management – Part 2: Contract Termination3

Application version control standards for software release updates are not part of the IT change management approval process, but rather a technical aspect of the software development lifecycle. The IT change management approval process is a formal and structured way of evaluating, authorizing and scheduling changes to IT systems and infrastructure, based on predefined criteria and roles. The IT change management approval process typically includes the following components123:

• A change request form that captures the details, rationale, impact, risk and benefits of the proposed change
• A change approval board (CAB) or other authorized approvers who review and approve or reject the change request based on the business case, feasibility and alignment with the organization’s objectives and policies
• A documented audit trail for all changes, especially emergency changes, that records the date, time, reason, approver and outcome of each change
• A defined roles and responsibilities matrix that clarifies the expectations and accountabilities of each stakeholder involved in the change management process, such as the change manager, change owner, change coordinator, change implementer and change requester
• A set of guidelines that restrict the approval of changes to only authorized personnel who have the appropriate knowledge, skills and authority to make decisions about the changes References:
• 1: Change Approval Process in ITIL Change Management
• 2: Guide to the IT Change Requests Approval Process
• 3: Overview of the change management approval process

Multi-factor authentication (MFA) is an electronic authentication method that requires a user to present two or more pieces of evidence (or factors) to an authentication mechanism. The factors can be something the user knows (such as a password or a PIN), something the user has (such as a smartphone or a security token), or something the user is (such as a fingerprint or a facial recognition). MFA enhances the security of online accounts and applications by making it harder for attackers to gain access with stolen or guessed credentials. MFA is recommended as a best practice for third-party risk management, as it can reduce the risk of unauthorized access, data breaches, and identity theft. MFA is also a requirement for some regulatory standards and frameworks, such as PCI DSS, HIPAA, and NIST 800-63. References:

• What is: Multifactor Authentication
• Set up your Microsoft 365 sign-in for multi-factor authentication
• Multi-factor authentication - Wikipedia
• Shared Assessments CTPRP Study Guide, page 19
• Shared Assessments CTPRP Job Guide, page 14
• Best Practices Guidance for Third Party Risk, page 9

  Performance risk, defined as the risk that a third party may not be able to meet its obligations due to inadequate systems or processes, accurately describes the situation. This type of risk involves concerns about the third party's ability to deliver services or products at the required performance level, potentially due to limitations in their technology infrastructure, operational procedures, or management practices. Identifying and managing performance risk is essential in Third-Party Risk Management (TPRM) to ensure that third-party vendors can reliably meet contractual and service-level agreements, thereby minimizing the impact on the organization's operations and service delivery.

References:

• TPRM guidelines, such as those from the Office of the Comptroller of the Currency (OCC) and the Federal Financial Institutions Examination Council (FFIEC), highlight the importance of assessing and managing performance risks associated with third-party relationships.
• The "Third-Party Risk Management Guide" by ISACA discusses various types of risks, including performance risk, associated with engaging third-party service providers, emphasizing the need for thorough due diligence and ongoing monitoring.

For services with system-to-system access, ensuring sufficient time for quality assurance (QA) testing before implementing changes is crucial to reducing the risk of business disruption to the outsourcer. This requirement ensures that any modifications to the system are thoroughly vetted for potential issues that could impact the outsourcer's operations. QA testing allows for the identification and remediation of bugs, compatibility issues, and other potential problems that could lead to operational disruptions or security vulnerabilities. By allocating adequate time for QA testing, organizations can ensure that changes are fully functional and secure, thereby maintaining the integrity and availability of services provided to the outsourcer. This practice is aligned with industry standards for change management, which advocate for comprehensive testing and validation processes to ensure the reliability and stability of system changes.

References:

• Industry standards such as ITIL (Information Technology Infrastructure Library) emphasize the importance of thorough testing and validation within the change management process to minimize the risk of disruptions and ensure the smooth operation of services.
• Guides like "Managing Change in IT Outsourcing Arrangements: The TPRM Perspective" provide insights into best practices for change management in third-party relationships, including the critical role of QA testing in mitigating risks associated with system changes.

The purpose of internal communications and information sharing using TPRM performance metrics is to inform and align the organization’s stakeholders on the status, progress, and outcomes of the TPRM program. This includes communicating the results of vendor assessments, the compliance level of the organization’s policies and procedures, and the periodic reporting to management and other relevant parties. However, documenting the corrective action plan between external parties is not an internal communication, but rather an external one. This is because the corrective action plan is a formal agreement between the organization and the vendor to address and resolve the issues identified in the assessment. Therefore, this statement is not an example of the purpose of internal communications and information sharing using TPRM performance metrics. References:

• 15 KPIs & Metrics to Measure the Success of Your TPRM Program
• Third-party risk management metrics: Best practices to enhance your program
• 3 Best Third-Party Risk Management Software Solutions (2024)

In the ‘Defense in Depth’ security model, the innermost layer typically focuses on protecting the most sensitive and critical assets, which are often categorized as 'Private internal'. This layer includes security controls and measures that are designed to safeguard the core, confidential aspects of an organization's infrastructure and data. It encompasses controls such as access controls, encryption, and monitoring of sensitive systems and data to prevent unauthorized access and ensure data integrity and confidentiality. The 'Private internal' layer is crucial for maintaining the security of critical information and systems that are essential to the organization's operations and could have the most significant impact if compromised. Implementing robust security measures at this layer is vital for mitigating risks associated with physical access to critical infrastructure and sensitive information.

