SHRM CTPRP Certified Third-Party Risk Professional (CTPRP) Exam Practice Test

 Questionnaires are one of the most common and effective tools for conducting third party risk assessments. They help organizations gather information about the security and compliance practices of their vendors and service providers, as well as identify any gaps or weaknesses that may pose a risk to the organization. However, not all questionnaires are created equal. Depending on the nature and scope of the third party relationship, different types and levels of questions may be required to adequately assess the risk. Therefore, it is important to configure the assessment questionnaires based on the risk rating and type of service being evaluated12.

The risk rating of a third party is determined by various factors, such as the criticality of the service they provide, the sensitivity of the data they handle, the regulatory requirements they must comply with, and the potential impact of a breach or disruption on the organization. The higher the risk rating, the more detailed and comprehensive the questionnaire should be. For example, a high-risk third party that processes personal or financial data may require a questionnaire that covers multiple domains of security and privacy, such as data protection, encryption, access control, incident response, and audit. A low-risk third party that provides a non-critical service or does not handle sensitive data may require a questionnaire that covers only the basic security controls, such as firewall, antivirus, and password policy12.

The type of service that a third party provides also influences the configuration of the questionnaire. Different services may have different security and compliance standards and best practices that need to be addressed. For example, a third party that provides cloud-based services may require a questionnaire that covers topics such as cloud security architecture, data residency, service level agreements, and disaster recovery. A third party that provides software development services may require a questionnaire that covers topics such as software development life cycle, code review, testing, and vulnerability management12.

By configuring the assessment questionnaires based on the risk rating and type of service being evaluated, organizations can ensure that they ask the right questions to the right third parties, and obtain relevant and meaningful information to support their risk management decisions. Therefore, the statement that assessment questionnaires should be configured based on the risk rating and type of service being evaluated is TRUE12. References: 1: How to Use SIG Questionnaires for Better Third-Party Risk Management 2: Third-party risk assessment questionnaires - KPMG India

In IT asset end-of-life (EOL) processes, the requirement to conduct periodic risk assessments specifically to determine end-of-life is not typically included. EOL processes generally focus on managing the decommissioning and secure disposal of IT assets that have reached the end of their useful life or support period. This includes tracking the status of assets, managing updates and support for third-party systems and applications, and establishing procedures for the secure destruction of assets at sunset. While risk assessments are crucial in overall IT asset management, they are not usually a direct component of determining an asset's EOL status, which is more often based on operational effectiveness, manufacturer support, and technological obsolescence.

References:

• IT asset management and disposal best practices, such as those outlined in the NIST Guidelines for Media Sanitization (NIST SP 800-88), focus on the secure and environmentally responsible disposal of IT assets without specifically mandating periodic risk assessments for EOL determination.
• The "IT Asset Disposal (ITAD) Best Practice Guide" by the International Association of IT Asset Managers (IAITAM) provides insights into effective EOL processes, including tracking, updating, and securely destroying IT assets.

This statement does not reflect current practice in addressing fourth party risk or subcontracting risk because it is not sufficient to rely on external audit reports alone. Outsourcers should also perform their own due diligence and monitoring of the subcontractors, as well as ensure that the third party has a robust TPRM program in place. External audit reports may not cover all the relevant aspects of subcontracting risk, such as data security, compliance, performance, and quality. Moreover, external audit reports may not be timely, accurate, or consistent, and may not reflect the current state of the subcontractor’s operations. Therefore, outsourcers should adopt a more proactive and comprehensive approach to managing subcontracting risk, rather than relying on external audit reports. References:

• Shared Assessments Program, page 13: “Outsourcers should not rely solely on external audit reports to address subcontracting risk. Outsourcers should also inspect the vendor’s TPRM program and require evidence of the assessments of subcontractors.”
• Five Best Practices to Manage and Control Third-Party Risk, page 3: "Restricting privileged accounts

The onboarding process for new hires is a key part of the third-party risk management program, as it ensures that the right people are hired and trained to perform their roles effectively and securely. One of the best practices for onboarding new hires is to conduct applicant screening, which may include background checks, reference checks, verification of credentials, and assessment of skills and competencies. Applicant screening helps to identify and mitigate potential risks such as fraud, theft, corruption, or data breaches that may arise from hiring unqualified, dishonest, or malicious individuals. Therefore, it is important to wait for the results of applicant screening before onboarding new employees and contractors, as this can prevent costly and damaging incidents in the future.

The other statements are false regarding the onboarding process for new hires. It is necessary to have employees, contractors, and third-party users sign confidentiality or non-disclosure agreements, as this protects the company’s sensitive information and intellectual property from unauthorized disclosure or misuse. Non-compete agreements may not be required for all job roles, as they may limit the employee’s ability to work for other companies or in the same industry after leaving the current employer. They may also be subject to legal challenges depending on the jurisdiction and the scope of the agreement. Security and privacy awareness training is essential for all new employees and contractors, regardless of their existing certifications, as it educates them on the company’s policies, procedures, and standards for protecting data and systems from cyber threats. It also helps to foster a culture of security and compliance within the organization. References:

• 5 Steps to Effective Third-Party Onboarding
• Using a third-party onboarding tool to address new challenges in third-party risk
• Onboarding and terminating third parties
• CTPRP Job Guide

The best approach to address the conflict between the vendor’s legal obligations to retain data for tax purposes and the company’s policy to require data return or destruction at contract termination is A. Determine if a policy exception and approval is required, and require that data safeguarding obligations continue after termination. This approach recognizes that the vendor may have valid reasons to retain some data for a certain period of time, and that the company may have flexibility to grant exceptions to its policy under certain circumstances. However, this approach also ensures that the company maintains oversight and control over the data that the vendor retains, and that the vendor continues to comply with the data safeguarding obligations, such as encryption, access control, audit, and breach notification, until the data is returned or destroyed. This approach balances the interests and risks of both parties, and minimizes the potential for data breaches, misuse, or loss.

The other approaches are not the best ways to address the conflict, as they may create more problems or risks for either party. B. Change the risk rating of the vendor to reflect a higher risk tier. This approach does not resolve the conflict, but rather shifts the responsibility to the company to manage the increased risk of the vendor retaining the data. Changing the risk rating may also affect the contract terms, such as pricing, service level agreements, or liability clauses, and may require renegotiation or termination of the contract. C. Insist the vendor adheres to the policy and contract provisions without exception. This approach is too rigid and may not be feasible or reasonable for the vendor, especially if they have legal obligations to retain the data. This approach may also damage the relationship and trust between the parties, and may lead to disputes or litigation. D. Conduct an assessment of the vendor’s data governance and records management program. This approach is too time-consuming and costly, and may not be necessary or relevant for the conflict. Conducting an assessment may provide some assurance about the vendor’s data practices, but it does not address the underlying issue of the conflicting data retention requirements. Moreover, conducting an assessment may not be possible or appropriate during the contract negotiation process, as it may require access to the vendor’s systems, data, or personnel. References:

• : Best Practices for Data Destruction - ed
• : CHALLENGES AND RISKS INVOLVED WITH DATA RETENTION - DataOlogie
• : Third-Party Risk Management: Final Interagency Guidance
• : Ensuring Data Protection for Third Parties: Best Practices | UpGuard Blog

Terms for return or destruction of data should be defined and agreed upon during contract negotiation, as this is the phase where the organization and the third party establish the expectations, obligations, and responsibilities for the relationship, including the handling of data. According to the Shared Assessments CTPRP Study Guide, contract negotiation is the phase where "the organization and the third party negotiate and execute a contract that clearly defines the expectations and responsibilities of both parties, including the scope of work, service level agreements, performance measures, reporting requirements, compliance obligations, security and privacy controls, incident response procedures, dispute resolution mechanisms, termination rights, and other relevant terms and conditions."1 One of the key contractual terms that should be addressed is the return or destruction of data, which specifies how the third party will return or dispose of the organization’s data at the end of the relationship, or upon request, in a secure and timely manner. This term is important for ensuring the organization’s data protection, confidentiality, and compliance, as well as reducing the risk of data breaches, leaks, or misuse by the third party or unauthorized parties.

