CTPRP Shared Assessments Certified Third-Party Risk Professional (CTPRP) Free Practice Exam Questions (2025 Updated)

In the ‘Defense in Depth’ security model, the innermost layer typically focuses on protecting the most sensitive and critical assets, which are often categorized as 'Private internal'. This layer includes security controls and measures that are designed to safeguard the core, confidential aspects of an organization's infrastructure and data. It encompasses controls such as access controls, encryption, and monitoring of sensitive systems and data to prevent unauthorized access and ensure data integrity and confidentiality. The 'Private internal' layer is crucial for maintaining the security of critical information and systems that are essential to the organization's operations and could have the most significant impact if compromised. Implementing robust security measures at this layer is vital for mitigating risks associated with physical access to critical infrastructure and sensitive information.

References:

Security frameworks and standards, including NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and the SANS Institute's guidelines on implementing 'Defense in Depth', provide detailed recommendations on securing the innermost layers of an organization's information systems.

Publications such as "Physical Security Principles" by ASIS International offer insights into best practices for securing the private internal layer, including access control systems, surveillance, and intrusion detection mechanisms.

A well-defined third party risk management program does not require conducting onsite or virtual assessments for all third parties, as this would be impractical, costly, and inefficient. Instead, a TPRM program should adopt a risk-based approach to determine the frequency, scope, and depth of assessments based on the inherent and residual risks posed by each third party. This means that some third parties may require more frequent and comprehensive assessments than others, depending on factors such as the nature, scope, and criticality of their services, the sensitivity and volume of data they access or process, the regulatory and contractual obligations they must comply with, and the results of previous assessments and monitoring activities. A risk-based approach to assessments allows an organization to allocate its resources and efforts more effectively and efficiently, while also ensuring that the most significant risks are adequately addressed and mitigated. References:

Shared Assessments, CTPRP Job Guide, page 9: “The frequency, scope, and depth of assessments should be determined by the inherent and residual risks posed by each third party.”

OneTrust, [What is Third-Party Risk Management?]: “A risk-based approach to third-party risk management means that you prioritize your efforts and resources based on the level of risk each vendor poses to your organization.”

[Deloitte], [Third Party Risk Management: Managing Risk]: “A risk-based approach to third-party risk management helps organizations prioritize their efforts and resources based on the level of risk each third party poses to the organization.”

A documented process to gain approvals for use of open source applications is typically not part of evaluating the vendor’s patch management controls, because it is not directly related to the patching process. Patch management controls are the policies, procedures, and tools that enable an organization to identify, acquire, install, and verify patches for software vulnerabilities. Patch management controls aim to reduce the risk of exploitation of known software flaws and ensure the functionality and compatibility of the patched systems. A documented process to gain approvals for use of open source applications is more relevant to the software development and procurement processes, as it involves assessing the legal, security, and operational implications of using open source software components in the vendor’s products or services. Open source software may have different licensing terms, quality standards, and support levels than proprietary software, and may introduce additional vulnerabilities or dependencies that need to be managed. Therefore, a documented process to gain approvals for use of open source applications is a good practice for vendors, but it is not a patch management control per se. References:

Guide to Enterprise Patch Management Planning

Governance of Key Aspects of System Patch Management

Certified Third Party Risk Professional (CTPRP) Study Guide

 TPRM program metrics are the indicators that measure the performance, effectiveness, and maturity of the TPRM program. They help to monitor and communicate the progress, achievements, and challenges of the TPRM program to various stakeholders, such as business units, executive management, risk committees, and board of directors. However, the level of reporting and the frequency of changes in TPRM program metrics vary depending on the stakeholder’s role, responsibility, and interest123:

Business unit: This level of reporting is focused on the operational aspects of the TPRM program, such as the status of vendor assessments, remediation actions, issues, and incidents. The changes in TPRM program metrics at this level are frequent and granular, as they reflect the day-to-day activities and outcomes of the TPRM program.

Executive management: This level of reporting is focused on the strategic aspects of the TPRM program, such as the alignment with the business objectives, the compliance with the regulatory requirements, the management of the key risks, and the optimization of the resources and costs. The changes in TPRM program metrics at this level are less frequent and more aggregated, as they reflect the overall direction and performance of the TPRM program.