References:

• Security frameworks and standards, including NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and the SANS Institute's guidelines on implementing 'Defense in Depth', provide detailed recommendations on securing the innermost layers of an organization's information systems.
• Publications such as "Physical Security Principles" by ASIS International offer insights into best practices for securing the private internal layer, including access control systems, surveillance, and intrusion detection mechanisms.

Personally identifiable information (PII) is any data that can be used to identify, contact, or locate an individual, such as name, address, email, phone number, social security number, etc. PII is subject to various legal and regulatory requirements, such as the GDPR, HIPAA, PCI DSS, and others, depending on the industry and jurisdiction. PII also poses significant security and privacy risks, as it can be exploited by malicious actors for identity theft, fraud, phishing, or other cyberattacks. Therefore, organizations that collect, store, process, or transmit PII must implement appropriate safeguards to protect it from unauthorized access, disclosure, modification, or loss.

One of the key safeguards for PII protection is encryption, which is the process of transforming data into an unreadable format using a secret key. Encryption ensures that only authorized parties who have the key can access the original data. Encryption can be applied to data at rest (stored on a device or a server) or data in transit (moving across a network or the internet). Encryption can also be symmetric (using the same key for encryption and decryption) or asymmetric (using a public key for encryption and a private key for decryption).

Another key safeguard for PII protection is authentication, which is the process of verifying the identity of a user or a system that requests access to data. Authentication ensures that only legitimate and authorized parties can access the data. Authentication can be based on something the user knows (such as a password or a PIN), something the user has (such as a token or a smart card), something the user is (such as a fingerprint or a face scan), or a combination of these factors. Authentication can also be enhanced by using additional methods, such as one-time passwords, challenge-response questions, or multi-factor authentication.

When defining third party requirements for transmitting PII, the factors that provide stronger controls are the strength of encryption cipher and authentication method. These factors determine how secure and reliable the data transmission is, and how resistant it is to potential attacks or breaches. The strength of encryption cipher refers to the algorithm and the key size used to encrypt the data. The stronger the cipher, the more difficult it is to break or crack the encryption. The strength of authentication method refers to the type and the number of factors used to verify the identity of the user or the system. The stronger the authentication method, the more difficult it is to impersonate or compromise the user or the system.

The other factors, such as full disk encryption and backup, available bandwidth and redundancy, and logging and monitoring, are also important for PII protection, but they do not directly affect the data transmission process. Full disk encryption and backup are relevant for data at rest, not data in transit. They provide protection in case of device theft, loss, or damage, but they do not prevent data interception or modification during transmission. Available bandwidth and redundancy are relevant for data availability and performance, not data security and privacy. They ensure that the data transmission is fast and reliable, but they do not prevent data exposure or corruption during transmission. Logging and monitoring are relevant for data audit and compliance, not data encryption and authentication. They provide visibility and accountability for the data transmission activities, but they do not prevent data access or misuse during transmission. References:

• : What is Data Encryption? | Definition and Examples | Imperva
• : What is Authentication? | Definition and Examples | Imperva
• : Personally Identifiable Information (PII) - Imperva
• : Data Protection - Shared Assessments

Change management is the process of controlling and documenting any changes to the scope, objectives, requirements, deliverables, or resources of a project or a program. Change management ensures that the impact of any change is assessed and communicated to all stakeholders, and that the changes are implemented in a controlled and coordinated manner. Compliance artifacts are the documents, records, or reports that demonstrate the adherence to the change management process and the regulatory or industry standards.

A robust change management process should include the following attributes:

• Logging: This means that any change request or proposal is recorded in a change log or a change register, along with the details of the change initiator, the change description, the change category, the change priority, the change status, and the change history. Logging helps to track and monitor the progress and outcome of each change, and to provide an audit trail for compliance purposes.
• Approvals: This means that any change request or proposal is reviewed and approved by the appropriate authority or stakeholder, such as the project manager, the sponsor, the customer, the steering committee, or the regulatory body. Approvals help to ensure that the change is justified, feasible, aligned with the project or program objectives, and acceptable to the affected parties.
• Validation: This means that any change request or proposal is verified and tested to ensure that it meets the quality standards, the functional and non-functional requirements, and the expected benefits and outcomes. Validation helps to ensure that the change is implemented correctly, effectively, and efficiently, and that it does not introduce any errors, defects, or risks.
• Back-out and exception procedures: This means that any change request or proposal has a contingency plan or a rollback plan in case the change fails, causes problems, or is rejected. Back-out and exception procedures help to minimize the negative impact of the change, and to restore the original state or the baseline of the project or program. They also help to handle any deviations or issues that may arise during the change implementation or the change review.