The other phases of the TPRM lifecycle are not the best choices for defining and agreeing upon terms for return or destruction of data, because:

• B. At third party selection and initial due diligence: This is the phase where the organization identifies, evaluates, and selects the third party that best meets its needs, objectives, and risk appetite. This phase involves conducting due diligence on the third party’s capabilities, qualifications, reputation, performance, security, and compliance, as well as assessing the inherent risk of the relationship. While this phase is important for screening and choosing the right third party, it does not involve defining and agreeing upon the specific terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.
• C. When deploying ongoing monitoring: This is the phase where the organization monitors and reviews the third party’s performance, service delivery, risk management, and compliance on a regular basis, as well as identifies and addresses any issues, gaps, or changes that may arise during the relationship. This phase involves collecting and analyzing data and information from various sources, such as reports, audits, assessments, surveys, feedback, incidents, and metrics, as well as communicating and collaborating with the third party to ensure alignment and improvement. While this phase is important for ensuring the quality and security of the relationship, it does not involve defining and agreeing upon the terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.
• D. At termination and exit: This is the phase where the organization terminates and exits the relationship with the third party, either by mutual agreement, expiration of contract, breach of contract, or other reasons. This phase involves executing the termination and exit plan, which may include notifying the third party, transferring or discontinuing the services, settling the financial obligations, returning or destroying the data, revoking the access rights, and conducting a post-termination review. While this phase is important for ensuring a smooth and secure transition and closure of the relationship, it does not involve defining and agreeing upon the terms and conditions of the relationship, such as the return or destruction of data, which are usually done in the contract negotiation phase.

References:

• 1: Shared Assessments CTPRP Study Guide, page 59, section 5.1: TPRM Lifecycle
• : Third-Party Risk Management: Vendor Contract Terms and Conditions, section: Data Ownership, Return and Destruction
• : [Third-Party Risk Management: The 3rd Party Ecosystem: How to Manage the Risk While Keeping the Benefit], section: Contract Negotiation
• : [Third-Party Risk Management: The 3rd Party Ecosystem: How to Manage the Risk While Keeping the Benefit], section: Termination and Exit

Workstation and endpoint security refers to the protection of devices that connect to a network from malicious actors and exploits1. These devices include laptops, desktops, tablets, smartphones, and IoT devices. Workstation and endpoint security can involve various measures, such as antivirus software, firewalls, encryption, authentication, patch management, and device management1.

Among the four options, the use of multi-tenant laptops poses the greatest risk potential for workstation and endpoint security. Multi-tenant laptops are laptops that are shared by multiple users or organizations, such as in a cloud-based environment2. This means that the laptop’s resources, such as memory, CPU, storage, and network, are divided among different tenants, who may have different security policies, requirements, and access levels2. This can create several challenges and risks, such as:

• Data leakage or theft: If the laptop is not properly isolated or encrypted, one tenant may be able to access or compromise another tenant’s data or applications2. This can result in data breaches, identity theft, or compliance violations.
• Malware infection or propagation: If one tenant’s laptop is infected by malware, such as ransomware, spyware, or viruses, it may spread to other tenants’ laptops through the shared network or storage2. This can disrupt the laptop’s performance, functionality, or availability, and cause damage or loss of data or applications.
• Resource contention or exhaustion: If one tenant’s laptop consumes more resources than allocated, it may affect the performance or availability of other tenants’ laptops2. This can result in slow response, poor user experience, or service degradation or interruption.
• Configuration or compatibility issues: If one tenant’s laptop has different or conflicting settings, preferences, or applications than another tenant’s laptop, it may cause errors, crashes, or compatibility problems2. This can affect the laptop’s functionality, reliability, or usability.

Therefore, the use of multi-tenant laptops should trigger more investigation due to greater risk potential, and require more stringent and consistent security controls, such as:

• Segmentation or isolation: The laptop should be logically or physically separated into different segments or zones for each tenant, and restrict the communication or interaction between them2. This can prevent unauthorized access or interference between tenants, and limit the impact of a security incident to a specific segment or zone.
• Encryption or obfuscation: The laptop should encrypt or obfuscate the data and applications of each tenant, and use strong encryption keys or algorithms2. This can protect the confidentiality and integrity of the data and applications, and prevent data leakage or theft.
• Antivirus or anti-malware: The laptop should install and update antivirus or anti-malware software, and scan the laptop regularly for any malicious or suspicious activities2. This can detect and remove any malware infection or propagation, and prevent damage or loss of data or applications.
• Resource allocation or management: The laptop should allocate or manage the resources of each tenant, and monitor the resource consumption and utilization2. This can ensure the performance or availability of the laptop, and prevent resource contention or exhaustion.
• Configuration or standardization: The laptop should configure or standardize the settings, preferences, or applications of each tenant, and ensure the compatibility or interoperability between them2. This can avoid errors, crashes, or compatibility issues, and improve the functionality, reliability, or usability of the laptop.

References: 1: What is Desktop Virtualization? | IBM1 2: Multitenant organization scenario and Microsoft Entra capabilities2

Background check requirements are applicable for vendors or service providers based outside the United States, as well as those based within the country. According to the Shared Assessments Program, background checks are a key component of third-party risk management and should be conducted for all third parties that have access to sensitive data, systems, or facilities, regardless of their location1. The FCRA also applies to background checks performed by U.S. employers on foreign nationals who work outside the U.S. for a U.S. employer or its affiliates2. Therefore, statement A is false and the correct answer is A. References:

• Shared Assessments Program: Third Party Risk Management Fundamentals
• Background Checks for Contractors or Vendors

The Cardholder Data Environment (CDE) is the part of the network that stores, processes, or transmits cardholder data or sensitive authentication data, as well as any connected or security-impacting systems123. The CDE is subject to the Payment Card Industry Data Security Standard (PCI DSS), which is a set of requirements and guidelines for ensuring the security and compliance of payment card transactions123. The PCI DSS defines various artifacts that are reviewed when assessing the CDE, such as:

• The Data Security Standards (DSS) framework: This is the document that specifies the 12 high-level requirements and the corresponding sub-requirements and testing procedures for PCI DSS compliance123. The DSS framework should be used to scope the assessment, meaning to identify and document the systems and components that are in scope for PCI DSS, as well as the applicable requirements and controls for each system and component123. Therefore, option A is a true statement regarding artifacts reviewed when assessing the CDE.
• The Report on Compliance (ROC): This is the report that provides the assessment results completed by a qualified security assessor (QSA) that includes an onsite audit of the CDE123. The ROC is a detailed and comprehensive document that validates the organization’s compliance status and identifies any gaps or deficiencies that need to be remediated123. The ROC is required for merchants and service providers that process more than 6 million transactions annually, or that have suffered a breach or been compromised in the past year123. Therefore, option B is a true statement regarding artifacts reviewed when assessing the CDE.
• The Self-Assessment Questionnaire (SAQ): This is a questionnaire that provides a validation tool for merchants and service providers that are not required to submit a ROC123. The SAQ is a self-assessment tool that allows the organization to evaluate its own compliance status and identify any gaps or deficiencies that need to be remediated123. The SAQ does not provide independent testing of controls, as it is based on the organization’s self-reported answers and evidence123. Therefore, option C is a false statement regarding artifacts reviewed when assessing the CDE.
• A System and Organization Controls (SOC) report: This is a report that provides an independent audit of the internal controls and processes of a service organization, such as a cloud provider, a data center, or a payment processor45. The SOC report is not specific to PCI DSS, but rather to other standards and frameworks, such as SOC 1 (based on SSAE 18), SOC 2 (based on Trust Services Criteria), or SOC 3 (based on SOC 2)45. A SOC report is not sufficient to demonstrate PCI DSS compliance, as it may not cover all the requirements and controls of the PCI DSS, or it may not address the same location or scope as the CDE123. Therefore, option D is a false statement regarding artifacts reviewed when assessing the CDE.

