COMPLETE QUESTIONS AND VERIFIED ANSWERS
◉ Vendor Risk Classification. Answer: The process of assessing and
categorizing the level of risk associated with a vendor based on
factors such as geographic location, data processing, and network
connectivity.
◉ Three Lines of Defense Model. Answer: A risk management
framework that delineates responsibilities among three layers: the
first line (risk owners), the second line (risk oversight or
specialization), and the third line (independent assurance).
◉ Subcontractor. Answer: A third party engaged by a vendor to
perform specific tasks or services as part of a larger contract, with
the subcontractor being subject to the same risk management and
compliance standards as the primary vendor.
◉ Vendor Questionnaire. Answer: A set of questions and inquiries
sent to vendors to gather information about their operations,
security practices, and compliance with relevant policies and
regulations.
◉ Fourth-Nth party risk. Answer: Refers to potential threats and
vulnerabilities associated with subcontractors, vendors, or service
providers of an organization's direct third-party partners.
◉ Subcontractor notice and approval. Answer: Type of contract
provision requiring third parties to inform the organization of
subcontracting arrangements and obtain consent before engaging
Fourth-Nth parties.
◉ Shadow IT. Answer: The use of IT technologies without formal
approval, posing security risks such as data breaches, compliance
violations, and network disruptions.
◉ Policies and procedures. Answer: Documents defining security
objectives, standards, roles, responsibilities, and processes to guide
security activities within an organization.
◉ Web Content Accessibility Guidelines (WCAG). Answer: Standards
aiming to make web content more accessible to people with
disabilities, not directly related to web application security.
◉ SANS Institute. Answer: A leading provider of cybersecurity
training and certification.