Question 1

Which statement is TRUE regarding the use of questionnaires in third party risk assessments?

Options :

A : The total number of questions included in the questionnaire assigns the risk tier

B : Questionnaires are optional since reliance on contract terms is a sufficient control

C :

Assessment questionnaires should be configured based on the risk rating and type of service being evaluated

D : All topic areas included in the questionnaire require validation during the assessment

Answer: C

Question 2

Which of the following statements is FALSE about Data Loss Prevention Programs?

Options :

A :

DLP programs include the policy, tool configuration requirements, and processes for the identification, blocking or monitoring of data

B : DLP programs define the consequences for non-compliance to policies

C : DLP programs define the required policies based on default tool configuration

D : DLP programs include acknowledgement the company can apply controls to remove any data

Answer: C

Question 3

Which statement is FALSE regarding the primary factors in determining vendor risk classification?

Options :

A : The geographic area where the vendor is located may trigger specific regulatory obligations

B : The importance to the outsourcer-s recovery objectives may trigger a higher risk tier

C :

The type and volume of personal data processed may trigger a higher risk rating based on the criticality of the systems

D :

Network connectivity or remote access may trigger a higher vendor risk classification only for third parties that process personal information

Answer: D

Question 4

Which requirement is the MOST important for managing risk when the vendor contract terminates?

Options :

A : The responsibility to perform a financial review of outstanding invoices

B : The commitment to perform a final assessment based upon due diligence standards

C : The requirement to ensure secure data destruction and asset return

D : The obligation to define contract terms for transition services

Answer: C

Question 5

Which type of contract provision is MOST important in managing Fourth-Nth party risk after contract signing and on-boarding due diligence is complete?

Options :

A : Subcontractor notice and approval

B : Indemnification and liability

C : Breach notification

D : Right to audit

Answer: A