References:

• CTPRP Job Guide
• An Agile Approach to Change Management
• CM Overview
• Management Artifacts and its Types
• Achieving Regulatory and Industry Standards Compliance with the Scaled Agile Framework
• 8 Steps for an Effective Change Management Process

When reviewing application risk for application service providers, the most important factors are the functionality and type of data the application processes, the remote connectivity options, and the APl integration methods. These factors determine the level of exposure, sensitivity, and complexity of the application, and thus the potential impact and likelihood of a security breach or a compliance violation. The number of software releases is less important, as it does not directly affect the application’s security or functionality. However, it may indicate the maturity and quality of the software development process, which is another aspect of application risk assessment. References:

• Application Security Risk: Assessment and Modeling, ISACA Journal, Volume 2, 2016

Data classification is the process of categorizing data according to its type, sensitivity, and value to the organization if altered, stolen, or destroyed1. Data classification helps an organization understand the risk level of its data and implement appropriate controls to protect it. Data can be classified into three risk levels: low, moderate, and high23. Low risk data are data that are intended for public disclosure or have no adverse impact on the organization’s mission, safety, finances, or reputation if compromised23. Sanitized customer data used for aggregated profiling are an example of low risk data, as they do not contain any personally identifiable or sensitive information that could be exploited for criminal or other wrongful purposes. Sanitized data are data that have been modified to remove or obscure any confidential or identifying information, such as names, addresses, phone numbers, etc. Aggregated data are data that have been combined or summarized from multiple sources to provide statistical or analytical insights, such as trends, patterns, averages, etc. Sanitized and aggregated data are often used for research, marketing, or business intelligence purposes, and do not pose a significant threat to the organization or the customers if exposed. References:

• 1: What is Data Classification? | Best Practices & Data Types | Imperva
• 2: Data Classification Guideline (1604 GD.01) - Yale University
• 3: Risk Classifications | University IT
• : Data Classification Policy - Shared Assessments
• : What is Data Sanitization? | Definition and Examples | Imperva
• : What is Data Aggregation? | Definition and Examples | Imperva

The frequency for conducting a vendor reassessment is not necessarily defined by regulatory obligations, but rather by the risk rating and criticality of the vendor, as well as the changes in the vendor’s environment, performance, and controls. Regulatory obligations may provide some guidance or minimum requirements for vendor reassessment, but they are not the sole determinant of the reassessment frequency. According to the Shared Assessments Program Tools User Guide, "The frequency of reassessment should be based on the risk rating and criticality of the vendor, as well as any changes in the vendor’s environment, performance, or controls. Regulatory guidance may also influence the frequency of reassessment."1 Similarly, the CTPRP Study Guide states, "The frequency of reassessment should be based on the risk rating and criticality of the vendor, as well as any changes in the vendor’s environment, performance, or controls. Regulatory guidance may also influence the frequency of reassessment."2

References:

• Shared Assessments Program Tools User Guide
• CTPRP Study Guide

Remote monitoring of HVAC, Smoke, Fire, Water, or Power systems best reflects components of an environmental controls testing program. These systems are critical to ensuring the physical security and operational integrity of data centers and IT facilities. Environmental controls testing programs are designed to verify that these systems are functioning correctly and can effectively respond to environmental threats. This includes monitoring temperature and humidity (HVAC), detecting smoke or fire, preventing water damage, and ensuring uninterrupted power supply. Regular testing and monitoring of these systems help prevent equipment damage, data loss, and downtime due to environmental factors.

References:

• Environmental control standards such as ISO/IEC 27001 (Information Security Management) include requirements for the testing and monitoring of physical and environmental security controls.
• The "Data Center Operations Manual" by the Uptime Institute provides detailed guidelines on the testing and maintenance of environmental control systems to ensure the resilience and reliability of data center operations.

Background check requirements are applicable for vendors or service providers based outside the United States, as well as those based within the country. According to the Shared Assessments Program, background checks are a key component of third-party risk management and should be conducted for all third parties that have access to sensitive data, systems, or facilities, regardless of their location1. The FCRA also applies to background checks performed by U.S. employers on foreign nationals who work outside the U.S. for a U.S. employer or its affiliates2. Therefore, statement A is false and the correct answer is A. References:

• Shared Assessments Program: Third Party Risk Management Fundamentals
• Background Checks for Contractors or Vendors

 Personal information is any information that can be used to identify an individual, either directly or indirectly, such as name, address, email, phone number, ID number, etc. Personal data is a term used in some jurisdictions, such as the European Union, to refer to personal information that is subject to data protection laws and regulations. However, the scope and definition of personal data may vary depending on the jurisdiction and the context. For example, the GDPR defines personal data as “any information relating to an identified or identifiable natural person” and includes online identifiers, such as IP addresses, cookies, or device IDs, as well as special categories of data, such as biometric, genetic, health, or political data. On the other hand, the US does not have a single federal law that regulates personal data, but rather a patchwork of sector-specific and state-level laws that may have different definitions and requirements. For example, the California Consumer Privacy Act (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and excludes publicly available information from its scope. Therefore, from a privacy perspective, it is important to understand the different legal definitions and obligations that may apply to personal information or personal data depending on the jurisdiction and the context of the data processing activity. References:

• GDPR personal data – what information does this cover?
• Personal Information, Data Classification, Life Cycle and Best Practices
• 5 Types of Data Classification (With Examples)

The primary objective of a third party risk assessment is to validate that the vendor/service provider has adequate controls in place based on the organization’s risk posture. A third party risk assessment (also known as supplier risk assessment) quantifies the risks associated with third-party vendors and suppliers that provide products or services to your organization1. This assessment is useful for analyzing both new and ongoing supplier relationships. The growing risk of supply chain attacks makes it critical to conduct thorough and regular risk assessments of your third parties. A third party risk assessment helps you identify, measure, and mitigate the potential risks that your third parties pose to your organization, such as data breaches, cyberattacks, compliance violations, operational disruptions, reputational damage, or financial losses. A third party risk assessment also helps you align your third party risk management (TPRM) program with your organization’s risk appetite, policies, standards, and procedures. A third party risk assessment typically involves the following steps1:

