CTPRP 無料問題集「Shared Assessments Certified Third-Party Risk Professional (CTPRP)」

（A）Assessing risk impact requires an analysis of prior events, frequency of occurrence, and external trends to analyze and predict the potential of a particular event happening

（B）Risk can be measured both qualitatively and quantitatively

（C）Risk likelihood or probability is a critical element in quantifying inherent or residual risk

（D）Risk can be quantified by calculating the severity of impact and likelihood of occurrence

（A）DLP programs define the consequences for non-compliance to policies

（B）DLP programs include acknowledgement the company can apply controls to remove any data

（C）DLP programs include the policy, tool configuration requirements, and processes for the identification, blocking or monitoring of data

（D）DLP programs define the required policies based on default tool configuration

（A）Personally identifiable financial information includes only consumer report information

（B）Personally Identifiable Information and Protected Healthcare Information require the exact same data protection safequards

（C）Personally identifiable information and personal data are similar in context, but may have different legal definitions based upon jurisdiction

（D）Public personal information includes only web or online identifiers

（A）Conducting customer performed penetration tests

（B）Reviewing the entity's image snapshot approval and management process

（C）Requiring compliance evidence that provides the definition of patching responsibilities

（D）Requiring security services documentation and audit attestation reports

（A）Type of network connectivity

（B）Type of contract addendum

（C）Type of data accessed, processed, or retained

（D）Type of systems accessed

（A）Record successful and unsuccessful attempts including investigation of unsuccessful access attempts

（B）Require multiple access controls for server rooms and data centers

（C）Include a process to trigger review of the logs after security events

（D）Require physical access logs to be retained indefinitely for audit purposes

（A）Before the application design and development activities begin

（B）After the application vulnerability or penetration test is completed

（C）After testing and before the deployment of the final code into production

（D）Prior to the execution of a contract with each client

（A）Update the vender inventory with the mew location information in order to schedule a reassessment

（B）inform the business unit and recommend that the company cease future work with the IT vendor due to company policy

（C）Notify management to approve an exception and ensure that contract provisions require prior
"notification and evidence of subcontractor due diligence

（D）Inform the business unit and ask the vendor to replace the subcontractor at their expense in "order to move the processing back to an approved country

（A）The program includes protocols for disclosure of information to external parties

（B）The program includes processes in support of disaster recovery

（C）The program includes the definition of internal escalation processes

（D）The program includes mechanisms for notification to clients

（A）Calculating the average time to remediate identified corrective actions

（B）logging the number of exceptions to existing due diligence standards

（C）Measuring the time spent by resources for task and corrective action plan completion

（D）Tracking the number of outstanding findings