CPE Qualifying Assessment Module (1-7)


C3PRMP Qualifying Assessment - Modules (1-7)

1)

The Financial Accounting Standards Board (FASB) recognizes the long-term value of intangible assets that have indefinite useful lives. How frequently should their value be tested for impairment?

2)

Collectively, the risk management responsibilities of senior management and the board are referred to as?

3)

The lifecycle of a third party relationship begins with identifying a business need that will be fulfilled by a third-party and ends with __________.

4)

In the event that one of your company’s third parties suffers a catastrophic failure, which course of action is often the least feasible?

5)

Actionable service-level agreements are primarily used to manage the third party’s:

6)

How are a company’s Risk Appetite and Risk Tolerances tied together?

7)

What is a significant and recent change in practices related to oversight of third-party risk?

8)

Which type of controls could be imposed to offset deficiencies in the third party’s controls and/or immature risk management capabilities in the contracting business unit?

9)

Another name for a “risk map” is a

10)

Inherent risk is ________________ the critical services delivered by the third party.

11)

An arrangement in which your company and its third parties formally define expectations and agree on specific requirements is which type of agreement?

12)

A Disaster Recovery Plan is a detailed description of:

13)

The weakest link in your company’s defensive perimeter is

14)

A client-specific business continuity or disaster recovery plan is:

15)

If a third-party has access to your network or information assets, or if your company accesses a third-party’s services via their web-portal, consider negotiating contractual obligations that:

16)

Which of the following is typically not in scope for third party cyber and information security due diligence?

17)

Which of the following services is infrequently outsourced to a third party?

18)

Requiring the third-party to outsource deficient services to another company

19)

Which of the following is an indicator of strong incident management practices?

20)

For greater clarity about the importance and risks of each relationship and easy comparison of risks across your portfolio of critical third party relationships, effective third party risk management programs separate third parties into Tiers, according to:

21)

Which step(s) in the third party lifecycle must be completed before risk experts can confidently define controls that are required for a critical third party?

22)

An important responsibility of third party risk oversight committees is a willingness to:

23)

An important contribution to third party risk management made by Internal Audit is to:

24)

A DDoS (Distributed Denial of Service) attack occurs when:

25)

A copy of the third party’s ISO 22301 Certificate of Compliance that covers contracted services could be an efficient and effective substitute for:

26)

A Risk and Control Self-Assessment (RCSA) is:

27)

How is a strong risk culture most effectively expressed within any company?

28)

To be effective, a core principle of “controllable” metrics in an effective Service Level Agreement is that:

29)

Is a “one size fits all” approach to third party risk management effective?

30)

Which Line of Defense owns the third party relationship and its risks?

31)

To fulfill their responsibilities to customers, shareholders and the board, senior management must have:

32)

The BIA should identify:

33)

A third party information security risk event is more likely to occur and has a higher impact than insurance risk, so would be given ____________ in a risk evaluation model.

34)

The type and amount of third party risk that remains after taking into consideration the strength of the third party’s control environment is called:

35)

The primary responsibility of Internal Audit in disaster recovery planning is to

36)

Cyber risk management is how precious assets such as financial assets, and re-saleable information and intellectual property are protected from:

37)

When assessing exposure to third party risk, which of the following assessments is subjective?

38)

The third party risk management framework should align with the corporate:

39)

A third party relationship is:

40)

Which of the following third party risk management activities is commonly performed by the 1st Line of Defense?

41)

Which of these is often the weakest link in a company’s defenses?

42)

What is the main lesson that can be learned from engaging with social media/traditional media?

43)

If it was permissible to record a critical third party relationship as an asset, what type of asset would it be?

44)

The nature and amount of residual risk in a third party relationship can only be determined when:

45)

The risk thresholds that are aligned with each KRI should be clearly aligned with your company’s:

46)

At a minimum, well written information and cyber security policies should address:

47)

FCPA is an acronym for:

48)

For core functions, a Disaster Recovery Readiness Assessment Audit should be conducted

49)

Tying compensation to the actions of employees and senior management should promote:

50)

What defines a company’s tolerance for accepting third party risks to ensure it is aligned with their Risk Appetite?

51)

In the Cloud, identity management, security and compliance:

52)

“Governance practices may not be as critically dependent on direct expenditures as they are on the ability of management, boards, audit committees and internal auditors to work together to properly focus oversight attention, and larger banks have an edge in focusing that attention more efficiently.” Collectively, these practices are referred to as:

53)

Third party risk that your company accepts after analyzing the third party’s controls over those risks is called:

54)

Which function(s) is responsible for establishing Tone at Top?

