Free Shared Assessments CTPRP Practice Exam with Questions & Answers | Set: 2

A risk register is a tool that records and tracks the identified risks, their probability, impact, status, and mitigation actions throughout the life cycle of a third-party relationship1. A risk register typically includes the following components2:

• A unique identifier for each risk
• A description of the risk and its source
• A rating or grading of the risk according to a risk assessment table or hierarchy
• An assessment of the impact and likelihood the risk will occur and the possible seriousness
• An outline of proposed mitigation actions and assignment of risk owner
• A status update on the risk and the progress of the mitigation actions
• A target date for resolving the risk or closing the action A vendor inventory is a list of all the third parties that a banking organization engages with, along with relevant information such as the type, scope, and nature of the services provided, the contract terms and conditions, the performance indicators, and the risk ratings3. A vendor inventory is not a component of a risk register, but rather a separate document that supports the planning and due diligence phases of the third-party relationship life cycle. A vendor inventory may be prioritized by contract value, but also by other criteria such as the criticality of the service, the risk level of the vendor, and the strategic importance of the relationship. References:
• 1: Third-Party Risk Management (TPRM): Final Interagency Guidance, KPMG, June 2023
• 2: What Is Third-Party Risk Management (TPRM)? 2024 Guide, UpGuard, January 2024
• 3: Third-Party Risk Management Guidance, OCC Bulletin 2023-29, October 2023
• [4]: Certified Third Party Risk Professional (CTPRP) Study Guide, Shared Assessments, 2023
• [5]: Best Practices Guidance for Third-Party Risk, GARP, February 2023

 An IT asset management program is a set of processes and tools that help an organization manage its IT assets throughout their lifecycle, from acquisition to disposal. An IT asset management program should include the following components1234:

• Maintaining inventories of systems, connections, and software applications: This component involves creating and updating a comprehensive and accurate list of all IT assets owned or used by the organization, including their location, ownership, configuration, and status. This helps the organization optimize the use of its IT resources, reduce costs, and ensure compliance with licensing and regulatory requirements.
• Tracking and monitoring availability of vendor updates and any timelines for end of support: This component involves keeping track of the latest updates, patches, and security fixes provided by the vendors of the IT assets, as well as the end-of-life dates and support options for the assets. This helps the organization maintain the security, performance, and functionality of its IT assets, and plan for timely replacement or migration of obsolete or unsupported assets.
• Identifying and tracking adherence to IT asset end-of-life policy: This component involves defining and implementing a policy for retiring and disposing of IT assets that are no longer needed, useful, or supported by the organization. This helps the organization reduce risks, costs, and environmental impacts associated with IT asset disposal, and ensure compliance with data protection and disposal regulations.

Defining application security standards for internally developed applications is not a component of an IT asset management program, but rather a component of an application development and security program. An application development and security program is a set of processes and tools that help an organization design, develop, test, deploy, and maintain secure and reliable applications, whether they are internally developed or acquired from external sources. An application development and security program should include the following components5 :

• Defining application security standards for internally developed applications: This component involves establishing and enforcing a set of security requirements and best practices for the applications developed by the organization, such as secure coding, testing, and deployment methodologies, security controls, and vulnerability management. This helps the organization ensure the confidentiality, integrity, and availability of its applications and data, and prevent or mitigate security breaches and incidents.
• Performing application security assessments for externally acquired applications: This component involves conducting security reviews and audits of the applications acquired from external sources, such as vendors, partners, or open source communities, before integrating them into the organization’s IT environment. This helps the organization identify and address any security risks, gaps, or weaknesses in the applications, and ensure compatibility and compliance with the organization’s security policies and standards.

References:

• ITAM: The ultimate guide to IT asset management
• IT asset management: 10 best practices for success
• Asset Management: The Five Core Components
• The Fundamentals of Asset Management
• Application Development and Security Program
• Application Security Best Practices

Shadow IT refers to the use of IT systems, services, or devices that are not authorized, approved, or supported by the official IT department. Shadow IT can pose significant risks to an organization’s data security, compliance, performance, and reputation. One of the main risks of shadow IT is that it often lacks governance and security oversight. This means that the shadow IT functions may not follow the established policies, standards, and best practices for IT management, such as data protection, access control, encryption, backup, patching, auditing, and reporting. This can expose the organization to various threats, such as data breaches, cyberattacks, malware infections, legal liabilities, regulatory fines, and reputational damage. Additionally, shadow IT can create operational inefficiencies, compatibility issues, duplication of efforts, and increased costs for the organization.

