CTPRP Shared Assessments Certified Third-Party Risk Professional (CTPRP) Free Practice Exam Questions (2025 Updated)
Prepare effectively for your Shared Assessments CTPRP Certified Third-Party Risk Professional (CTPRP) certification with our extensive collection of free, high-quality practice questions. Each question is designed to mirror the actual exam format and objectives, complete with comprehensive answers and detailed explanations. Our materials are regularly updated for 2025, ensuring you have the most current resources to build confidence and succeed on your first attempt.
When updating TPRM vendor classification requirements with a focus on availability, which
risk rating factors provide the greatest impact to the analysis?
Type of data by classification; volume of records included in data processing
Financial viability of the vendor; ability to meet performance metrics
Network connectivity; remote access to applications
impact on operations and end users; impact on revenue; impact on regulatory compliance
The Answer Is:
DExplanation:
TPRM vendor classification is the process of categorizing vendors based on their criticality, risk level, and service type. Vendor classification helps to prioritize and allocate resources for vendor assessment, monitoring, and remediation. Vendor classification should be updated periodically to reflect changes in the business environment, vendor performance, and regulatory requirements.
When updating TPRM vendor classification requirements with a focus on availability, the risk rating factors that provide the greatest impact to the analysis are the impact on operations and end users, the impact on revenue, and the impact on regulatory compliance. This is because:
Availability is the degree to which a system or service is accessible and functional when required by authorized users. Availability is a key component of information security and business continuity, as it ensures that the business can operate normally and deliver value to its customers and stakeholders.
Impact on operations and end users measures the extent to which a vendor’s service disruption or failure affects the business processes, functions, and activities that depend on the vendor’s service. A high impact on operations and end users means that the vendor’s service is essential for the business to perform its core functions and meet its objectives, and that any downtime or degradation of the service would cause significant operational delays, inefficiencies, or losses.
Impact on revenue measures the extent to which a vendor’s service disruption or failure affects the business’s income, profitability, and market share. A high impact on revenue means that the vendor’s service is directly or indirectly linked to the business’s revenue generation, and that any downtime or degradation of the service would cause substantial financial losses, reduced customer satisfaction, or competitive disadvantage.
Impact on regulatory compliance measures the extent to which a vendor’s service disruption or failure affects the business’s adherence to the laws, regulations, standards, and contractual obligations that govern its industry, sector, or jurisdiction. A high impact on regulatory compliance means that the vendor’s service is subject to strict regulatory requirements, and that any downtime or degradation of the service would cause serious legal penalties, fines, sanctions, or reputational damage.
Therefore, these three factors are the most important to consider when updating TPRM vendor classification requirements with a focus on availability, as they reflect the potential consequences and risks of vendor unavailability for the business.
References:
CTPRP Job Guide
Criticality and Risk Rating Vendors 101
The Third-Party Vendor Risk Management Lifecycle
What Is Third-Party Risk Management (TPRM)? 2024 Guide
Third-Party Risk Management and ISO Requirements for 2022
The primary disadvantage of Single Sign-On (SSO) access control is:
The impact of a compromise of the end-user credential that provides access to multiple systems is greater
A single password is easier to guess and be exploited
Users store multiple passwords in a single repository limiting the ability to change the password
Vendors must develop multiple methods to integrate system access adding cost and complexity
The Answer Is:
AExplanation:
Single Sign-On (SSO) is a convenient and efficient way of authenticating users across multiple applications and platforms with a single set of credentials. However, it also poses some security risks and challenges that need to be considered and addressed. One of the main disadvantages of SSO is that it creates a single point of failure and a high-value target for attackers. If an end-user credential is compromised, the attacker can gain access to all the systems and resources that the user is authorized to access, potentially causing significant damage and data breaches. Therefore, SSO requires strong security measures to protect the user credentials, such as encryption, multifactor authentication, password policies, and monitoring. Additionally, SSO users need to be aware of the risks and follow best practices to safeguard their credentials, such as using strong and unique passwords, changing them regularly, and avoiding phishing and social engineering attacks. References:
1: What are the disadvantages of single sign-on authentication? - Information Security Stack Exchange
2: Single Sign-On Disadvantages: 6 Advantages and Disadvantages [What You Need to Know] - Mostly Blogging
3: SSO Security Risks: The Drawbacks of SSO (And What Can You Do About it) - Zluri
Which cloud deployment model is primarily focused on the application layer?
