CTPRP Exam 2026 Questions and
Answers
third party - Answer -entities or persons that work on behalf of the organization but
are not its employees, including consultants, contingent workers, clients, business
partners, service providers, subcontractors, vendors, suppliers, affiliates and any
other person or entity that accesses customer or company confidential/proprietary
data and/or systems that interact with that data
outsourcer - Answer -the entity delegating a function to another entity, or is
considering doing so
outsourcer - Answer -the entity evaluating the risk posed by obtaining services
from another entity
fourth party/subcontractor - Answer -an entity independent of and directly
performing tasks for the assessee being evaluated
drivers for third party risk assessments - Answer -ISO 27002, FFIEC Appendix,
OCC Bulletins, FFIEC Cybersecurity Assessment Tool (CAT), PCI Data Security Standard,
NIST Cybersecurity Framework, HIPAA/HITECH, EU GDPR
©COPYRIGHT 2025, ALL RIGHTS RESERVED 1
different names for third parties - Answer -Business Associate, Service Provider,
Processor, Person who provides support for the internal operations of the Web site
or online service, Third-Party Service Provider
Office of the Comptroller of the Currency (OCC) lifecycle framework for third
party risk - Answer -Planning, Due Diligence and Third-Party Selection, Contract
Negotiation, Ongoing Monitoring, Termination
False - You must determine the third party's ability to satisfy those requirements. -
Answer -T/F - You can rely on contract requirements to satisfy regulatory
requirements for third parties.
True - e.g., HIPAA and OFAC - Answer -T/F - It is possible to be subject to
regulations from different industry sectors
False - in many instances state requirements may be more stringent than federal -
Answer -T/F - Federal regulations always supersede state regulations
Audits should ensure compliance with: - Answer -Corporate, Legal, Regulatory,
Industry requirements
Risk Assessment and Treatment - Answer -Describes the vendor's risk assessment
program, and its maturity and operating effectiveness.
True - Answer -T/F - A risk assessment program should be approved by
management and communicated to all appropriate constituents
Different names for data - Answer -Protected Health Information, Electronic
Health Records, Personally Identifiable Financial Information, Cardholder Data,
Personal Data, Personal Information, Consumer Financial Information
Personally Identifiable Information (PII) - Answer -any information about an
individual maintained by an agency, including (1) any information that can be used
to distinguish or trace an individual's identity, such as name, or biometric records
and (2) any other information that is linked or linkable to an individual, such as
medical, educational, financial and employment information
Basic PII - Answer -physical - last name, first name, phone #'s, street address
Sensitive PII - Answer -PII used in conjunction with basic PII (e.g., Social Security
number, driver's license number, date of birth)
Cardholder Data (CHD) / Payment Card Industry (PCI) data - Answer -credit or
debit card information that includes the Primary Account Number (PAN), which is the
payment card number (credit or debit) that identifies the issuer and the particular
cardholder account