You are reviewing assessment results of workstation and endpoint security. Which result should trigger more investigation due to greater risk potential?
A. Use of multi-tenant laptops
B. Disabled printing and USB devices
C. Use of desktop virtualization
D. Disabled or blocked access to internet
Which activity BEST describes conducting due diligence of a lower risk vendor?
A. Accepting a service provider's self-assessment questionnaire responses
B. Preparing reports to management regarding the status of third party risk management and remediation activities
C. Reviewing a service provider's self-assessment questionnaire and external audit report(s)
D. Requesting and filing a service provider's external audit report(s) for future reference
Which statement is TRUE regarding artifacts reviewed when assessing the Cardholder Data Environment (CDE) in payment card processing?
A. The Data Security Standards (DSS) framework should be used to scope the assessment
B. The Report on Compliance (ROC) provides the assessment results completed by a qualified security assessor that includes an onsite audit
C. The Self-Assessment Questionnaire (SAQ) provides independent testing of controls
D. A System and Organization Controls (SOC) report is sufficient if the report addresses the same location
Tracking breach, credential exposure and insider fraud/theft alerts is an example of which continuous monitoring technique?
A. Monitoring surface
B. Vulnerabilities
C. Passive and active indicators of compromise
D. Business intelligence
Which type of contract provision is MOST important in managing Fourth-Nth party risk after contract signing and on-boarding due diligence is complete?
A. Subcontractor notice and approval
B. Indemnification and liability
C. Breach notification
D. Right to audit
When working with third parties, which of the following requirements does not reflect a "Zero Trust" approach to access management?
A. Utilizing a solution that allows direct access by third parties to the organization's network
B. Ensure that access is granted on a per session basis regardless of network location, user, or device
C. Implement device monitoring, continual inspection and monitoring of logs/traffic
D. Require that all communication is secured regardless of network location
Which of the following components is NOT typically included in external continuous monitoring solutions?
A. Status updates on localized events based on geolocation
B. Alerts on legal and regulatory actions involving the vendor
C. Metrics that track SLAs for performance management
D. Reports that identify changes in vendor financial viability
A set of principles for software development that address the top application security risks and industry web requirements is known as:
A. Application security design standards
B. Security testing methodology
C. Secure code reviews
D. Secure architecture risk analysis
Which statement BEST describes the methods of performing due diligence during third party risk assessments?
A. Inspecting physical and environmental security controls by conducting a facility tour
B. Reviewing status of findings from the questionnaire and defining remediation plans
C. Interviewing subject matter experts or control owners, reviewing compliance artifacts, and validating controls
D. Reviewing and assessing only the obligations that are specifically defined in the contract
Which example of analyzing a vendor's response should trigger further investigation of their information security policies?
A. Determination that the security policies include contract or temporary workers
B. Determination that the security policies do not specify any requirements for third parties
C. Determination that the security policies are approved by management and available to constituents including employees and contract workers
D. Determination that the security policies are communicated to constituents including full and part-time employees
Which of the following is typically NOT included within the scope of an organization's network access policy?
A. Firewall settings
B. Unauthorized device detection
C. Website privacy consent banners
D. Remote access
Which example BEST represents the set of restrictive areas that require an additional authentication factor for access control?
A. Datacenters; telecom rooms; server rooms; exterior building entrance
B. Datacenters; telecom rooms; security operations centers; loading docks
C. Telecom rooms; parking garage; security operations centers; exterior building entrance
D. Exterior building entrance; datacenters; telecom rooms; printer rooms