References: The following resources support the verified answer and explanation:

• 1: PCI DSS Quick Reference Guide
• 2: PCI DSS FAQs
• 3: PCI DSS Glossary
• 4: What is a SOC report?
• 5: SOC Reports: What They Are, and Why They Matter

Notification obligations in incident response are the legal or contractual duties to inform relevant parties about a security breach or incident that affects their data or systems. These obligations may vary depending on the type, scope, and impact of the incident, as well as the jurisdiction, industry, and contractual agreements involved. The factors that are most likely to trigger notification obligations are:

• Regulatory requirements: Different laws and regulations may impose different notification obligations on organizations that experience or cause a security incident. For example, the General Data Protection Regulation (GDPR) requires data controllers to notify the supervisory authority within 72 hours of becoming aware of a personal data breach, and to notify the affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms1. Similarly, the Computer-Security Incident Notification Rule requires banks and their service providers to notify their primary federal regulator as soon as possible, but no later than 36 hours, after a computer-security incident that materially disrupts, degrades, or impairs their operations, services, or customers2.
• Data classification or sensitivity: The type and sensitivity of the data involved in a security incident may also affect the notification obligations. For example, if the data contains personally identifiable information (PII), health information, financial information, or other confidential or sensitive information, the organization may have to notify the data owners, regulators, law enforcement, or other stakeholders about the incident and the potential risks to their privacy or security3. The data classification or sensitivity may also determine the content and timing of the notification, as well as the appropriate communication channels to use.
• Contractual terms: The contractual agreements between an organization and its third-party vendors or service providers may also specify the notification obligations in case of a security incident. For example, the contract may define the roles and responsibilities of each party, the notification procedures and timelines, the information to be shared, the remediation actions to be taken, and the penalties or liabilities for breach of contract. The contractual terms may also reflect the regulatory requirements or industry standards that apply to the organization or the third party.

The factor that is least likely to trigger notification obligations is:

• Encryption of data: Encryption of data is a security measure that protects the data from unauthorized access, modification, or disclosure. Encryption of data may reduce the impact or severity of a security incident, as it may prevent or limit the exposure of the data to malicious actors. However, encryption of data does not eliminate the notification obligations, as the organization still has to assess the nature and extent of the incident, and determine whether the encryption was effective or compromised. Moreover, encryption of data may not be sufficient to protect the data from other types of threats, such as deletion, corruption, or ransomware. Therefore, encryption of data is not a factor that influences the notification obligations in incident response.

References:

• 1: GDPR Article 33: Notification of a personal data breach to the supervisory authority
• 2: Computer-Security Incident Notification Rule
• 3: Third-Party Incident Management (TPIM): How to Balance IRPs with Third Parties
• : [Improving Third-Party Incident Response]
• : [Third-Party Incident Response Playbook]
• : [Does Encryption Protect You From a Data Breach?]

Third-party risk management (TPRM) is the process of identifying, assessing, and mitigating the risks associated with outsourcing business activities or functions to external entities. TPRM is influenced by various regulations that aim to protect the interests of customers, stakeholders, and regulators from the potential harm caused by third-party failures or misconduct. These regulations may vary depending on the industry, jurisdiction, and nature of the third-party relationship. Therefore, it is important for organizations to update their inventory of regulations that impact their TPRM program during their annual risk assessment, and prioritize the regulations that are most relevant and critical for their business objectives and risk appetite.

The optimal approach to prioritizing the regulations is to identify the applicable regulations that require an extension of specific obligations to service providers. This means that the organization should focus on the regulations that impose certain requirements or expectations on the organization and its third-party partners, such as data protection, security, compliance, reporting, auditing, or performance standards. These regulations may also specify the roles and responsibilities of the organization and the service provider, the scope and frequency of due diligence and monitoring activities, the contractual clauses and terms, and the remediation and termination procedures. By identifying these regulations, the organization can ensure that its TPRM program is aligned with the regulatory expectations and obligations, and that it can effectively manage and mitigate the risks associated with its third-party relationships.

Some examples of regulations that require an extension of specific obligations to service providers are:

• The General Data Protection Regulation (GDPR): This is a European Union regulation that governs the collection, processing, and transfer of personal data of individuals in the EU. The GDPR requires organizations to implement appropriate technical and organizational measures to protect the personal data, and to only engage with service providers that can provide sufficient guarantees of data protection. The GDPR also requires organizations to enter into written contracts with their service providers that specify the subject matter, duration, nature, and purpose of the data processing, as well as the rights and obligations of both parties. The GDPR also imposes strict notification and reporting requirements in case of data breaches or violations.
• The Health Insurance Portability and Accountability Act (HIPAA): This is a US federal law that regulates the privacy and security of health information of individuals. The HIPAA requires covered entities, such as health care providers, health plans, and health care clearinghouses, to safeguard the health information of their patients, and to only disclose or share it with authorized parties. The HIPAA also requires covered entities to enter into business associate agreements with their service providers that handle or access the health information on their behalf. These agreements must specify the permitted and required uses and disclosures of the health information, the safeguards and measures to protect the health information, and the reporting and notification obligations in case of breaches or incidents.
• The Sarbanes-Oxley Act (SOX): This is a US federal law that aims to improve the accuracy and reliability of corporate financial reporting and disclosure. The SOX requires public companies to establish and maintain internal controls over their financial reporting processes, and to assess and report on the effectiveness of these controls. The SOX also requires public companies to ensure that their external auditors are independent and qualified, and to disclose any material weaknesses or deficiencies in their internal controls. The SOX also applies to the service providers that perform or support the financial reporting functions of the public companies, such as accounting firms, information technology vendors, or consultants. The SOX requires public companies to evaluate and monitor the internal controls of their service providers, and to include them in their scope of audit and reporting.

References:

• Third-Party Risk Management and Mitigation | Gartner
• Best Practices to Jumpstart Third-Party Risk Management Program
• Third-party risk management best practices and why they matter
• GDPR and Third-Party Risk Management
• HIPAA Compliance for Business Associates and Third-Party Service Providers
• SOX Compliance Requirements for Third-Party Service Providers

In the ‘Defense in Depth’ security model, the innermost layer typically focuses on protecting the most sensitive and critical assets, which are often categorized as 'Private internal'. This layer includes security controls and measures that are designed to safeguard the core, confidential aspects of an organization's infrastructure and data. It encompasses controls such as access controls, encryption, and monitoring of sensitive systems and data to prevent unauthorized access and ensure data integrity and confidentiality. The 'Private internal' layer is crucial for maintaining the security of critical information and systems that are essential to the organization's operations and could have the most significant impact if compromised. Implementing robust security measures at this layer is vital for mitigating risks associated with physical access to critical infrastructure and sensitive information.

