Free CTPRP Practice Test Questions 2026

125 Questions


Last Updated On: 27-Apr-2026


Data loss prevention in endpoint security is the strategy for:


A. Assuring there are adequate data backups in the event of a disaster


B. Preventing exfiltration of confidential information by users who access company systems


C. Enabling high-availability to prevent data transactions from loss


D. Preventing malware from entering secure systems used for processing confidential information





B.
  Preventing exfiltration of confidential information by users who access company systems

Which statement is FALSE regarding analyzing results from a vendor risk assessment?


A. The frequency for conducting a vendor reassessment is defined by regulatory obligations


B. Findings from a vendor risk assessment may be defined at the entity level, and are based on a specific topic or control


C. Identifying findings from a vendor risk assessment can occur at any stage in the contract lifecycle


D. Risk assessment findings identified by controls testing or validation should map back to the information gathering questionnaire and agreed upon framework





A.
  The frequency for conducting a vendor reassessment is defined by regulatory obligations

Which requirement is the MOST important for managing risk when the vendor contract terminates?


A. The responsibility to perform a financial review of outstanding invoices


B. The commitment to perform a final assessment based upon due diligence standards


C. The requirement to ensure secure data destruction and asset return


D. The obligation to define contract terms for transition services





C.
  The requirement to ensure secure data destruction and asset return

Which statement BEST represents the primary objective of a third party risk assessment:


A. To assess the appropriateness of non-disclosure agreements regarding the organization's systems/data


B. To validate that the vendor/service provider has adequate controls in place based on the organization's risk posture


C. To determine the scope of the business relationship


D. To evaluate the risk posture of all vendors/service providers in the vendor inventory





B.
  To validate that the vendor/service provider has adequate controls in place based on the organization's risk posture

Which statement BEST describes the use of risk based decisioning in prioritizing gaps identified at a critical vendor when defining the corrective action plan?


A. The assessor determined that gaps should be analyzed, documented, reviewed for compensating controls, and submitted to the business owner to approve risk treatment plan


B. The assessor decided that the critical gaps should be discussed in the closing meeting so that the vendor can begin to implement corrective actions immediately


C. The assessor concluded that all gaps should be logged and treated as high severity findings since the assessment was performed on a critical vendor


D. The assessor determined that all gaps should be logged and communicated that if the gaps were corrected immediately they would not need to be included in the findings report





A.
  The assessor determined that gaps should be analyzed, documented, reviewed for compensating controls, and submitted to the business owner to approve risk treatment plan

You are assessing your organization's Disaster Recovery and Business Continuity (DR/BCP) requirements based on the shift to remote work. Which statement is LEAST reflective of current practices in business resiliency?


A. Third party service providers should be included in the company’s exercise and testing program based on the criticality of the outsourced business function


B. The right to require participation in testing with third party service providers should be included in the contract


C. The contract is the only enforceable control to stipulate third party service provider obligations for DR/BCP since both programs were triggered by the pandemic


D. Management should request and receive artifacts that demonstrate successful test results and any remediation action plans





C.
  The contract is the only enforceable control to stipulate third party service provider obligations for DR/BCP since both programs were triggered by the pandemic

Which of the following changes to the production environment is typically NOT subject to the change control process?


A. Change in network


B. Change in systems


C. Change to administrator access


D. Update to application





C.
  Change to administrator access

Which of the following indicators is LEAST likely to trigger a reassessment of an existing vendor?


A. Change in vendor location or use of new fourth parties


B. Change in scope of existing work (e.g., new data or system access)


C. Change in regulation that impacts service provider requirements


D. Change at outsourcer due to M&A





D.
  Change at outsourcer due to M&A

Which requirement is NOT included in IT asset end-of-life (EOL) processes?


A. The requirement to conduct periodic risk assessments to determine end-of-life


B. The requirement to track status using a change initiation request form


C. The requirement to track updates to third party provided systems or applications for any planned end-of-life support


D. The requirement to establish defined procedures for secure destruction at sunset of asset





A.
  The requirement to conduct periodic risk assessments to determine end-of-life

Information classification of personal information may trigger specific regulatory obligations. Which statement is the BEST response from a privacy perspective:


A. Personally identifiable financial information includes only consumer report information


B. Public personal information includes only web or online identifiers


C. Personally identifiable information and personal data are similar in context, but may have different legal definitions based upon jurisdiction


D. Personally Identifiable Information and Protected Healthcare Information require the exact same data protection safeguards





C.
  Personally identifiable information and personal data are similar in context, but may have different legal definitions based upon jurisdiction

Which statement is FALSE regarding the primary factors in determining vendor risk classification?


A. The geographic area where the vendor is located may trigger specific regulatory obligations


B. The importance to the outsourcer's recovery objectives may trigger a higher risk tier


C. The type and volume of personal data processed may trigger a higher risk rating based on the criticality of the systems


D. Network connectivity or remote access may trigger a higher vendor risk classification only for third parties that process personal information





D.
  Network connectivity or remote access may trigger a higher vendor risk classification only for third parties that process personal information

If a system requires ALL of the following for accessing its data: (1) a password, (2) a security token, and (3) a user's fingerprint, the system employs:


A. Biometric authentication


B. Challenge/Response authentication


C. One-Time Password (OTP) authentication


D. Multi-factor authentication





D.
  Multi-factor authentication



What Makes Our Certified Third-Party Risk Professional (CTPRP) Practice Test So Effective?

Real-World Scenario Mastery: Our CTPRP practice exams don't just test definitions. They present you with the same complex, scenario-based problems you'll encounter on the actual exam.

Strategic Weakness Identification: Each practice session reveals exactly where you stand. Discover which domains need more attention, before Certified Third-Party Risk Professional (CTPRP) exam day arrives.

Confidence Through Familiarity: There's no substitute for knowing what to expect. When you've worked through our comprehensive pool of CTPRP practice exam questions covering all topics, the real exam feels like just another practice session.