Infrastructure as a Service
Software as a Service
Function a3 a Service
Platform as a Service
The Answer Is:
BExplanation:
Software as a Service (SaaS) is a cloud deployment model that provides users with access to software applications over the internet, without requiring them to install, maintain, or update the software on their own devices. SaaS is primarily focused on the application layer, as it delivers the complete functionality of the software to the end users, while abstracting away the underlying infrastructure, platform, and middleware layers. SaaS providers are responsible for managing the servers, databases, networks, security, and scalability of the software, as well as ensuring its availability, performance, and compliance. SaaS users only pay for the software usage, usually on a subscription or pay-per-use basis, and can access the software from any device and location, as long as they have an internet connection. Some examples of SaaS applications are Gmail, Salesforce, Dropbox, and Netflix. References:
Shared Assessments CTPRP Study Guide, page 15, section 2.2.2
Cloud Computing Deployment Models and Architectures, section on Cloud Computing Models
Layered Architecture of Cloud, section on Application Layer
An IT change management approval process includes all of the following components EXCEPT:
Application version control standards for software release updates
Documented audit trail for all emergency changes
Defined roles between business and IT functions
Guidelines that restrict approval of changes to only authorized personnel
The Answer Is:
AExplanation:
Application version control standards for software release updates are not part of the IT change management approval process, but rather a technical aspect of the software development lifecycle. The IT change management approval process is a formal and structured way of evaluating, authorizing and scheduling changes to IT systems and infrastructure, based on predefined criteria and roles. The IT change management approval process typically includes the following components123:
A change request form that captures the details, rationale, impact, risk and benefits of the proposed change
A change approval board (CAB) or other authorized approvers who review and approve or reject the change request based on the business case, feasibility and alignment with the organization’s objectives and policies
A documented audit trail for all changes, especially emergency changes, that records the date, time, reason, approver and outcome of each change
A defined roles and responsibilities matrix that clarifies the expectations and accountabilities of each stakeholder involved in the change management process, such as the change manager, change owner, change coordinator, change implementer and change requester
A set of guidelines that restrict the approval of changes to only authorized personnel who have the appropriate knowledge, skills and authority to make decisions about the changes References:
1: Change Approval Process in ITIL Change Management
2: Guide to the IT Change Requests Approval Process
3: Overview of the change management approval process
Which statement is TRUE regarding the use of questionnaires in third party risk assessments?
The total number of questions included in the questionnaire assigns the risk tier
Questionnaires are optional since reliance on contract terms is a sufficient control
Assessment questionnaires should be configured based on the risk rating and type of service being evaluated
All topic areas included in the questionnaire require validation during the assessment
The Answer Is:
CExplanation:
Questionnaires are one of the most common and effective tools for conducting third party risk assessments. They help organizations gather information about the security and compliance practices of their vendors and service providers, as well as identify any gaps or weaknesses that may pose a risk to the organization. However, not all questionnaires are created equal. Depending on the nature and scope of the third party relationship, different types and levels of questions may be required to adequately assess the risk. Therefore, it is important to configure the assessment questionnaires based on the risk rating and type of service being evaluated12.
