QUESTIONS AND 100% ANSWERS
Audits should ensure compliance with: - ans -Corporate, Legal, Regulatory,
Industry requirements
Risk Assessment and Treatment - ans -Describes the vendor's risk assessment
program, and its maturity and operating effectiveness.
True - ans -T/F - A risk assessment program should be approved by management
and communicated to all appropriate constituents
Different names for data - ans -Protected Health Information, Electronic Health
Records, Personally Identifiable Financial Information, Cardholder Data, Personal
Data, Personal Information, Consumer Financial Information
Personally Identifiable Information (PII) - ans -any information about an individual
maintained by an agency, including (1) any information that can be used to
distinguish or trace an individual's identity, such as name, or biometric records
and (2) any other information that is linked or linkable to an individual, such as
medical, educational, financial and employment information
Basic PII - ans -physical - last name, first name, phone #'s, street address
Sensitive PII - ans -PII used in conjunction with basic PII (e.g., Social Security card, Driver's
License, DOB)
Cardholder Data (CHD)/Payment Card Industry (PCI) data - ans -credit or debit
card info that includes the Primary Account Number (PAN), which is the payment
card number (credit or debit) that identifies the issuer and the particular
cardholder account
IaaS (Infrastructure as a Service) - ans -Organization outsources the equipment
used to support operations, including storage, hardware, servers and networking
components.
PaaS (Platform as a Service) - ans -Hardware and software infrastructure for the
development of business applications. Most commonly used by application
developers.
SaaS (Software as a Service) - ans -Business application delivered over the
Internet in which users interact with the application through a web browser.
private cloud - ans -infrastructure is managed and operated exclusively for one
company in order to keep a consistent level of security, privacy, and governance
control.
hybrid cloud - ans -combination of public and private cloud computing
environments shared between them
community cloud - ans -collaborative effort in which infrastructure is shared
between several organizations from a specific community with common concerns
public cloud - ans -owned by a cloud vendor and is accessible to the general public
or a large industry group
components of a cloud vendor assessment program - ans -
- review of audit firm attestation reports
- security services documentation
- image snapshot approval and management process
- patching responsibility
first layer of defense in physical and environmental security - ans -assess the
perimeter
monitoring and controls established for infrastructure - ans -
- video surveillance
- electronic access control at essential ingress/egress points
- correlation of the video and card access data
- retention of video and logs for forensics
asset management program - ans -process for documenting and maintaining an
inventory of hardware, software and information assets (includes a data
classification process)