Summer Special Sale - Limited Time 60% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 575363r9

Welcome To DumpsPedia

CTPRP Sample Questions Answers

Questions 4

Which of the following statements is TRUE regarding the accountabilities in a three lines of defense model?

Options:

A.

The second line of defense is management within the business unit

B.

The first line of defense is the risk or compliance team that provides an oversight or governance function

C.

The third line of defense is an assurance function that has independence from the business unit

D.

The third line of defense must be limited to an external assessment firm

Buy Now
Questions 5

Which statement is TRUE regarding the tools used in TPRM risk analyses?

Options:

A.

Risk treatment plans define the due diligence standards for third party assessments

B.

Risk ratings summarize the findings in vendor remediation plans

C.

Vendor inventories provide an up-to-date record of high risk relationships across an organization

D.

Risk registers are used for logging and tracking third party risks

Buy Now
Questions 6

Which set of procedures is typically NOT addressed within data privacy policies?

Options:

A.

Procedures to limit access and disclosure of personal information to third parties

B.

Procedures for handling data access requests from individuals

C.

Procedures for configuration settings in identity access management

D.

Procedures for incident reporting and notification

Buy Now
Questions 7

When measuring the operational performance of implementing a TPRM program, which example is MOST likely to provide meaningful metrics?

Options:

A.

logging the number of exceptions to existing due diligence standards

B.

Measuring the time spent by resources for task and corrective action plan completion

C.

Calculating the average time to remediate identified corrective actions

D.

Tracking the number of outstanding findings

Buy Now
Questions 8

Once a vendor questionnaire is received from a vendor what is the MOST important next step when evaluating the responses?

Options:

A.

Document your analysis and provide confirmation to the business unit regarding receipt of the questionnaire

B.

Update the vender risk registry and vendor inventory with the results in order to complete the assessment

C.

Calculate the total number of findings to rate the effectiveness of the vendor response

D.

Analyze the responses to identify adverse or high priority responses to prioritize controls that should be tested

Buy Now
Questions 9

If a system requires ALL of the following for accessing its data: (1) a password, (2) a

security token, and (3) a user's fingerprint, the system employs:

Options:

A.

Biometric authentication

B.

Challenge/Response authentication

C.

One-Time Password (OTP) authentication

D.

Multi-factor authentication

Buy Now
Questions 10

Which of the following statements is FALSE about Data Loss Prevention Programs?

Options:

A.

DLP programs include the policy, tool configuration requirements, and processes for the identification, blocking or monitoring of data

B.

DLP programs define the consequences for non-compliance to policies

C.

DLP programs define the required policies based on default tool configuration

D.

DLP programs include acknowledgement the company can apply controls to remove any data

Buy Now
Questions 11

When evaluating compliance artifacts for change management, a robust process should include the following attributes:

Options:

A.

Approval, validation, auditable.

B.

Logging, approvals, validation, back-out and exception procedures

C.

Logging, approval, back-out.

D.

Communications, approval, auditable.

Buy Now
Questions 12

Which policy requirement is typically NOT defined in an Asset Management program?

Options:

A.

The Policy states requirements for the reuse of physical media (e.9., devices, servers, disk drives, etc.)

B.

The Policy requires that employees and contractors return all company data and assets upon termination of their employment, contract or agreement

C.

The Policy defines requirements for the inventory, identification, and disposal of equipment “and/or physical media

D.

The Policy requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times

Buy Now
Questions 13

Which of the following would be a component of an arganization’s Ethics and Code of Conduct Program?

Options:

A.

Participation in the company's annual privacy awareness program

B.

A disciplinary process for non-compliance with key policies, including formal termination or change of status process based on non-compliance

C.

Signing acknowledgement of Acceptable Use policy for use of company assets

D.

A process to conduct periodic access reviews of critical Human Resource files

Buy Now
Questions 14

An IT change management approval process includes all of the following components EXCEPT:

Options:

A.

Application version control standards for software release updates

B.

Documented audit trail for all emergency changes

C.

Defined roles between business and IT functions

D.

Guidelines that restrict approval of changes to only authorized personnel

Buy Now
Questions 15

Which statement is TRUE regarding artifacts reviewed when assessing the Cardholder Data Environment (CDE) in payment card processing?

Options:

A.