References:

• Security frameworks and standards, including NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and the SANS Institute's guidelines on implementing 'Defense in Depth', provide detailed recommendations on securing the innermost layers of an organization's information systems.
• Publications such as "Physical Security Principles" by ASIS International offer insights into best practices for securing the private internal layer, including access control systems, surveillance, and intrusion detection mechanisms.

Physical access procedures and activity logs are important components of third-party risk management, as they help to ensure the security and integrity of the physical assets and data of the organization and its third parties. However, requiring physical access logs to be retained indefinitely for audit purposes is not a best practice, as it may pose legal, regulatory, and operational challenges. According to the Supplemental Examination Procedures for Risk Management of Third-Party Relationships, physical access logs should be retained for a reasonable period of time, consistent with the organization’s policies and procedures, and in compliance with applicable laws and regulations1. Retaining physical access logs indefinitely may increase the risk of unauthorized access, data breaches, privacy violations, and litigation2. Therefore, the statement B is the correct answer, as it is the only one that does not reflect a best practice for physical access procedures and activity logs.

References:

• 1: How to Write Third-Party Risk Management (TPRM) Policies and Procedures - SecurityScorecard Blog
• 2: Five Best Practices to Manage and Control Third-Party Risk - Broadcom Inc.
• 3: A checklist for third-party risk management platforms - Crowe LLP
• 4: Supplemental Examination Procedures for Risk Management of Third-Party Relationships
• 5: Third Party Risk Management: Why It’s Important And What Features To Look For - Expert Insights

In patch management, testing is the most crucial factor when conducting post-cybersecurity incident analysis related to systems and applications. Proper testing of patches before deployment ensures that they effectively address vulnerabilities without introducing new issues or incompatibilities that could impact system functionality or security. Testing allows organizations to verify that the patch resolves the identified security issue without adversely affecting the system or application's performance. It also helps in identifying potential conflicts with existing configurations or dependencies. Effective testing strategies include regression testing, performance testing, and security testing to ensure comprehensive validation of the patch's effectiveness and safety before widespread deployment. This approach aligns with best practices in patch management, emphasizing the importance of thorough testing to mitigate the risk of unintended consequences and ensure the continued security and stability of systems and applications.

References:

• Industry standards such as ISO/IEC 27001 (Information Security Management) highlight the importance of a systematic approach to managing patches, including the role of testing in assessing the effectiveness and impact of patches.
• Resources like "Patch Management Best Practices" from the Center for Internet Security (CIS) provide guidance on developing and implementing a patch management program that includes rigorous testing procedures to ensure patches are safely and effectively applied.

 An Asset Management program is a set of policies, procedures, and practices that aim to optimize the value, performance, and lifecycle of the organization’s assets, such as physical, financial, human, or information assets123. An Asset Management program typically defines policy requirements for the following aspects of asset management:

• The Policy states requirements for the reuse of physical media (e.g., devices, servers, disk drives, etc.): This requirement ensures that the organization follows proper procedures for sanitizing, wiping, or destroying physical media that contain sensitive or confidential data before reusing, recycling, or disposing of them123. This requirement helps prevent data leakage, theft, or loss, and protects the organization’s reputation and compliance123.
• The Policy requires that employees and contractors return all company data and assets upon termination of their employment, contract or agreement: This requirement ensures that the organization recovers all the data and assets that were assigned, loaned, or accessed by the employees and contractors during their employment, contract, or agreement123. This requirement helps maintain the security, integrity, and availability of the organization’s data and assets, and prevents unauthorized or inappropriate use or disclosure of them123.
• The Policy defines requirements for the inventory, identification, and disposal of equipment and/or physical media: This requirement ensures that the organization maintains an accurate and up-to-date record of all the equipment and physical media that it owns, leases, or uses, and assigns unique identifiers to them123. This requirement also ensures that the organization follows proper procedures for disposing of equipment and physical media that are no longer needed, useful, or functional123. This requirement helps improve the efficiency, effectiveness, and accountability of the organization’s asset management processes, and reduces the risks of waste, fraud, or misuse of the organization’s resources123.

However, option D, a policy requirement that requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times, is typically not defined in an Asset Management program. Rather, this requirement is more likely to be defined in a Physical Security program, which is a set of policies, procedures, and practices that aim to protect the organization’s premises, assets, and personnel from unauthorized access, damage, or harm . A Physical Security program typically defines policy requirements for the following aspects of physical security:

• The Policy requires visitors (including other tenants and maintenance personnel) to sign-in and sign-out of the facility, and to be escorted at all times: This requirement ensures that the organization controls and monitors the access of visitors to the facility, and verifies their identity, purpose, and authorization . This requirement also ensures that the organization prevents visitors from accessing restricted or sensitive areas, equipment, or information, and escorts them throughout their visit . This requirement helps enhance the security, safety, and compliance of the organization’s facility, assets, and personnel, and prevents potential threats, incidents, or breaches .
• The Policy defines requirements for the locking, alarming, and surveillance of the facility and its entrances and exits: This requirement ensures that the organization secures the perimeter and the interior of the facility, and detects and responds to any unauthorized or suspicious activity or intrusion . This requirement also ensures that the organization uses appropriate and effective physical security measures, such as locks, alarms, cameras, guards, or barriers, to deter, prevent, or delay unauthorized access . This requirement helps protect the organization’s facility, assets, and personnel from theft, vandalism, sabotage, or attack .
• The Policy specifies requirements for the emergency preparedness and response of the facility and its occupants: This requirement ensures that the organization plans and implements procedures for dealing with emergencies, such as fire, flood, earthquake, power outage, or active shooter, that may affect the facility and its occupants . This requirement also ensures that the organization provides adequate and accessible equipment, resources, and training for the emergency preparedness and response, such as fire extinguishers, first aid kits, evacuation routes, emergency contacts, or drills . This requirement helps ensure the safety, health, and continuity of the organization’s facility, assets, and personnel, and minimizes the impact and damage of emergencies .

Therefore, option D is the correct answer, as it is the only one that does not reflect a policy requirement that is typically defined in an Asset Management program. References: The following resources support the verified answer and explanation:

• 1: Asset Management Policy Guide + Free Template | Fiix
• 2: Asset Management Policy: How to Build One From Scratch - Limble CMMS
• 3: How to develop an asset management policy, strategy and governance framework: Set up a consistent approach to asset management in your municipality
• : Physical Security Policy - SANS
• : Physical Security Policy - IT Governance

Application security testing (AST) is a process of finding and eliminating vulnerabilities in software applications. There are different types of AST tools that can help with this process, such as static, dynamic, and interactive testing. Static testing analyzes the source code of the application without executing it, dynamic testing simulates attacks on the running application from the outside, and interactive testing combines both static and dynamic analysis to find more vulnerabilities and provide more context. Cookie consent scanning is not a type of AST, but rather a tool that checks if a website complies with the cookie consent regulations, such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Cookie consent scanning does not test the security of the application, but rather the privacy and compliance of the website. References:

• 1: 10 Types of Application Security Testing Tools: When and How to Use Them
• 2: 5 Types of Application Security Testing You Must Know About
• 3: Types of Application Security Testing: Definitions and Differences
• 4: What is Application Security? | VMware Glossary

Inherent risk refers to the level of risk that exists in the absence of any controls or mitigation measures. It represents the natural exposure to risk in operations, transactions, or activities without considering the effectiveness of any risk management practices. In the context of Third-Party Risk Management (TPRM), inherent risk assesses the potential for loss or adverse outcomes associated with a third-party relationship before any controls or risk treatments are applied. Understanding inherent risk is crucial for organizations to identify where controls are necessary and to prioritize risk management efforts based on the potential impact and likelihood of different risks. This concept is foundational in risk management frameworks and is used to guide the development and implementation of controls to reduce risk to an acceptable level, aligned with the organization's risk appetite and tolerance.