The risk rating of a third party is determined by various factors, such as the criticality of the service they provide, the sensitivity of the data they handle, the regulatory requirements they must comply with, and the potential impact of a breach or disruption on the organization. The higher the risk rating, the more detailed and comprehensive the questionnaire should be. For example, a high-risk third party that processes personal or financial data may require a questionnaire that covers multiple domains of security and privacy, such as data protection, encryption, access control, incident response, and audit. A low-risk third party that provides a non-critical service or does not handle sensitive data may require a questionnaire that covers only the basic security controls, such as firewall, antivirus, and password policy12.
The type of service that a third party provides also influences the configuration of the questionnaire. Different services may have different security and compliance standards and best practices that need to be addressed. For example, a third party that provides cloud-based services may require a questionnaire that covers topics such as cloud security architecture, data residency, service level agreements, and disaster recovery. A third party that provides software development services may require a questionnaire that covers topics such as software development life cycle, code review, testing, and vulnerability management12.
By configuring the assessment questionnaires based on the risk rating and type of service being evaluated, organizations can ensure that they ask the right questions to the right third parties, and obtain relevant and meaningful information to support their risk management decisions. Therefore, the statement that assessment questionnaires should be configured based on the risk rating and type of service being evaluated is TRUE12. References: 1: How to Use SIG Questionnaires for Better Third-Party Risk Management 2: Third-party risk assessment questionnaires - KPMG India
The BEST way to manage Fourth-Nth Party risk is:
Include a provision in the vender contract requiring the vendor to provide notice and obtain written consent before outsourcing any service
Include a provision in the contract prohibiting the vendor from outsourcing any service which includes access to confidential data or systems
Incorporate notification and approval contract provisions for subcontracting that require evidence of due diligence as defined by a TPRM program
Require the vendor to maintain a cyber-insurance policy for any service that is outsourced which includes access to confidential data or systems
The Answer Is:
CExplanation:
Fourth-Nth party risk refers to the potential threats and vulnerabilities associated with the subcontractors, vendors, or service providers of an organization’s direct third-party partners. This can create a complex network of dependencies and exposures that can affect the organization’s security, data protection, and business resilience. To manage this risk effectively, organizations should conduct comprehensive due diligence on their extended vendor and supplier network, and include contractual stipulations that require notification and approval for any subcontracting activities. This way, the organization can ensure that the subcontractors meet the same standards and expectations as the direct third-party partners, and that they have adequate controls and safeguards in place to protect the organization’s data and systems. Additionally, the organization should monitor and assess the performance and compliance of the subcontractors on a regular basis, and update the contract provisions as needed to reflect any changes in the risk environment. References:
Understanding 4th- and Nth-Party Risk: What Do You Need to Know?
Best Practices for Fourth and Nth Party Management
Fourth-Party Risk Management: Best Practices
Which statement is FALSE regarding the risk factors an organization may include when defining TPRM compliance requirements?
Organizations include TPRM compliance requirements within vendor contracts, and periodically review and update mandatory contract provisions
Organizations rely on regulatory mandates to define and structure TPRM compliance requirements
Organizations incorporate the use of external standards and frameworks to align and map TPRM compliance requirements to industry practice
Organizations define TPRM policies based on the company’s risk appetite to shape requirements based on the services being outsourced
The Answer Is:
BExplanation:
TPRM compliance requirements are the rules and expectations that an organization must follow when engaging with third parties, such as vendors, suppliers, partners, or contractors. These requirements are derived from various sources, such as laws, regulations, standards, frameworks, contracts, policies, and best practices. However, relying solely on regulatory mandates to define and structure TPRM compliance requirements is a false statement, because123:
Regulatory mandates are not the only source of TPRM compliance requirements. Organizations may also need to consider other factors, such as industry benchmarks, customer expectations, stakeholder interests, ethical principles, and social responsibility.
Regulatory mandates are not always comprehensive, clear, or consistent. Organizations may face different or conflicting regulations across jurisdictions, sectors, or domains. Organizations may also need to interpret and apply the regulations to their specific context and risk profile, which may require additional guidance or expertise.
Regulatory mandates are not always sufficient, effective, or efficient. Organizations may need to go beyond the minimum requirements of the regulations to achieve their business objectives, mitigate their risks, or enhance their performance. Organizations may also need to adopt more flexible, scalable, and innovative approaches to TPRM compliance, rather than following a rigid, one-size-fits-all, or check-the-box model.
Therefore, the correct answer is B. Organizations rely on regulatory mandates to define and structure TPRM compliance requirements, as this is a false statement regarding the risk factors an organization may include when defining TPRM compliance requirements. References:
1: Understanding TPRM Compliance: A Comprehensive Guide | Prevalent
2: What Is Third-Party Risk Management (TPRM)? 2024 Guide | UpGuard
3: Third-Party Risk Management and ISO Requirements for 2022 | Reciprocity
Which statement is FALSE regarding analyzing results from a vendor risk assessment?
The frequency for conducting a vendor reassessment is defined by regulatory obligations
Findings from a vendor risk assessment may be defined at the entity level, and are based o na Specific topic or control
Identifying findings from a vendor risk assessment can occur at any stage in the contract lifecycle
Risk assessment findings identified by controls testing or validation should map back to the information gathering questionnaire and agreed upon framework
The Answer Is:
AExplanation:
The frequency for conducting a vendor reassessment is not necessarily defined by regulatory obligations, but rather by the risk rating and criticality of the vendor, as well as the changes in the vendor’s environment, performance, and controls. Regulatory obligations may provide some guidance or minimum requirements for vendor reassessment, but they are not the sole determinant of the reassessment frequency. According to the Shared Assessments Program Tools User Guide, "The frequency of reassessment should be based on the risk rating and criticality of the vendor, as well as any changes in the vendor’s environment, performance, or controls. Regulatory guidance may also influence the frequency of reassessment."1 Similarly, the CTPRP Study Guide states, "The frequency of reassessment should be based on the risk rating and criticality of the vendor, as well as any changes in the vendor’s environment, performance, or controls. Regulatory guidance may also influence the frequency of reassessment."2
References:
Shared Assessments Program Tools User Guide
CTPRP Study Guide
An IT asset management program should include all of the following components EXCEPT:
Maintaining inventories of systems, connections, and software applications
Defining application security standards for internally developed applications
Tracking and monitoring availability of vendor updates and any timelines for end of support
Identifying and tracking adherence to IT asset end-of-life policy
The Answer Is:
BExplanation:
An IT asset management program is a set of processes and tools that help an organization manage its IT assets throughout their lifecycle, from acquisition to disposal. An IT asset management program should include the following components1234:
Maintaining inventories of systems, connections, and software applications: This component involves creating and updating a comprehensive and accurate list of all IT assets owned or used by the organization, including their location, ownership, configuration, and status. This helps the organization optimize the use of its IT resources, reduce costs, and ensure compliance with licensing and regulatory requirements.
Tracking and monitoring availability of vendor updates and any timelines for end of support: This component involves keeping track of the latest updates, patches, and security fixes provided by the vendors of the IT assets, as well as the end-of-life dates and support options for the assets. This helps the organization maintain the security, performance, and functionality of its IT assets, and plan for timely replacement or migration of obsolete or unsupported assets.
Identifying and tracking adherence to IT asset end-of-life policy: This component involves defining and implementing a policy for retiring and disposing of IT assets that are no longer needed, useful, or supported by the organization. This helps the organization reduce risks, costs, and environmental impacts associated with IT asset disposal, and ensure compliance with data protection and disposal regulations.
Defining application security standards for internally developed applications is not a component of an IT asset management program, but rather a component of an application development and security program. An application development and security program is a set of processes and tools that help an organization design, develop, test, deploy, and maintain secure and reliable applications, whether they are internally developed or acquired from external sources. An application development and security program should include the following components5 :
Defining application security standards for internally developed applications: This component involves establishing and enforcing a set of security requirements and best practices for the applications developed by the organization, such as secure coding, testing, and deployment methodologies, security controls, and vulnerability management. This helps the organization ensure the confidentiality, integrity, and availability of its applications and data, and prevent or mitigate security breaches and incidents.
