Question 1

The BEST time in the SDLC process for an application service provider to perform Threat Modeling analysis is:

Options :

A : Before the application design and development activities begin

B : After the application vulnerability or penetration test is completed

C : After testing and before the deployment of the final code into production

D : Prior to the execution of a contract with each client

Answer: A

Question 2

Which type of contract provision is MOST important in managing Fourth-Nth party risk after contract signing and on-boarding due diligence is complete?

Options :

A : Subcontractor notice and approval

B : Indemnification and liability

C : Breach notification

D : Right to audit

Answer: A

Question 3

Which of the following BEST describes the distinction between a regulation and a standard?

Options :

A :

A regulation must be adhered to by all companies subject to its requirements, but companies “can voluntarily choose to follow standards.

B : There is no distinction, regulations and standards are the same and have equal impact

C : Standards are always a subset of a regulation

D :

A standard must be adhered to by companies based on the industry they are in, while regulations are voluntary.

Answer: A

Question 4

Which statement is FALSE regarding the primary factors in determining vendor risk classification?

Options :

A : The geographic area where the vendor is located may trigger specific regulatory obligations

B : The importance to the outsourcer-s recovery objectives may trigger a higher risk tier

C :

The type and volume of personal data processed may trigger a higher risk rating based on the criticality of the systems

D :

Network connectivity or remote access may trigger a higher vendor risk classification only for third parties that process personal information

Answer: D

Question 5

Which statement is TRUE regarding the use of questionnaires in third party risk assessments?

Options :

A : The total number of questions included in the questionnaire assigns the risk tier

B : Questionnaires are optional since reliance on contract terms is a sufficient control

C :

Assessment questionnaires should be configured based on the risk rating and type of service being evaluated

D : All topic areas included in the questionnaire require validation during the assessment

Answer: C