CPE Qualifying Assessment Module (1-7)



C3PRMP Qualifying Assessment - Modules (1-7)

1) Unexpected events of such magnitude and consequence that they have a dominant role in history are called:

2) Which function owns the third-party relationship and the risks?

3) For greater clarity about the importance and risks of each relationship and easy comparison of risks across your portfolio of critical third party relationships, effective third party risk management programs separate third parties into Tiers, according to:

4) A process that is useful for assessing third party risks and tying them back to strategic objectives is:

5) Which of the following is an example of a separation of duties?

6) The risk thresholds that are aligned with each KRI should be clearly aligned with your company’s:

7) The nature and depth of third party due diligence should be proportional with:

8) A third party information security risk event is more likely to occur and has a higher impact than insurance risk, so would be given ____________ in a risk evaluation model.

9) During third party due diligence, risk control experts should request

10) ____________ third parties are out of scope for most third party risk management programs

11) Value from any third party relationship is a function of:

12) ISO 27001, a high-level framework, helps companies establish a set of Information Security Management Standards (ISMS) to guide development and implementation of a framework for managing the security of their information assets, including:

13) Site visits are recommended for

14) A copy of the third party’s ISO 22301 Certificate of Compliance that covers contracted services could be an efficient and effective substitute for:

15) The primary responsibility of Internal Audit in disaster recovery planning is to

16) A “risk-centric” third party lifecycle management framework:

17) Deficiencies in the third party’s controls identified during due diligence may be mitigated by:

18) An agreement between your company and its third parties that formally defines expectations and specific requirements is which type of agreement?

19) The most challenging “pane” to address in Johari’s Window is:

20) The Financial Accounting Standards Board (FASB) recognizes the long-term value of intangible assets that have indefinite useful lives. How frequently should their value be tested for impairment?

21) Due Diligence is which type of third party risk management tool?

22) Which of the following is an indicator of strong incident management practices?

23) Trend analysis can identify opportunities:

24) A DDoS (Distributed Denial of Service) attack occurs when:

25) Why are “point of sale” technologies especially vulnerable?

26) How does mass digitization of records increase operational risk?

27) A process/tool that focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities is:

28) A company's Risk Appetite is:

29) What does a company’s “Risk Tolerance” define?

30) A client-specific business continuity or disaster recovery plan is:

31) Effective risk management, and therefore effective third-party risk management, is strongest in which type of corporate culture?

32) “Governance practices may not be as critically dependent on direct expenditures as they are on the ability of management, boards, audit committees and internal auditors to work together to properly focus oversight attention, and larger banks have an edge in focusing that attention more efficiently.” Collectively, these practices are referred to as:

33) What is the best course of action to determine the effectiveness of third party due diligence, evaluation, controls, processes and tools?

34) An effective tool for providing assurance of compliance with policies, plans, procedures, laws, regulations and contracts is a:

35) In accounting, third party vendor services are recorded as _______ on a company’s Income Statement.

36) Which type of risk is your company exposed to in the following case study?

“Your third party is left without electrical power as a result of a serious fire”

37) Management adopts and implements policies and procedures designed to promote both legal compliance and appropriate standards of honesty, integrity and ethics that are established by:

38) How are a company’s Risk Appetite and Risk Tolerances tied together?

39) The most challenging “pane” to address in Johari’s Window is:

40) How is a strong risk culture most effectively expressed within any company?

41) What was the most likely cause for Johnson & Johnson to observe possible damage to their reputation or loss of public trust?

42) Which type of risk is your company exposed to in the following case study?

“Your third party’s senior leadership team is experiencing a period of rapid turnover”

43) The best type of back-up site for critical services, those that would have a high impact if there is an outage or serious interruption, is a:

44) Contract provisions should clearly state that the primary third party has accountability for:

45) To be effective, a core principle of “controllable” metrics in an effective Service Level Agreement is that:

46) What is the primary cause of privacy breaches?

47) When Internal Audit’s role extends beyond its core role/purpose, it should be:

48) Which type of controls could be imposed to offset deficiencies in the third party’s controls and/or immature risk management capabilities in the contracting business unit?

49) What is a third-party risk management cost driver?

50) The weakest link in your company’s defensive perimeter is

51) Cyber risk management is how precious assets such as financial assets, and re-saleable information and intellectual property are protected from:

52) What is the main lesson that can be learned from engaging with social media/traditional media?

53) In the event that one of your company’s third parties suffers a catastrophic failure, which course of action is often the least feasible?

