CTPRP Exam Study
Third Party - Answer: entities or persons that work on behalf of the organization but are not its
employees, including consultants, contingent workers, clients, business partners, service
providers, subcontractors, vendors, suppliers, affiliates and any other person or entity that
accesses customer, company confidential/proprietary data and/or systems that interact with
that data
Outsourcer - Answer: the entity delegating a function to another entity, or is considering doing
so
Outsourcer - Answer: the entity evaluating the risk posed by obtaining services from another
entity
Fourth Party / Sub Contractor - Answer: an entity independent of and directly performing tasks
for the assessee being evaluated
Drivers for Third Party Risk Assessments - Answer: ISO 27002, FFIEC Appendix, OCC Bulletins,
FFIEC CAT Tool, PCI Data Security Standard, NIST Cybersecurity Framework, HIPAA/HITECH, EU
GDPR
Different Names for Third Parties - Answer: Business Associate, Service Provider, Processor,
Person who provides support for the internal operations of the Web site or online service,
Third-Party Service Provider
Lifecycle framework for third party risk - Answer: Planning, Due Diligence and Third Party
Selection, Contract Negotiation, Ongoing Monitoring, Termination
False - Answer: T/F - You can rely on contract requirements to satisfy regulatory requirements
for third parties.
True - Answer: T/F - It is possible to be subject to regulations from different industry sectors
False - In many instances state requirements may be more stringent than federal - Answer: T/F -
Federal regulations always supersede state regulations
Corporate, Legal, Regulatory, & Industry - Answer: Audits should ensure compliance with what
type of requirements
Risk Assessment & Treatment - Answer: Describes the vendor's risk assessment program, and its
maturity and operating effectiveness
True - Answer: T/F - A risk assessment program should be approved by management and
communicated to all appropriate constituents
Types of Data - Answer: Protected Health Information, Electronic Health Records, Personally
Identifiable Financial Information, Cardholder Data, Personal Data, Personal Information,
Consumer Financial Information
PII - Answer: any information about an individual maintained by an agency, including (1) any
information that can be used to distinguish or trace an individual's identity, such as name, or
biometric records and (2) any other information that is linked or linkable to an individual, such
as medical, educational, financial and employment information
Basic PII - Answer: physical - last name, first name, phone #'s, street address
Sensitive PII (SPII) - Answer: PII used in conjunction with basic PII (e.g., Social Security card, Driver's License,
DOB)
Cardholder Data (CHD) / Payment Card Industry (PCI) data - Answer: credit or debit card info that
includes the Primary Account Number (PAN), which is the payment card number (credit or
debit) that identifies the issuer and the particular cardholder account
IaaS (Infrastructure As a Service) - Answer: Organization outsources the equipment used to
support operations, including storage, hardware, servers and networking components.
PaaS (Platform as a Service) - Answer: Hardware and software infrastructure for the
development of business applications. Most commonly used by application developers.
SaaS (Software as a Service) - Answer: Business application delivered over the Internet in which
users interact with the application through a web browser.
Private Cloud - Answer: infrastructure is managed and operated exclusively for one company in
order to keep a consistent level of security, privacy, and governance control.
Hybrid Cloud - Answer: Combination of public and private cloud computing environments
shared between them
Community Cloud - Answer: Collaborative effort in which infrastructure is shared between
several organizations from a specific community with common concerns
Public Cloud - Answer: owned by a cloud vendor and is accessible to the general public or a
large industry group
Components of a Cloud Vendor Assessment Program - Answer:
- Review of Audit and Attestation Forms
- Security Services Documentation
- Image snapshot and approval management process