Shared Assessments CTPRP Exam Questions

A well-defined third party risk management program does not require conducting onsite or virtual assessments for all third parties, as this would be impractical, costly, and inefficient. Instead, a TPRM program should adopt a risk-based approach to determine the frequency, scope, and depth of assessments based on the inherent and residual risks posed by each third party. This means that some third parties may require more frequent and comprehensive assessments than others, depending on factors such as the nature, scope, and criticality of their services, the sensitivity and volume of data they access or process, the regulatory and contractual obligations they must comply with, and the results of previous assessments and monitoring activities. A risk-based approach to assessments allows an organization to allocate its resources and efforts more effectively and efficiently, while also ensuring that the most significant risks are adequately addressed and mitigated.Reference:

Shared Assessments,CTPRP Job Guide, page 9: ''The frequency, scope, and depth of assessments should be determined by the inherent and residual risks posed by each third party.''

OneTrust, [What is Third-Party Risk Management?]: ''A risk-based approach to third-party risk management means that you prioritize your efforts and resources based on the level of risk each vendor poses to your organization.''

[Deloitte], [Third Party Risk Management: Managing Risk]: ''A risk-based approach to third-party risk management helps organizations prioritize their efforts and resources based on the level of risk each third party poses to the organization.''

In the 'Defense in Depth' security model, the innermost layer typically focuses on protecting the most sensitive and critical assets, which are often categorized as 'Private internal'. This layer includes security controls and measures that are designed to safeguard the core, confidential aspects of an organization's infrastructure and data. It encompasses controls such as access controls, encryption, and monitoring of sensitive systems and data to prevent unauthorized access and ensure data integrity and confidentiality. The 'Private internal' layer is crucial for maintaining the security of critical information and systems that are essential to the organization's operations and could have the most significant impact if compromised. Implementing robust security measures at this layer is vital for mitigating risks associated with physical access to critical infrastructure and sensitive information.

Security frameworks and standards, including NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and the SANS Institute's guidelines on implementing 'Defense in Depth', provide detailed recommendations on securing the innermost layers of an organization's information systems.

Publications such as 'Physical Security Principles' by ASIS International offer insights into best practices for securing the private internal layer, including access control systems, surveillance, and intrusion detection mechanisms.

Web content accessibility guidelines (WCAG) are a set of standards that aim to make web content more accessible to people with disabilities, such as visual, auditory, cognitive, or motor impairments. While WCAG is a good practice for web development and usability, it is not directly related to web application security. WCAG does not address the common security risks that web applications face, such as injection, broken authentication, misconfiguration, or vulnerable components. Therefore, adhering to WCAG is not a method of securing web applications, unlike the other options.Reference:

4: OWASP Top 10, a standard awareness document for web application security, lists the most critical security risks to web applications and provides best practices to prevent or mitigate them.

5: SANS Institute, a leading provider of cybersecurity training and certification, offers a security checklist for web application technologies (SWAT) that covers best practices for error handling, data protection, configuration, authentication, session management, input and output handling, and access control.

6: Built In, a platform for tech professionals, provides 13 web application security best practices, such as using a web application firewall, keeping track of APIs, enforcing expected application behaviors, and following the OWASP Top 10.

Shadow IT is the use and management of any IT technologies, solutions, services, projects, and infrastructure without formal approval and support of internal IT departments. Shadow IT can pose significant security risks to the organization, such as data breaches, compliance violations, malware infections, or network disruptions. Therefore, assessing and mitigating the risk of shadow IT is an essential part of organizational security.

One of the most important factors when assessing the risk of shadow IT is whether the organization maintains adequate policies and procedures that communicate required controls for security functions. Policies and procedures are the documents that define the organization's security objectives, standards, roles, responsibilities, and processes. They provide guidance and direction for the organization's security activities, such as risk assessment, vendor management, incident response, data protection, access control, etc. They also establish the expectations and requirements for the organization's employees, vendors, and other stakeholders regarding the use and management of IT resources.