54) Risk-Based Authentication:

55) Privacy laws are enacted to:

56) An important characteristic of any critical third party relationship is:

57) For core functions, a Disaster Recovery Readiness Assessment Audit should be conducted

58) Third party relationships are:

59) What is the difference between an incident and an issue?

60) What is an important “lesson learned” from serious information security breaches experienced by large, reputable third parties?

61) Systemic issues are:

62) A Metric that determines which third party risks will be measured, how they will be measured, and the frequency of measurement is a:

63) In relative terms, getting a cold back-up site and a hot back-up site up and running will take

64) In which stage of a third-party’s lifecycle do manufacturers typically excel?

65) U.S. Sarbanes-Oxley Act specifically stipulates that senior management has personal liability for:

66) All companies need to define the goals and objectives related to Strategic, Financial, Reputational and Operational risk management. What is a common approach for accomplishing this?

67) The simplest way to aggregate third party risks is to:

68) Which of the following is one of the most important benefits of a third-party risk management program?

69) Which Line of Defense is the domain of a company’s risk specialists?

70) A third party relationship is:

71) The use of a cloud service provider typically means that:

72) The type and amount of third party risk that remains after taking into consideration the strength of the third party’s control environment is called:

73) When assessing exposure to third party risk, which of the following assessments is subjective?

74) To assess the potential impact a third party has on your company’s business resilience you should periodically review

75) What is one of the most serious outcomes of a serious third party cyber security breach?

76) The inter-related set of ISO standards for cyber and information security are specifically designed to:

77) An information or cyber security event is:

78) What is a significant and recent change in practices related to oversight of third-party risk?

79) Business line should not approve their ______?

80) A key indicator of third party information and cyber security risk is:

81) “IoT”, the Internet of Things, are:

82) After implementing a third party risk management program, cycle time - the time it takes to complete third party due diligence, controls evaluation and contracting - is typically:

83) In-depth business continuity management risk assessments should be conducted for:

84) Which type of third party risk is described in the following case study?

“One of your critical third party’s employees secretly recorded one of their senior executives harassing one of your customers, and the video went viral”

85) Requiring the third-party to outsource deficient services to another company

86) A best practice for business continuity management is:

87) A third party relationship of such importance that a serious incident or failure would affect most or all of company operations and customers is typically referred to as:

88) The BIA should identify:

89) A Disaster Recovery Plan is a detailed description of:

90) Which of these is often the weakest link in a company’s defenses?

91) Risk assessment is often performed as a two-stage process. An initial screening of the risks and opportunities is performed using qualitative techniques followed by:

92) If it was permissible to record a critical third party relationship as an asset, what type of asset would it be?

93) The third party relationship is “critical” to the company and/or the business if:

94) Internal Audit provides independent assurance to ________________ concerning the effectiveness of third party risk management and controls

95) The primary role of the board is to:

96) Collectively, the risk management responsibilities of senior management and the board are referred to as?

97) Which Line of Defense owns the third party relationship and its risks?

98) A Risk and Control Self-Assessment (RCSA) is:

99) A common challenge that companies face when creating methodologies that enable consistent interpretation of third party risk by different constituencies is

100) An important contribution to third party risk management made by Internal Audit is to:

101) A performance curve in a third party contract that provides a significant increase in the value of incentive payouts following a relatively small increase in performance level is typically:

102) Specific and measurable Service Level Agreements benefit:

103) Designating a high proportion of your company’s critical third party relationships as “high risk” results in

104) Which of the following is typically not in scope for third party cyber and information security due diligence?

105) A risk management strategy where your company contracts with more than one third party to spread the risk may:

106) Spyware is not used to:

107) What is the most efficient way to enable comprehensive third party risk reporting?

108) To fulfill their fiduciary duties, boards must:

109) The most common source of vulnerability to a successful cyber-attack is:

110) Internal risk management controls within market-dominant third parties are always:

111) The core role of Internal Audit in ERM is to:

112) If the third party is unable to meet your company’s expectations and/or control requirements, possible next steps include:

113) A disadvantage of qualitative assessments of third party risks is that it:

114) Using Johari’s window, in which “pane” would your company’s business requirements reside in a Request for Proposal for a new third party relationship?

115) Any serious misalignment between risk control functions, processes and risk taxonomy will:

116) BIAs should consider:

117) Which function(s) is responsible for establishing Tone at Top?

118) Is a “one size fits all” approach to third party risk management effective?

119) The most effective way to eliminate third party risks is to:

120) The best KRIs provide business leaders and risk managers with an opportunity to __________ significant third party risks that are expected to become incidents or losses, before they happen.

