Third Party Risk Management CTPRP Syllabus Exam Questions Answers

The most important next step after receiving a vendor questionnaire is to analyze the responses and identify any gaps, issues, or risks that may pose a threat to the organization or its customers. This analysis should be based on the inherent risk profile of the vendor, the criticality of the service or product they provide, and the applicable regulatory and contractual requirements. The analysis should also highlight any adverse or high priority responses that indicate a lack of adequate controls, policies, or procedures on the vendor’s part. These responses should be prioritized for further validation, testing, or remediation. The analysis should also document any assumptions, limitations, or dependencies that may affect the accuracy or completeness of the vendor’s responses. References:

• Shared Assessments CTPRP Study Guide, Section 4.2.2, page 43
• Third-Party Risk Management: Managing Risk, Section “Assessing and monitoring third-party risk”
• What Is Third-Party Risk Management (TPRM)? 2024 Guide, Section “Third-Party Risk Management Process”

An Information Security Incident Management Program is a set of policies, procedures, and tools that enable an organization to prevent, detect, respond to, and recover from information security incidents. An information security incident is any event that compromises the confidentiality, integrity, or availability of information assets, systems, or services12. A formal Information Security Incident Management Program typically includes the following components12:

• The definition of internal escalation processes: This component defines the roles and responsibilities, communication channels, and reporting mechanisms for escalating and managing information security incidents within the organization. It also establishes the criteria and thresholds for determining the severity and impact of incidents, and the appropriate level of response and escalation.
• The protocols for disclosure of information to external parties: This component defines the rules and guidelines for disclosing information about information security incidents to external stakeholders, such as customers, regulators, law enforcement, media, or other third parties. It also specifies the legal and contractual obligations, the timing and frequency, the format and content, and the approval and authorization processes for disclosure.
• The mechanisms for notification to clients: This component defines the methods and procedures for notifying clients or customers who may be affected by information security incidents. It also specifies the objectives, scope, and content of notification, as well as the timing and frequency, the delivery channels, and the feedback and follow-up mechanisms.
• The processes in support of disaster recovery: This component defines the steps and actions for restoring the normal operations of the organization after a major information security incident that causes significant disruption or damage to the information assets, systems, or services. It also specifies the roles and responsibilities, the resources and tools, the backup and recovery plans, and the testing and validation procedures for disaster recovery.

The statement that reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program is D. The program includes processes in support of disaster recovery. While disaster recovery is an important aspect of information security, it is not a specific component of an Information Security Incident Management Program. Rather, it is a separate program that covers the broader scope of business continuity and resilience, and may involve other types of disasters besides information security incidents, such as natural disasters, power outages, or pandemics3 . Therefore, the correct answer is D. The program includes processes in support of disaster recovery. References: 1: Computer Security Incident Handling Guide 2: Develop and Implement a Security Incident Management Program 3: Business Continuity Management vs Disaster Recovery : What is the difference between disaster recovery and security incident response?

Vendor inventory is a list of all the third-party vendors that an organization engages with, along with relevant information about their products, services, contracts, and risks. Vendor inventory is a crucial tool for vendor risk management, as it helps an organization identify, assess, monitor, and mitigate the potential risks associated with its vendors. Vendor inventory also helps an organization prioritize its vendor oversight activities, allocate its resources efficiently, and comply with its regulatory obligations12.

One of the key steps in creating and maintaining a vendor inventory is to assign a risk rating and a vendor classification to each vendor, based on various attributes that reflect the level of risk and criticality they pose to the organization. The risk rating and vendor classification help an organization determine the frequency and depth of its vendor due diligence, review, and audit processes, as well as the appropriate controls and remediation actions to implement3 .

Some of the common attributes used to assign risk rating and vendor classification are :

• Type of data accessed, processed, or retained: This attribute indicates the sensitivity and confidentiality of the data that the vendor handles on behalf of the organization, such as personally identifiable information (PII), protected health information (PHI), financial information, intellectual property, etc. The more sensitive and confidential the data, the higher the risk rating and vendor classification, as the vendor must comply with strict security and privacy standards and regulations, and the organization must protect itself from data breaches, leaks, or losses.
• Type of systems accessed: This attribute indicates the access level and privileges that the vendor has to the organization’s systems, such as networks, servers, databases, applications, etc. The more access and privileges the vendor has, the higher the risk rating and vendor classification, as the vendor must adhere to the organization’s policies and procedures, and the organization must safeguard itself from unauthorized or malicious activities, such as cyberattacks, sabotage, or espionage.
• Type of network connectivity: This attribute indicates the mode and frequency of the data transmission and communication between the vendor and the organization, such as online, offline, real-time, batch, etc. The more network connectivity the vendor has, the higher the risk rating and vendor classification, as the vendor must ensure the availability, integrity, and reliability of the data, and the organization must prevent data interception, modification, or disruption.

The type of contract addendum is NOT an attribute used to assign risk rating and vendor classification, as it is not directly related to the risk or criticality of the vendor. The type of contract addendum is a legal document that modifies or supplements the original contract between the vendor and the organization, such as adding or deleting terms, clauses, or provisions. The type of contract addendum may reflect the changes or updates in the vendor relationship, such as scope, duration, price, service level, etc., but it does not indicate the level of risk or impact that the vendor has on the organization. Therefore, the type of contract addendum is not a relevant factor for vendor risk assessment and management . References:

• 1: Vendor Inventory - Shared Assessments
• 2: Vendor Inventory Management: A Guide to Third-Party Risk Management
• 3: Vendor Risk Rating - Shared Assessments
• : [Vendor Risk Rating: How to Rate Your Vendors | Smartsheet]
• : [Vendor Classification - Shared Assessments]
• : [Vendor Tiering: How to Classify Your Vendors | Smartsheet]
• : Contract Addendum - Shared Assessments
• : What is a Contract Addendum? | Definition and Examples | Imperva

According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, the third party risk assessor’s role is to evaluate the design and operating effectiveness of the third party’s controls based on an industry framework, such as ISO, NIST, COBIT, or COSO1. The assessor’s role is not to provide an opinion on the effectiveness of controls, but rather to report the results of the evaluation in a factual and objective manner2. The assessor’s role is also to conduct discovery with subject matter experts to understand the control environment, to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls, and to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes1. These are all true statements that describe the assessor’s role when conducting a controls evaluation using an industry framework.

References:

• 1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, page 29
• 2: What is a Third-Party Risk Assessment? — RiskOptics