References:

• Risk management standards such as ISO 31000 (Risk Management - Guidelines) provide a framework for assessing and managing inherent risks, emphasizing the importance of understanding the baseline level of risk in decision-making processes.
• The "Third-Party Risk Management Guide" by ISACA outlines best practices for assessing inherent risks in third-party relationships, highlighting the need to evaluate the nature and scope of third-party engagements to determine the baseline risk exposure.

Restrictive areas are those that contain sensitive or critical assets, systems, or information that require additional protection from unauthorized access or tampering. Access control is the process of granting or denying access to these areas based on predefined policies, rules, and criteria. An additional authentication factor is a method of verifying the identity or authorization of a user or device that is used in conjunction with another factor, such as a password, a token, or a biometric feature. Additional authentication factors enhance the security and reliability of access control by reducing the risk of impersonation, compromise, or theft of credentials.

The example that best represents the set of restrictive areas that require an additional authentication factor for access control is A. Datacenters; telecom rooms; server rooms; exterior building entrance. These areas contain vital infrastructure, equipment, and data that are essential for the organization’s operations, performance, and security. Unauthorized access to these areas could result in significant damage, disruption, or loss of data, services, or resources. Therefore, these areas should be protected by multiple layers of access control, including physical and logical barriers, as well as additional authentication factors, such as smart cards, biometrics, or one-time passwords.

The other examples are less likely to represent the set of restrictive areas that require an additional authentication factor for access control, because they either contain less sensitive or critical assets, systems, or information, or they are more accessible or visible to the public or other authorized users. For example:

• B. Datacenters; telecom rooms; security operations centers; loading docks: While datacenters, telecom rooms, and security operations centers are restrictive areas that require an additional authentication factor for access control, loading docks are not. Loading docks are typically open to external vendors, suppliers, or delivery personnel, and may not contain any sensitive or critical assets, systems, or information. Therefore, loading docks may not require an additional authentication factor for access control, but rather a basic verification of identity or authorization, such as a badge, a signature, or a receipt.
• C. Telecom rooms; parking garage; security operations centers; exterior building entrance: While telecom rooms, security operations centers, and exterior building entrance are restrictive areas that require an additional authentication factor for access control, parking garage is not. Parking garage is usually accessible to employees, visitors, or customers, and may not contain any sensitive or critical assets, systems, or information. Therefore, parking garage may not require an additional authentication factor for access control, but rather a simple validation of access rights, such as a ticket, a code, or a gate.
• D. Exterior building entrance; datacenters; telecom rooms; printer rooms: While exterior building entrance, datacenters, and telecom rooms are restrictive areas that require an additional authentication factor for access control, printer rooms are not. Printer rooms are generally available to all employees or authorized users, and may not contain any sensitive or critical assets, systems, or information. Therefore, printer rooms may not require an additional authentication factor for access control, but rather a standard authentication factor, such as a password, a PIN, or a fingerprint.

References:

• Shared Assessments CTPRP Study Guide, page 46, section 4.3.1: Access Control
• Access Controls Over Third-Party Applications, section: Vendor Access
• Controlling Third-Party Access Risk, section: Best Practices for Controlling Third-Party Vendor Risks, bullet point: Implementing supporting processes and controls that define and enforce access policies for third-party privileged users.

The purpose of internal communications and information sharing using TPRM performance metrics is to inform and align the organization’s stakeholders on the status, progress, and outcomes of the TPRM program. This includes communicating the results of vendor assessments, the compliance level of the organization’s policies and procedures, and the periodic reporting to management and other relevant parties. However, documenting the corrective action plan between external parties is not an internal communication, but rather an external one. This is because the corrective action plan is a formal agreement between the organization and the vendor to address and resolve the issues identified in the assessment. Therefore, this statement is not an example of the purpose of internal communications and information sharing using TPRM performance metrics. References:

• 15 KPIs & Metrics to Measure the Success of Your TPRM Program
• Third-party risk management metrics: Best practices to enhance your program
• 3 Best Third-Party Risk Management Software Solutions (2024)

TPRM vendor classification is the process of categorizing vendors based on their criticality, risk level, and service type. Vendor classification helps to prioritize and allocate resources for vendor assessment, monitoring, and remediation. Vendor classification should be updated periodically to reflect changes in the business environment, vendor performance, and regulatory requirements.

When updating TPRM vendor classification requirements with a focus on availability, the risk rating factors that provide the greatest impact to the analysis are the impact on operations and end users, the impact on revenue, and the impact on regulatory compliance. This is because:

• Availability is the degree to which a system or service is accessible and functional when required by authorized users. Availability is a key component of information security and business continuity, as it ensures that the business can operate normally and deliver value to its customers and stakeholders.
• Impact on operations and end users measures the extent to which a vendor’s service disruption or failure affects the business processes, functions, and activities that depend on the vendor’s service. A high impact on operations and end users means that the vendor’s service is essential for the business to perform its core functions and meet its objectives, and that any downtime or degradation of the service would cause significant operational delays, inefficiencies, or losses.
• Impact on revenue measures the extent to which a vendor’s service disruption or failure affects the business’s income, profitability, and market share. A high impact on revenue means that the vendor’s service is directly or indirectly linked to the business’s revenue generation, and that any downtime or degradation of the service would cause substantial financial losses, reduced customer satisfaction, or competitive disadvantage.
• Impact on regulatory compliance measures the extent to which a vendor’s service disruption or failure affects the business’s adherence to the laws, regulations, standards, and contractual obligations that govern its industry, sector, or jurisdiction. A high impact on regulatory compliance means that the vendor’s service is subject to strict regulatory requirements, and that any downtime or degradation of the service would cause serious legal penalties, fines, sanctions, or reputational damage.

Therefore, these three factors are the most important to consider when updating TPRM vendor classification requirements with a focus on availability, as they reflect the potential consequences and risks of vendor unavailability for the business.

References:

• CTPRP Job Guide
• Criticality and Risk Rating Vendors 101
• The Third-Party Vendor Risk Management Lifecycle
• What Is Third-Party Risk Management (TPRM)? 2024 Guide
• Third-Party Risk Management and ISO Requirements for 2022

Change management is the process of controlling and documenting any changes to the scope, objectives, requirements, deliverables, or resources of a project or a program. Change management ensures that the impact of any change is assessed and communicated to all stakeholders, and that the changes are implemented in a controlled and coordinated manner. Compliance artifacts are the documents, records, or reports that demonstrate the adherence to the change management process and the regulatory or industry standards.