Performing application security assessments for externally acquired applications: This component involves conducting security reviews and audits of the applications acquired from external sources, such as vendors, partners, or open source communities, before integrating them into the organization’s IT environment. This helps the organization identify and address any security risks, gaps, or weaknesses in the applications, and ensure compatibility and compliance with the organization’s security policies and standards.
References:
ITAM: The ultimate guide to IT asset management
IT asset management: 10 best practices for success
Asset Management: The Five Core Components
The Fundamentals of Asset Management
Application Development and Security Program
Application Security Best Practices
The following statements reflect user obligations defined in end-user device policies
EXCEPT:
A statement specifying the owner of data on the end-user device
A statement that defines the process to remove all organizational data, settings and accounts alt offboarding
A statement detailing user responsibility in ensuring the security of the end-user device
A statement that specifies the ability to synchronize mobile device data with enterprise systems
The Answer Is:
DExplanation:
End-user device policies are policies that establish the rules and requirements for the use and management of devices that access organizational data, networks, and systems. These policies typically include user obligations that define the responsibilities and expectations of the users regarding the security, privacy, and compliance of the devices they use. According to the web search results from the search_web tool, some common user obligations defined in end-user device policies are:
A statement specifying the owner of data on the end-user device: This statement clarifies who owns the data stored on the device, whether it is the organization, the user, or a third party. This statement also defines the rights and obligations of the data owner and the data custodian, such as the access, retention, disposal, and protection of the data123.
A statement that defines the process to remove all organizational data, settings and accounts at offboarding: This statement outlines the steps and procedures that the user must follow to securely erase or transfer all organizational data, settings, and accounts from the device when they leave the organization or change their role. This statement also specifies the roles and responsibilities of the user, the organization, and the device manager in ensuring the proper offboarding of the device143.
A statement detailing user responsibility in ensuring the security of the end-user device: This statement describes the actions and measures that the user must take to protect the device from unauthorized access, theft, loss, damage, or compromise. This statement may include requirements such as enabling encryption, password, firewall, antivirus, updates, and backups, as well as reporting any incidents or issues related to the device1435.
However, option D, a statement that specifies the ability to synchronize mobile device data with enterprise systems, is not a user obligation defined in end-user device policies. Rather, this statement is a feature or functionality that may be enabled or disabled by the organization or the device manager, depending on the security and compliance needs of the organization. This statement may also be part of a device configuration policy or a mobile device management policy, which are different from end-user device policies. Therefore, option D is the correct answer, as it is the only one that does not reflect a user obligation defined in end-user device policies. References: The following resources support the verified answer and explanation:
1: End-User Device Policy | IT Services - University of Chicago
4: Device compliance policies in Microsoft Intune | Microsoft Learn
2: Basics of an End User Computing Policy - Apparity Blog
3: End-User Device Management Standard Operating Procedure
5: End-User Devices | Information Security - University of Chicago
Which of the following actions reflects the first step in developing an emergency response plan?
Conduct an assessment that includes an inventory of the types of events that have the greatest potential to trigger an emergency response plan
Consider work-from-home parameters in the emergency response plan
incorporate periodic crisis management team tabletop exercises to test different scenarios
Use the results of continuous monitoring tools to develop the emergency response plan
The Answer Is:
AExplanation:
An emergency response plan (ERP) is a document that outlines the procedures and actions to be taken by an organization in the event of a disruptive incident that threatens its operations, assets, reputation, or stakeholders1. An ERP should be aligned with the organization’s business continuity and disaster recovery plans, and should cover the roles and responsibilities, communication channels, escalation processes, resources, and recovery strategies for different types of emergencies2.