121) Your company has outsourced its call center to a third-party and they are changing telecom providers. What is the relationship your company has with the third party’s telecom provider?

122) Transparency and predictability are key indicators of effective:

123) Which of the following is an intangible asset?

124) A documented plan that defines the preferred course of action in the event of a serious business interruption or failure, where recovery by the third party is in serious doubt or not expected, is a

125) A framework widely used by global companies to help them protect against, prepare for, respond to, and recover from disruptive incidents is:

126) To be useful, risk taxonomy - a common language to identify, classify, understand and communicate risks - must be:

127) Which step(s) in the third party lifecycle must be completed before risk experts can confidently define controls that are required for a critical third party?

128) In which of the following scenarios is it not advisable to proceed with the third party relationship?

129) An important responsibility of third party risk oversight committees is a willingness to:

130) Another name for a “risk map” is a

131) The lifecycle of a third party relationship begins with identifying a business need that will be fulfilled by a third-party and ends with __________.

132) Which of the following services is infrequently outsourced to a third party?

133) What defines a company’s tolerance for accepting third party risks to ensure it is aligned with their Risk Appetite?

134) During third party due diligence, requesting details of physical security controls, including for visitors and contractors, is:

135) A standard of comparison of third party risks that is comprised of definitions and rating levels that enable consistent interpretation by different constituencies is:

136) The difference and relationship between assurance and other monitoring activities is clarified by the:

137) If a third-party has access to your network or information assets, or if your company accesses a third-party’s services via their web-portal, consider negotiating contractual obligations that:

138) NPPI stands for:

139) Inherent risk is ________________ the critical services delivered by the third party.

140) Tying compensation to the actions of employees and senior management should promote:

141) Open and candid communications throughout the organization, clear lines of authority and responsibility and transparency are key elements of:

142) The purpose of third party due diligence is to:

143) In a weighted risk rating methodology, an important benefit of isolating criticality of the third party relationship is to:

144) “Tone at the Top” is a term that has been widely adopted to describe

145) At a minimum, well written information and cyber security policies should address:

146) The nature and amount of residual risk in a third party relationship can only be determined when:

147) Which of the following makes the greatest contribution to effective performance management of critical third parties?

148) Which of the following are particularly important for effective risk reporting for senior management?

149) An example of systemic third party Concentration Risk is:

150) Actionable service-level agreements are primarily used to manage the third party’s:

151) FCPA is an acronym for:

152) The type and amount of third party risk that your company assumes by entering into a relationship with a third party before evaluating the strength of the third party’s controls is called:

153) Which is one of the most important responsibilities that senior management has to create and maintain a strong risk culture?

154) In a well-designed RACI matrix, if there is more than one designated Responsible party for a specific task, there is a need to “zoom in” on further detail of the sub-process associated with “obtain resource commitment” to:

155) The findings from a completed Risk Control Self-Assessment (RCSA) can be used:

156) To increase monitoring effectiveness, management should periodically rank third party relationships according to risk to determine:

157) Third party risk that your company accepts after analyzing the third party’s controls over those risks is called:

158) What is the most important lesson learned from the Equifax breach?

159) Effective risk management, and therefore effective third-party risk management, is strongest in which type of corporate culture?

160) Which one of the following is used to control third party risks?

161) A framework that helps define the role of the board and management, delineates duties and helps prevent duplicated efforts and the overlooking of critical issues is called a ____________ framework:

162) In the Cloud, identity management, security and compliance:

163) Ransomware is:

164) The best defense against a successful Ransomware attack, one where the company has no feasible alternative to paying the hacker’s ransom, is:

165) To fulfill their responsibilities to customers, shareholders and the board, senior management must have:

166) Cyber criminals were most likely to unleash ransomware using:

167) The COSO Internal Control – Integrated Framework is used to:

168) Which of the following third party risk management activities is commonly performed by the 1st Line of Defense?

169) The majority of companies that paid a ransom as a result of a Malware attack did not report the incident to law enforcement due to:

170) The most effective cyber and information security due diligence is:

171) Computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware are examples of:

172) The third party risk management framework should align with the corporate:

173) A structured, consistent and continuous framework across the whole organization for identifying, assessing and deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives is:

174) What is the most important “lesson learned” from the story about “Larry’s Laptop”?

175) An analytical method that consists of an expert opinion of the likelihood of a risk event occurring based on a set of known variables that can be used to determine the probability of each risk event occurring is called:
