Shared Assessments Updated CTPRP Exam Questions and Answers by aadam

Incident response and incident notification are two related but distinct processes that organizations should follow when dealing with security incidents. Incident response is the process of identifying, containing, analyzing, eradicating, and recovering from security incidents, while incident notification is the process of communicating the relevant information about the incident to the appropriate internal and external stakeholders, such as senior management, regulators, customers, and media12.

Not all security incidents are security breaches, which are defined as unauthorized access to or disclosure of sensitive or confidential information that could result in harm to the organization or individuals3. A security incident may become a security breach based on the analysis of the impact, scope, and severity of the incident, as well as the applicable legal and regulatory requirements. When a security breach is confirmed or suspected, the organization should trigger its incident notification or crisis communication process, which should include the following elements:

• A clear definition of roles and responsibilities for notification and communication
• A list of internal and external stakeholders who need to be notified and their contact information
• A set of predefined templates and messages for different types of incidents and audiences
• A communication strategy and timeline that aligns with the incident response plan and the business continuity plan
• A feedback mechanism to monitor and measure the effectiveness of the communication and adjust as needed

Incident notification and communication are critical for managing the reputation, trust, and compliance of the organization, as well as for mitigating the potential legal, financial, and operational consequences of a security breach. References:

• 1: Incident Response Plan: Frameworks and Steps
• 2: A Guide to Incident Response Plans, Playbooks, and Policy
• 3: What is Incident Response? Plan and Steps
• : Incident Response and Breach Notification
• : Incident Response Communication: Best Practices
• : The Importance of Incident Response Communication

According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, the third party risk assessor’s role is to evaluate the design and operating effectiveness of the third party’s controls based on an industry framework, such as ISO, NIST, COBIT, or COSO1. The assessor’s role is not to provide an opinion on the effectiveness of controls, but rather to report the results of the evaluation in a factual and objective manner2. The assessor’s role is also to conduct discovery with subject matter experts to understand the control environment, to conduct discovery and validate responses from the risk assessment questionnaire by testing or validating controls, and to review compliance artifacts and identify potential control gaps based on evaluation of the presence of control attributes1. These are all true statements that describe the assessor’s role when conducting a controls evaluation using an industry framework.

References:

• 1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, page 29
• 2: What is a Third-Party Risk Assessment? — RiskOptics

Virtual assessments are a method of conducting third party risk assessments remotely, using various tools and techniques to collect and verify information about the third party’s controls, processes, and performance. Virtual assessments can be used to evaluate various risk domains, such as information security, privacy, resiliency, and compliance, depending on the scope and objectives of the assessment. Virtual assessments can also be used to complement or supplement onsite assessments, especially when travel or access restrictions are in place.

One of the key components of virtual assessments is the use of interviews with subject matter experts (SMEs) from the third party, who can provide insights and clarifications on the third party’s policies, procedures, practices, and evidence. Interviews can also be used to validate or confirm the understanding of key controls, and not just to review questionnaire responses. However, interviews are not the only way to perform controls evaluation and testing in virtual assessments. Other methods include:

• Requesting and reviewing documentation and artifacts from the third party, such as policies, standards, certifications, attestations, test results, audit reports, or incident logs, that demonstrate the implementation and effectiveness of the controls.
• Performing live or recorded demonstrations of the controls, such as showing how the third party monitors, detects, and responds to security incidents, or how the third party encrypts, backs up, and restores data.
• Using remote access tools or platforms, such as screen sharing, video conferencing, or web portals, to observe and verify the controls in action, such as checking the configuration settings, access rights, or patch levels of the third party’s systems or applications.
• Using independent or external sources of information, such as ratings, benchmarks, or feedback, to validate and compare the third party’s performance, compliance, or reputation.

Therefore, the statement that virtual assessments include using interviews with SMEs since controls evaluation and testing cannot be performed virtually is false, as there are other ways to perform controls evaluation and testing in virtual assessments, besides interviews.

References:

• 1: Shared Assessments, a leading provider of third party risk management solutions, offers a comprehensive guide for Certified Third Party Risk Professional (CTPRP) candidates, which covers the core concepts and best practices of third party risk management, including virtual assessments.
• 2: Schneider Downs, a professional services firm, provides a blog post on the best practices for conducting third party risk management virtual assessments, which includes the methods and steps for performing controls evaluation and testing remotely.
• 3: Shared Assessments, a leading provider of third party risk management solutions, offers a blog post on the value and challenges of virtual assessments, which includes the benefits and drawbacks of using interviews and other techniques for controls evaluation and testing.

Shadow IT refers to the use of IT systems, services, or devices that are not authorized, approved, or supported by the official IT department. Shadow IT can pose significant risks to an organization’s data security, compliance, performance, and reputation. One of the main risks of shadow IT is that it often lacks governance and security oversight. This means that the shadow IT functions may not follow the established policies, standards, and best practices for IT management, such as data protection, access control, encryption, backup, patching, auditing, and reporting. This can expose the organization to various threats, such as data breaches, cyberattacks, malware infections, legal liabilities, regulatory fines, and reputational damage. Additionally, shadow IT can create operational inefficiencies, compatibility issues, duplication of efforts, and increased costs for the organization.

According to the web search results from the search_web tool, shadow IT is a common and growing phenomenon in many organizations, especially with the proliferation of cloud-based services and applications. Some of the articles suggest the following best practices for managing and mitigating shadow IT risks123:

• Performing SaaS assessments to proactively detect shadow IT
• Prioritizing user experience (UX) and providing support for integrating tools
• Streamlining user account and identity management
• Using operating systems and devices with which employees are comfortable
• Compromising and collaborating with users to minimize shadow IT risks
• Educating and training users on the security risks and consequences of shadow IT
• Establishing clear policies and guidelines for IT procurement and usage
• Creating a culture of trust and transparency between IT and business units

Therefore, the verified answer to the question is B. “Shadow IT" functions often lack governance and security oversight.

References:

• Shadow IT Explained: Risks & Opportunities - BMC Software
• Start reducing your organization’s Shadow IT risk in 3 steps
• What is shadow IT? - Article | SailPoint