The first step in developing an ERP is to conduct an assessment that includes an inventory of the types of events that have the greatest potential to trigger an ERP3. This assessment should consider the likelihood and impact of various scenarios, such as natural disasters, cyberattacks, pandemics, civil unrest, terrorism, or supply chain disruptions, and identify the critical functions, processes, assets, and dependencies that could be affected by these events4. The assessment should also evaluate the existing capabilities and gaps in the organization’s preparedness and response, and prioritize the areas that need improvement or enhancement5. The assessment should be based on a comprehensive risk analysis and a business impact analysis, and should involve input from relevant stakeholders, such as senior management, business units, IT, security, legal, compliance, human resources, and third parties.
The other options are not the first step in developing an ERP, but rather subsequent or complementary steps that should be performed after the initial assessment. Considering work-from-home parameters, incorporating periodic crisis management team tabletop exercises, and using the results of continuous monitoring tools are all important aspects of an ERP, but they are not the starting point for creating one. These steps should be based on the findings and recommendations of the assessment, and should be updated and tested regularly to ensure the effectiveness and relevance of the ERP. References: 1: What is an Emergency Response Plan? | IBM 2: Emergency Response Plan | Ready.gov 3: 8 Steps to Building a Third-Party Incident Response Plan | Prevalent 4: How to create an effective business continuity plan | CIO 5: Emergency Response Planning: 4 Steps to Creating a Plan : Third-Party Risk Management: Final Interagency Guidance : Improving Third-Party Incident Response | Prevalent
The BEST time in the SDLC process for an application service provider to perform Threat Modeling analysis is:
Before the application design and development activities begin
After the application vulnerability or penetration test is completed
After testing and before the deployment of the final code into production
Prior to the execution of a contract with each client
The Answer Is:
AExplanation:
Threat modeling is a core element of the Microsoft Security Development Lifecycle (SDL) and a structured approach to identify, quantify, and address the security risks associated with an application12. Threat modeling helps to shape the application’s design, meet the security objectives, and reduce risk1. The best time to perform threat modeling analysis is before the application design and development activities begin, as this allows the application service provider to:
Communicate about the security design of their systems1.
Analyze the design for potential security issues using a proven methodology1.
Suggest and manage mitigations for security issues1.
Incorporate security requirements into the design2.
Avoid costly rework or redesign later in the SDLC2.
Identify the most critical and relevant threats to focus on2. References: 1: Microsoft Security Development Lifecycle Threat Modelling1 2: Threat Modeling Process | OWASP Foundation2
Your company has been alerted that an IT vendor began utilizing a subcontractor located in a country restricted by company policy. What is the BEST approach to handle this situation?
Notify management to approve an exception and ensure that contract provisions require prior “notification and evidence of subcontractor due diligence
inform the business unit and recommend that the company cease future work with the IT vendor due to company policy
Update the vender inventory with the mew location information in order to schedule a reassessment
Inform the business unit and ask the vendor to replace the subcontractor at their expense in “order to move the processing back to an approved country
The Answer Is:
DExplanation:
This answer is the best approach because it aligns with the principles of third-party risk management, which include ensuring compliance with company policies, contractual obligations, and regulatory requirements. By asking the vendor to replace the subcontractor, the company is exercising its right to terminate or modify the relationship if the vendor fails to meet the agreed-upon standards or poses unacceptable risks. This also minimizes the potential impact of the vendor’s non-compliance on the company’s reputation, operations, and data security. The other options are less effective because they either ignore the issue, compromise the company’s policy, or rely on the vendor’s self-assessment without verification. References:
Third Party Risk Management Framework, Module 3: Program Governance, Section 3.2: Policies and Procedures, p. 14
Third Party Risk Management Framework, Module 4: Program Components, Section 4.3: Contracting, p. 24
Third Party Risk Management Framework, Module 5: Program Implementation, Section 5.2: Ongoing Monitoring, p. 32
Best-Practices Guidance for Third-Party Risk, Section: Defend Against Privileged User Risks, p. 2
Five Best Practices to Manage and Control Third-Party Risk, Section: Best Practices for Controlling Third-Party Vendor Risks, p. 3
You are updating program requirements due to shift in use of technologies by vendors to enable hybrid work. Which statement is LEAST likely to represent components of an Asset
Management Program?