The Data Security Standards (DSS) framework should be used to scope the assessment

B.

The Report on Compliance (ROC) provides the assessment results completed by a qualified security assessor that includes an onsite audit

C.

The Self-Assessment Questionnaire (SAQ) provides independent testing of controls

D.

A System and Organization Controls (SOC) report is sufficient if the report addresses the same location

Buy Now
Questions 16

The following statements reflect user obligations defined in end-user device policies

EXCEPT:

Options:

A.

A statement specifying the owner of data on the end-user device

B.

A statement that defines the process to remove all organizational data, settings and accounts alt offboarding

C.

A statement detailing user responsibility in ensuring the security of the end-user device

D.

A statement that specifies the ability to synchronize mobile device data with enterprise systems

Buy Now
Questions 17

Which of the following BEST reflects components of an environmental controls testing program?

Options:

A.

Scheduling testing of building access and intrusion systems

B.

Remote monitoring of HVAC, Smoke, Fire, Water or Power

C.

Auditing the CCTV backup process and card-key access process

D.

Conducting periodic reviews of personnel access controls and building intrusion systems

Buy Now
Questions 18

At which level of reporting are changes in TPRM program metrics rare and exceptional?

Options:

A.

Business unit

B.

Executive management

C.

Risk committee

D.

Board of Directors

Buy Now
Questions 19

Which cloud deployment model is primarily focused on the application layer?

Options:

A.

Infrastructure as a Service

B.

Software as a Service

C.

Function a3 a Service

D.

Platform as a Service

Buy Now
Questions 20

The BEST way to manage Fourth-Nth Party risk is:

Options:

A.

Include a provision in the vender contract requiring the vendor to provide notice and obtain written consent before outsourcing any service

B.

Include a provision in the contract prohibiting the vendor from outsourcing any service which includes access to confidential data or systems

C.

Incorporate notification and approval contract provisions for subcontracting that require evidence of due diligence as defined by a TPRM program

D.

Require the vendor to maintain a cyber-insurance policy for any service that is outsourced which includes access to confidential data or systems

Buy Now
Questions 21

Which statement does NOT reflect current practice in addressing fourth party risk or subcontracting risk?

Options:

A.

Third party contracts and agreements should require prior notice and approval for subcontracting

B.

Outsourcers should rely on requesting and reviewing external audit reports to address subcontracting risk

C.

Outsourcers should inspect the vendor's TPRM program and require evidence of the assessments of subcontractors

D.

Third party contracts should include capturing, maintaining, and tracking authorized subcontractors

Buy Now
Questions 22

Which of the following data safeguarding techniques provides the STRONGEST assurance that data does not identify an individual?

Options:

A.

Data masking

B.

Data encryption

C.

Data anonymization

D.

Data compression

Buy Now
Questions 23

Which of the following actions is an early step when triggering an Information Security

Incident Response Program?

Options:

A.

Implementing processes for emergency change control approvals

B.

Requiring periodic changes to the vendor's contract for breach notification

C.

Assessing the vendor's Business Impact Analysis (BIA) for resuming operations

D.

Initiating an investigation of the unauthorized disclosure of data

Buy Now
Questions 24

Which of the following is NOT a key component of TPRM requirements in the software development life cycle (SDLC)?

Options:

A.

Maintenance of artifacts that provide proof that SOLC gates are executed

B.

Process for data destruction and disposal

C.

Software security testing

D.

Process for fixing security defects

Buy Now
Questions 25

Which action statement BEST describes an assessor calculating residual risk?

Options:

A.

The assessor adjusts the vendor risk rating prior to reporting the findings to the business unit

B.

The assessor adjusts the vendor risk rating based on changes to the risk level after analyzing the findings and mitigating controls

C.

The business unit closes out the finding prior to the assessor submitting the final report

D.

The assessor recommends implementing continuous monitoring for the next 18 months

Buy Now
Questions 26

Which statement is NOT a method of securing web applications?

Options:

A.

Ensure appropriate logging and review of access and events

B.

Conduct periodic penetration tests

C.

Adhere to web content accessibility guidelines

D.

Include validation checks in SDLC for cross site scripting and SOL injections

Buy Now
Questions 27

When evaluating remote access risk, which of the following is LEAST applicable to your analysis?

Options:

A.

Logging of remote access authentication attempts

B.

Limiting access by job role of business justification

C.

Monitoring device activity usage volumes

D.

Requiring application whitelisting

Buy Now
Questions 28

For services with system-to-system access, which change management requirement

MOST effectively reduces the risk of business disruption to the outsourcer?

Options:

A.

Approval of the change by the information security department

B.

Documenting sufficient time for quality assurance testing

C.

Communicating the change to customers prior ta deployment to enable external acceptance testing

D.

Documenting and legging change approvals

Buy Now
Questions 29

You are reviewing assessment results of workstation and endpoint security. Which result should trigger more investigation due to greater risk potential?

Options:

A.

Use of multi-tenant laptops

B.

Disabled printing and USB devices

C.

Use of desktop virtualization

D.

Disabled or blocked access to internet

Buy Now
Questions 30

Which statement BEST reflects the factors that help you determine the frequency of cyclical assessments?

Options:

A.

Vendor assessments should be conducted during onboarding and then be replaced by continuous monitoring

B.

Vendor assessment frequency should be based on the level of risk and criticality of the vendor to your operations as determined by their vendor risk score

C.

Vendor assessments should be scheduled based on the type of services/products provided

D.

Vendor assessment frequency may need to be changed if the vendor has disclosed a data breach

Buy Now
Questions 31

Which factor describes the concept of criticality of a service provider relationship when determining vendor classification?

Options:

A.

Criticality is limited to only the set of vendors involved in providing disaster recovery services

B.

Criticality is determined as all high risk vendors with access to personal information

C.

Criticality is assigned to the subset of vendor relationships that pose the greatest impact due to their unavailability

D.

Criticality is described as the set of vendors with remote access or network connectivity to company systems

Buy Now
Questions 32

Which cloud deployment model is primarily used for load balancing?

Options:

A.

Public Cloud

B.

Community Cloud

C.

Hybrid Cloud

D.

Private Cloud

Buy Now
Questions 33

Which statement is FALSE when describing the differences between security vulnerabilities and security defects?

Options:

A.

A security defect is a security flaw identified in an application due to poor coding practices

B.

Security defects should be treated as exploitable vulnerabilities

C.

Security vulnerabilities and security defects are synonymous

D.

A security defect can become a security vulnerability if undetected after migration into production

Buy Now
Questions 34

Which statement reflects a requirement that is NOT typically found in a formal Information Security Incident Management Program?

Options:

A.

The program includes the definition of internal escalation processes

B.

The program includes protocols for disclosure of information to external parties

C.

The program includes mechanisms for notification to clients

D.

The program includes processes in support of disaster recovery

Buy Now
Questions 35

When defining due diligence requirements for the set of vendors that host web applications which of the following is typically NOT part of evaluating the vendor's patch

management controls?

Options:

A.

The capability of the vendor to apply priority patching of high-risk systems

B.

Established procedures for testing of patches, service packs, and hot fixes prior to installation

C.

A documented process to gain approvals for use of open source applications

D.

The existence of a formal process for evaluation and prioritization of known vulnerabilities

Buy Now
Questions 36

The primary disadvantage of Single Sign-On (SSO) access control is:

Options:

A.

The impact of a compromise of the end-user credential that provides access to multiple systems is greater

B.

A single password is easier to guess and be exploited

C.

Users store multiple passwords in a single repository limiting the ability to change the password

D.

Vendors must develop multiple methods to integrate system access adding cost and complexity

Buy Now
Questions 37

Which statement BEST describes the use of risk based decisioning in prioritizing gaps identified at a critical vendor when defining the corrective action plan?

Options:

A.

The assessor determined that gaps should be analyzed, documented, reviewed for compensating controls, and submitted to the business owner to approve risk treatment plan

B.

The assessor decided that the critical gaps should be discussed in the closing meeting so that the vendor can begin to implement corrective actions immediately

C.

The assessor concluded that all gaps should be logged and treated as high severity findings since the assessment was performed on a critical vendor

D.

The assessor determined that all gaps should be logged and communicated that if the gaps were corrected immediately they would not need to be included in the findings report

Buy Now
Exam Code: CTPRP
Exam Name: Certified Third-Party Risk Professional (CTPRP)
Last Update: May 21, 2024
Questions: 125
$64  $159.99
$48  $119.99
$40  $99.99
buy now CTPRP