You are assessing your organization's Disaster Recovery and Business Continuity (DR/BCP) requirements based on the shift to remote work. Which statement is LEAST reflective of current practices in business resiliency?
A. Third party service providers should be included in the company’s exercise and testing program based on the criticality of the outsourced business function
B. The right to require participation in testing with third party service providers should be included in the contract
C. The contract is the only enforceable control to stipulate third party service provider obligations for DR/BCP since both programs were triggered by the pandemic
D. Management should request and receive artifacts that demonstrate successful test results and any remediation action plans
The Answer Is: C
Explanation:
The contract is not the only enforceable control to stipulate third party service provider obligations for DR/BCP, nor are both programs necessarily triggered by the pandemic. According to the Shared Assessments Program, third party risk management (TPRM) is a continuous process that requires ongoing monitoring and assessment of third parties’ performance, compliance, and resilience. Therefore, the contract should be complemented by other controls, such as due diligence, audits, reviews, and reporting, to ensure that third parties meet the organization’s expectations and standards for DR/BCP. Moreover, DR/BCP are not only relevant for pandemic scenarios, but also for other types of disasters, such as natural disasters, cyberattacks, power outages, or human errors. Therefore, the contract should reflect the organization’s risk appetite and tolerance for different types of disruptions and scenarios, and not be limited to pandemic-related events.
You are updating program requirements due to a shift in the use of technologies by vendors to enable hybrid work. Which statement is LEAST likely to represent components of an Asset Management Program?
A. Asset inventories should include connections to external parties, networks, or systems that process data
B. Each asset should include an organizational owner who is responsible for the asset throughout its life cycle
C. Assets should be classified based on criticality or data sensitivity
D. Asset inventories should track the flow or distribution of items used to fulfill products and services across production lines
The Answer Is: D
Explanation:
Asset management is the process of identifying, tracking, and managing the physical and digital assets of an organization. An asset management program is a set of policies, procedures, and tools that help to ensure the optimal use, security, and disposal of assets. According to the Shared Assessments CTPRP Study Guide [1], an asset management program should include the following components:
Asset inventories: A comprehensive and accurate list of all assets owned, leased, or used by the organization, including hardware, software, data, and services. Asset inventories should include connections to external parties, networks, or systems that process data, as this may introduce additional risks and dependencies [1][2].
Asset owners: A clear assignment of roles and responsibilities for each asset, including an organizational owner who is accountable for the asset throughout its life cycle. Asset owners should ensure that assets are properly maintained, updated, secured, and disposed of in accordance with the organization’s policies and standards [1][3].
Asset classification: A consistent and objective method of categorizing assets based on their criticality or data sensitivity. Asset classification helps to determine the appropriate level of protection, monitoring, and testing for each asset, as well as the potential impact of asset loss or compromise [1].
Asset controls: A set of measures and mechanisms that help to safeguard assets from unauthorized access, use, modification, disclosure, or destruction. Asset controls may include physical, technical, administrative, or contractual means, such as locks, encryption, passwords, policies, or agreements [1].
The statement that is least likely to represent a component of an asset management program is D. Asset inventories should track the flow or distribution of items used to fulfill products and services across production lines. This statement describes a supply chain management function, not an asset management function. Supply chain management is the process of planning, coordinating, and controlling the flow of materials, information, and services from suppliers to customers. Supply chain management may involve some aspects of asset management, such as inventory control, quality assurance, or vendor risk management, but it is not the same as asset management. Asset management focuses on the assets that the organization owns or uses, not the assets that the organization produces or delivers.
References:
1: Shared Assessments. (2020). Certified Third Party Risk Professional (CTPRP) Study Guide.
2: ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO03 Manage enterprise architecture.
3: ISO. (2018). ISO/IEC 27001:2018 Information technology — Security techniques — Information security management systems — Requirements. Clause 8.1.2 Asset management roles and responsibilities.
: NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. RA-2 Security Categorization.
: NIST. (2013). NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations. CM-8 Information System Component Inventory.
: APICS. (2018). APICS Dictionary, 16th edition. Supply chain management.
: ISACA. (2019). COBIT 2019 Framework: Governance and Management Objectives. APO13 Manage security.
Which of the following data types would be classified as low risk data?
A. Sanitized customer data used for aggregated profiling
B. Non-personally identifiable, but sensitive to an organization's significant process
C. Government-issued number, credit card number or bank account information
D. Personally identifiable data but stored in a test environment cloud container
The Answer Is: A
Explanation:
Data classification is the process of categorizing data according to its type, sensitivity, and value to the organization if altered, stolen, or destroyed [1]. Data classification helps an organization understand the risk level of its data and implement appropriate controls to protect it. Data can be classified into three risk levels: low, moderate, and high [2][3]. Low risk data are data that are intended for public disclosure or have no adverse impact on the organization’s mission, safety, finances, or reputation if compromised [2][3]. Sanitized customer data used for aggregated profiling are an example of low risk data, as they do not contain any personally identifiable or sensitive information that could be exploited for criminal or other wrongful purposes. Sanitized data are data that have been modified to remove or obscure any confidential or identifying information, such as names, addresses, phone numbers, etc. Aggregated data are data that have been combined or summarized from multiple sources to provide statistical or analytical insights, such as trends, patterns, averages, etc. Sanitized and aggregated data are often used for research, marketing, or business intelligence purposes, and do not pose a significant threat to the organization or the customers if exposed.
References:
1: What is Data Classification? | Best Practices & Data Types | Imperva
2: Data Classification Guideline (1604 GD.01) - Yale University
3: Risk Classifications | University IT
: Data Classification Policy - Shared Assessments
: What is Data Sanitization? | Definition and Examples | Imperva
: What is Data Aggregation? | Definition and Examples | Imperva
Which of the following statements is FALSE about Data Loss Prevention Programs?
A. DLP programs include the policy, tool configuration requirements, and processes for the identification, blocking or monitoring of data
B. DLP programs define the consequences for non-compliance to policies
C. DLP programs define the required policies based on default tool configuration
D. DLP programs include acknowledgement the company can apply controls to remove any data
The Answer Is: C
Explanation:
Data Loss Prevention (DLP) programs are not based on default tool configuration, but on the specific needs and risks of the organization. DLP programs should be tailored to the data types, locations, flows, and users that are relevant to the business. DLP programs should also align with the regulatory and contractual obligations, as well as the data risk appetite, of the organization. Default tool configuration may not adequately address these factors and may result in either over-blocking or under-protecting data. Therefore, statement C is false about DLP programs.
References:
1: The Best Data Loss Prevention Software Tools - Comparitech
2: Build a Successful Data Loss Prevention Program in 5 Steps - Gartner
3: What is data loss prevention (DLP)? | Microsoft Security
A set of principles for software development that address the top application security risks and industry web requirements is known as:
A. Application security design standards
B. Security testing methodology
C. Secure code reviews
D. Secure architecture risk analysis
The Answer Is: A
Explanation:
Application security design standards are a set of principles for software development that address the top application security risks and industry web requirements. They provide guidance on how to design, develop, and deploy secure applications that meet the security objectives of the organization and the expectations of the customers and regulators. Application security design standards cover topics such as secure design principles, threat modeling, encryption, identity and access management, logging and auditing, coding standards and conventions, safe functions, data handling, error handling, third-party components, and testing and validation. Application security design standards help developers avoid common security pitfalls, reduce vulnerabilities, and enhance the quality and reliability of the software. Application security design standards also facilitate the alignment of the software development lifecycle with the third-party risk management framework, by ensuring that security requirements are defined, implemented, verified, and maintained throughout the development process.
References:
Fundamental Practices for Secure Software Development
Secure Coding Practices
Secure Software Development Best Practices
Certified Third Party Risk Professional (CTPRP) Study Guide
Which cloud deployment model is primarily focused on the application layer?
A. Infrastructure as a Service
B. Software as a Service
C. Function as a Service
D. Platform as a Service
The Answer Is: B
Explanation:
Software as a Service (SaaS) is a cloud deployment model that provides users with access to software applications over the internet, without requiring them to install, maintain, or update the software on their own devices. SaaS is primarily focused on the application layer, as it delivers the complete functionality of the software to the end users, while abstracting away the underlying infrastructure, platform, and middleware layers. SaaS providers are responsible for managing the servers, databases, networks, security, and scalability of the software, as well as ensuring its availability, performance, and compliance. SaaS users only pay for the software usage, usually on a subscription or pay-per-use basis, and can access the software from any device and location, as long as they have an internet connection. Some examples of SaaS applications are Gmail, Salesforce, Dropbox, and Netflix.
References:
Shared Assessments CTPRP Study Guide, page 15, section 2.2.2
Cloud Computing Deployment Models and Architectures, section on Cloud Computing Models
Layered Architecture of Cloud, section on Application Layer
Which of the following BEST reflects components of an environmental controls testing program?
A. Scheduling testing of building access and intrusion systems
B. Remote monitoring of HVAC, Smoke, Fire, Water or Power
C. Auditing the CCTV backup process and card-key access process
D. Conducting periodic reviews of personnel access controls and building intrusion systems
The Answer Is: B
Explanation:
Remote monitoring of HVAC, Smoke, Fire, Water, or Power systems best reflects components of an environmental controls testing program. These systems are critical to ensuring the physical security and operational integrity of data centers and IT facilities. Environmental controls testing programs are designed to verify that these systems are functioning correctly and can effectively respond to environmental threats. This includes monitoring temperature and humidity (HVAC), detecting smoke or fire, preventing water damage, and ensuring uninterrupted power supply. Regular testing and monitoring of these systems help prevent equipment damage, data loss, and downtime due to environmental factors.
References:
Environmental control standards such as ISO/IEC 27001 (Information Security Management) include requirements for the testing and monitoring of physical and environmental security controls.
The "Data Center Operations Manual" by the Uptime Institute provides detailed guidelines on the testing and maintenance of environmental control systems to ensure the resilience and reliability of data center operations.
Which statement BEST describes the methods of performing due diligence during third party risk assessments?
A. Inspecting physical and environmental security controls by conducting a facility tour
B. Reviewing status of findings from the questionnaire and defining remediation plans
C. Interviewing subject matter experts or control owners, reviewing compliance artifacts, and validating controls
D. Reviewing and assessing only the obligations that are specifically defined in the contract
The Answer Is: C
Explanation:
Performing due diligence during third party risk assessments is a process of verifying and validating the information provided by the third parties, as well as identifying and assessing any potential risks or issues that may arise from the relationship. Due diligence methods may vary depending on the type, scope, and complexity of the third party engagement, but they generally involve the following steps [1][2][3]:
Interviewing subject matter experts or control owners: This method involves engaging with the relevant stakeholders from both the organization and the third party, such as business owners, project managers, legal counsel, compliance officers, security analysts, etc. The purpose of the interviews is to gather more information about the third party’s capabilities, processes, policies, performance, and challenges, as well as to clarify any questions or concerns that may arise from the questionnaire or other sources. The interviews can also help to establish rapport and trust between the parties, and to identify any gaps or discrepancies in the information provided.
Reviewing compliance artifacts: This method involves examining the evidence or documentation that supports the third party’s claims or assertions, such as certifications, accreditations, audit reports, policies, procedures, contracts, SLAs, etc. The purpose of the review is to verify the accuracy, completeness, and validity of the artifacts, as well as to assess the level of compliance with the applicable standards, regulations, and best practices. The review can also help to identify any areas of improvement or weakness in the third party’s controls or processes.
Validating controls: This method involves testing or inspecting the actual implementation and effectiveness of the third party’s controls or processes, such as security measures, quality assurance, data protection, incident response, etc. The purpose of the validation is to confirm that the controls are operating as intended and expected, and that they are sufficient to mitigate the risks or issues identified in the assessment. The validation can also help to identify any vulnerabilities or gaps in the third party’s controls or processes.
The other options are not as comprehensive or accurate as the methods described above, as they may not cover all the aspects or dimensions of the third party risk assessment, or they may rely on incomplete or outdated information. Inspecting physical and environmental security controls by conducting a facility tour is only one part of the validation method, and it may not be applicable or feasible for all types of third parties, such as cloud service providers or remote workers. Reviewing status of findings from the questionnaire and defining remediation plans is more of a follow-up or monitoring activity, rather than a due diligence method, as it assumes that the questionnaire has already been completed and analyzed. Reviewing and assessing only the obligations that are specifically defined in the contract is a narrow and limited approach, as it may not capture the full scope or complexity of the third party relationship, or the dynamic and evolving nature of the risks or issues involved.
References:
Third Party Due Diligence – a vital but challenging process
The guide to risk based third party due diligence - VinciWorks
Third Party Risk Assessment – Checklist & Best Practices
Which activity reflects the concept of vendor management?
A. Managing service level agreements
B. Scanning and collecting information from third party web sites
C. Reviewing and analyzing external audit reports
D. Receiving and analyzing a vendor's response to a questionnaire
The Answer Is: A
Explanation:
Vendor management is the process of coordinating with vendors to ensure excellent service to your customers [1][2]. It involves activities such as selecting vendors, negotiating contracts, controlling costs, reducing vendor-related risks and ensuring service delivery [1][2]. One of the key activities of vendor management is managing service level agreements (SLAs), which are contracts that define the expectations and obligations of both parties regarding the quality, quantity, and timeliness of the goods or services provided [3]. SLAs help to monitor and measure vendor performance, identify and resolve issues, and enforce penalties or rewards based on the agreed-upon metrics [3]. The other options are not correct because they do not reflect the concept of vendor management as a whole, but rather specific aspects or tools of vendor management. Scanning and collecting information from third party web sites, reviewing and analyzing external audit reports, and receiving and analyzing a vendor’s response to a questionnaire are all examples of methods or sources of information that can be used to conduct vendor due diligence, risk assessment, or performance evaluation, but they are not the only or the most important activities of vendor management.
References:
What is Vendor Management? Definition, Process, and Tools
What is vendor management? | Definition & Process | Taulia
Essential Guide to Vendor Management | Smartsheet, section “Service Level Agreements”
Which of the following components are typically NOT part of a cloud hosting vendor assessment program?
A. Reviewing the entity's image snapshot approval and management process
B. Requiring security services documentation and audit attestation reports
C. Requiring compliance evidence that provides the definition of patching responsibilities
D. Conducting customer performed penetration tests
The Answer Is: D
Explanation:
A cloud hosting vendor assessment program is a process of evaluating the security, compliance, and performance of a cloud service provider (CSP) that hosts an organization’s data or applications. A cloud hosting vendor assessment program typically includes the following components [1][2][3]:
Reviewing the entity’s image snapshot approval and management process: This component involves verifying how the CSP creates, approves, stores, and deletes image snapshots of the virtual machines or containers that run the organization’s workloads. Image snapshots can contain sensitive data or configuration settings that need to be protected from unauthorized access or modification.
Requiring security services documentation and audit attestation reports: This component involves requesting and reviewing the CSP’s documentation and reports that demonstrate the security controls and practices that the CSP implements to protect the organization’s data and applications. These may include service level agreements (SLAs), security policies and procedures, security certifications and standards, vulnerability scanning and patching reports, incident response and disaster recovery plans, and independent audit reports such as SOC 2 or ISO 27001.
Requiring compliance evidence that provides the definition of patching responsibilities: This component involves asking and verifying how the CSP handles the patching of the operating systems, applications, and libraries that run on the cloud infrastructure. Patching is a critical activity to prevent security breaches and ensure compliance with regulatory requirements. The organization needs to understand the roles and responsibilities of the CSP and the organization in patching the cloud environment, and the frequency and scope of patching activities.
The component that is typically NOT part of a cloud hosting vendor assessment program is conducting customer performed penetration tests. Penetration testing is a method of simulating a cyberattack on a system or network to identify and exploit vulnerabilities and weaknesses. While penetration testing can be a valuable tool to assess the security posture of a CSP, it is not usually included in a cloud hosting vendor assessment program for the following reasons:
Penetration testing may violate the CSP’s terms of service or acceptable use policy, which may prohibit or restrict the customer from performing any unauthorized or disruptive activities on the cloud infrastructure. The customer may face legal or contractual consequences if they conduct penetration testing without the CSP’s consent or knowledge.
Penetration testing may interfere with the CSP’s normal operations or affect the availability and performance of the cloud services for other customers. The customer may cause unintended damage or disruption to the CSP’s systems or networks, or trigger false alarms or alerts that may divert the CSP’s resources or attention.
Penetration testing may not provide a comprehensive or accurate assessment of the CSP’s security, as the customer may have limited visibility or access to the CSP’s internal systems or networks, or may encounter security mechanisms or countermeasures that prevent or limit the penetration testing activities. The customer may also face ethical or legal issues if they access or compromise the data or systems of other customers or the CSP.
Therefore, the verified answer to the question is D. Conducting customer performed penetration tests.
References:
Four Important Best Practices for Assessing Cloud Vendors
Top 11 Questionnaires for IT Vendor Assessment in 2024
Cloud Vendor Assessments | Done The Right Way
Penetration Testing in the Cloud: What You Need to Know
Cloud Penetration Testing: Challenges and Best Practices