Asset inventories should include connections to external parties, networks, or systems that process data
Each asset should include an organizational owner who is responsible for the asset throughout its life cycle
Assets should be classified based on criticality or data sensitivity
Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines
The Answer Is:
DExplanation:
Asset management is the process of identifying, tracking, and managing the physical and digital assets of an organization. An asset management program is a set of policies, procedures, and tools that help to ensure the optimal use, security, and disposal of assets. According to the Shared Assessments CTPRP Study Guide1, an asset management program should include the following components:
Asset inventories: A comprehensive and accurate list of all assets owned, leased, or used by the organization, including hardware, software, data, and services. Asset inventories should include connections to external parties, networks, or systems that process data, as this may introduce additional risks and dependencies12.
Asset owners: A clear assignment of roles and responsibilities for each asset, including an organizational owner who is accountable for the asset throughout its life cycle. Asset owners should ensure that assets are properly maintained, updated, secured, and disposed of in accordance with the organization’s policies and standards13.
Asset classification: A consistent and objective method of categorizing assets based on their criticality or data sensitivity. Asset classification helps to determine the appropriate level of protection, monitoring, and testing for each asset, as well as the potential impact of asset loss or compromise1 .
Asset controls: A set of measures and mechanisms that help to safeguard assets from unauthorized access, use, modification, disclosure, or destruction. Asset controls may include physical, technical, administrative, or contractual means, such as locks, encryption, passwords, policies, or agreements1 .
The statement that is least likely to represent a component of an asset management program is D. Asset inventories should track the flow or distribution of items used to fulfill products and Services across production lines. This statement describes a supply chain management function, not an asset management function. Supply chain management is the process of planning, coordinating, and controlling the flow of materials, information, and services from suppliers to customers. Supply chain management may involve some aspects of asset management, such as inventory control, quality assurance, or vendor risk management, but it is not the same as asset management . Asset management focuses on the assets that the organization owns or uses, not the assets that the organization produces or delivers.
References:
1: Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide.
2: ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO03 Manage enterprise architecture.
3: ISO. (2018). ISO/IEC 27001:2018 Information technology — Security techniques — Information security management systems — Requirements. Clause 8.1.2 Asset management roles and responsibilities.
: NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. RA-2 Security Categorization.
: NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. CM-8 Information System Component Inventory.
: APICS. (2018). APICS Dictionary, 16th edition. Supply chain management.
: ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO13 Manage security.
Which example of a response to external environmental factors is LEAST likely to be managed directly within the BCP or IT DR plan?
Protocols for social media channels and PR communication
Response to a natural or man-made disruption
Dependency on key employee or supplier issues
Response to a large scale illness or health outbreak
The Answer Is:
AExplanation:
A BCP or IT DR plan is a set of procedures and actions that an organization takes to ensure the continuity and recovery of its critical business functions and IT systems in the event of a disruption. A BCP or IT DR plan typically covers the following aspects12:
Identification and prioritization of critical business functions and IT systems
Assessment and mitigation of risks and threats to the organization
Allocation and mobilization of resources and personnel
Communication and coordination with internal and external stakeholders
Testing and updating of the plan
Among the four examples of a response to external environmental factors, protocols for social media channels and PR communication are the least likely to be managed directly within the BCP or IT DR plan. This is because social media and PR communication are not critical business functions or IT systems that need to be restored or maintained during a disruption. They are rather supplementary tools that can be used to inform and engage with the public, customers, partners, and media about the organization’s situation and actions3. Therefore, protocols for social media and PR communication are more likely to be part of a crisis communication plan, which is a separate but related document that outlines the strategies and tactics for communicating with various audiences during a crisis.