• Scoping: Define the scope of the assessment based on the type, nature, and criticality of the third party relationship. Determine the relevant risk domains, such as security, privacy, compliance, business continuity, etc.
• Data collection: Gather information from the third party using various methods, such as questionnaires, surveys, interviews, audits, tests, or evidence reviews.
• Analysis: Analyze the data collected and compare it with your organization’s risk criteria, benchmarks, and best practices. Identify any gaps, weaknesses, or issues in the third party’s controls, processes, or performance.
• Reporting: Document the findings and recommendations of the assessment in a clear and concise report. Communicate the results to the relevant stakeholders, such as senior management, business owners, or regulators.
• Remediation: Follow up with the third party to ensure that they implement the necessary actions to address the identified risks. Monitor and track the progress and effectiveness of the remediation plan.
• Review: Review and update the assessment periodically or whenever there are significant changes in the third party relationship, the risk environment, or the regulatory requirements.

The other statements are not the primary objective of a third party risk assessment, although they may be related or secondary objectives. Assessing the appropriateness of non-disclosure agreements regarding the organization’s systems/data is a legal objective that may be part of the contract negotiation or review process. Determining the scope of the business relationship is a strategic objective that may be part of the vendor selection or due diligence process. Evaluating the risk posture of all vendors/service providers in the vendor inventory is a holistic objective that may be part of the vendor risk management or governance process. References:

• 1: Third-Party Risk Assessment: A Practical Guide - BlueVoyant
• : What Is Third-Party Risk Management (TPRM)? 2024 Guide | UpGuard
• : What is Third-Party Risk Management? | Blog | OneTrust

According to the Certified Third Party Risk Professional (CTPRP) Job Guide, one of the key tasks of a third party risk professional is to “manage the corrective action process for identified issues and ensure timely resolution” (p. 10). This task involves the following steps:

• Document the findings and recommendations from the assessment and communicate them to the appropriate stakeholders
• Review the findings and recommendations with the line of business (LOB) and obtain their risk acceptance or rejection
• If the LOB accepts the risk, document the rationale and approval in the risk register
• If the LOB rejects the risk, work with the vendor to develop a remediation plan that addresses the root cause and mitigates the risk
• Monitor the progress and completion of the remediation plan and verify the effectiveness of the corrective actions
• Update the risk register and the vendor profile with the results of the remediation

Therefore, the statement that best represents the roles and responsibilities for managing corrective actions is C, as it reflects the need to review the findings and need for remediation with the LOB for risk acceptance before sharing the remediation plan with the vendor. This ensures that the LOB is aware of the risks and their impact, and that the vendor is committed to resolving the issues in a timely and satisfactory manner.

References:

• CTPRP Job Guide, Shared Assessments, 2020
• Best Practices Guidance for Third Party Risk, Global Association of Risk Professionals (GARP), 2019
• Simple Guide for Corrective and Preventative Action (CAPA), Qualcy eQMS, 2020
• [The Three Key Parts of an EHS Corrective Action Plan], EHS Daily Advisor, 2021

Contract addendums are supplementary documents that modify or amend the original contract terms. They can be used to address third party risk obligations, such as security, privacy, compliance, or performance standards, without having to rewrite the entire MSA. However, contract addendums should be consistent with the MSA and clearly specify the scope, duration, and responsibilities of each party. Contract addendums can also be used to update or revise the contract terms in response to changing business needs or regulatory requirements12.

The other statements are true regarding the different types of contracts and agreements between outsourcers and service providers. Evergreen contracts are contracts that do not have a fixed end date and are automatically renewed unless one party decides to terminate them under the existing contract provisions3. RFPs are documents that solicit proposals from potential service providers for a specific project or service. RFPs should include mandatory requirements based on an organization’s TPRM program policies, standards and procedures, such as risk assessment, due diligence, monitoring, reporting, and remediation . SOWs are documents that define the operational requirements and obligations for each party, such as the scope, deliverables, timelines, costs, quality, and performance metrics . References:

• 1: Contracts and third-party risk - KPMG UK
• 2: Third-Party Risk & Contract Management: A Comprehensive Beginner’s Guide - Trackado
• 3: What Is an Evergreen Contract? | Legal Beagle
• : [Best Practices Guidance for Third Party Risk - GARP]
• : Third-Party Risk Management: A Comprehensive Guide - UpGuard
• : Statement of Work (SOW) - Definition, Contents & Examples
• : How to Write a Statement of Work for Any Industry | Smartsheet

A BCP or IT DR plan is a set of procedures and actions that an organization takes to ensure the continuity and recovery of its critical business functions and IT systems in the event of a disruption. A BCP or IT DR plan typically covers the following aspects12:

• Identification and prioritization of critical business functions and IT systems
• Assessment and mitigation of risks and threats to the organization
• Allocation and mobilization of resources and personnel
• Communication and coordination with internal and external stakeholders
• Testing and updating of the plan

Among the four examples of a response to external environmental factors, protocols for social media channels and PR communication are the least likely to be managed directly within the BCP or IT DR plan. This is because social media and PR communication are not critical business functions or IT systems that need to be restored or maintained during a disruption. They are rather supplementary tools that can be used to inform and engage with the public, customers, partners, and media about the organization’s situation and actions3. Therefore, protocols for social media and PR communication are more likely to be part of a crisis communication plan, which is a separate but related document that outlines the strategies and tactics for communicating with various audiences during a crisis.