Risk committee: This level of reporting is focused on the oversight aspects of the TPRM program, such as the evaluation of the risk appetite, the review of the risk profile, the approval of the risk policies, and the escalation of the risk issues. The changes in TPRM program metrics at this level are occasional and more analytical, as they reflect the governance and assurance of the TPRM program.

Board of Directors: This level of reporting is focused on the advisory aspects of the TPRM program, such as the endorsement of the risk strategy, the awareness of the risk trends, the guidance of the risk culture, and the support of the risk initiatives. The changes in TPRM program metrics at this level are rare and exceptional, as they reflect the high-level and long-term vision and value of the TPRM program.

Therefore, the correct answer is D. Board of Directors, as this is the level of reporting where changes in TPRM program metrics are rare and exceptional. References:

1: 15 KPIs & Metrics to Measure the Success of Your TPRM Program | UpGuard

2: Third-party risk management metrics: Best practices to enhance your … | Diligent

3: TPRM Metrics - Telling Your Risk Story - Shared Assessments | Shared Assessments

Data anonymization is the process of removing or altering any information that can be used to identify an individual from a data set. This technique provides the strongest assurance that data does not identify an individual, as it makes it impossible or extremely difficult to link the data back to the original source. Data anonymization can be achieved by various methods, such as generalization, suppression, perturbation, or pseudonymization12. Data anonymization is often used for privacy protection, compliance with data protection regulations, and data sharing purposes3. References:

1: Data Security: Definition, Importance, and Types | Fortinet

2: Data Security Best Practices: Top 10 Data Protection Methods - Ekran System

3: Data anonymization - Wikipedia

One of the key objectives of a TPRM program is to identify and mitigate the risks posed by third parties throughout the relationship life cycle. Therefore, measuring the operational performance of implementing a TPRM program requires tracking the effectiveness and efficiency of the risk management processes and activities. Among the four examples given, calculating the average time to remediate identified corrective actions is the most likely to provide meaningful metrics for this purpose. This metric indicates how quickly and consistently the organization and its third parties can resolve the issues and gaps that are discovered during the risk assessment and monitoring phases. It also reflects the level of collaboration and communication between the parties, as well as the alignment of expectations and standards. A lower average time to remediate implies a higher operational performance of the TPRM program, as it demonstrates a proactive and responsive approach to risk management12.

The other three examples are less likely to provide meaningful metrics for measuring the operational performance of implementing a TPRM program, as they do not directly measure the outcomes or impacts of the risk management activities. Logging the number of exceptions to existing due diligence standards may indicate the level of compliance and consistency of the TPRM program, but it does not show how the exceptions are handled or justified. Measuring the time spent by resources for task and corrective action plan completion may indicate the level of effort and resource allocation of the TPRM program, but it does not show how the tasks and plans contribute to the risk reduction or mitigation. Tracking the number of outstanding findings may indicate the level of exposure and vulnerability of the TPRM program, but it does not show how the findings are prioritized or addressed. References:

1: 15 KPIs & Metrics to Measure the Success of Your TPRM Program | UpGuard Blog

2: Third-Party Risk Management Reporting: What You Need to Know - Venminder

 This answer is correct because a change at outsourcer due to merger and acquisition (M&A) is the least likely indicator to trigger a reassessment of an existing vendor. This is because the outsourcer is not the direct vendor of the organization, but rather a third party that the vendor uses to perform some of its services. Therefore, the impact of the change at the outsourcer on the vendor’s performance and risk level may not be significant or immediate. However, the other indicators (A, B, and C) are more likely to trigger a reassessment of an existing vendor, as they directly affect the vendor’s operations, capabilities, and compliance status. For example:

A change in vendor location or use of new fourth parties may introduce new risks such as geopolitical, regulatory, or cybersecurity risks that need to be evaluated and mitigated.

A change in scope of existing work may alter the vendor’s access to the organization’s data or systems, which may require additional security measures and controls to protect the confidentiality, integrity, and availability of the information assets.