55)

Using Johari’s window, in which “pane” would your company’s business requirements reside in a Request for Proposal for a new third party relationship?

56)

Your company has outsourced its call center to a third-party and they are changing telecom providers. What is the relationship your company has with the third party’s telecom provider?

57)

What does a company’s “Risk Tolerance” define?

58)

Contract provisions should clearly state that the primary third party has accountability for:

59)

The most common source of vulnerability to a successful cyber-attack is:

60)

“Tone at the Top” is a term that has been widely adopted to describe

61)

If the third party is unable to meet your company’s expectations and/or control requirements, possible next steps include:

62)

Effective risk management, and therefore effective third-party risk management, is strongest in which type of corporate culture?

63)

The simplest way to aggregate third party risks is to:

64)

After implementing a third party risk management program, cycle time (the time it takes to complete third party due diligence, controls evaluation and contracting) is typically:

65)

Risk-Based Authentication:

66)

A common challenge that companies face when creating methodologies that enable consistent interpretation of third party risk by different constituencies is

67)

Which Line of Defense is the domain of a company’s risk specialists?

68)

Which is one of the most important responsibilities that senior management has to create and maintain a strong risk culture?

69)

Site visits are recommended for

70)

Spyware is not used to:

71)

The COSO Internal Control – Integrated Framework is used to:

72)

The nature and depth of third party due diligence should be proportional with:

73)

To be useful, risk taxonomy (a common language to identify, classify, understand and communicate risks) must be:

74)

Privacy laws are enacted to:

75)

The most challenging “pane” to address in Johari’s Window is:

76)

A process that is useful for assessing third party risks and tying them back to strategic objectives is:

77)

“IoT”, the Internet of Things, refers to:

78)

The type and amount of third party risk that your company assumes by entering in a relationship with a third party before evaluating the strength of the third party’s controls is called:

79)

What is the primary cause of privacy breaches?

80)

Which type of risk is your company exposed to in the following case study?

“Your third party’s senior leadership team is experiencing a period of rapid turnover”

81)

The most effective cyber and information security due diligence is:

82)

Due Diligence is which type of third party risk management tool?

83)

The inter-related set of ISO standards for cyber and information security are specifically designed to:

84)

In a well-designed RACI matrix, if there is more than one designated Responsible party for a specific task, there is a need to “zoom in” to further detail on the sub-process associated with “obtain resource commitment” in order to:

85)

To increase monitoring effectiveness, management should periodically rank third party relationships according to risk to determine:

86)

Computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware are examples of:

87)

The use of a cloud service provider typically means that:

88)

Unexpected events of such magnitude and consequence that they have a dominant role in history are called:

89)

____________ third parties are out of scope for most third party risk management programs

90)

Which of the following is an intangible asset?

91)

Which of the following are particularly important for effective risk reporting for senior management?

92)

A Metric that determines which third party risks will be measured, how they will be measured, and the frequency of measurement is a:

93)

A documented plan that defines the preferred course of action in the event of a serious business interruption or failure, where recovery by the third party is in serious doubt or not expected, is a

94)

Internal risk management controls within market-dominant third parties are always:

95)

A standard of comparison of third party risks that is comprised of definitions and rating levels that enable consistent interpretation by different constituencies is:

96)

What is an important “lesson learned” from serious information security breaches experienced by large, reputable third parties?

97)

Internal Audit provides independent assurance to ________________ concerning the effectiveness of third party risk management and controls

98)

Why are “point of sale” technologies especially vulnerable?

99)

Third party relationships are:

100)

What is the difference between an incident and an issue?

101)

Which type of third party risk is described in the following case study?

“One of your critical third party’s employees secretly recorded one of their senior executives harassing one of your customers, and the video went viral”

102)

What is the most important “lesson learned” from the story about “Larry’s Laptop”?

103)

Designating a high proportion of your company’s critical third party relationships as “high risk” results in

104)

An information or cyber security event is:

105)

An effective tool for providing assurance of compliance with policies, plans, procedures, laws, regulations and contracts is a:

106)

Open and candid communications throughout the organization, clear lines of authority and responsibility and transparency are key elements of:

107)

The core role of Internal Audit in ERM is to:

108)

A structured, consistent and continuous framework across the whole organization for identifying, assessing and deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives is:

109)

Transparency and predictability are key indicators of effective:

110)

What is a third-party risk management cost driver?

111)

BIAs should consider:

112)

Which one of the following is used to control third party risks?

113)

In a weighted risk rating methodology, an important benefit of isolating criticality of the third party relationship is to:

114)

The findings from a completed Risk Control Self-Assessment (RCSA) can be used:

115)

A risk management strategy where your company contracts with more than one third party to spread the risk may:

116)

In-depth business continuity management risk assessments should be conducted for:

117)

To assess the potential impact a third party has on your company’s business resilience you should periodically review

118)

In which of the following scenarios is it not advisable to proceed with the third party relationship?

