CTPRP Exam Questions and Answers With Complete Solution Latest (Score A+)

CTPRP Exam Questions and Answers With Complete Solution Latest (Score A+). outsourcer - ANS the entity delegating a function to another entity, or is considering doing so outsourcer - ANS the entity evaluating the risk posed by obtaining services from another entity fourth party/subcontractor - ANS an entity independent of and directly performing tasks for the assessee being evaluated drivers for third party risk assessments - ANS ISO 27002, FFEIC Appendix, OOC Bulletins, FFEIC CAT Tool, PCI Data Security Standard, NIST Cybersecurity Framework, HIPAA/HiTech, EU GDPR different names for third parties - ANS Business Associate, Service Provider, Processor, Person who provides support for the internal operations of the Web site or online service, Third-Party Service Provider Office of the Comptroller of the Currency (OOC) lifecycle framework for third party risk - ANS Planning, Due Diligence and Third Party Selection, Contract Negotiation, Ongoing Monitoring, Termination False - You must determine the third party's ability to satisfy those requirements. - ANS T/F - You can rely on contract requirements to satisfy regulatory requirements for third parties. True - e.g., HIPAA and OFAC - ANS T/F - It is possible to be subject to regulations from different industry sectors False - in many instances state requirements may be more stringent than federal - ANS T/F - Federal regulations always supersede state regulations Audits should ensure compliance with: - ANS Corporate, Legal, Regulatory, Industry requirements CTPRP Exam | 99 Questions and Answers With Complete Solution Risk Assessment and Treatment - ANS Describes the vendor's risk assessment program, and its maturity and operating effectiveness. True - ANS T/F - A risk assessment program should be approved by management and communicated to all appropriate constituents Different names for data - ANS Protected Health Information, Electronic Health Records, Personally Identifiable Financial Information, Cardholder Data, Personal Data, Personal Information, Consumer Financial Information Personally Identifiable Information (PII) - ANS any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, or biometric records and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information Basic PII - ANS physical - last name, first name, phone #'s, street address Sensitive PII - ANS PII used in conjunction with basic PII (i.e., SS card, Driver's License, DOB) Card Holder Data(CHD)/Payment Card Industry(PCI) data - ANS credit or debit card info that includes the Primary Account Number (PAN), which is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account IaaS (Infrastructure as a Service) - ANS Organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. PaaS (Platform as a Service) - ANS Hardware and software infrastructure for the development of business applications. Most commonly used by application developers. SaaS (Software as a Service) - ANS Business application delivered over the Internet in which users interact iwth the application through a web browser. private cloud - ANS infrastructure is managed and operated exclusively for one company in order to keep a consistent level of security privacy, and governance control. hybrid cloud - ANS combination of public and private cloud computing environments shared between them community cloud - ANS collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns public cloud - ANS owned by a cloud vendor and is accessible to the general public or a large industry group components of a cloud vendor assessment program - ANS - review of audit form attestation reports - security services documentation - image snapshot approval and mgmt process - patching responsibility first layer of defense in physical and environmental security - ANS assess the perimeter monitoring and controls established for infrastructure - ANS - video surveillance - electronic access control at essential ingress/egress points - correlation of the video an dcard access data - retention of video and logs for forensics asset management program - ANS process for documenting and maintaining an inventory of hardware, software and information assets (includes a data classification process) asset owner - ANS ensures assets are inventoried, properly classified and protected, defines and reviews access restrictions and classifications, reviews locations of where assets and data are being used, and ensures proper handling of an asset assets - ANS - hardware - software - data - facilities asset management program - ANS should be approved by senior management and communicated to all appropriate personnel potential egress points - ANS -email -USB ports -internet -printing -network DLP scanning - ANS -SSN/National ID -account numbers -functionality -email and attachments Commercial DLP software programs - ANS -capabilities vs configuration -monitor vs block -thresholds for acceptance -escalation processes -roles for review documented operating procedures - ANS ensure the effective mgmt, operation, integrity and security of information systems and data