Question 1

When defining due diligence requirements for the set of vendors that host web applications which of thefollowing is typically NOT part of evaluating the vendor's patchmanagement controls?

Options :

A : The capability of the vendor to apply priority patching of high-risk systems

B : Established procedures for testing of patches, service packs, and hot fixes prior to installation

C : A documented process to gain approvals for use of open source applications

D : The existence of a formal process for evaluation and prioritization of known vulnerabilities

Answer: C

Question 2

Which of the following factors is LEAST likely to trigger notification obligations in incident response?

Options :

A : Regulatory requirements

B : Data classification or sensitivity

C : Encryption of data

D : Contractual terms

Answer: C

Question 3

Which requirement is the MOST important for managing risk when the vendor contract terminates?

Options :

A : The responsibility to perform a financial review of outstanding invoices

B : The commitment to perform a final assessment based upon due diligence standards

C : The requirement to ensure secure data destruction and asset return

D : The obligation to define contract terms for transition services

Answer: C

Question 4

Which factor is MOST important when scoping assessments of cloud-based third parties that access, process, and retain personal data?

Options :

A : The geographic location of the vendor-s outsourced datacenters since assessments are only required for international data transfers

B : The identification of the type of cloud hosting deployment or service model in order to confirm responsibilities between the third party and the cloud hosting provider

C : The definition of requirements for backup capabilities for power generation and redundancy in the resilience plan

D : The contract terms for the configuration of the environment which may prevent conducting the assessment

Answer: B

Question 5

Which statement is TRUE regarding the use of questionnaires in third party risk assessments?

Options :

A : The total number of questions included in the questionnaire assigns the risk tier

B : Questionnaires are optional since reliance on contract terms is a sufficient control

C : Assessment questionnaires should be configured based on the risk rating and type of service being evaluated

D : All topic areas included in the questionnaire require validation during the assessment

Answer: C

Free CTPRP Mock Exam – Practice Online Confidently

Buying Options: