CPE Qualifying Assessment Module (1-7)


C3PRMP Qualifying Assessment - Modules (1-7)

1)

A performance curve in a third party contract that provides a significant increase in the value of incentive payouts following a relatively small increase in performance level is typically:

2)

Which of the following are particularly important for effective risk reporting for senior management?

3)

Which of the following is an example of a separation of duties?

4)

Management adopts and implements policies and procedures designed to promote both legal compliance and appropriate standards of honesty, integrity and ethics that are established by:

5)

What defines a company’s tolerance for accepting third party risks to ensure it is aligned with their Risk Appetite?

6)

The lifecycle of a third party relationship begins with identifying a business need that will be fulfilled by a third-party and ends with __________.

7)

What is the most efficient way to enable comprehensive third party risk reporting?

8)

The third party risk management framework should align with the corporate:

9)

An example of systemic third party Concentration Risk is:

10)

A Metric that determines which third party risks will be measured, how they will be measured, and the frequency of measurement is a:

11)

The simplest way to aggregate third party risks is to:

12)

A standard of comparison of third party risks that is comprised of definitions and rating levels that enable consistent interpretation by different constituencies is:

13)

Site visits are recommended for

14)

What is the most important lesson learned by the Equifax breach?

15)

To fulfill their fiduciary duties, boards must:

16)

Is a “one size fits all” approach to third party risk management effective?

17)

Cyber risk management is how precious assets, such as financial assets, re-saleable information and intellectual property, are protected from:

18)

Formally defining expectations and agreeing on specific requirements between your company and its third parties is which type of agreement?

19)

Which of the following is an intangible asset?

20)

What is the best course of action to determine the effectiveness of third party due diligence, evaluation, controls, processes and tools?

21)

“Tone at the Top” is a term that has been widely adopted to describe

22)

The primary responsibility of Internal Audit in disaster recovery planning is to

23)

What is the main lesson that can be learned from engaging with social media/traditional media?

24)

In which of the following scenarios is it not advisable to proceed with the third party relationship?

25)

An important contribution to third party risk management made by Internal Audit is to:

26)

To increase monitoring effectiveness, management should periodically rank third party relationships according to risk to determine:

27)

Which of these is often the weakest link in a company’s defenses?

28)

The third party relationship is “critical” to the company and/or the business if:

29)

Which of the following services is infrequently outsourced to a third party?

30)

Which type of controls could be imposed to offset deficiencies in the third party’s controls and/or immature risk management capabilities in the contracting business unit?

31)

When Internal Audit’s role extends beyond its core role/purpose, it should be:

32)

What does a company’s “Risk Tolerance” define?

33)

Which of the following is one of the most important benefits of a third-party risk management program?

34)

The most challenging “pane” to address in Johari’s Window is:

35)

The core role of Internal Audit in ERM is to:

36)

Unexpected events of such magnitude and consequence that they have a dominant role in history are called:

37)

For core functions, a Disaster Recovery Readiness Assessment Audit should be conducted

38)

Cyber criminals were most likely to unleash ransomware using:

39)

Ransomware is:

40)

A key indicator of third party information and cyber security risk is:

41)

A company's Risk Appetite is:

42)

What is one of the most serious outcomes of a serious third party cyber security breach?

43)

The type and amount of third party risk that remains after taking into consideration the strength of the third party’s control environment is called:

44)

Which type of risk is your company exposed to in the following case study?

“Your third party is left without electrical power as a result of a serious fire”

45)

The Internet of Things (“IoT”) is:

46)

Contract provisions should clearly state that the primary third party has accountability for:

47)

An important responsibility of third party risk oversight committees is a willingness to:

48)

FCPA is an acronym for:

49)

An analytical method that consists of an expert opinion of the likelihood of a risk event occurring based on a set of known variables that can be used to determine the probability of each risk event occurring is called:

50)

The type and amount of third party risk that your company assumes by entering in a relationship with a third party before evaluating the strength of the third party’s controls is called:

51)

The Financial Accounting Standards Board (FASB) recognizes the long-term value of intangible assets that have indefinite useful lives. How frequently should their value be tested for impairment?

52)

The findings from a completed Risk Control Self-Assessment (RCSA) can be used:

53)

A documented plan that defines the preferred course of action in the event of a serious business interruption or failure, where recovery by the third party is in serious doubt or not expected, is a

54)

U.S. Sarbanes-Oxley Act specifically stipulates that senior management has personal liability for:

55)

Systemic issues are:

56)

A best practice for business continuity management is:

57)

BIAs should consider:

58)

Which of the following is typically not in scope for third party cyber and information security due diligence?

59)

Inherent risk is ________________ the critical services delivered by the third party.

60)

What is a significant and recent change in practices related to oversight of third-party risk?

61)

A third party information security risk event is more likely to occur and has a higher impact than insurance risk, so would be given ____________ in a risk evaluation model.

62)

During third party due diligence, risk control experts should request

63)

Which of the following makes the greatest contribution to effective performance management of critical third parties?

64)

After implementing a third party risk management program, cycle time (the time it takes to complete third party due diligence, controls evaluation and contracting) is typically:

65)

In which stage of a third-party’s lifecycle do manufacturers typically excel?

66)

Deficiencies in the third party’s controls identified during due diligence may be mitigated by:

67)

In relative terms, getting a cold backup site and a hot backup site up and running will take

68)

“Governance practices may not be as critically dependent on direct expenditures as they are on the ability of management, boards, audit committees and internal auditors to work together to properly focus oversight attention, and larger banks have an edge in focusing that attention more efficiently.” Collectively, these practices are referred to as:

69)

The purpose of third party due diligence is to:

70)

During third party due diligence, requesting details of physical security controls, including for visitors and contractors, is:

71)

Risk-Based Authentication:

72)

A common challenge that companies face when creating methodologies that enable consistent interpretation of third party risk by different constituencies is

73)

What is a third-party risk management cost driver?

74)

The inter-related set of ISO standards for cyber and information security are specifically designed to:

75)

ISO 27001, a high-level framework, helps companies establish a set of Information Security Management Standards (ISMS) to guide development and implementation of a framework for managing the security of their information assets, including:

76)

Designating a high proportion of your company’s critical third party relationships as “high risk” results in

77)

Which of the following third party risk management activities is commonly performed by the 1st Line of Defense?

78)

A process that is useful for assessing third party risks and tying them back to strategic objectives is:

79)

A framework widely used by global companies to help them protect against, prepare for, respond to, and recover from disruptive incidents is:

80)

A disadvantage of qualitative assessments of third party risks is that it:

81)

To fulfill their responsibilities to customers, shareholders and the board, senior management must have:

82)

In the Cloud, identity management, security and compliance:

83)

If a third-party has access to your network or information assets, or if your company accesses a third-party’s services via their web-portal, consider negotiating contractual obligations that:

84)

A DDoS (Distributed Denial of Service) attack occurs when:

85)

How does mass digitization of records increase operational risk?

86)

The nature and depth of third party due diligence should be proportional with:

87)

An important characteristic of any critical third party relationship is:

88)

Your company has outsourced its call center to a third-party and they are changing telecom providers. What is the relationship your company has with the third party’s telecom provider?

89)

NPPI stands for:

90)

A structured, consistent and continuous framework across the whole organization for identifying, assessing and deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives is:

91)

An effective tool for providing assurance of compliance with policies, plans, procedures, laws, regulations and contracts is a:

92)

The best KRIs provide business leaders and risk managers with an opportunity to __________ significant third party risks that are expected to become incidents or losses, before they happen?

93)

Which is one of the most important responsibilities that senior management has to create and maintain a strong risk culture?

94)

The best defense against a successful Ransomware attack, one where the company has no feasible alternative to paying the hacker’s ransom, is:

95)

Internal Audit provides independent assurance to ________________ concerning the effectiveness of third party risk management and controls.

96)

Effective risk management, and therefore effective third-party risk management, is strongest in which type of corporate culture?

97)

Which type of third party risk is described in the following case study?

“One of your critical third party’s employees secretly recorded one of their senior executives harassing one of your customers, and the video went viral”

98)

At a minimum, well written information and cyber security policies should address:

99)

The BIA should identify:

100)

A Disaster Recovery Plan is a detailed description of:

101)

A copy of the third party’s ISO 22301 Certificate of Compliance that covers contracted services could be an efficient and effective substitute for:

102)

A risk management strategy where your company contracts with more than one third party to spread the risk may:

103)

A framework that helps define the role of the board and management, delineates duties and helps prevent duplicated efforts and the overlooking of critical issues is called a ____________ framework:

104)

The difference and relationship between assurance and other monitoring activities is clarified by the:

105)

To assess the potential impact a third party has on your company’s business resilience you should periodically review

106)

To be useful, risk taxonomy - a common language to identify, classify, understand and communicate risks - must be:

107)

A process/tool that focuses on specific events or processes, compares measures and results using common metrics, and identifies improvement opportunities is:

108)

In the event that one of your company’s third parties suffers a catastrophic failure, which course of action is often the least feasible?