A robust change management process should include the following attributes:

• Logging: This means that any change request or proposal is recorded in a change log or a change register, along with the details of the change initiator, the change description, the change category, the change priority, the change status, and the change history. Logging helps to track and monitor the progress and outcome of each change, and to provide an audit trail for compliance purposes.
• Approvals: This means that any change request or proposal is reviewed and approved by the appropriate authority or stakeholder, such as the project manager, the sponsor, the customer, the steering committee, or the regulatory body. Approvals help to ensure that the change is justified, feasible, aligned with the project or program objectives, and acceptable to the affected parties.
• Validation: This means that any change request or proposal is verified and tested to ensure that it meets the quality standards, the functional and non-functional requirements, and the expected benefits and outcomes. Validation helps to ensure that the change is implemented correctly, effectively, and efficiently, and that it does not introduce any errors, defects, or risks.
• Back-out and exception procedures: This means that any change request or proposal has a contingency plan or a rollback plan in case the change fails, causes problems, or is rejected. Back-out and exception procedures help to minimize the negative impact of the change, and to restore the original state or the baseline of the project or program. They also help to handle any deviations or issues that may arise during the change implementation or the change review.

References:

• CTPRP Job Guide
• An Agile Approach to Change Management
• CM Overview
• Management Artifacts and its Types
• Achieving Regulatory and Industry Standards Compliance with the Scaled Agile Framework
• 8 Steps for an Effective Change Management Process

One of the key elements of a robust information security policy is the definition and implementation of requirements for third party governance and oversight. This means that the vendor should have clear and consistent processes and procedures for managing and monitoring the information security risks and controls of their subcontractors, suppliers, or service providers. Third party governance and oversight should include the following aspects12:

• Establishing criteria and standards for selecting and evaluating third parties based on their information security capabilities and performance
• Conducting regular and comprehensive assessments and audits of third parties’ information security policies, practices, and incidents
• Ensuring contractual agreements and service level agreements (SLAs) with third parties include information security clauses and obligations
• Maintaining visibility and communication with third parties regarding their information security status and issues
• Implementing corrective actions and remediation plans for any identified information security gaps or weaknesses
• Terminating or suspending the relationship with third parties that fail to meet the information security expectations or requirements If a vendor’s response does not specify any requirements for third party governance and oversight, it should trigger further investigation of their information security policies. This indicates that the vendor may not have a comprehensive and effective approach to managing the information security risks and impacts of their extended network of partners. This could expose the vendor and their clients to potential data breaches, cyberattacks, compliance violations, or reputational damages. Therefore, the vendor should be asked to provide more details and evidence of how they ensure the information security of their third parties, and how they address any information security incidents or issues involving their third parties. References:
• 1: Third-Party Information Security Risk Management Policy - SecurityStudio
• 2: Ensuring Data Protection for Third Parties: Best Practices | UpGuard Blog

Contract addendums are supplementary documents that modify or amend the original contract terms. They can be used to address third party risk obligations, such as security, privacy, compliance, or performance standards, without having to rewrite the entire MSA. However, contract addendums should be consistent with the MSA and clearly specify the scope, duration, and responsibilities of each party. Contract addendums can also be used to update or revise the contract terms in response to changing business needs or regulatory requirements12.

The other statements are true regarding the different types of contracts and agreements between outsourcers and service providers. Evergreen contracts are contracts that do not have a fixed end date and are automatically renewed unless one party decides to terminate them under the existing contract provisions3. RFPs are documents that solicit proposals from potential service providers for a specific project or service. RFPs should include mandatory requirements based on an organization’s TPRM program policies, standards and procedures, such as risk assessment, due diligence, monitoring, reporting, and remediation . SOWs are documents that define the operational requirements and obligations for each party, such as the scope, deliverables, timelines, costs, quality, and performance metrics . References:

• 1: Contracts and third-party risk - KPMG UK
• 2: Third-Party Risk & Contract Management: A Comprehensive Beginner’s Guide - Trackado
• 3: What Is an Evergreen Contract? | Legal Beagle
• : [Best Practices Guidance for Third Party Risk - GARP]
• : Third-Party Risk Management: A Comprehensive Guide - UpGuard
• : Statement of Work (SOW) - Definition, Contents & Examples
• : How to Write a Statement of Work for Any Industry | Smartsheet

Business Continuity or Disaster Recovery (BC/DR) plans are designed to ensure the continuity of critical business functions and processes in the event of a disruption or disaster. BC/DR plans should include annual testing activities to validate the effectiveness and readiness of the plans, as well as to identify and address any gaps or weaknesses. Testing activities should cover the three main areas of BC/DR: people, processes, and technology12.

The four options given in the question represent different types of testing activities that may be included in the BC/DR plans. However, option D is the least likely to be included, as it is not a mandatory or common practice for most organizations. While it is beneficial to involve third party service providers in the BC/DR testing, as they may play a vital role in the recovery process, it is not a requirement or a standard for most industries. Third party service providers may have their own BC/DR plans and testing schedules, which may not align with the organization’s plans and objectives. Moreover, requiring their participation in industry exercises may pose challenges in terms of coordination, confidentiality, and cost34.

Therefore, option D is the correct answer, as it is the least likely to be included in the annual testing activities for BC/DR plans. The other options are more likely to be included, as they are essential for ensuring the availability and functionality of the technology, processes, and personnel that support the critical business operations. These options are:

• A. Plans to enable technology and business operations to be resumed at a back-up site. This is a common testing activity that involves simulating a disaster scenario that affects the primary site and activating the back-up site to resume the operations. This tests the technical infrastructure, data backup and recovery, and operational procedures of the BC/DR plan12.
• B. Process to validate that specific databases can be accessed by applications at the designated location. This is a common testing activity that involves verifying that the data and applications that are critical for the business functions are accessible and functional at the recovery location. This tests the data integrity, security, and compatibility of the BC/DR plan12.
• C. Ability for business personnel to perform their functions at an alternate work space location. This is a common testing activity that involves relocating the key staff to an alternate location and having them perform their normal duties. This tests the communication, coordination, and productivity of the BC/DR plan12.

References:

• 1: How to Test a Business Continuity Disaster Recovery (BCDR) Plan
• 2: Business Continuity or Disaster Recovery Testing and Training Guidelines
• 3: Third Party Risk Management and Business Continuity Planning
• 4: Third Party Risk Management: Business Continuity and Disaster Recovery

External continuous monitoring solutions are tools or services that provide objective and timely data on the cybersecurity posture and performance of third-party vendors. They typically include components such as:

• Status updates on localized events based on geolocation, which can alert the organization to potential disruptions or incidents affecting the vendor’s operations or infrastructure in a specific region or country12.
• Alerts on legal and regulatory actions involving the vendor, which can indicate the vendor’s compliance status, reputation, or liability exposure13.
• Reports that identify changes in vendor financial viability, which can signal the vendor’s ability to sustain its business operations, invest in security, or honor its contractual obligations14.

However, metrics that track SLAs for performance management are not typically included in external continuous monitoring solutions, as they are more relevant for internal monitoring and reporting. SLAs are service level agreements that define the expected quality, availability, and reliability of the vendor’s services or products, as well as the penalties or remedies for non-compliance. SLAs are usually measured and reported by the vendor itself, or by a third-party auditor or assessor, based on the specific criteria and frequency agreed upon by the parties . Therefore, option C is the correct answer. References:

• Third Party Risk Management Framework, Module 5: Program Implementation, Section 5.2: Ongoing Monitoring, p. 32
• Bitsight Continuous Monitoring, Section: Uncover hidden risks
• Best-Practices Guidance for Third-Party Risk, Section: Monitor Third-Party Compliance with Regulations and Standards, p. 3
• Five Best Practices to Manage and Control Third-Party Risk, Section: Monitor Third-Party Financial Health, p. 4
• [Third Party Risk Management Framework], Module 4: Program Components, Section 4.3: Contracting, p. 24
• [A Better Way to Manage Third-Party Risk], Section: Establish clear service level agreements (SLAs) and key performance indicators (KPIs), p. 2

Scoping is a critical step in third party assessments, as it determines the scope and depth of the assessment based on the inherent risk, impact, and complexity of the vendor relationship. Scoping helps to ensure that the assessment is relevant, efficient, and consistent with the outsourcer’s risk appetite and objectives. Scoping also helps to avoid over or under assessing the vendor, which could result in unnecessary costs, delays, or gaps in risk management. Scoping is not a one-time activity, but rather an ongoing process that should be reviewed and updated throughout the vendor lifecycle. Scoping should be aligned with the outsourcer’s third party risk management framework and policies, and follow the best practices and guidelines provided by the Shared Assessments Program and other industry standards. References:

• 1: THIRD PARTY RISK MANAGEMENT TOOLKIT - Shared Assessments, pages 4-6
• 2: How Dynamic Scoping Can Improve Vendor Risk Assessments - ProcessUnity
• 3: Inherent Risk Tiering for Third-Party Vendor Assessments - MindPoint Group

Infrastructure as a service (IaaS) is a cloud deployment model that provides users with access to virtualized hardware resources, such as servers, storage, and network devices. Users can install and run their own operating systems and applications on the cloud infrastructure, and have full control over the configuration and management of the hardware equipment. IaaS is suitable for organizations that need high scalability, flexibility, and customization of their cloud environment. IaaS is different from other cloud deployment models, such as function as a service (FaaS), platform as a service (PaaS), and software as a service (SaaS), which provide users with higher-level services and abstract away the underlying hardware details. References:

• Cloud Infrastructure: 4 Key Components and Deployment Models
• Cloud Deployment Models - GeeksforGeeks
• On-Premises Cloud Deployment Model: Organization-Owned Hardware Explained

Peer code reviews are an essential part of the software development lifecycle (SDLC) process, as they help to improve the quality, security, and maintainability of the code. Peer code reviews involve having other developers review the code written by a developer before it is merged into the main branch or deployed to production. Peer code reviews can help to identify and fix errors, bugs, vulnerabilities, performance issues, coding standards violations, design flaws, and other issues that may affect the functionality or usability of the software. Peer code reviews also facilitate knowledge sharing, collaboration, and feedback among the development team, which can enhance the skills and productivity of the developers123.

The other options are not as likely to be included in the SDLC process, as they are either performed at different stages or not directly related to the development of the software. Scheduling the frequency of automated vulnerability scans and defining the scope of annual penetration tests are more related to the security testing and monitoring of the software, which are usually done after the development phase or as part of the maintenance phase. Scanning for data input validation in production is also a security measure that is done after the software is deployed, and it is not a good practice to rely on production testing alone, as it may expose the software to potential attacks or data breaches. Data input validation should be done during the development and testing phases, as well as in production123. References:

• What is SDLC? - Software Development Lifecycle Explained - AWS
• Software Development Life Cycle (SDLC) - GeeksforGeeks
• What Is the Software Development Life Cycle? SDLC Explained | Coursera

Data privacy policies are documents that outline how an organization collects, uses, stores, shares, and protects personal information from its customers, employees, partners, and other stakeholders1. Data privacy policies should address the following key elements2:

• The purpose and scope of data collection and processing
• The legal basis and consent mechanism for data processing
• The types and categories of personal data collected and processed
• The data retention and deletion policies and practices
• The data security and encryption measures and standards
• The data sharing and disclosure practices and procedures, including the use of third parties and cross-border transfers
• The data access, correction, and deletion rights and requests of individuals
• The data breach and incident response and notification procedures and responsibilities
• The data protection officer and contact details
• The data privacy policy review and update process and frequency

Procedures for configuration settings in identity access management are typically not addressed within data privacy policies, as they are more related to the technical and operational aspects of data security and access control. Identity access management (IAM) is a framework of policies, processes, and technologies that enable an organization to manage and verify the identities and access rights of its users and devices3. IAM configuration settings determine how users and devices are authenticated, authorized, and audited when accessing data and resources. IAM configuration settings should be aligned with the data privacy policies and principles, but they are not part of the data privacy policies themselves. IAM configuration settings should be documented and maintained separately from data privacy policies, and should be reviewed and updated regularly to ensure compliance and security. References: 1: What is a Data Privacy Policy? | OneTrust 2: Privacy Policy Checklist: What to Include in Your Privacy Policy 3: What is identity and access management? | IBM : [Identity and Access Management Configuration Settings] : [Why data privacy and third-party risk teams need to work … - OneTrust] : [Privacy Risk Management - ISACA] : [What Every Chief Privacy Officer Should Know About Third-Party Risk …]

Continuous monitoring is a process of collecting and analyzing data on the performance and security of third-party vendors on an ongoing basis. Continuous monitoring helps to identify and mitigate potential risks, such as data breaches, credential exposures, insider fraud/theft, and other cyber incidents, that may affect the organization and its customers. Continuous monitoring can use various techniques, such as monitoring surface, vulnerabilities, passive and active indicators of compromise, and business intelligence.

Passive and active indicators of compromise are examples of continuous monitoring techniques that track the signs of malicious activity or compromise on the third-party vendor’s systems or networks. Passive indicators of compromise are data sources that do not require direct interaction with the target, such as threat intelligence feeds, dark web monitoring, or external scanning. Active indicators of compromise are data sources that require direct interaction with the target, such as penetration testing, malware analysis, or incident response. Both passive and active indicators of compromise can provide valuable information on the current state and potential threats of the third-party vendor’s environment.

The other options are not examples of continuous monitoring techniques that track breach, credential exposure and insider fraud/theft alerts. Monitoring surface is a technique that measures the size and complexity of the third-party vendor’s attack surface, such as the number and type of internet-facing assets, domains, and services. Vulnerabilities are a technique that identifies the weaknesses or flaws in the third-party vendor’s systems or applications that can be exploited by attackers, such as outdated software, misconfigurations, or unpatched bugs. Business intelligence is a technique that analyzes the business performance and reputation of the third-party vendor, such as financial stability, customer satisfaction, or regulatory compliance. References:

• Guide: Continuous Monitoring for Third-Party Risk
• Continuous Monitoring - Third Party Risk Management
• 12 Ongoing Monitoring Best Practices for Third-Party Risk Management

An emergency response plan (ERP) is a document that outlines the procedures and actions to be taken by an organization in the event of a disruptive incident that threatens its operations, assets, reputation, or stakeholders1. An ERP should be aligned with the organization’s business continuity and disaster recovery plans, and should cover the roles and responsibilities, communication channels, escalation processes, resources, and recovery strategies for different types of emergencies2.

The first step in developing an ERP is to conduct an assessment that includes an inventory of the types of events that have the greatest potential to trigger an ERP3. This assessment should consider the likelihood and impact of various scenarios, such as natural disasters, cyberattacks, pandemics, civil unrest, terrorism, or supply chain disruptions, and identify the critical functions, processes, assets, and dependencies that could be affected by these events4. The assessment should also evaluate the existing capabilities and gaps in the organization’s preparedness and response, and prioritize the areas that need improvement or enhancement5. The assessment should be based on a comprehensive risk analysis and a business impact analysis, and should involve input from relevant stakeholders, such as senior management, business units, IT, security, legal, compliance, human resources, and third parties.