119)

The difference and relationship between assurance and other monitoring activities is clarified by the:

120)

The best defense against a successful Ransomware attack, one where the company has no feasible alternative to paying the hacker’s ransom, is:

121)

What is the most important lesson learned by the Equifax breach?

122)

Trend analysis can identify opportunities:

123)

U.S. Sarbanes-Oxley Act specifically stipulates that senior management has personal liability for:

124)

Which of the following makes the greatest contribution to effective performance management of critical third parties?

125)

In relative terms, getting a cold backup site and a hot backup site up and running will take

126)

What is one of the most serious outcomes of a serious third party cyber security breach?

127)

The majority of companies that paid a ransom as a result of a Malware attack did not report the incident to law enforcement due to:

128)

The primary role of the board is to:

129)

A key indicator of third party information and cyber security risk is:

130)

A performance curve in a third party contract that provides a significant increase in the value of incentive payouts following a relatively small increase in performance level is typically:

131)

An analytical method that consists of an expert opinion of the likelihood of a risk event occurring based on a set of known variables that can be used to determine the probability of each risk event occurring is called:

132)

Business lines should not approve their ______.

133)

A best practice for business continuity management is:

134)

The most challenging “pane” to address in Johari’s Window is:

135)

Effective risk management, and therefore effective third-party risk management, is strongest in which type of corporate culture?

136)

The best KRIs give business leaders and risk managers an opportunity to __________ significant third party risks that are expected to become incidents or losses, before they happen.

137)

What was the most likely cause for Johnson & Johnson to observe possible damage to their reputation or loss of public trust?

138)

Cyber criminals were most likely to unleash ransomware using:

139)

A third party relationship of such importance that a serious incident or failure would affect most or all of company operations and customers is typically referred to as:

140)

All companies need to define the goals and objectives related to Strategic, Financial, Reputational and Operational risk management. What is a common approach for accomplishing this?

141)

The most effective way to eliminate third party risks is to:

142)

Which function owns the third-party relationship and the risks?

143)

A company's Risk Appetite is:

144)

Ransomware is:

145)

To fulfill their fiduciary duties, boards must:

146)

Which of the following is an example of a separation of duties?

147)

During third party due diligence, requesting details of physical security controls, including for visitors and contractors, is:

148)

The third party relationship is “critical” to the company and/or the business if:

149)

Which type of risk is your company exposed to in the following case study?

“Your third party is left without electrical power as a result of a serious fire”

150)

A “risk-centric” third party lifecycle management framework:

151)

Systemic issues are:

152)

The purpose of third party due diligence is to:

153)

NPPI stands for:

154)

Risk assessment is often performed as a two-stage process. An initial screening of the risks and opportunities is performed using qualitative techniques followed by:

155)

A framework widely used by global companies to help them protect against, prepare for, respond to, and recover from disruptive incidents is:

156)

An important characteristic of any critical third party relationship is:

157)

Third party vendor services are recorded as _______ on a company’s Income Statement.

158)

Specific and measurable Service Level Agreements benefit:

159)

Which of the following is one of the most important benefits of a third-party risk management program?

160)

During third party due diligence, risk control experts should request

161)

How does mass digitization of records increase operational risk?

162)

What is the best course of action to determine the effectiveness of third party due diligence, evaluation, controls, processes and tools?

163)

The best type of back-up site for critical services, those that would have a high impact if there is an outage or serious interruption is a:

164)

What is the most efficient way to enable comprehensive third party risk reporting?

165)

Management adopts and implements policies and procedures designed to promote both legal compliance and appropriate standards of honesty, integrity and ethics that are established by:

166)

A framework that helps define the role of the board and management, delineates duties and helps prevent duplicated efforts and the overlooking of critical issues is called a ____________ framework:

167)

A disadvantage of qualitative assessments of third party risks is that it:

168)

An example of systemic third party Concentration Risk is:

169)

In which stage of a third-party’s lifecycle do manufacturers typically excel?

170)

ISO 27001, a high-level framework, helps companies establish a set of Information Security Management Standards (ISMS) to guide development and implementation of a framework for managing the security of their information assets, including:

171)

A process/tool that focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities is:

172)

Any serious misalignment between risk control functions, processes and risk taxonomy will:

173)

When Internal Audit’s role extends beyond its core role/purpose, it should be:

174)

Deficiencies in the third party’s controls identified during due diligence may be mitigated by:

175)

Value from any third party relationship is a function of:
