CTPRP Exam 99 Questions with Complete Answers.
third party - Correct answer entities or persons that work on behalf of the organization
but are not its employees, including consultants, contingent workers, clients, business
partners, service providers, subcontractors, vendors, suppliers, affiliates and any other
person or entity that accesses customer, company confidential/proprietary data and/or
systems that interact with that data
Outsourcer - Correct answer the entity delegating a function to another entity, or is
considering doing so
Outsourcer - Correct answer the entity evaluating the risk posed by obtaining services
from another entity
Fourth party/subcontractor - Correct answer an entity independent of and directly
performing tasks for the assesse being evaluated
drivers for third party risk assessments - Correct answer ISO 27002, FFEIC Appendix,
OOC Bulletins, FFEIC CAT Tool, PCI Data Security Standard, NIST Cyber security
Framework, HIPAA/Hitch, EU GDPR
different names for third parties - Correct answer Business Associate, Service Provider,
Processor, Person who provides support for the internal operations of the Web site or
online service, Third-Party Service Provider
Office of the Comptroller of the Currency (OOC) lifecycle framework for third party risk -
Correct answer Planning, Due Diligence and Third Party Selection, Contract
Negotiation, Ongoing Monitoring, Termination
False - You must determine the third party's ability to satisfy those requirements. -
Correct answer T/F - You can rely on contract requirements to satisfy regulatory
requirements for third parties.
True - e.g., HIPAA and OFAC - Correct answer T/F - It is possible to be subject to
regulations from different industry sectors
False - in many instances state requirements may be more stringent than federal -
Correct answer T/F - Federal regulations always supersede state regulations
Audits should ensure compliance with: - Correct answer Corporate, Legal, Regulatory,
Industry requirements
Risk Assessment and Treatment - Correct answer Describes the vendor's risk
assessment program, and its maturity and operating effectiveness.
, True - Correct answer T/F - A risk assessment program should be approved by
management and communicated to all appropriate constituents
Different names for data - Correct answer Protected Health Information, Electronic
Health Records, Personally Identifiable Financial Information, Cardholder Data,
Personal Data, Personal Information, Consumer Financial Information
Personally Identifiable Information (PII) - Correct answer any information about an
individual maintained by an agency, including (1) any information that can be used to
distinguish or trace an individual's identity, such as name, or biometric records and (2)
any other information that is linked or linkable to an individual, such as medical,
educational, financial and employment information
Basic PII - Correct answer physical - last name, first name, phone #'s, street address
Sensitive PII - Correct answer PII used in conjunction with basic PII (i.e., SS card,
Driver's License, DOB)
Card Holder Data (CHD)/Payment Card Industry (PCI) data - Correct answer credit or
debit card info that includes the Primary Account Number (PAN), which is the payment
card number (credit or debit) that identifies the issuer and the particular cardholder
account
IA as (Infrastructure as a Service) - Correct answer Organization outsources the
equipment used to support operations, including storage, hardware, servers and
networking components.
Papas (Platform as a Service) - Correct answer Hardware and software infrastructure
for the development of business applications. Most commonly used by application
developers.
Saabs (Software as a Service) - Correct answer Business application delivered over the
Internet in which users interact with the application through a web browser.
Private cloud - Correct answer infrastructure is managed and operated exclusively for
one company in order to keep a consistent level of security privacy, and governance
control.
Hybrid cloud - Correct answer combination of public and private cloud computing
environments shared between them
Community cloud - Correct answer collaborative effort in which infrastructure is shared
between several organizations from a specific community with common concerns
Public cloud - Correct answer owned by a cloud vendor and is accessible to the general
public or a large industry group
third party - Correct answer entities or persons that work on behalf of the organization
but are not its employees, including consultants, contingent workers, clients, business
partners, service providers, subcontractors, vendors, suppliers, affiliates and any other
person or entity that accesses customer, company confidential/proprietary data and/or
systems that interact with that data
Outsourcer - Correct answer the entity delegating a function to another entity, or is
considering doing so
Outsourcer - Correct answer the entity evaluating the risk posed by obtaining services
from another entity
Fourth party/subcontractor - Correct answer an entity independent of and directly
performing tasks for the assesse being evaluated
drivers for third party risk assessments - Correct answer ISO 27002, FFEIC Appendix,
OOC Bulletins, FFEIC CAT Tool, PCI Data Security Standard, NIST Cyber security
Framework, HIPAA/Hitch, EU GDPR
different names for third parties - Correct answer Business Associate, Service Provider,
Processor, Person who provides support for the internal operations of the Web site or
online service, Third-Party Service Provider
Office of the Comptroller of the Currency (OOC) lifecycle framework for third party risk -
Correct answer Planning, Due Diligence and Third Party Selection, Contract
Negotiation, Ongoing Monitoring, Termination
False - You must determine the third party's ability to satisfy those requirements. -
Correct answer T/F - You can rely on contract requirements to satisfy regulatory
requirements for third parties.
True - e.g., HIPAA and OFAC - Correct answer T/F - It is possible to be subject to
regulations from different industry sectors
False - in many instances state requirements may be more stringent than federal -
Correct answer T/F - Federal regulations always supersede state regulations
Audits should ensure compliance with: - Correct answer Corporate, Legal, Regulatory,
Industry requirements
Risk Assessment and Treatment - Correct answer Describes the vendor's risk
assessment program, and its maturity and operating effectiveness.
, True - Correct answer T/F - A risk assessment program should be approved by
management and communicated to all appropriate constituents
Different names for data - Correct answer Protected Health Information, Electronic
Health Records, Personally Identifiable Financial Information, Cardholder Data,
Personal Data, Personal Information, Consumer Financial Information
Personally Identifiable Information (PII) - Correct answer any information about an
individual maintained by an agency, including (1) any information that can be used to
distinguish or trace an individual's identity, such as name, or biometric records and (2)
any other information that is linked or linkable to an individual, such as medical,
educational, financial and employment information
Basic PII - Correct answer physical - last name, first name, phone #'s, street address
Sensitive PII - Correct answer PII used in conjunction with basic PII (i.e., SS card,
Driver's License, DOB)
Card Holder Data (CHD)/Payment Card Industry (PCI) data - Correct answer credit or
debit card info that includes the Primary Account Number (PAN), which is the payment
card number (credit or debit) that identifies the issuer and the particular cardholder
account
IA as (Infrastructure as a Service) - Correct answer Organization outsources the
equipment used to support operations, including storage, hardware, servers and
networking components.
Papas (Platform as a Service) - Correct answer Hardware and software infrastructure
for the development of business applications. Most commonly used by application
developers.
Saabs (Software as a Service) - Correct answer Business application delivered over the
Internet in which users interact with the application through a web browser.
Private cloud - Correct answer infrastructure is managed and operated exclusively for
one company in order to keep a consistent level of security privacy, and governance
control.
Hybrid cloud - Correct answer combination of public and private cloud computing
environments shared between them
Community cloud - Correct answer collaborative effort in which infrastructure is shared
between several organizations from a specific community with common concerns
Public cloud - Correct answer owned by a cloud vendor and is accessible to the general
public or a large industry group