The other three examples are more likely to be managed directly within the BCP or IT DR plan, as they directly affect the organization’s ability to perform its critical business functions and IT systems. For instance, a response to a natural or man-made disruption would involve activating the BCP or IT DR plan, assessing the impact and extent of the damage, deploying backup and recovery solutions, and restoring normal operations as soon as possible. A response to a dependency on key employee or supplier issues would involve identifying and managing the single points of failure, implementing contingency plans, and ensuring the availability and redundancy of essential skills and resources. A response to a large scale illness or health outbreak would involve implementing health and safety measures, enabling remote work arrangements, and ensuring the resilience and continuity of the workforce. References:

• Business continuity vs. disaster recovery: Which plan is right … - IBM
• Business Continuity vs Disaster Recovery: What’s The Difference?
• Disaster recovery plan vs. business continuity plan: Is there a difference?
• [Crisis Communication Plan: A PR Blue Print by Sandra K. Clawson Freeo]
• [Disaster Recovery Planning (DRP) | Business Continuity Plan (BCP) | Disaster Recovery Journal]
• [Managing Third Party Risk in a Disrupted World]
• [Business Continuity Planning for a Pandemic]

In patch management, testing is the most crucial factor when conducting post-cybersecurity incident analysis related to systems and applications. Proper testing of patches before deployment ensures that they effectively address vulnerabilities without introducing new issues or incompatibilities that could impact system functionality or security. Testing allows organizations to verify that the patch resolves the identified security issue without adversely affecting the system or application's performance. It also helps in identifying potential conflicts with existing configurations or dependencies. Effective testing strategies include regression testing, performance testing, and security testing to ensure comprehensive validation of the patch's effectiveness and safety before widespread deployment. This approach aligns with best practices in patch management, emphasizing the importance of thorough testing to mitigate the risk of unintended consequences and ensure the continued security and stability of systems and applications.

References:

• Industry standards such as ISO/IEC 27001 (Information Security Management) highlight the importance of a systematic approach to managing patches, including the role of testing in assessing the effectiveness and impact of patches.
• Resources like "Patch Management Best Practices" from the Center for Internet Security (CIS) provide guidance on developing and implementing a patch management program that includes rigorous testing procedures to ensure patches are safely and effectively applied.

 Questionnaires are one of the most common and effective tools for conducting third party risk assessments. They help organizations gather information about the security and compliance practices of their vendors and service providers, as well as identify any gaps or weaknesses that may pose a risk to the organization. However, not all questionnaires are created equal. Depending on the nature and scope of the third party relationship, different types and levels of questions may be required to adequately assess the risk. Therefore, it is important to configure the assessment questionnaires based on the risk rating and type of service being evaluated12.

The risk rating of a third party is determined by various factors, such as the criticality of the service they provide, the sensitivity of the data they handle, the regulatory requirements they must comply with, and the potential impact of a breach or disruption on the organization. The higher the risk rating, the more detailed and comprehensive the questionnaire should be. For example, a high-risk third party that processes personal or financial data may require a questionnaire that covers multiple domains of security and privacy, such as data protection, encryption, access control, incident response, and audit. A low-risk third party that provides a non-critical service or does not handle sensitive data may require a questionnaire that covers only the basic security controls, such as firewall, antivirus, and password policy12.

The type of service that a third party provides also influences the configuration of the questionnaire. Different services may have different security and compliance standards and best practices that need to be addressed. For example, a third party that provides cloud-based services may require a questionnaire that covers topics such as cloud security architecture, data residency, service level agreements, and disaster recovery. A third party that provides software development services may require a questionnaire that covers topics such as software development life cycle, code review, testing, and vulnerability management12.

By configuring the assessment questionnaires based on the risk rating and type of service being evaluated, organizations can ensure that they ask the right questions to the right third parties, and obtain relevant and meaningful information to support their risk management decisions. Therefore, the statement that assessment questionnaires should be configured based on the risk rating and type of service being evaluated is TRUE12. References: 1: How to Use SIG Questionnaires for Better Third-Party Risk Management 2: Third-party risk assessment questionnaires - KPMG India

 A regulation is a rule of order having the force of law, prescribed by a superior or competent authority, relating to the actions of those under the authority’s control. Regulations are issued by various government departments and agencies to carry out the intent of legislation enacted by the legislature of the applicable jurisdiction. Regulations also function to ensure uniform application of the law. A standard is a guideline established generally by private-sector bodies and that are available for use by any person or organization, private or government. The term includes what are commonly referred to as ‘industry standards’ as well as ‘consensus standards’. Standards are developed through a voluntary process of collaboration and consensus among stakeholders, such as manufacturers, consumers, regulators, and experts. Standards may reflect best practices, technical specifications, performance criteria, or quality requirements. Standards do not have the force of law unless they are adopted or referenced by a regulation. Therefore, a regulation must be adhered to by all companies subject to its requirements, but companies can voluntarily choose to follow standards that are relevant and beneficial to their operations, products, or services. References:

• The Difference Between Regulations and Standards
• Regulations vs Standards: Clearing Up the Confusion - AEM
• Standards vs. Regulations
• Certified Third Party Risk Professional (CTPRP) Study Guide

Fourth-Nth party risk refers to the potential threats and vulnerabilities associated with the subcontractors, vendors, or service providers of an organization’s direct third-party partners12. After contract signing and on-boarding due diligence is complete, the most important type of contract provision to manage Fourth-Nth party risk is subcontractor notice and approval. This provision requires the third party to inform the organization of any subcontracting arrangements and obtain the organization’s consent before engaging any Fourth-Nth parties345. This provision enables the organization to have visibility and control over the extended network of suppliers and service providers, and to assess the potential risks and impacts of any outsourcing decisions. Subcontractor notice and approval also helps the organization to ensure that the Fourth-Nth parties comply with the same standards and expectations as the third party, and to hold the third party accountable for the performance and security of the Fourth-Nth parties345. References:

• 1: Understanding 4th- and Nth-Party Risk: What Do You Need to Know? | Mitratech
• 2: Understanding 4th- and Nth-Party Risk: What Do You Need to Know? | Mitratech Holdings, Inc - JDSupra
• 3: First, 2nd , 3rd , 4th, 5th Parties: How to Measure the Tiers of Risk
• 4: Managing 4th Party Risk with Vendor Insurance Verification - Evident ID
• 5: How to Write Fourth-Party Vendor Requirements Into the Contract - Venminder

A documented process to gain approvals for use of open source applications is typically not part of evaluating the vendor’s patch management controls, because it is not directly related to the patching process. Patch management controls are the policies, procedures, and tools that enable an organization to identify, acquire, install, and verify patches for software vulnerabilities. Patch management controls aim to reduce the risk of exploitation of known software flaws and ensure the functionality and compatibility of the patched systems. A documented process to gain approvals for use of open source applications is more relevant to the software development and procurement processes, as it involves assessing the legal, security, and operational implications of using open source software components in the vendor’s products or services. Open source software may have different licensing terms, quality standards, and support levels than proprietary software, and may introduce additional vulnerabilities or dependencies that need to be managed. Therefore, a documented process to gain approvals for use of open source applications is a good practice for vendors, but it is not a patch management control per se. References:

• Guide to Enterprise Patch Management Planning
• Governance of Key Aspects of System Patch Management
• Certified Third Party Risk Professional (CTPRP) Study Guide

End-user device policies are policies that establish the rules and requirements for the use and management of devices that access organizational data, networks, and systems. These policies typically include user obligations that define the responsibilities and expectations of the users regarding the security, privacy, and compliance of the devices they use. According to the web search results from the search_web tool, some common user obligations defined in end-user device policies are:

• A statement specifying the owner of data on the end-user device: This statement clarifies who owns the data stored on the device, whether it is the organization, the user, or a third party. This statement also defines the rights and obligations of the data owner and the data custodian, such as the access, retention, disposal, and protection of the data123.
• A statement that defines the process to remove all organizational data, settings and accounts at offboarding: This statement outlines the steps and procedures that the user must follow to securely erase or transfer all organizational data, settings, and accounts from the device when they leave the organization or change their role. This statement also specifies the roles and responsibilities of the user, the organization, and the device manager in ensuring the proper offboarding of the device143.
• A statement detailing user responsibility in ensuring the security of the end-user device: This statement describes the actions and measures that the user must take to protect the device from unauthorized access, theft, loss, damage, or compromise. This statement may include requirements such as enabling encryption, password, firewall, antivirus, updates, and backups, as well as reporting any incidents or issues related to the device1435.

However, option D, a statement that specifies the ability to synchronize mobile device data with enterprise systems, is not a user obligation defined in end-user device policies. Rather, this statement is a feature or functionality that may be enabled or disabled by the organization or the device manager, depending on the security and compliance needs of the organization. This statement may also be part of a device configuration policy or a mobile device management policy, which are different from end-user device policies. Therefore, option D is the correct answer, as it is the only one that does not reflect a user obligation defined in end-user device policies. References: The following resources support the verified answer and explanation:

• 1: End-User Device Policy | IT Services - University of Chicago
• 4: Device compliance policies in Microsoft Intune | Microsoft Learn
• 2: Basics of an End User Computing Policy - Apparity Blog
• 3: End-User Device Management Standard Operating Procedure
• 5: End-User Devices | Information Security - University of Chicago

 TPRM program metrics are the indicators that measure the performance, effectiveness, and maturity of the TPRM program. They help to monitor and communicate the progress, achievements, and challenges of the TPRM program to various stakeholders, such as business units, executive management, risk committees, and board of directors. However, the level of reporting and the frequency of changes in TPRM program metrics vary depending on the stakeholder’s role, responsibility, and interest123:

• Business unit: This level of reporting is focused on the operational aspects of the TPRM program, such as the status of vendor assessments, remediation actions, issues, and incidents. The changes in TPRM program metrics at this level are frequent and granular, as they reflect the day-to-day activities and outcomes of the TPRM program.
• Executive management: This level of reporting is focused on the strategic aspects of the TPRM program, such as the alignment with the business objectives, the compliance with the regulatory requirements, the management of the key risks, and the optimization of the resources and costs. The changes in TPRM program metrics at this level are less frequent and more aggregated, as they reflect the overall direction and performance of the TPRM program.
• Risk committee: This level of reporting is focused on the oversight aspects of the TPRM program, such as the evaluation of the risk appetite, the review of the risk profile, the approval of the risk policies, and the escalation of the risk issues. The changes in TPRM program metrics at this level are occasional and more analytical, as they reflect the governance and assurance of the TPRM program.
• Board of Directors: This level of reporting is focused on the advisory aspects of the TPRM program, such as the endorsement of the risk strategy, the awareness of the risk trends, the guidance of the risk culture, and the support of the risk initiatives. The changes in TPRM program metrics at this level are rare and exceptional, as they reflect the high-level and long-term vision and value of the TPRM program.

Therefore, the correct answer is D. Board of Directors, as this is the level of reporting where changes in TPRM program metrics are rare and exceptional. References:

• 1: 15 KPIs & Metrics to Measure the Success of Your TPRM Program | UpGuard
• 2: Third-party risk management metrics: Best practices to enhance your … | Diligent
• 3: TPRM Metrics - Telling Your Risk Story - Shared Assessments | Shared Assessments

Controls evaluation is the process of verifying and validating the effectiveness of the controls implemented by the third party to mitigate the identified risks. It involves reviewing the evidence provided by the third party, such as policies, procedures, certifications, attestations, or test results, to determine if the controls are adequate, consistent, and compliant with the requirements and standards of the organization. Controls evaluation also involves analyzing the assessment results to identify any gaps, weaknesses, or issues in the third party’s controls, and reporting the findings and recommendations to the relevant stakeholders. Negotiating contract terms for the right to audit is not a component of controls evaluation, but rather a component of contract management. Contract management is the process of establishing, maintaining, and enforcing the contractual agreements between the organization and the third party. It involves defining the roles, responsibilities, expectations, and obligations of both parties, as well as the terms and conditions for service delivery, performance measurement, risk management, dispute resolution, and termination. Negotiating contract terms for the right to audit is a key aspect of contract management, as it allows the organization to monitor and verify the third party’s compliance with the contract and the applicable regulations and standards. It also enables the organization to conduct independent audits or assessments of the third party’s controls, processes, and performance, and to request remediation actions if necessary. References:

• 1: Shared Assessments, a leading provider of third party risk management solutions, offers a comprehensive guide for Certified Third Party Risk Professional (CTPRP) candidates, which covers the core concepts and best practices of third party risk management, including controls evaluation and contract management.
• 2: UpGuard, a platform for cybersecurity and third party risk management, provides a detailed overview of the best practices for third party risk assessment, which includes the steps and criteria for evaluating the controls of third parties.
• 3: Deloitte, a global professional services firm, offers an end-to-end managed service for third party risk management, which includes controls evaluation and contract management as key components of the service.

Virtual assessments are a method of conducting third party risk assessments remotely, using various tools and techniques to collect and verify information about the third party’s controls, processes, and performance. Virtual assessments can be used to evaluate various risk domains, such as information security, privacy, resiliency, and compliance, depending on the scope and objectives of the assessment. Virtual assessments can also be used to complement or supplement onsite assessments, especially when travel or access restrictions are in place.

One of the key components of virtual assessments is the use of interviews with subject matter experts (SMEs) from the third party, who can provide insights and clarifications on the third party’s policies, procedures, practices, and evidence. Interviews can also be used to validate or confirm the understanding of key controls, and not just to review questionnaire responses. However, interviews are not the only way to perform controls evaluation and testing in virtual assessments. Other methods include:

• Requesting and reviewing documentation and artifacts from the third party, such as policies, standards, certifications, attestations, test results, audit reports, or incident logs, that demonstrate the implementation and effectiveness of the controls.
• Performing live or recorded demonstrations of the controls, such as showing how the third party monitors, detects, and responds to security incidents, or how the third party encrypts, backs up, and restores data.
• Using remote access tools or platforms, such as screen sharing, video conferencing, or web portals, to observe and verify the controls in action, such as checking the configuration settings, access rights, or patch levels of the third party’s systems or applications.
• Using independent or external sources of information, such as ratings, benchmarks, or feedback, to validate and compare the third party’s performance, compliance, or reputation.

Therefore, the statement that virtual assessments include using interviews with SMEs since controls evaluation and testing cannot be performed virtually is false, as there are other ways to perform controls evaluation and testing in virtual assessments, besides interviews.

References:

• 1: Shared Assessments, a leading provider of third party risk management solutions, offers a comprehensive guide for Certified Third Party Risk Professional (CTPRP) candidates, which covers the core concepts and best practices of third party risk management, including virtual assessments.
• 2: Schneider Downs, a professional services firm, provides a blog post on the best practices for conducting third party risk management virtual assessments, which includes the methods and steps for performing controls evaluation and testing remotely.
• 3: Shared Assessments, a leading provider of third party risk management solutions, offers a blog post on the value and challenges of virtual assessments, which includes the benefits and drawbacks of using interviews and other techniques for controls evaluation and testing.

