Shared Assessments CTPRP 問題集

質問 1：
Which of the following statements is FALSE about Data Loss Prevention Programs?
A. DLP programs include acknowledgement the company can apply controls to remove any data
B. DLP programs include the policy, tool configuration requirements, and processes for the identification, blocking or monitoring of data
C. DLP programs define the consequences for non-compliance to policies
D. DLP programs define the required policies based on default tool configuration
正解：D
解説: (Topexam メンバーにのみ表示されます)

質問 2：
Which statement is TRUE regarding a vendor's approach to Environmental, Social, and Governance (ESG) programs?
A. ESG expectations are driven by a company's executive team for internal commitments end not external entities
B. ESG requirements and programs may be directed by regulatory obligations or in response to company commitments
C. ESG obligations only apply to a company with publicly traded stocks
D. ESG commitments can only be measured qualitatively so it cannot be included in vendor due diligence standards
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 3：
Which statement is FALSE regarding analyzing results from a vendor risk assessment?
A. The frequency for conducting a vendor reassessment is defined by regulatory obligations
B. Risk assessment findings identified by controls testing or validation should map back to the information gathering questionnaire and agreed upon framework
C. Identifying findings from a vendor risk assessment can occur at any stage in the contract lifecycle
D. Findings from a vendor risk assessment may be defined at the entity level, and are based o na Specific topic or control
正解：A
解説: (Topexam メンバーにのみ表示されます)

質問 4：
Which of the following components is NOT typically included in external continuous monitoring solutions?
A. Alerts on legal and regulatory actions involving the vendor
B. Metrics that track SLAs for performance management
C. Reports that identify changes in vendor financial viability
D. Status updates on localized events based on geolocation
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 5：
The BEST way to manage Fourth-Nth Party risk is:
A. Include a provision in the vender contract requiring the vendor to provide notice and obtain written consent before outsourcing any service
B. Include a provision in the contract prohibiting the vendor from outsourcing any service which includes access to confidential data or systems
C. Incorporate notification and approval contract provisions for subcontracting that require evidence of due diligence as defined by a TPRM program
D. Require the vendor to maintain a cyber-insurance policy for any service that is outsourced which includes access to confidential data or systems
正解：C
解説: (Topexam メンバーにのみ表示されます)

質問 6：
Which of the following statements is TRUE regarding the accountabilities in a three lines of defense model?
A. The first line of defense is the risk or compliance team that provides an oversight or governance function
B. The third line of defense is an assurance function that has independence from the business unit
C. The third line of defense must be limited to an external assessment firm
D. The second line of defense is management within the business unit
正解：B
解説: (Topexam メンバーにのみ表示されます)

質問 7：
Which statement BEST describes the methods of performing due diligence during third party risk assessments?
A. interviewing subject matter experts or control owners, reviewing compliance artifacts, and validating controls
B. Reviewing status of findings from the questionnaire and defining remediation plans
C. Inspecting physical and environmental security controls by conducting a facility tour
D. Reviewing and assessing only the obligations that are specifically defined in the contract
正解：A
解説: (Topexam メンバーにのみ表示されます)