COMPLETE Q&A WITH ACCURATE ANSWERS
◉ outsourcer. Answer: the entity delegating a function to another
entity, or that is considering doing so
◉ outsourcer. Answer: the entity evaluating the risk posed by
obtaining services from another entity
◉ fourth party/subcontractor. Answer: an entity independent of and
directly performing tasks for the assessee being evaluated
◉ drivers for third party risk assessments. Answer: ISO 27002,
FFIEC Appendix, OCC Bulletins, FFIEC CAT Tool, PCI Data Security
Standard, NIST Cybersecurity Framework, HIPAA/HITECH, EU GDPR
◉ different names for third parties. Answer: Business Associate,
Service Provider, Processor, Person who provides support for the
internal operations of the Web site or online service, Third-Party
Service Provider
◉ Office of the Comptroller of the Currency (OCC) lifecycle
framework for third party risk. Answer: Planning, Due Diligence and
Third Party Selection, Contract Negotiation, Ongoing Monitoring,
Termination
◉ T/F - You can rely on contract requirements to satisfy regulatory
requirements for third parties. Answer: False - you must determine
the third party's ability to satisfy those requirements.
◉ T/F - It is possible to be subject to regulations from different
industry sectors. Answer: True - e.g., HIPAA and OFAC.
◉ T/F - Federal regulations always supersede state regulations.
Answer: False - in many instances state requirements may be more
stringent than federal.
◉ Audits should ensure compliance with: Answer: Corporate, Legal,
Regulatory, Industry requirements
◉ Risk Assessment and Treatment. Answer: Describes the vendor's
risk assessment program, and its maturity and operating
effectiveness.
◉ T/F - A risk assessment program should be approved by
management and communicated to all appropriate constituents.
Answer: True
◉ Different names for data. Answer: Protected Health Information,
Electronic Health Records, Personally Identifiable Financial
Information, Cardholder Data, Personal Data, Personal Information,
Consumer Financial Information
◉ Personally Identifiable Information (PII). Answer: any
information about an individual maintained by an agency, including
(1) any information that can be used to distinguish or trace an
individual's identity, such as name, or biometric records and (2) any
other information that is linked or linkable to an individual, such as
medical, educational, financial and employment information
◉ Basic PII. Answer: physical - last name, first name, phone numbers,
street address
◉ Sensitive PII. Answer: PII used in conjunction with basic PII (e.g.,
Social Security card, driver's license, DOB)
◉ Cardholder Data (CHD)/Payment Card Industry (PCI) data.
Answer: credit or debit card info that includes the Primary Account
Number (PAN), which is the payment card number (credit or debit)
that identifies the issuer and the particular cardholder account
◉ IaaS (Infrastructure as a Service). Answer: Organization
outsources the equipment used to support operations, including
storage, hardware, servers and networking components.