A change in regulation that impacts service provider requirements may impose new obligations or standards on the vendor that need to be verified and monitored to ensure compliance and avoid penalties or fines. References:

How to Conduct a Successful Vendor Risk Assessment in 9 Steps, Case IQ

Why You Need to Reassess Vendor Risk on an Ongoing Basis, ThirdPartyTrust

Vendor Assessment and Evaluation Guide, Smartsheet

Terms for return or destruction of data should be defined and agreed upon during contract negotiation, as this is the phase where the organization and the third party establish the expectations, obligations, and responsibilities for the relationship, including the handling of data. According to the Shared Assessments CTPRP Study Guide, contract negotiation is the phase where "the organization and the third party negotiate and execute a contract that clearly defines the expectations and responsibilities of both parties, including the scope of work, service level agreements, performance measures, reporting requirements, compliance obligations, security and privacy controls, incident response procedures, dispute resolution mechanisms, termination rights, and other relevant terms and conditions."1 One of the key contractual terms that should be addressed is the return or destruction of data, which specifies how the third party will return or dispose of the organization’s data at the end of the relationship, or upon request, in a secure and timely manner. This term is important for ensuring the organization’s data protection, confidentiality, and compliance, as well as reducing the risk of data breaches, leaks, or misuse by the third party or unauthorized parties.

The other phases of the TPRM lifecycle are not the best choices for defining and agreeing upon terms for return or destruction of data, because:

B. At third party selection and initial due diligence: This is the phase where the organization identifies, evaluates, and selects the third party that best meets its needs, objectives, and risk appetite. This phase involves conducting due diligence on the third party’s capabilities, qualifications, reputation, performance, security, and compliance, as well as assessing the inherent risk of the relationship. While this phase is important for screening and choosing the right third party, it does not involve defining and agreeing upon the specific terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.

C. When deploying ongoing monitoring: This is the phase where the organization monitors and reviews the third party’s performance, service delivery, risk management, and compliance on a regular basis, as well as identifies and addresses any issues, gaps, or changes that may arise during the relationship. This phase involves collecting and analyzing data and information from various sources, such as reports, audits, assessments, surveys, feedback, incidents, and metrics, as well as communicating and collaborating with the third party to ensure alignment and improvement. While this phase is important for ensuring the quality and security of the relationship, it does not involve defining and agreeing upon the terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.

D. At termination and exit: This is the phase where the organization terminates and exits the relationship with the third party, either by mutual agreement, expiration of contract, breach of contract, or other reasons. This phase involves executing the termination and exit plan, which may include notifying the third party, transferring or discontinuing the services, settling the financial obligations, returning or destroying the data, revoking the access rights, and conducting a post-termination review. While this phase is important for ensuring a smooth and secure transition and closure of the relationship, it does not involve defining and agreeing upon the terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.

References:

1: Shared Assessments CTPRP Study Guide, page 59, section 5.1: TPRM Lifecycle

: Third-Party Risk Management: Vendor Contract Terms and Conditions, section: Data Ownership, Return and Destruction

: [Third-Party Risk Management: The 3rd Party Ecosystem: How to Manage the Risk While Keeping the Benefit], section: Contract Negotiation

: [Third-Party Risk Management: The 3rd Party Ecosystem: How to Manage the Risk While Keeping the Benefit], section: Termination and Exit

The onboarding process for new hires is a key part of the third-party risk management program, as it ensures that the right people are hired and trained to perform their roles effectively and securely. One of the best practices for onboarding new hires is to conduct applicant screening, which may include background checks, reference checks, verification of credentials, and assessment of skills and competencies. Applicant screening helps to identify and mitigate potential risks such as fraud, theft, corruption, or data breaches that may arise from hiring unqualified, dishonest, or malicious individuals. Therefore, it is important to wait for the results of applicant screening before onboarding new employees and contractors, as this can prevent costly and damaging incidents in the future.

The other statements are false regarding the onboarding process for new hires. It is necessary to have employees, contractors, and third-party users sign confidentiality or non-disclosure agreements, as this protects the company’s sensitive information and intellectual property from unauthorized disclosure or misuse. Non-compete agreements may not be required for all job roles, as they may limit the employee’s ability to work for other companies or in the same industry after leaving the current employer. They may also be subject to legal challenges depending on the jurisdiction and the scope of the agreement. Security and privacy awareness training is essential for all new employees and contractors, regardless of their existing certifications, as it educates them on the company’s policies, procedures, and standards for protecting data and systems from cyber threats. It also helps to foster a culture of security and compliance within the organization. References:

5 Steps to Effective Third-Party Onboarding

Using a third-party onboarding tool to address new challenges in third-party risk

Onboarding and terminating third parties

CTPRP Job Guide

A data flow diagram (DFD) is a graphical representation of the flow of information between outsourcers and third parties, as well as within a system or process. It shows the sources and destinations of data, the processes that transform data, the data stores that hold data, and the data flows that connect them. A DFD can help to understand and refine the business processes or systems that involve data exchange with external entities. A DFD can also help to identify potential risks and vulnerabilities in the data flows, such as data leakage, data corruption, data loss, or unauthorized access.

The other options are incorrect because they do not match the definition of a visual representation of data flows. A configuration standard (A) is a set of rules or guidelines that define how a system or process should be configured, such as hardware, software, or network settings. An audit log report (B) is a record of the activities or events that occurred in a system or process, such as user actions, system changes, or security incidents. A network diagram © is a graphical representation of the physical or logical connections between devices or nodes in a network, such as routers, switches, servers, or computers. References:

https://www.visual-paradigm.com/tutorials/data-flow-diagram-dfd.jsp

https://www.lucidchart.com/pages/data-flow-diagram

An enterprise information security policy (EISP) is a management-level document that details the organization’s philosophy, objectives, and expectations regarding information security. It sets the direction, scope, and tone for all security efforts and provides a framework for developing and implementing security programs and controls. According to the web search results from the search_web tool, some of the key elements of an EISP are:

A statement of the organization’s security vision, mission, and principles that align with its business goals and values123.

A definition of the organizational structure and accountabilities for oversight, governance, and management of information security, including roles and responsibilities of senior executives, security officers, business units, and users123 .

A specification of the legal and regulatory compliance requirements and obligations that the organization must adhere to, such as data protection, privacy, and breach notification laws123 .

A description of the scope and applicability of the EISP, including the types of information, systems, and assets that are covered, and the exclusions or exceptions that may apply123 .

A declaration of the effective date and date of last review by management, as well as the frequency and criteria for reviewing and updating the EISP to ensure its relevance and adequacy123 .

A statement of the organization’s risk appetite and tolerance, and the process for identifying, assessing, and treating information security risks123 .

A provision of the authority and responsibility for implementing, enforcing, monitoring, and auditing the EISP and its related policies, standards, procedures, and guidelines123 .

A determination of the access control policy and the rules for granting, revoking, and reviewing access rights and privileges to information, systems, and assets123 .

An organization of the EISP based on an accepted control framework, such as ISO 27001, NIST SP 800-53, or COBIT, that defines the security domains, objectives, and controls that the organization must implement and maintain123 .

However, option C, a statement that security policies should be changed on an annual basis due to technology changes, is not an accurate reflection of an organization’s requirements within an EISP. While technology changes may affect the security environment and the threats and vulnerabilities that the organization faces, they are not the only factor that determines the need for changing security policies. Other factors, such as business changes, legal changes, risk changes, audit findings, incident reports, and best practices, may also trigger the need for reviewing and updating security policies. Therefore, option C is the correct answer, as it is the only one that does not reflect an organization’s requirements within an EISP. References: The following resources support the verified answer and explanation:

1: What Is The Purpose Of An Enterprise Information Security Policy?

2: Enterprise Information Security Policies and Standards

3: Key Elements Of An Enterprise Information Security Policy

: Enterprise Information Security Policy (EISP) - SANS

In the context of Third-Party Risk Management (TPRM) requirements within the Software Development Life Cycle (SDLC), a process for data destruction and disposal is not typically considered a key component. The primary focus within SDLC in TPRM is on ensuring secure software development practices, which includes maintaining artifacts to prove that SDLC gates are executed, conducting software security testing, and having processes in place for fixing security defects. While data destruction and disposal are important security considerations, they are generally associated with data lifecycle management and information security management practices rather than being integral to the SDLC process itself.

References:

Best practices in secure software development, as outlined in frameworks like the Secure Software Development Framework (SSDF) by NIST, emphasize the importance of secure coding, vulnerability testing, and remediation processes rather than data disposal practices.

The "Software Security Framework (SSF)" by the Open Web Application Security Project (OWASP) provides guidance on integrating security practices into the SDLC, focusing on areas like threat modeling, secure coding, and security testing.

