Shared Assessments Updated CTPRP Exam Questions and Answers by ewan

Scoping is a critical step in third party assessments, as it determines the scope and depth of the assessment based on the inherent risk, impact, and complexity of the vendor relationship. Scoping helps to ensure that the assessment is relevant, efficient, and consistent with the outsourcer’s risk appetite and objectives. Scoping also helps to avoid over or under assessing the vendor, which could result in unnecessary costs, delays, or gaps in risk management. Scoping is not a one-time activity, but rather an ongoing process that should be reviewed and updated throughout the vendor lifecycle. Scoping should be aligned with the outsourcer’s third party risk management framework and policies, and follow the best practices and guidelines provided by the Shared Assessments Program and other industry standards. References:

• 1: THIRD PARTY RISK MANAGEMENT TOOLKIT - Shared Assessments, pages 4-6
• 2: How Dynamic Scoping Can Improve Vendor Risk Assessments - ProcessUnity
• 3: Inherent Risk Tiering for Third-Party Vendor Assessments - MindPoint Group

Application whitelisting is a security technique that allows only authorized applications to run on a device or network, preventing malware or unauthorized software from executing. While this can be a useful security measure, it is not directly related to remote access risk evaluation, which focuses on the security of the connection and the access rights of the remote users. The other options are more relevant to remote access risk evaluation, as they help to monitor, control, and audit the remote access activities and prevent unauthorized or malicious access. References:

• 1: Secure Remote Access: Risks, Auditing, and Best Practices
• 2: 5 Common Vulnerabilities Associated With Remote Access

A network access policy is a set of rules and conditions that define how authorized users and devices can access the network resources and services of an organization. It typically includes the following elements12:

• Firewall settings: These are the rules that control the incoming and outgoing network traffic based on the source, destination, protocol, and port of the packets. Firewall settings help to protect the network from unauthorized or malicious access, and to enforce the network security policy of the organization.
• Unauthorized device detection: This is the process of identifying and preventing unauthorized devices from accessing the network. Unauthorized devices can pose a security risk to the network, as they may not comply with the security standards and policies of the organization, or they may be compromised by malware or hackers. Unauthorized device detection can be done by using various methods, such as network access control (NAC), network admission control (NAC), or 802.1X authentication.
• Remote access: This is the ability of authorized users to access the network resources and services of the organization from a remote location, such as a home office, a hotel, or a public hotspot. Remote access can be provided by using various technologies, such as virtual private networks (VPNs), remote desktop services (RDS), or remote access services (RAS). Remote access requires a secure and reliable connection, and it must comply with the network access policy of the organization.
• Website privacy consent banners: These are the messages that appear on websites to inform the visitors about the use of cookies and other tracking technologies, and to obtain their consent for such use. Website privacy consent banners are part of the website privacy policy, which is a legal document that discloses how the website collects, uses, and protects the personal data of the visitors. Website privacy consent banners are not related to the network access policy of the organization, as they do not affect how the users and devices can access the network resources and services of the organization.

Therefore, the correct answer is C. Website privacy consent banners, as they are typically not included within the scope of an organization’s network access policy. References:

• 1: Network Policy Server (NPS) | Microsoft Learn
• 2: Network Access Policy | University Policies

Multi-factor authentication (MFA) is an electronic authentication method that requires a user to present two or more pieces of evidence (or factors) to an authentication mechanism. The factors can be something the user knows (such as a password or a PIN), something the user has (such as a smartphone or a security token), or something the user is (such as a fingerprint or a facial recognition). MFA enhances the security of online accounts and applications by making it harder for attackers to gain access with stolen or guessed credentials. MFA is recommended as a best practice for third-party risk management, as it can reduce the risk of unauthorized access, data breaches, and identity theft. MFA is also a requirement for some regulatory standards and frameworks, such as PCI DSS, HIPAA, and NIST 800-63. References:

• What is: Multifactor Authentication
• Set up your Microsoft 365 sign-in for multi-factor authentication
• Multi-factor authentication - Wikipedia
• Shared Assessments CTPRP Study Guide, page 19
• Shared Assessments CTPRP Job Guide, page 14
• Best Practices Guidance for Third Party Risk, page 9