Shared Assessments CTPRP - Certified Third-Party Risk Professional (CTPRP)
Information classification of personal information may trigger specific regulatory obligations. Which statement is the BEST response from a privacy perspective:
Personally identifiable financial information includes only consumer report information
Public personal information includes only web or online identifiers
Personally identifiable information and personal data are similar in context, but may have different legal definitions based upon jurisdiction
Personally Identifiable Information and Protected Healthcare Information require the exact same data protection safeguards
The Answer Is: C
Explanation:
Personal information is any information that can be used to identify an individual, directly or indirectly, such as a name, address, email address, phone number or ID number. Personal data is the term used in some jurisdictions, such as the European Union, for personal information that is subject to data protection law. The scope and definition of personal data vary by jurisdiction and context. The GDPR defines personal data as "any information relating to an identified or identifiable natural person" and includes online identifiers such as IP addresses, cookies and device IDs, as well as special categories of data such as biometric, genetic, health or political data. The US has no single federal law regulating personal data, but a patchwork of sector-specific and state-level laws with differing definitions and requirements. The California Consumer Privacy Act (CCPA), for example, defines personal information as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household" and excludes publicly available information from its scope. From a privacy perspective it is therefore important to understand which legal definitions and obligations apply to personal information or personal data given the jurisdiction and the processing activity, because the classification assigned to the data (PII, PHI, financial information, public information) determines which regime's safeguards are triggered. References:
GDPR personal data – what information does this cover?
Personal Information, Data Classification, Life Cycle and Best Practices
5 Types of Data Classification (With Examples)
Which statement does NOT reflect current practice in addressing fourth party risk or subcontracting risk?
Third party contracts and agreements should require prior notice and approval for subcontracting
Outsourcers should rely on requesting and reviewing external audit reports to address subcontracting risk
Outsourcers should inspect the vendor's TPRM program and require evidence of the assessments of subcontractors
Third party contracts should include capturing, maintaining, and tracking authorized subcontractors
The Answer Is: B
Explanation:
This statement does not reflect current practice because relying on external audit reports alone is not sufficient to address fourth party (subcontracting) risk. Outsourcers should perform their own due diligence and monitoring of subcontractors and confirm that the third party has a robust TPRM program of its own. External audit reports may not cover all aspects of subcontracting risk, such as data security, compliance, performance and quality, and they may be stale, inaccurate or inconsistent, so they need not reflect the current state of the subcontractor's operations. Outsourcers should therefore take a proactive and comprehensive approach to subcontracting risk: contractual notice and approval rights for subcontracting, an inventory of authorized subcontractors, and evidence that the third party assesses them, rather than audit reports by themselves. References:
Shared Assessments Program, page 13: "Outsourcers should not rely solely on external audit reports to address subcontracting risk. Outsourcers should also inspect the vendor's TPRM program and require evidence of the assessments of subcontractors."
Five Best Practices to Manage and Control Third-Party Risk, page 3: "Restricting privileged accounts
Which of the following methods of validating pre-employment screening attributes is appropriate due to limitations of international or state regulation?
Reviewing evidence of web search of social media sites
Providing and sampling complete personnel files to demonstrate unique screening results
Requiring evidence of drug testing
Requesting evidence of the performance of pre-employment screening when permitted by law
The Answer Is: D
Explanation:
Option D is the most appropriate and compliant method of validating pre-employment screening attributes among the given options. Requesting evidence of the performance of pre-employment screening when permitted by law means that the organization respects the legal and regulatory boundaries of different jurisdictions and does not impose unnecessary or unlawful requirements on its third parties. It also gives the organization relevant and reliable information about the third parties' screening processes and outcomes, which supports assessment of their suitability and risk level.
The other options are either inappropriate or ineffective methods of validating pre-employment screening attributes. Reviewing evidence of web searches of social media sites (A) is inappropriate because it may violate the privacy and data protection rights of the third parties and their employees and exposes the organization to bias and discrimination claims. Providing and sampling complete personnel files to demonstrate unique screening results (B) is ineffective because the third party's screening criteria, standards and methods may differ from the organization's, and it is also inappropriate because handing over full personnel files discloses employee personal data well beyond what the outsourcer needs to see. Requiring evidence of drug testing (C) is inappropriate because it may not be relevant or necessary for the nature and scope of the third-party relationship, and it may conflict with the laws and regulations of jurisdictions that prohibit or limit such testing. References:
https://www.onetrust.com/blog/third-party-risk-management/
Which of the following components is NOT typically included in external continuous monitoring solutions?
Status updates on localized events based on geolocation
Alerts on legal and regulatory actions involving the vendor
Metrics that track SLAs for performance management
Reports that identify changes in vendor financial viability
The Answer Is: C
Explanation:
External continuous monitoring solutions are tools or services that provide objective and timely data on the cybersecurity posture, financial health, legal standing and operating environment of third-party vendors. They typically include components such as:
Status updates on localized events based on geolocation, which alert the organization to potential disruptions or incidents affecting the vendor's operations or infrastructure in a specific region or country [1][2].
Alerts on legal and regulatory actions involving the vendor, which indicate the vendor's compliance status, reputation or liability exposure [1][3].
Reports that identify changes in vendor financial viability, which signal the vendor's ability to sustain its business operations, invest in security or honor its contractual obligations [1][4].
Metrics that track SLAs for performance management, however, are not typically included in external continuous monitoring solutions; they belong to internal monitoring and reporting. SLAs are service level agreements that define the expected quality, availability and reliability of the vendor's services or products, together with the penalties or remedies for non-compliance. They are measured and reported by the vendor itself, or by a third-party auditor or assessor, against the criteria and frequency agreed by the parties in the contract [5][6]. Therefore, option C is the correct answer. References:
Third Party Risk Management Framework, Module 5: Program Implementation, Section 5.2: Ongoing Monitoring, p. 32
Bitsight Continuous Monitoring, Section: Uncover hidden risks
Best-Practices Guidance for Third-Party Risk, Section: Monitor Third-Party Compliance with Regulations and Standards, p. 3
Five Best Practices to Manage and Control Third-Party Risk, Section: Monitor Third-Party Financial Health, p. 4
[Third Party Risk Management Framework], Module 4: Program Components, Section 4.3: Contracting, p. 24
[A Better Way to Manage Third-Party Risk], Section: Establish clear service level agreements (SLAs) and key performance indicators (KPIs), p. 2
Which of the following is a positive aspect of adhering to a secure SDLC?
Promotes a “check the box" compliance approach
A process that defines and meets both the business requirements and the security requirements
A process that forces quality code repositories management
Enables the process if system code is managed in different IT silos
The Answer Is: B
Explanation:
A secure SDLC is a framework that integrates security best practices and standards throughout the software development life cycle, from planning to deployment and maintenance. A secure SDLC aims to ensure that security is considered and implemented at every stage of the development process, not just as an afterthought or a compliance check. A secure SDLC can help organizations to achieve the following benefits [1][2]:
Reduce the risk of security breaches and incidents by identifying and mitigating vulnerabilities early and continuously
Improve the quality and reliability of software products by ensuring that they meet both the functional and the security requirements
Save time and money by avoiding costly rework, remediation, and reputation damage caused by security flaws
Enhance customer trust and satisfaction by delivering secure and compliant software solutions
Foster a culture of security awareness and responsibility among developers, testers, and other stakeholders References:
Secure SDLC | Secure Software Development Life Cycle | Snyk
What is Secure Software Development Life Cycle (SSDLC )? - GeeksforGeeks
Which statement BEST describes the use of risk based decisioning in prioritizing gaps identified at a critical vendor when defining the corrective action plan?
The assessor determined that gaps should be analyzed, documented, reviewed for compensating controls, and submitted to the business owner to approve risk treatment plan
The assessor decided that the critical gaps should be discussed in the closing meeting so that the vendor can begin to implement corrective actions immediately
The assessor concluded that all gaps should be logged and treated as high severity findings since the assessment was performed on a critical vendor
The assessor determined that all gaps should be logged and communicated that if the gaps were corrected immediately they would not need to be included in the findings report
The Answer Is: A
Explanation:
According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, risk based decisioning is the process of applying risk criteria to prioritize and address the gaps identified during a third-party risk assessment [1]. The assessor should analyze the gaps based on the impact, likelihood and urgency of the risk, and document the findings and recommendations in a report. The assessor should also review the existing or proposed compensating controls that could mitigate the risk, and submit the report to the business owner for approval of the risk treatment plan. The risk treatment plan could include accepting, transferring, avoiding or reducing the risk, depending on the risk appetite and tolerance of the organization [1].
The other statements do not reflect the best use of risk based decisioning, as they either skip the risk analysis and documentation process or apply a uniform or arbitrary approach to prioritizing and addressing the gaps. The assessor should not decide or conclude on the risk treatment plan without consulting the business owner, who is ultimately responsible for the third-party relationship and the risk management decisions [1]. The assessor should also not communicate that gaps would be left out of the report if corrected immediately, as this would compromise the integrity and transparency of the assessment process and the report [2].
References:
1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, pages 29-30, 33-34
2: Third-Party Risk Management: Final Interagency Guidance, page 10
Which statement is TRUE regarding artifacts reviewed when assessing the Cardholder Data Environment (CDE) in payment card processing?
The Data Security Standards (DSS) framework should be used to scope the assessment
The Report on Compliance (ROC) provides the assessment results completed by a qualified security assessor that includes an onsite audit
The Self-Assessment Questionnaire (SAQ) provides independent testing of controls
A System and Organization Controls (SOC) report is sufficient if the report addresses the same location
The Answer Is: B
Explanation:
The Cardholder Data Environment (CDE) is the people, processes and technology that store, process or transmit cardholder data or sensitive authentication data, together with any system components connected to it or able to affect its security [1][2][3]. The CDE is subject to the Payment Card Industry Data Security Standard (PCI DSS), the card brands' set of requirements for protecting payment card data [1][2][3]. The artifacts an assessor reviews for the CDE include:
The Data Security Standard (DSS) itself: the document that specifies the 12 high-level requirements, their sub-requirements and the testing procedures [1][2][3]. It tells the assessor which controls must exist on in-scope components, but it does not define the scope. Scope is established first, by identifying every component that stores, processes or transmits account data and every connected-to or security-impacting component, and by verifying any segmentation relied on to keep other systems out of scope [2][3]. Option A conflates the control requirements with the scoping exercise and is therefore not the best statement.
The Report on Compliance (ROC): the report of a full assessment performed by a PCI SSC Qualified Security Assessor (QSA), including onsite examination of the CDE, which documents the organization's compliance status and any gaps to be remediated [1][2][3]. A ROC is required of Level 1 entities as defined by each card brand's compliance program (for merchants, on the order of six million transactions per year) and of any entity a brand designates, for example a merchant that has been compromised [1][2]. Option B is therefore a true statement.
The Self-Assessment Questionnaire (SAQ): a validation tool for merchants and service providers that are not required to submit a ROC [1][2][3]. Because it rests on the organization's own answers and self-gathered evidence, it does not provide independent testing of controls, so option C is false [1][2][3].
A System and Organization Controls (SOC) report: an independent audit of the internal controls of a service organization such as a cloud provider, data center or payment processor [4][5]. SOC 1 (based on SSAE 18), SOC 2 (based on the Trust Services Criteria) and SOC 3 (a summary form of SOC 2) are not PCI DSS reports; even a SOC report covering the same location may not address the PCI DSS requirements or the CDE's scope, so it is not sufficient on its own and option D is false [1][2][3][4][5].
References:
1: PCI DSS Quick Reference Guide
2: PCI DSS FAQs
3: PCI DSS Glossary
4: What is a SOC report?
5: SOC Reports: What They Are, and Why They Matter
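The scoping rule described above (CDE components plus connected-to and security-impacting components, with verified segmentation taking systems out of scope) can be made mechanical. The following is an added example written for this page; it is not from the CTPRP material or any PCI SSC document. The inventory, the attribute names, the links and the two helper functions are all constructed for illustration.

```python
"""Added example, not from the CTPRP material or any PCI SSC document: a small
scoping pass over a constructed system inventory. A component is in scope if it
stores, processes or transmits cardholder data (CDE), or if it reaches a CDE
component over an unsegmented link or provides a security service to the CDE
(connected-to / security-impacting). Every name, flag and link is invented."""

# Constructed inventory. 'chd' = stores/processes/transmits account data;
# 'security_impacting' = provides a security service to CDE components
# (authentication, administrative access, patching).
INVENTORY = {
    "pos-terminal":    {"chd": True,  "security_impacting": False},
    "payment-gateway": {"chd": True,  "security_impacting": False},
    "token-vault":     {"chd": True,  "security_impacting": False},
    "jump-host":       {"chd": False, "security_impacting": False},
    "ad-domain-ctrl":  {"chd": False, "security_impacting": True},
    "hr-portal":       {"chd": False, "security_impacting": False},
    "marketing-web":   {"chd": False, "security_impacting": False},
}

# Constructed network links: (a, b, segmented). segmented=True stands for a
# segmentation control verified (e.g. by penetration testing) to block all
# traffic, so the link does not count for scoping.
LINKS = [
    ("pos-terminal", "payment-gateway", False),
    ("payment-gateway", "token-vault", False),
    ("jump-host", "token-vault", False),          # admin path into the CDE
    ("ad-domain-ctrl", "payment-gateway", False),
    ("ad-domain-ctrl", "hr-portal", False),       # same DC also serves HR
    ("hr-portal", "marketing-web", False),
    ("marketing-web", "payment-gateway", True),   # verified segmentation
]

CDE, CONNECTED, OUT = "CDE", "connected-to/security-impacting", "out-of-scope"


def _unsegmented_neighbours(inventory, links):
    nbrs = {name: set() for name in inventory}
    for a, b, segmented in links:
        if not segmented:
            nbrs[a].add(b)
            nbrs[b].add(a)
    return nbrs


def classify_scope(inventory, links):
    """Map each component to CDE, connected-to/security-impacting, or out-of-scope."""
    cde = {n for n, attrs in inventory.items() if attrs["chd"]}
    nbrs = _unsegmented_neighbours(inventory, links)
    scope = {}
    for name, attrs in inventory.items():
        if name in cde:
            scope[name] = CDE
        elif attrs["security_impacting"] or nbrs[name] & cde:
            scope[name] = CONNECTED
        else:
            # Linked only to connected-to systems, or fully segmented: out of
            # scope, provided the assessor confirms it cannot reach the CDE.
            scope[name] = OUT
    return scope


def bridging_components(scope, links):
    """In-scope components with an unsegmented link to an out-of-scope one.

    An out-of-scope host that can reach a connected-to host may reach the CDE
    through it, so each bridge is a segmentation item to verify in the assessment.
    """
    bridges = set()
    for a, b, segmented in links:
        if segmented:
            continue
        if scope[a] != OUT and scope[b] == OUT:
            bridges.add(a)
        if scope[b] != OUT and scope[a] == OUT:
            bridges.add(b)
    return sorted(bridges)


if __name__ == "__main__":
    scope = classify_scope(INVENTORY, LINKS)
    for name, category in sorted(scope.items(), key=lambda kv: kv[1]):
        print(f"{name:16} {category}")
    print("segmentation review items:", bridging_components(scope, LINKS))
```

Note the deliberate one-hop rule: a system connected only to a connected-to system is left out of scope, which matches the scoping guidance but puts the burden on the assessor to confirm the bridge (here the domain controller that serves both the gateway and the HR portal) cannot be used to reach the CDE.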
Which cloud deployment model is primarily used for load balancing?
Public Cloud
Community Cloud
Hybrid Cloud
Private Cloud
The Answer Is: C
Explanation:
Hybrid cloud is the cloud deployment model primarily used for load balancing. Load balancing is the process of distributing workloads and network traffic across multiple servers or resources to optimize performance, reliability and scalability [1]. It prevents any single server or resource from being overloaded or underutilized and improves fault tolerance and availability. Hybrid cloud is a composition of two or more distinct deployment models, such as public, private or community cloud, bound together so that data and applications can move between them [2]. It lets organizations combine the benefits of public and private clouds: cost efficiency and scalability on one side, security and control on the other [3]. It also enables load balancing across cloud environments according to the demand, cost and performance requirements of each workload, a pattern often called cloud bursting [4][5]. For example, an organization can keep sensitive or mission-critical applications on a private cloud that offers high security and performance, and run less sensitive or variable workloads on a public cloud that offers more scalability and flexibility. The load is balanced between the private and public clouds so that resource utilization and cost are optimized across both.
The other deployment models are not primarily used for load balancing, although each can balance load within its own environment. Public cloud is infrastructure shared by multiple tenants and open to the public; anyone can use it by subscribing. It offers high scalability, elasticity and cost-effectiveness, but may offer less security, privacy and control than private cloud [2]. Community cloud is infrastructure shared by consumers with common concerns who set up a cloud for their exclusive use, for example a group of government organizations. It offers some benefits of both public and private clouds, such as shared costs, common standards and enhanced security, but may offer less scalability and flexibility than public cloud [2]. Private cloud is infrastructure provisioned for the exclusive use of a single organization; it may or may not be operated by that organization. It offers high security, privacy and control, but may offer less scalability, elasticity and cost-effectiveness than public cloud [2]. References:
1: What is Load Balancing? | How Load Balancing Works | F5
2: The NIST Definition of Cloud Computing
3: What is Hybrid Cloud? | IBM
4: Hybrid Cloud Load Balancing - Kemp Technologies
5: Hybrid Cloud Load Balancing: What You Need to Know - CloudHealth by VMware
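The private-first, burst-to-public placement described in the explanation above, as an added example that is not part of the original page or any vendor's product. The rules are assumptions chosen for illustration: workloads tagged sensitive are pinned to the private cloud and rejected if it is full; other workloads use private capacity first and burst to the public cloud when it runs out; public usage is costed per unit so the plan reports spend. Pool sizes, costs and workload names are constructed.

```python
"""Added example, not from the page: a placement scheduler that balances load
between a private and a public cloud. Sensitive workloads never leave the
private pool; elastic ones burst to public when private capacity is exhausted."""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    units: int        # abstract capacity units, e.g. vCPUs
    sensitive: bool   # regulated or mission-critical: never leaves private


@dataclass
class Pool:
    name: str
    capacity: int
    cost_cents_per_unit: int   # 0 for already-owned private capacity
    used: int = 0
    placed: list = field(default_factory=list)

    def fits(self, w):
        return self.used + w.units <= self.capacity

    def place(self, w):
        self.used += w.units
        self.placed.append(w.name)


def schedule(workloads, private, public):
    """Return (plan, rejected, public_cost_cents).

    Sensitive workloads are placed first so elastic ones cannot crowd them out
    of the only pool they are allowed to run in.
    """
    rejected = []
    for w in sorted(workloads, key=lambda w: not w.sensitive):  # stable: sensitive first
        if private.fits(w):
            private.place(w)
        elif not w.sensitive and public.fits(w):
            public.place(w)          # cloud burst
        else:
            rejected.append(w.name)  # sensitive with no private room, or both pools full
    plan = {private.name: list(private.placed), public.name: list(public.placed)}
    return plan, rejected, public.used * public.cost_cents_per_unit


def run_sample():
    """Constructed demand that exceeds the private pool, to exercise bursting and rejection."""
    private = Pool("private", capacity=16, cost_cents_per_unit=0)
    public = Pool("public", capacity=64, cost_cents_per_unit=5)
    demand = [
        Workload("core-banking", 8, sensitive=True),
        Workload("web-frontend", 10, sensitive=False),
        Workload("hr-db", 6, sensitive=True),
        Workload("batch-report", 4, sensitive=False),
        Workload("analytics", 20, sensitive=True),   # too big for private, cannot burst
        Workload("campaign-site", 3, sensitive=False),
    ]
    return schedule(demand, private, public)


if __name__ == "__main__":
    plan, rejected, cost = run_sample()
    print(plan)
    print("rejected (need more private capacity):", rejected)
    print(f"public spend this cycle: {cost} cents")
```

The rejection path is the security-relevant part: a sensitive workload that does not fit is refused rather than quietly bursting to the public cloud, which is the failure mode an unconstrained balancer would introduce.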
Physical access procedures and activity logs should require all of the following EXCEPT:
Require multiple access controls for server rooms and data centers
Require physical access logs to be retained indefinitely for audit purposes
Record successful and unsuccessful attempts including investigation of unsuccessful access attempts
Include a process to trigger review of the logs after security events
The Answer Is: B
Explanation:
Physical access procedures and activity logs are important components of third-party risk management, since they protect the physical assets and data of the organization and its third parties. Requiring physical access logs to be retained indefinitely, however, is not a best practice: it creates legal, regulatory and operational problems. According to the Supplemental Examination Procedures for Risk Management of Third-Party Relationships, physical access logs should be retained for a defined, reasonable period consistent with the organization's policies and procedures and with applicable laws and regulations [4]. Keeping them forever enlarges the store of personal data that must be protected and increases exposure to unauthorized access, data breaches, privacy violations and litigation [2]. The other three options (layered access controls for server rooms and data centers, recording both successful and unsuccessful attempts and investigating the failures, and a process that triggers log review after a security event) are all established practice. Option B is therefore the correct answer, as the only statement that does not reflect best practice for physical access procedures and activity logs.
References:
1: How to Write Third-Party Risk Management (TPRM) Policies and Procedures - SecurityScorecard Blog
2: Five Best Practices to Manage and Control Third-Party Risk - Broadcom Inc.
3: A checklist for third-party risk management platforms - Crowe LLP
4: Supplemental Examination Procedures for Risk Management of Third-Party Relationships
5: Third Party Risk Management: Why It’s Important And What Features To Look For - Expert Insights
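The three requirements the question treats as best practice (recording both outcomes, investigating unsuccessful attempts, and triggering review after a security event) plus a finite retention period can be checked against actual badge-reader logs. The following is an added example written for this page, not from any cited guidance or product; the log format, the sample entries and the thresholds are constructed.

```python
"""Added example, not from the page or any cited guidance: review logic for
badge-reader logs. It records both outcomes, lists denied attempts for
investigation and flags bursts of denials, extracts the entries around a
security event for review, and enforces a finite retention period."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp, door, badge id, result.
SAMPLE_LOG = """\
2024-03-01T08:55:10 DC-A-DOOR1 B1042 GRANTED
2024-03-01T23:12:44 DC-A-DOOR1 B2210 DENIED
2024-03-01T23:13:02 DC-A-DOOR1 B2210 DENIED
2024-03-01T23:13:40 DC-A-DOOR1 B2210 DENIED
2024-03-02T09:01:15 DC-A-DOOR2 B1042 GRANTED
2024-03-02T09:05:00 SRV-ROOM-3 B3300 DENIED
2024-03-03T14:20:30 DC-A-DOOR1 B1042 GRANTED
"""


def parse_log(text):
    """Parse the constructed format; malformed lines go to 'bad' instead of being dropped silently."""
    entries, bad = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("GRANTED", "DENIED"):
            bad.append(line)
            continue
        ts, door, badge, result = parts
        entries.append({"ts": datetime.fromisoformat(ts), "door": door,
                        "badge": badge, "result": result})
    return entries, bad


def denied_attempts(entries):
    """Every unsuccessful attempt: each one is an item for the investigation queue."""
    return [e for e in entries if e["result"] == "DENIED"]


def burst_denials(entries, threshold=3, window=timedelta(minutes=5)):
    """(badge, door, count) where one badge was refused >= threshold times at one door within window."""
    times = defaultdict(list)
    for e in denied_attempts(entries):
        times[(e["badge"], e["door"])].append(e["ts"])
    bursts = []
    for (badge, door), ts in times.items():
        ts.sort()
        peak = max(sum(1 for t in ts[i:] if t - start <= window)
                   for i, start in enumerate(ts))
        if peak >= threshold:
            bursts.append((badge, door, peak))
    return bursts


def review_window(entries, event_time, before=timedelta(hours=12), after=timedelta(hours=12)):
    """Entries around a security event: the set handed to the post-event log review."""
    return [e for e in entries if event_time - before <= e["ts"] <= event_time + after]


def apply_retention(entries, now, retention_days=365):
    """Keep only entries inside the retention period; the rest are due for deletion."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in entries if e["ts"] >= cutoff]


if __name__ == "__main__":
    entries, bad = parse_log(SAMPLE_LOG)
    print(f"{len(entries)} entries, {len(bad)} malformed")
    print("to investigate:", [(e["badge"], e["door"], e["ts"].isoformat()) for e in denied_attempts(entries)])
    print("burst denials:", burst_denials(entries))
    event = datetime(2024, 3, 2, 0, 0, 0)
    print("entries for post-event review:", len(review_window(entries, event)))
    print("kept after retention:", len(apply_retention(entries, datetime(2025, 3, 2))))
```

The retention step is the counterpart of option B: the cutoff is a policy parameter, and anything older than it is scheduled for deletion rather than accumulating as an ever-growing store of personal data.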
Which approach for managing end-user device security is typically used for lost or stolen company-owned devices?
Remotely enable lost mode status on the device
Deletion of data after a pre-defined number of failed login attempts
Enterprise wipe of all company data and contacts
Remote wipe of the device and restore to factory settings
The Answer Is: D
Explanation:
Remote wipe is a security feature that lets an administrator or the user remotely erase all data and settings on a device that has been lost or stolen, preventing unauthorized access to the information on it and reducing the risk of a data breach. A full remote wipe with restore to factory settings is the typical response for company-owned devices, because the organization owns the whole device and nothing on it needs to be preserved. The narrower enterprise (selective) wipe in option C, which removes only company data, accounts and contacts, is the usual choice for BYOD devices where the employee's personal content must be left intact. Lost mode (option A) and automatic wipe after a set number of failed login attempts (option B) are useful controls, but they are precursors or fallbacks rather than the primary response to a confirmed loss. Note that a factory reset removes the data but does not by itself stop the hardware being reused; that depends on platform features such as activation lock, which MDM can enforce separately. Remote wipe is performed through a mobile device management (MDM) solution, a cloud service, or a built-in feature of the device's operating system. References:
1: How to protect your company from data breaches caused by lost or stolen devices
2: BYOD vs Company-Owned Devices: How to Maintain Security
3: Lost or Stolen Business Device? Here’s What to do Next