According to the web search results from the search_web tool, shadow IT is a common and growing phenomenon in many organizations, especially with the proliferation of cloud-based services and applications. Some of the articles suggest the following best practices for managing and mitigating shadow IT risks123:

• Performing SaaS assessments to proactively detect shadow IT
• Prioritizing user experience (UX) and providing support for integrating tools
• Streamlining user account and identity management
• Using operating systems and devices with which employees are comfortable
• Compromising and collaborating with users to minimize shadow IT risks
• Educating and training users on the security risks and consequences of shadow IT
• Establishing clear policies and guidelines for IT procurement and usage
• Creating a culture of trust and transparency between IT and business units

Therefore, the verified answer to the question is B. “Shadow IT" functions often lack governance and security oversight.

References:

• Shadow IT Explained: Risks & Opportunities - BMC Software
• Start reducing your organization’s Shadow IT risk in 3 steps
• What is shadow IT? - Article | SailPoint

The purpose of internal communications and information sharing using TPRM performance metrics is to inform and align the organization’s stakeholders on the status, progress, and outcomes of the TPRM program. This includes communicating the results of vendor assessments, the compliance level of the organization’s policies and procedures, and the periodic reporting to management and other relevant parties. However, documenting the corrective action plan between external parties is not an internal communication, but rather an external one. This is because the corrective action plan is a formal agreement between the organization and the vendor to address and resolve the issues identified in the assessment. Therefore, this statement is not an example of the purpose of internal communications and information sharing using TPRM performance metrics. References:

• 15 KPIs & Metrics to Measure the Success of Your TPRM Program
• Third-party risk management metrics: Best practices to enhance your program
• 3 Best Third-Party Risk Management Software Solutions (2024)

This statement is false because assessing risk impact does not require an analysis of prior events, frequency of occurrence, and external trends. These factors are relevant for assessing risk likelihood or probability, not impact. Risk impact is the potential consequence or damage that a risk event may cause to the organization or its stakeholders. Risk impact can be measured qualitatively (e.g., high, medium, low) or quantitatively (e.g., monetary value, percentage of revenue, number of customers affected). To assess risk impact, the organization needs to consider the nature and scope of the risk, the potential harm or loss, and the sensitivity or tolerance of the organization or its stakeholders to the risk. References:

• How to Manage and Measure Third-Party Risk, OneTrust Blog
• Third-party risk, Deloitte
• Assessing Risks in Third Parties, ERM - Enterprise Risk Management Initiative

Hybrid cloud is the cloud deployment model that is primarily used for load balancing. Load balancing is the process of distributing workloads and network traffic across multiple servers or resources to optimize performance, reliability, and scalability1. Load balancing can help prevent overloading or underutilizing any single server or resource, as well as improve fault tolerance and availability. Hybrid cloud is a mix of two or more different deployment models, such as public cloud, private cloud, or community cloud2. Hybrid cloud allows organizations to leverage the benefits of both public and private clouds, such as cost efficiency, scalability, security, and control3. Hybrid cloud can also enable load balancing across different cloud environments, depending on the demand, cost, and performance requirements of each workload. For example, an organization can use a private cloud for sensitive or mission-critical applications that require high security and performance, and a public cloud for less sensitive or variable applications that require more scalability and flexibility. By using a hybrid cloud, the organization can balance the load between the private and public clouds, and optimize the resource utilization and cost efficiency of each cloud.

The other cloud deployment models are not primarily used for load balancing, although they may have some load balancing capabilities within their own environments. Public cloud is the infrastructure that is shared by multiple tenants and open to the public. Anyone can use the public cloud by subscribing to it. Public cloud offers high scalability, elasticity, and cost-effectiveness, but may have lower security, privacy, and control than private cloud2. Community cloud is the infrastructure that is shared by similar consumers who collaborate to set up a cloud for their exclusive use. For example, government organizations can form a cloud for their exclusive use. Community cloud offers some benefits of both public and private clouds, such as shared costs, common standards, and enhanced security, but may have lower scalability and flexibility than public cloud2. Private cloud is the infrastructure that is for the exclusive use of a single organization. The cloud may or may not be operated by the organization. Private cloud offers high security, privacy, and control, but may have lower scalability, elasticity, and cost-effectiveness than public cloud2. References:

• 1: What is Load Balancing? | How Load Balancing Works | F5
• 2: The NIST Definition of Cloud Computing
• 3: What is Hybrid Cloud? | IBM
• : Hybrid Cloud Load Balancing - Kemp Technologies
• : [Hybrid Cloud Load Balancing: What You Need to Know - CloudHealth by VMware]

In the context of Third-Party Risk Management (TPRM) requirements within the Software Development Life Cycle (SDLC), a process for data destruction and disposal is not typically considered a key component. The primary focus within SDLC in TPRM is on ensuring secure software development practices, which includes maintaining artifacts to prove that SDLC gates are executed, conducting software security testing, and having processes in place for fixing security defects. While data destruction and disposal are important security considerations, they are generally associated with data lifecycle management and information security management practices rather than being integral to the SDLC process itself.

References:

• Best practices in secure software development, as outlined in frameworks like the Secure Software Development Framework (SSDF) by NIST, emphasize the importance of secure coding, vulnerability testing, and remediation processes rather than data disposal practices.
• The "Software Security Framework (SSF)" by the Open Web Application Security Project (OWASP) provides guidance on integrating security practices into the SDLC, focusing on areas like threat modeling, secure coding, and security testing.

A network access policy is a set of rules and conditions that define how authorized users and devices can access the network resources and services of an organization. It typically includes the following elements12:

• Firewall settings: These are the rules that control the incoming and outgoing network traffic based on the source, destination, protocol, and port of the packets. Firewall settings help to protect the network from unauthorized or malicious access, and to enforce the network security policy of the organization.
• Unauthorized device detection: This is the process of identifying and preventing unauthorized devices from accessing the network. Unauthorized devices can pose a security risk to the network, as they may not comply with the security standards and policies of the organization, or they may be compromised by malware or hackers. Unauthorized device detection can be done by using various methods, such as network access control (NAC), network admission control (NAC), or 802.1X authentication.
• Remote access: This is the ability of authorized users to access the network resources and services of the organization from a remote location, such as a home office, a hotel, or a public hotspot. Remote access can be provided by using various technologies, such as virtual private networks (VPNs), remote desktop services (RDS), or remote access services (RAS). Remote access requires a secure and reliable connection, and it must comply with the network access policy of the organization.
• Website privacy consent banners: These are the messages that appear on websites to inform the visitors about the use of cookies and other tracking technologies, and to obtain their consent for such use. Website privacy consent banners are part of the website privacy policy, which is a legal document that discloses how the website collects, uses, and protects the personal data of the visitors. Website privacy consent banners are not related to the network access policy of the organization, as they do not affect how the users and devices can access the network resources and services of the organization.

Therefore, the correct answer is C. Website privacy consent banners, as they are typically not included within the scope of an organization’s network access policy. References:

• 1: Network Policy Server (NPS) | Microsoft Learn
• 2: Network Access Policy | University Policies

For services with system-to-system access, ensuring sufficient time for quality assurance (QA) testing before implementing changes is crucial to reducing the risk of business disruption to the outsourcer. This requirement ensures that any modifications to the system are thoroughly vetted for potential issues that could impact the outsourcer's operations. QA testing allows for the identification and remediation of bugs, compatibility issues, and other potential problems that could lead to operational disruptions or security vulnerabilities. By allocating adequate time for QA testing, organizations can ensure that changes are fully functional and secure, thereby maintaining the integrity and availability of services provided to the outsourcer. This practice is aligned with industry standards for change management, which advocate for comprehensive testing and validation processes to ensure the reliability and stability of system changes.

References:

• Industry standards such as ITIL (Information Technology Infrastructure Library) emphasize the importance of thorough testing and validation within the change management process to minimize the risk of disruptions and ensure the smooth operation of services.
• Guides like "Managing Change in IT Outsourcing Arrangements: The TPRM Perspective" provide insights into best practices for change management in third-party relationships, including the critical role of QA testing in mitigating risks associated with system changes.

  Performance risk, defined as the risk that a third party may not be able to meet its obligations due to inadequate systems or processes, accurately describes the situation. This type of risk involves concerns about the third party's ability to deliver services or products at the required performance level, potentially due to limitations in their technology infrastructure, operational procedures, or management practices. Identifying and managing performance risk is essential in Third-Party Risk Management (TPRM) to ensure that third-party vendors can reliably meet contractual and service-level agreements, thereby minimizing the impact on the organization's operations and service delivery.

References:

• TPRM guidelines, such as those from the Office of the Comptroller of the Currency (OCC) and the Federal Financial Institutions Examination Council (FFIEC), highlight the importance of assessing and managing performance risks associated with third-party relationships.
• The "Third-Party Risk Management Guide" by ISACA discusses various types of risks, including performance risk, associated with engaging third-party service providers, emphasizing the need for thorough due diligence and ongoing monitoring.