Risk treatment is the process of selecting and implementing measures to modify risk, according to the organization’s risk appetite and tolerance. There are four main risk treatment options: avoid, reduce, transfer, or retain the risk123. Among these options, risk transfer typically requires a negotiation of contract terms between parties, as it involves shifting the responsibility or burden of the risk to another entity, such as an insurer, a supplier, a partner, or a customer1234. Risk transfer can be achieved through various contractual arrangements, such as insurance policies, indemnity clauses, warranties, guarantees, service level agreements, or outsourcing agreements1234. These arrangements usually involve a cost-benefit analysis, a due diligence process, and a mutual agreement on the terms and conditions of the risk transfer1234. Therefore, option D is the correct answer, as it is the only one that reflects a risk treatment approach that typically requires a negotiation of contract terms between parties. References: The following resources support the verified answer and explanation:

1: Risk Treatment — ENISA

2: Four Basic Risk Treatment Planning Approaches - DigiLEAF

3: 3 Steps to Treating Your Organizational Risks - American Society of …

4: Risk Management Framework - Treat Risks - Chartered Accountants ANZ

The contract is not the only enforceable control to stipulate third party service provider obligations for DR/BCP, nor are both programs necessarily triggered by the pandemic. According to the Shared Assessments Program, third party risk management (TPRM) is a continuous process that requires ongoing monitoring and assessment of third parties’ performance, compliance, and resilience. Therefore, the contract should be complemented by other controls, such as due diligence, audits, reviews, and reporting, to ensure that third parties meet the organization’s expectations and standards for DR/BCP. Moreover, DR/BCP are not only relevant for pandemic scenarios, but also for other types of disasters, such as natural disasters, cyberattacks, power outages, or human errors. Therefore, the contract should reflect the organization’s risk appetite and tolerance for different types of disruptions and scenarios, and not be limited to pandemic-related events. 

Vendor classification or risk tiering is a process of categorizing vendors based on the level of security risk they introduce to an organization12. It is a key component of a third-party risk management (TPRM) program, as it helps to prioritize and allocate resources for vendor assessment, monitoring, and remediation12. The statement D is true, as it reflects the first step of vendor classification or risk tiering, which is to determine the inherent risk of each vendor relationship based on the nature, scope, and complexity of the product or service being outsourced3 . Inherent risk is the risk that exists before any controls or mitigating factors are applied3 . By calculating the inherent risk, an organization can assign each vendor to a risk tier that reflects the potential impact and likelihood of a security breach or incident involving the vendor3 .

The other statements are false, as they do not accurately describe the vendor classification or risk tiering process. The statement A is false, as vendor classification and risk tiers are not based on residual risk calculations, but on inherent risk calculations. Residual risk is the risk that remains after controls or mitigating factors are applied3 . Residual risk is used to evaluate the effectiveness of the controls and the need for further action, but not to classify or tier vendors3 . The statement B is false, as vendor classification and risk tiering should be used for all third party relationships, not only for critical ones. Vendor classification and risk tiering helps to identify and prioritize the critical vendors, but also to manage the low and medium risk vendors according to their respective risk profiles12. The statement C is false, as vendor classification and corresponding risk tiers do not utilize the same due diligence standards for controls evaluation based upon policy, but different ones. Due diligence standards are the criteria and methods used to assess the security posture and performance of vendors. Due diligence standards should vary according to the risk tier of the vendor, as higher risk vendors require more rigorous and frequent evaluation than lower risk vendors.

References:

1: What is Vendor Tiering? Optimize Your Vendor Risk Management | UpGuard Blog

2: Vendor Tiering Best Practices: Categorizing Vendor Risks | UpGuard Blog

3: Third-Party Risk Management (TPRM): A Complete Guide - BlueVoyant

[4]: Supplemental Examination Procedures for Risk Management of Third-Party Relationships

[5]: Third Party Risk Management: Why It’s Important And What Features To Look For - Expert Insights

Data classification is the process of categorizing data according to its type, sensitivity, and value to the organization if altered, stolen, or destroyed1. Data classification helps an organization understand the risk level of its data and implement appropriate controls to protect it. Data can be classified into three risk levels: low, moderate, and high23. Low risk data are data that are intended for public disclosure or have no adverse impact on the organization’s mission, safety, finances, or reputation if compromised23. Sanitized customer data used for aggregated profiling are an example of low risk data, as they do not contain any personally identifiable or sensitive information that could be exploited for criminal or other wrongful purposes. Sanitized data are data that have been modified to remove or obscure any confidential or identifying information, such as names, addresses, phone numbers, etc. Aggregated data are data that have been combined or summarized from multiple sources to provide statistical or analytical insights, such as trends, patterns, averages, etc. Sanitized and aggregated data are often used for research, marketing, or business intelligence purposes, and do not pose a significant threat to the organization or the customers if exposed. References:

1: What is Data Classification? | Best Practices & Data Types | Imperva

2: Data Classification Guideline (1604 GD.01) - Yale University

3: Risk Classifications | University IT

: Data Classification Policy - Shared Assessments

: What is Data Sanitization? | Definition and Examples | Imperva

: What is Data Aggregation? | Definition and Examples | Imperva

One of the key elements of a robust information security policy is the definition and implementation of requirements for third party governance and oversight. This means that the vendor should have clear and consistent processes and procedures for managing and monitoring the information security risks and controls of their subcontractors, suppliers, or service providers. Third party governance and oversight should include the following aspects12:

Establishing criteria and standards for selecting and evaluating third parties based on their information security capabilities and performance

Conducting regular and comprehensive assessments and audits of third parties’ information security policies, practices, and incidents

Ensuring contractual agreements and service level agreements (SLAs) with third parties include information security clauses and obligations

Maintaining visibility and communication with third parties regarding their information security status and issues

Implementing corrective actions and remediation plans for any identified information security gaps or weaknesses

Terminating or suspending the relationship with third parties that fail to meet the information security expectations or requirements If a vendor’s response does not specify any requirements for third party governance and oversight, it should trigger further investigation of their information security policies. This indicates that the vendor may not have a comprehensive and effective approach to managing the information security risks and impacts of their extended network of partners. This could expose the vendor and their clients to potential data breaches, cyberattacks, compliance violations, or reputational damages. Therefore, the vendor should be asked to provide more details and evidence of how they ensure the information security of their third parties, and how they address any information security incidents or issues involving their third parties. References:

1: Third-Party Information Security Risk Management Policy - SecurityStudio

2: Ensuring Data Protection for Third Parties: Best Practices | UpGuard Blog

According to the NIST Computer Security Incident Handling Guide1, one of the first steps in responding to an incident is to identify the scope, nature, and source of the incident. This involves gathering evidence, analyzing logs, interviewing witnesses, and performing forensic analysis. The goal is to determine the extent of the compromise, the type of attack, the identity or location of the attacker, and the potential impact on the organization and its stakeholders. This step is essential for containing the incident, mitigating the damage, and preventing further escalation or recurrence. References:

NIST Computer Security Incident Handling Guide1, Section 3.2.2 Identification

Cisco What Is an Incident Response Plan for IT?2, Section 2. Respond

CrowdStrike Incident Response [Beginner’s Guide]3, Section 3. Incident Response Steps

 According to the CTPRP Job Guide, the TPRM program should establish minimum risk assessment standards for third party due diligence based on the company’s risk tolerance and risk appetite. This means that the TPRM program should define the scope, depth, frequency, and methodology of the risk assessment process for different categories of third parties, taking into account the potential impact and likelihood of various risks. The risk assessment standards should be consistent, transparent, and aligned with the company’s strategic objectives and regulatory obligations. The TPRM program should also monitor and update the risk assessment standards as needed to reflect changes in the business environment, risk profile, and best practices. The other options are not correct because they do not reflect a holistic and risk-based approach to third party due diligence. Setting the standards by each business unit may result in inconsistency, duplication, or gaps in the risk assessment process. Defining the standards in the contract or statement of work may limit the flexibility and adaptability of the risk assessment process to changing circumstances. Identifying the standards by procurement may overlook the input and involvement of other stakeholders and functions in the risk assessment process. References:

CTPRP Job Guide, page 17

Third-Party Risk Management and ISO Requirements for 2022, section “Benefits of Implementing Risk Management”

Managing third-party risk through effective due diligence, section “Complying with regulators’ demands”

Third-Party Due Diligence Checklist: 3 Essential Steps, section “Step 2: Conduct a Risk Assessment”