By maintaining adequate policies and procedures that communicate required controls for security functions, the organization can:

Educate and inform its employees about the security risks and implications of shadow IT, and the benefits and advantages of using authorized and supported IT resources.

Establish and enforce clear and consistent rules and boundaries for the use and management of IT resources, and the consequences and penalties for violating them.

Monitor and audit the compliance and performance of its employees, vendors, and other stakeholders regarding the use and management of IT resources, and identify and address any deviations or issues.

Review and update its policies and procedures regularly, and communicate any changes or updates to its employees, vendors, and other stakeholders.

By doing so, the organization can reduce the likelihood and impact of shadow IT, and increase the visibility and accountability of its IT environment. The organization can also foster a culture of security awareness and responsibility among its employees, vendors, and other stakeholders, and encourage them to report and resolve any shadow IT incidents or problems.

The other factors, such as the organization's security training and certification, staffing levels, and resources and investment, are also relevant for assessing the risk of shadow IT, but they are not as important as the organization's policies and procedures. Security training and certification can help the organization's security personnel to acquire and maintain the necessary skills and knowledge to deal with shadow IT, but they do not address the root causes or motivations of shadow IT. Staffing levels can affect the organization's ability to detect and respond to shadow IT, but they do not prevent or deter shadow IT from occurring. Resources and investment can enable the organization to provide adequate and appropriate IT resources to its employees, vendors, and other stakeholders, but they do not guarantee the satisfaction or compliance of those parties.Reference:

:Shadow IT Explained: Risks & Opportunities - BMC Software

:What is Shadow IT? | IBM

:Shadow IT: What Are the Risks and How Can You Mitigate Them? - Ekran System

: Policies and Procedures - Shared Assessments

A BCP or IT DR plan is a set of procedures and actions that an organization takes to ensure the continuity and recovery of its critical business functions and IT systems in the event of a disruption.A BCP or IT DR plan typically covers the following aspects12:

Identification and prioritization of critical business functions and IT systems

Assessment and mitigation of risks and threats to the organization

Allocation and mobilization of resources and personnel

Communication and coordination with internal and external stakeholders

Testing and updating of the plan

Among the four examples of a response to external environmental factors, protocols for social media channels and PR communication are the least likely to be managed directly within the BCP or IT DR plan. This is because social media and PR communication are not critical business functions or IT systems that need to be restored or maintained during a disruption.They are rather supplementary tools that can be used to inform and engage with the public, customers, partners, and media about the organization's situation and actions3. Therefore, protocols for social media and PR communication are more likely to be part of a crisis communication plan, which is a separate but related document that outlines the strategies and tactics for communicating with various audiences during a crisis.

The other three examples are more likely to be managed directly within the BCP or IT DR plan, as they directly affect the organization's ability to perform its critical business functions and IT systems. For instance, a response to a natural or man-made disruption would involve activating the BCP or IT DR plan, assessing the impact and extent of the damage, deploying backup and recovery solutions, and restoring normal operations as soon as possible. A response to a dependency on key employee or supplier issues would involve identifying and managing the single points of failure, implementing contingency plans, and ensuring the availability and redundancy of essential skills and resources. A response to a large scale illness or health outbreak would involve implementing health and safety measures, enabling remote work arrangements, and ensuring the resilience and continuity of the workforce.Reference:

Business continuity vs. disaster recovery: Which plan is right ... - IBM

Business Continuity vs Disaster Recovery: What's The Difference?

Disaster recovery plan vs. business continuity plan: Is there a difference?

[Crisis Communication Plan: A PR Blue Print by Sandra K. Clawson Freeo]

[Disaster Recovery Planning (DRP) | Business Continuity Plan (BCP) | Disaster Recovery Journal]

[Managing Third Party Risk in a Disrupted World]

[Business Continuity Planning for a Pandemic]