CTPRP Exam | 99 Questions and Answers Graded A+

entities or persons that work on behalf of the organization but are not its employees, including consultants, contingent workers, clients, business partners, service providers, subcontractors, vendors, suppliers, affiliates and any other person or entity that accesses customer, company confidential/proprietary data and/or systems that interact with that data - ANSWER - third party

the entity delegating a function to another entity, or is considering doing so - ANSWER - outsourcer

the entity evaluating the risk posed by obtaining services from another entity - ANSWER - outsourcer

an entity independent of and directly performing tasks for the assessee being evaluated - ANSWER - fourth party/subcontractor

ISO 27002, FFIEC Appendix, OCC Bulletins, FFIEC CAT Tool, PCI Data Security Standard, NIST Cybersecurity Framework, HIPAA/HITECH, EU GDPR - ANSWER - drivers for third party risk assessments

Business Associate, Service Provider, Processor, Person who provides support for the internal operations of the Web site or online service, Third-Party Service Provider - ANSWER - different names for third parties

Planning, Due Diligence and Third Party Selection, Contract Negotiation, Ongoing Monitoring, Termination - ANSWER - Office of the Comptroller of the Currency (OCC) lifecycle framework for third party risk

T/F - You can rely on contract requirements to satisfy regulatory requirements for third parties. - ANSWER - False - You must determine the third party's ability to satisfy those requirements.

T/F - It is possible to be subject to regulations from different industry sectors - ANSWER - True - e.g., HIPAA and OFAC

T/F - Federal regulations always supersede state regulations - ANSWER - False - in many instances state requirements may be more stringent than federal

Corporate, Legal, Regulatory, Industry requirements - ANSWER - Audits should ensure compliance with:

Describes the vendor's risk assessment program, and its maturity and operating effectiveness. - ANSWER - Risk Assessment and Treatment

T/F - A risk assessment program should be approved by management and communicated to all appropriate constituents - ANSWER - True

Protected Health Information, Electronic Health Records, Personally Identifiable Financial Information, Cardholder Data, Personal Data, Personal Information, Consumer Financial Information - ANSWER - Different names for data

any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, or biometric records and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information - ANSWER - Personally Identifiable Information (PII)

physical - last name, first name, phone #'s, street address - ANSWER - Basic PII

PII used in conjunction with basic PII (e.g., SS card, Driver's License, DOB) - ANSWER - Sensitive PII

credit or debit card info that includes the Primary Account Number (PAN), which is the payment card number (credit or debit) that identifies the issuer and the particular cardholder account - ANSWER - Cardholder Data (CHD)/Payment Card Industry (PCI) data

Organization outsources the equipment used to support operations, including storage, hardware, servers and networking components. - ANSWER - IaaS (Infrastructure as a Service)

Hardware and software infrastructure for the development of business applications. Most commonly used by application developers. - ANSWER - PaaS (Platform as a Service)

Business application delivered over the Internet in which users interact with the application through a web browser. - ANSWER - SaaS (Software as a Service)

infrastructure is managed and operated exclusively for one company in order to keep a consistent level of security, privacy, and governance control. - ANSWER - private cloud

combination of public and private cloud computing environments shared between them - ANSWER - hybrid cloud

collaborative effort in which infrastructure is shared between several organizations from a specific community with common concerns - ANSWER - community cloud

owned by a cloud vendor and is accessible to the general public or a large industry group - ANSWER - public cloud

- review of audit form attestation reports
- security services documentation
- image snapshot approval and mgmt process
- patching responsibility - ANSWER - components of a cloud vendor assessment program

assess the perimeter - ANSWER - first layer of defense in physical and environmental security

- video surveillance
- electronic access control at essential ingress/egress points
- correlation of the video and card access data
- retention of video and logs for forensics - ANSWER - monitoring and controls established for infrastructure

process for documenting and maintaining an