The other three examples are more likely to be managed directly within the BCP or IT DR plan, as they directly affect the organization’s ability to perform its critical business functions and IT systems. For instance, a response to a natural or man-made disruption would involve activating the BCP or IT DR plan, assessing the impact and extent of the damage, deploying backup and recovery solutions, and restoring normal operations as soon as possible. A response to a dependency on key employee or supplier issues would involve identifying and managing the single points of failure, implementing contingency plans, and ensuring the availability and redundancy of essential skills and resources. A response to a large scale illness or health outbreak would involve implementing health and safety measures, enabling remote work arrangements, and ensuring the resilience and continuity of the workforce. References:
Business continuity vs. disaster recovery: Which plan is right … - IBM
Business Continuity vs Disaster Recovery: What’s The Difference?
Disaster recovery plan vs. business continuity plan: Is there a difference?
[Crisis Communication Plan: A PR Blue Print by Sandra K. Clawson Freeo]
[Disaster Recovery Planning (DRP) | Business Continuity Plan (BCP) | Disaster Recovery Journal]
[Managing Third Party Risk in a Disrupted World]
[Business Continuity Planning for a Pandemic]
Which type of contract provision is MOST important in managing Fourth-Nth party risk after contract signing and on-boarding due diligence is complete?
Subcontractor notice and approval
Indemnification and liability
Breach notification
Right to audit
The Answer Is:
AExplanation:
Fourth-Nth party risk refers to the potential threats and vulnerabilities associated with the subcontractors, vendors, or service providers of an organization’s direct third-party partners12. After contract signing and on-boarding due diligence is complete, the most important type of contract provision to manage Fourth-Nth party risk is subcontractor notice and approval. This provision requires the third party to inform the organization of any subcontracting arrangements and obtain the organization’s consent before engaging any Fourth-Nth parties345. This provision enables the organization to have visibility and control over the extended network of suppliers and service providers, and to assess the potential risks and impacts of any outsourcing decisions. Subcontractor notice and approval also helps the organization to ensure that the Fourth-Nth parties comply with the same standards and expectations as the third party, and to hold the third party accountable for the performance and security of the Fourth-Nth parties345. References:
1: Understanding 4th- and Nth-Party Risk: What Do You Need to Know? | Mitratech
2: Understanding 4th- and Nth-Party Risk: What Do You Need to Know? | Mitratech Holdings, Inc - JDSupra
3: First, 2nd , 3rd , 4th, 5th Parties: How to Measure the Tiers of Risk
4: Managing 4th Party Risk with Vendor Insurance Verification - Evident ID
5: How to Write Fourth-Party Vendor Requirements Into the Contract - Venminder
Which statement is TRUE regarding the tools used in TPRM risk analyses?
Risk treatment plans define the due diligence standards for third party assessments
Risk ratings summarize the findings in vendor remediation plans
Vendor inventories provide an up-to-date record of high risk relationships across an organization
Risk registers are used for logging and tracking third party risks
The Answer Is:
DExplanation:
Risk registers are tools that help organizations document, monitor, and manage their third party risks. They typically include information such as the risk description, category, source, impact, likelihood, rating, owner, status, and action plan. Risk registers enable organizations to prioritize their risks, assign responsibilities, track progress, and report on their risk posture. According to the CTPRP Study Guide, "A risk register is a tool for capturing and managing risks throughout the third-party lifecycle. It provides a comprehensive view of the organization’s third-party risk profile and facilitates risk reporting and communication."1 Similarly, the GARP Best Practices Guidance for Third-Party Risk states, "A risk register is a tool that records and tracks the risks associated with third parties. It helps to identify, assess, and prioritize risks, as well as to assign ownership, mitigation actions, and target dates."2
References:
CTPRP Study Guide
GARP Best Practices Guidance for Third-Party Risk
