Which statement is NOT a method of securing web applications?
A. Ensure appropriate logging and review of access and events
B. Conduct periodic penetration tests
C. Adhere to web content accessibility guidelines
D. Include validation checks in the SDLC for cross-site scripting and SQL injection
Which risk treatment approach typically requires a negotiation of contract terms between parties?
A. Monitor the risk
B. Mitigate the risk
C. Accept the risk
D. Transfer the risk
Which statement is FALSE regarding the methods of measuring third party risk?
A. Risk can be measured both qualitatively and quantitatively
B. Risk can be quantified by calculating the severity of impact and likelihood of occurrence
C. Assessing risk impact requires an analysis of prior events, frequency of occurrence, and external trends to analyze and predict the potential of a particular event happening
D. Risk likelihood or probability is a critical element in quantifying inherent or residual risk
You are updating program requirements due to shift in use of technologies by vendors to enable hybrid work. Which statement is LEAST likely to represent components of an Asset Management Program?
A. Asset inventories should include connections to external parties, networks, or systems that process data
B. Each asset should include an organizational owner who is responsible for the asset throughout its life cycle
C. Assets should be classified based on criticality or data sensitivity
D. Asset inventories should track the flow or distribution of items used to fulfill products and services across production lines
When defining third party requirements for transmitting PII, which factors provide stronger controls?
A. Full disk encryption and backup
B. Available bandwidth and redundancy
C. Strength of encryption cipher and authentication method
D. Logging and monitoring
Which of the following is NOT an example of a type of application security testing?
A. Cookie consent scanning
B. Interactive testing
C. Static testing
D. Dynamic testing
When conducting an assessment of a third party's physical security controls, which of the following represents the innermost layer in a ‘Defense in Depth’ model?
A. Public internal
B. Restricted entry
C. Private internal
D. Public external
Which of the following actions reflects the first step in developing an emergency response plan?
A. Conduct an assessment that includes an inventory of the types of events that have the greatest potential to trigger an emergency response plan
B. Consider work-from-home parameters in the emergency response plan
C. Incorporate periodic crisis management team tabletop exercises to test different scenarios
D. Use the results of continuous monitoring tools to develop the emergency response plan
Which statement is FALSE regarding the risk factors an organization may include when defining TPRM compliance requirements?
A. Organizations include TPRM compliance requirements within vendor contracts, and periodically review and update mandatory contract provisions
B. Organizations rely on regulatory mandates to define and structure TPRM compliance requirements
C. Organizations incorporate the use of external standards and frameworks to align and map TPRM compliance requirements to industry practice
D. Organizations define TPRM policies based on the company’s risk appetite to shape requirements based on the services being outsourced
Which statement is FALSE regarding problem or issue management?
A. Problems or issues are the root cause of an actual or potential incident
B. Problem or issue management involves managing workarounds or known errors
C. Problems or issues typically lead to systemic failures
D. Problem or issue management may reduce the likelihood and impact of incidents
Which statement provides the BEST example of the purpose of scoping in third party assessments?
A. Scoping is used to reduce the number of questions the vendor has to complete based on vendor classification
B. Scoping is the process an outsourcer uses to configure a third party assessment based on the risk the vendor presents to the organization
C. Scoping is an assessment technique only used for high risk or critical vendors that require on-site assessments
D. Scoping is used primarily to limit the inclusion of supply chain vendors in third party assessments
The following statements reflect user obligations defined in end-user device policies EXCEPT:
A. A statement specifying the owner of data on the end-user device
B. A statement that defines the process to remove all organizational data, settings and accounts at offboarding
C. A statement detailing user responsibility in ensuring the security of the end-user device
D. A statement that specifies the ability to synchronize mobile device data with enterprise systems