109)

The risk thresholds that are aligned with each KRI should be clearly aligned with your company’s:

110)

Third party relationships are:

111)

The best type of back-up site for critical services, those that would have a high impact if there is an outage or serious interruption, is a:

112)

A Risk and Control Self-Assessment (RCSA) is:

113)

The most common source of vulnerability to a successful cyber-attack is:

114)

A third party relationship of such importance that a serious incident or failure would affect most or all of company operations and customers is typically referred to as:

115)

The weakest link in your company’s defensive perimeter is

116)

Trend analysis can identify opportunities:

117)

When assessing exposure to third party risk, which of the following assessments is subjective?

118)

Which Line of Defense owns the third party relationship and its risks?

119)

In-depth business continuity management risk assessments should be conducted for:

120)

Why are “point of sale” technologies especially vulnerable?

121)

Effective risk management, and therefore effective third-party risk management, is strongest in which type of corporate culture?

122)

Which Line of Defense is the domain of a company’s risk specialists?

123)

Requiring the third-party to outsource deficient services to another company

124)

Business lines should not approve their ______?

125)

Specific and measurable Service Level Agreements benefit:

126)

If the third party is unable to meet your company’s expectations and/or control requirements, possible next steps include:

127)

An information or cyber security event is:

128)

Which of the following is an indicator of strong incident management practices?

129)

In a weighted risk rating methodology, an important benefit of isolating criticality of the third party relationship is to:

130)

Tying compensation to the actions of employees and senior management should promote:

131)

How is a strong risk culture most effectively expressed within any company?

132)

Open and candid communications throughout the organization, clear lines of authority and responsibility and transparency are key elements of:

133)

What was the most likely cause of the possible damage to reputation or loss of public trust observed by Johnson & Johnson?

134)

The most challenging “pane” to address in Johari’s Window is:

135)

If it was permissible to record a critical third party relationship as an asset, what type of asset would it be?

136)

Due Diligence is which type of third party risk management tool?

137)

Which type of risk is your company exposed to in the following case study?

“Your third party’s senior leadership team is experiencing a period of rapid turnover”

138)

Value from any third party relationship is a function of:

139)

All companies need to define the goals and objectives related to Strategic, Financial, Reputational and Operational risk management. What is a common approach for accomplishing this?

140)

How are a company’s Risk Appetite and Risk Tolerances tied together?

141)

The most effective way to eliminate third party risks is to:

142)

Any serious misalignment between risk control functions, processes and risk taxonomy will:

143)

Third party vendor services are recorded as _______ on a company’s Income Statement?

144)

Third party risk that your company accepts after analyzing the third party’s controls over those risks is called:

145)

A core principle of “controllable” metrics in an effective Service Level Agreement is that:

146)

Risk assessment is often performed as a two-stage process. An initial screening of the risks and opportunities is performed using qualitative techniques followed by:

147)

The COSO Internal Control – Integrated Framework is used to:

148)

____________ third parties are out of scope for most third party risk management programs.

149)

What is the most important “lesson learned” from the story about “Larry’s Laptop”?

150)

What is the primary cause of privacy breaches?

151)

A “risk-centric” third party lifecycle management framework:

152)

The use of a cloud service provider typically means that:

153)

For greater clarity about the importance and risks of each relationship and easy comparison of risks across your portfolio of critical third party relationships, effective third party risk management programs separate third parties into Tiers, according to:

154)

Which function owns the third-party relationship and the risks?

155)

The nature and amount of residual risk in a third party relationship can only be determined when:

156)

Which one of the following is used to control third party risks?

157)

Using Johari’s window, in which “pane” would your company’s business requirements reside in a Request for Proposal for a new third party relationship?

158)

The primary role of the board is to:

159)

Which function(s) is responsible for establishing Tone at the Top?

160)

A client-specific business continuity or disaster recovery plan is:

161)

Another name for a “risk map” is a

162)

Collectively, the risk management responsibilities of senior management and the board are referred to as?

163)

What is the difference between an incident and an issue?

164)

Internal risk management controls within market-dominant third parties are always:

165)

The majority of companies that paid a ransom as a result of a Malware attack did not report the incident to law enforcement due to:

166)

In a well-designed RACI matrix, if there is more than one designated Responsible party for a specific task, there is a need to “zoom in” on further detail of the sub-process associated with “obtain resource commitment” to:

167)

A third party relationship is:

168)

Privacy laws are enacted to:

169)

Spyware is not used to:

170)

What is an important “lesson learned” from serious information security breaches experienced by large, reputable third parties?

171)

Actionable service-level agreements are primarily used to manage the third party’s:

172)

Computer viruses, worms, Trojan horses, ransomware, spyware, adware, and scareware are examples of:

173)

Transparency and predictability are key indicators of effective:

174)

The most effective cyber and information security due diligence is:

175)

Which step(s) in the third party lifecycle must be completed before risk experts can confidently define controls that are required for a critical third party?