The other options are not the first step in developing an ERP, but rather subsequent or complementary steps that should be performed after the initial assessment. Considering work-from-home parameters, incorporating periodic crisis management team tabletop exercises, and using the results of continuous monitoring tools are all important aspects of an ERP, but they are not the starting point for creating one. These steps should be based on the findings and recommendations of the assessment, and should be updated and tested regularly to ensure the effectiveness and relevance of the ERP. References: 1: What is an Emergency Response Plan? | IBM 2: Emergency Response Plan | Ready.gov 3: 8 Steps to Building a Third-Party Incident Response Plan | Prevalent 4: How to create an effective business continuity plan | CIO 5: Emergency Response Planning: 4 Steps to Creating a Plan : Third-Party Risk Management: Final Interagency Guidance : Improving Third-Party Incident Response | Prevalent

 ESG programs are initiatives that aim to improve the environmental, social, and governance performance of a vendor or service provider. ESG programs may be driven by various factors, such as regulatory obligations, customer expectations, stakeholder pressure, industry standards, or company commitments. Therefore, statement B is true and the correct answer is B. Statement A is false because ESG expectations may come from external entities, such as regulators, investors, customers, or civil society. Statement C is false because ESG commitments can be measured both qualitatively and quantitatively, using indicators such as carbon emissions, diversity, ethics, or compliance. Statement D is false because ESG obligations may apply to any company, regardless of its size, ownership, or sector. References:

• Third-party risk management and the ESG agenda
• ESG third-party risk
• The Role of Third-Party Risk Management in ESG Compliance

Controls evaluation is the process of verifying and validating the effectiveness of the controls implemented by the third party to mitigate the identified risks. It involves reviewing the evidence provided by the third party, such as policies, procedures, certifications, attestations, or test results, to determine if the controls are adequate, consistent, and compliant with the requirements and standards of the organization. Controls evaluation also involves analyzing the assessment results to identify any gaps, weaknesses, or issues in the third party’s controls, and reporting the findings and recommendations to the relevant stakeholders. Negotiating contract terms for the right to audit is not a component of controls evaluation, but rather a component of contract management. Contract management is the process of establishing, maintaining, and enforcing the contractual agreements between the organization and the third party. It involves defining the roles, responsibilities, expectations, and obligations of both parties, as well as the terms and conditions for service delivery, performance measurement, risk management, dispute resolution, and termination. Negotiating contract terms for the right to audit is a key aspect of contract management, as it allows the organization to monitor and verify the third party’s compliance with the contract and the applicable regulations and standards. It also enables the organization to conduct independent audits or assessments of the third party’s controls, processes, and performance, and to request remediation actions if necessary. References:

• 1: Shared Assessments, a leading provider of third party risk management solutions, offers a comprehensive guide for Certified Third Party Risk Professional (CTPRP) candidates, which covers the core concepts and best practices of third party risk management, including controls evaluation and contract management.
• 2: UpGuard, a platform for cybersecurity and third party risk management, provides a detailed overview of the best practices for third party risk assessment, which includes the steps and criteria for evaluating the controls of third parties.
• 3: Deloitte, a global professional services firm, offers an end-to-end managed service for third party risk management, which includes controls evaluation and contract management as key components of the service.

Multi-factor authentication (MFA) is an electronic authentication method that requires a user to present two or more pieces of evidence (or factors) to an authentication mechanism. The factors can be something the user knows (such as a password or a PIN), something the user has (such as a smartphone or a security token), or something the user is (such as a fingerprint or a facial recognition). MFA enhances the security of online accounts and applications by making it harder for attackers to gain access with stolen or guessed credentials. MFA is recommended as a best practice for third-party risk management, as it can reduce the risk of unauthorized access, data breaches, and identity theft. MFA is also a requirement for some regulatory standards and frameworks, such as PCI DSS, HIPAA, and NIST 800-63. References:

• What is: Multifactor Authentication
• Set up your Microsoft 365 sign-in for multi-factor authentication
• Multi-factor authentication - Wikipedia
• Shared Assessments CTPRP Study Guide, page 19
• Shared Assessments CTPRP Job Guide, page 14
• Best Practices Guidance for Third Party Risk, page 9

 According to the GDPR, personal data is any information relating to an identified or identifiable natural person (data subject). The GDPR does not consider the volume of data records as a relevant factor for classifying personal data, but rather the nature and context of the data. The GDPR requires data controllers and processors to apply appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing personal data, taking into account factors such as the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of natural persons. Therefore, the volume of data records is not a decisive attribute for classifying personal data, but rather an indicator of the potential impact of a data breach or misuse.

The other factors listed in the question are more important attributes for classifying personal data, as they relate to the identification, protection, and rights of the data subjects. The data subject category that identifies the data owner refers to the type of natural person whose personal data is processed, such as customers, employees, patients, students, etc. This factor is important for determining the purpose and legal basis of processing, as well as the data subject’s rights and expectations1. The sensitivity level of specific data elements that could identify an individual refers to the degree of harm or discrimination that could result from the disclosure or misuse of such data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, sex life or sexual orientation, or criminal convictions or offenses2. The GDPR imposes stricter rules and obligations for the processing of such special categories of personal data, as they pose a higher risk to the data subject’s fundamental rights and freedoms. The assignment of a confidentiality level that differentiates public or non-public information refers to the degree of access and disclosure that is permitted or required for the personal data, depending on the data subject’s consent, the legitimate interests of the data controller or processor, or the applicable laws and regulations1. The GDPR requires data controllers and processors to implement data protection by design and by default, meaning that they should only process the personal data that is necessary for the specific purpose and limit the access to those who need to know.

References:

• 4: 5 Types of Data Classification (With Examples) | Indeed.com
• 7: Special Categories of Personal Data - GDPR EU
• [8]: Data Classification for GDPR Explained [Full Breakdown] - DataGrail

Fourth-Nth party risk refers to the potential threats and vulnerabilities associated with the subcontractors, vendors, or service providers of an organization’s direct third-party partners. This can create a complex network of dependencies and exposures that can affect the organization’s security, data protection, and business resilience. To manage this risk effectively, organizations should conduct comprehensive due diligence on their extended vendor and supplier network, and include contractual stipulations that require notification and approval for any subcontracting activities. This way, the organization can ensure that the subcontractors meet the same standards and expectations as the direct third-party partners, and that they have adequate controls and safeguards in place to protect the organization’s data and systems. Additionally, the organization should monitor and assess the performance and compliance of the subcontractors on a regular basis, and update the contract provisions as needed to reflect any changes in the risk environment. References:

• Understanding 4th- and Nth-Party Risk: What Do You Need to Know?
• Best Practices for Fourth and Nth Party Management
• Fourth-Party Risk Management: Best Practices

 Risk culture is the term used to describe the collective way that an organization thinks about, manages, and responds to risk. It is influenced by the organization’s values, beliefs, norms, and practices, as well as the external environment and stakeholders. Risk culture affects how employees perceive, communicate, and act on risk issues, and how they balance risk and reward in their decision making. A strong risk culture is one that supports the organization’s strategic objectives, fosters accountability and transparency, and promotes learning and improvement. A weak risk culture is one that undermines the organization’s risk management framework, creates silos and conflicts, and exposes the organization to excessive or unnecessary risks. References:

• Shared Assessments CTPRP Study Guide, page 13, section 2.1.1
• GARP Best Practices Guidance for Third Party Risk, page 5, section 2.1
• Organizational culture | Definition, Benefits and Challenges