.png){kind=logo}
- | Page
CTPRP EXAM
WITH CORRECT SOLUTIONS.
third party - correct answer- entities or persons that work on behalf of the organization but are not its employees, including consultants, contingent workers, clients, business partners, service providers, subcontractors, vendors, suppliers, affiliates and any other person or entity that accessess customer, company confidential/proprietary data and/or systems that interact with that data
outsourcer - correct answer- the entity delegating a function to another entity, or is considering doing so
outsourcer - correct answer- the entity evaluating the risk posed by obtaining services from another entity
fourth party/subcontractor - correct answer- an entity independent of and directly performing tasks for the assessee being evaluated
drivers for third party risk assessments - correct answer- ISO 27002, FFEIC Appendix, OOC Bulletins, FFEIC CAT Tool, PCI 1 / 3
- | Page
Data Security Standard, NIST Cybersecurity Framework, HIPAA/HiTech, EU GDPR
different names for third parties - correct answer- Business Associate, Service Provider, Processor, Person who provides support for the internal operations of the Web site or online service, Third-Party Service Provider
Office of the Comptroller of the Currency (OOC) lifecycle framework for third party risk - correct answer- Planning, Due Diligence and Third Party Selection, Contract Negotiation, Ongoing Monitoring, Termination
False - You must determine the third party's ability to satisfy those requirements. - correct answer- T/F - You can rely on contract requirements to satisfy regulatory requirements for third parties.
True - e.g., HIPAA and OFAC - correct answer- T/F - It is possible to be subject to regulations from different industry sectors
- / 3
- | Page
False - in many instances state requirements may be more stringent than federal - correct answer- T/F - Federal regulations always supersede state regulations
Audits should ensure compliance with: - correct answer-
Corporate, Legal, Regulatory, Industry requirements
Risk Assessment and Treatment - correct answer- Describes the vendor's risk assessment program, and its maturity and operating effectiveness.
True - correct answer- T/F - A risk assessment program should be approved by management and communicated to all appropriate constituents
Different names for data - correct answer- Protected Health Information, Electronic Health Records, Personally Identifiable Financial Information, Cardholder Data, Personal Data, Personal Information, Consumer Financial Information
Personally Identifiable Information (PII) - correct answer- any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, or biometric
- / 3
.png)