In IT asset end-of-life (EOL) processes, the requirement to conduct periodic risk assessments specifically to determine end-of-life is not typically included. EOL processes generally focus on managing the decommissioning and secure disposal of IT assets that have reached the end of their useful life or support period. This includes tracking the status of assets, managing updates and support for third-party systems and applications, and establishing procedures for the secure destruction of assets at sunset. While risk assessments are crucial in overall IT asset management, they are not usually a direct component of determining an asset's EOL status, which is more often based on operational effectiveness, manufacturer support, and technological obsolescence.

References:

• IT asset management and disposal best practices, such as those outlined in the NIST Guidelines for Media Sanitization (NIST SP 800-88), focus on the secure and environmentally responsible disposal of IT assets without specifically mandating periodic risk assessments for EOL determination.
• The "IT Asset Disposal (ITAD) Best Practice Guide" by the International Association of IT Asset Managers (IAITAM) provides insights into effective EOL processes, including tracking, updating, and securely destroying IT assets.

According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, physical security compliance is the process of ensuring that the physical assets and personnel of an organization are protected from unauthorized access, theft, damage, or harm1. Physical security compliance can be achieved by implementing various measures, such as locks, alarms, cameras, guards, fences, badges, etc. However, these measures need to be regularly monitored, tested, and verified to ensure their effectiveness and alignment with the defined standards and policies2. Therefore, maintaining a standardized schedule for confirming controls to defined standards demonstrates a greater maturity of physical security compliance, as it indicates a proactive and consistent approach to assessing and improving the physical security posture of an organization3.

The other options do not reflect a high level of physical security compliance maturity, as they either rely on reactive or ad hoc methods, or lack sufficient verification and validation mechanisms. Leveraging periodic reporting to schedule facility inspections based on reported events may indicate a lack of preventive and predictive measures, as well as a dependency on external or internal incidents to trigger the inspections. Providing a checklist for self-assessment may indicate a lack of independent and objective evaluation, as well as a potential for bias or error in the self-assessment process. Conducting unannounced checks on an ad hoc basis may indicate a lack of planning and coordination, as well as a potential for disruption or inconsistency in the checks.

References:

• 1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, page 24
• 2: Physical Security: Planning, Measures & Examples + PDF - Avigilon
• 3: Security Maturity Models: Levels, Assessment, and Benefits
• [4]: Best Practices for Planning and Managing Physical Security Resources - CISA, page 10
• [5]: Self-Assessment vs. Independent Assessment: What’s the Difference? | Linford & Company LLP
• [6]: The Pros and Cons of Unannounced Audits | NQA

 This answer is correct because a change at outsourcer due to merger and acquisition (M&A) is the least likely indicator to trigger a reassessment of an existing vendor. This is because the outsourcer is not the direct vendor of the organization, but rather a third party that the vendor uses to perform some of its services. Therefore, the impact of the change at the outsourcer on the vendor’s performance and risk level may not be significant or immediate. However, the other indicators (A, B, and C) are more likely to trigger a reassessment of an existing vendor, as they directly affect the vendor’s operations, capabilities, and compliance status. For example:

• A change in vendor location or use of new fourth parties may introduce new risks such as geopolitical, regulatory, or cybersecurity risks that need to be evaluated and mitigated.
• A change in scope of existing work may alter the vendor’s access to the organization’s data or systems, which may require additional security measures and controls to protect the confidentiality, integrity, and availability of the information assets.
• A change in regulation that impacts service provider requirements may impose new obligations or standards on the vendor that need to be verified and monitored to ensure compliance and avoid penalties or fines. References:
• How to Conduct a Successful Vendor Risk Assessment in 9 Steps, Case IQ
• Why You Need to Reassess Vendor Risk on an Ongoing Basis, ThirdPartyTrust
• Vendor Assessment and Evaluation Guide, Smartsheet

Data anonymization is the process of removing or altering any information that can be used to identify an individual from a data set. This technique provides the strongest assurance that data does not identify an individual, as it makes it impossible or extremely difficult to link the data back to the original source. Data anonymization can be achieved by various methods, such as generalization, suppression, perturbation, or pseudonymization12. Data anonymization is often used for privacy protection, compliance with data protection regulations, and data sharing purposes3. References:

• 1: Data Security: Definition, Importance, and Types | Fortinet
• 2: Data Security Best Practices: Top 10 Data Protection Methods - Ekran System
• 3: Data anonymization - Wikipedia

Fourth-Nth party risk refers to the potential threats and vulnerabilities associated with the subcontractors, vendors, or service providers of an organization’s direct third-party partners. This can create a complex network of dependencies and exposures that can affect the organization’s security, data protection, and business resilience. To manage this risk effectively, organizations should conduct comprehensive due diligence on their extended vendor and supplier network, and include contractual stipulations that require notification and approval for any subcontracting activities. This way, the organization can ensure that the subcontractors meet the same standards and expectations as the direct third-party partners, and that they have adequate controls and safeguards in place to protect the organization’s data and systems. Additionally, the organization should monitor and assess the performance and compliance of the subcontractors on a regular basis, and update the contract provisions as needed to reflect any changes in the risk environment. References:

• Understanding 4th- and Nth-Party Risk: What Do You Need to Know?
• Best Practices for Fourth and Nth Party Management
• Fourth-Party Risk Management: Best Practices