Shadow IT is the use and management of any IT technologies, solutions, services, projects, and infrastructure without formal approval and support of internal IT departments. Shadow IT can pose significant security risks to the organization, such as data breaches, compliance violations, malware infections, or network disruptions. Therefore, assessing and mitigating the risk of shadow IT is an essential part of organizational security.

One of the most important factors when assessing the risk of shadow IT is whether the organization maintains adequate policies and procedures that communicate required controls for security functions. Policies and procedures are the documents that define the organization’s security objectives, standards, roles, responsibilities, and processes. They provide guidance and direction for the organization’s security activities, such as risk assessment, vendor management, incident response, data protection, access control, etc. They also establish the expectations and requirements for the organization’s employees, vendors, and other stakeholders regarding the use and management of IT resources.

By maintaining adequate policies and procedures that communicate required controls for security functions, the organization can:

Educate and inform its employees about the security risks and implications of shadow IT, and the benefits and advantages of using authorized and supported IT resources.

Establish and enforce clear and consistent rules and boundaries for the use and management of IT resources, and the consequences and penalties for violating them.

Monitor and audit the compliance and performance of its employees, vendors, and other stakeholders regarding the use and management of IT resources, and identify and address any deviations or issues.

Review and update its policies and procedures regularly, and communicate any changes or updates to its employees, vendors, and other stakeholders.

By doing so, the organization can reduce the likelihood and impact of shadow IT, and increase the visibility and accountability of its IT environment. The organization can also foster a culture of security awareness and responsibility among its employees, vendors, and other stakeholders, and encourage them to report and resolve any shadow IT incidents or problems.

The other factors, such as the organization’s security training and certification, staffing levels, and resources and investment, are also relevant for assessing the risk of shadow IT, but they are not as important as the organization’s policies and procedures. Security training and certification can help the organization’s security personnel to acquire and maintain the necessary skills and knowledge to deal with shadow IT, but they do not address the root causes or motivations of shadow IT. Staffing levels can affect the organization’s ability to detect and respond to shadow IT, but they do not prevent or deter shadow IT from occurring. Resources and investment can enable the organization to provide adequate and appropriate IT resources to its employees, vendors, and other stakeholders, but they do not guarantee the satisfaction or compliance of those parties.  References:

:  Shadow IT Explained: Risks & Opportunities - BMC Software

:  What is Shadow IT? | IBM

:  Shadow IT: What Are the Risks and How Can You Mitigate Them? - Ekran System

: Policies and Procedures - Shared Assessments

A data flow diagram (DFD) is a graphical representation of the flow of information between outsourcers and third parties, as well as within a system or process. It shows the sources and destinations of data, the processes that transform data, the data stores that hold data, and the data flows that connect them. A DFD can help to understand and refine the business processes or systems that involve data exchange with external entities. A DFD can also help to identify potential risks and vulnerabilities in the data flows, such as data leakage, data corruption, data loss, or unauthorized access.

The other options are incorrect because they do not match the definition of a visual representation of data flows. A configuration standard (A) is a set of rules or guidelines that define how a system or process should be configured, such as hardware, software, or network settings. An audit log report (B) is a record of the activities or events that occurred in a system or process, such as user actions, system changes, or security incidents. A network diagram © is a graphical representation of the physical or logical connections between devices or nodes in a network, such as routers, switches, servers, or computers.  References:

https://www.visual-paradigm.com/tutorials/data-flow-diagram-dfd.jsp

https://www.lucidchart.com/pages/data-flow-diagram

 Performing due diligence during third party risk assessments is a process of verifying and validating the information provided by the third parties, as well as identifying and assessing any potential risks or issues that may arise from the relationship.  Due diligence methods may vary depending on the type, scope, and complexity of the third party engagement, but they generally involve the following steps 1 2 3 :

Interviewing subject matter experts or control owners: This method involves engaging with the relevant stakeholders from both the organization and the third party, such as business owners, project managers, legal counsel, compliance officers, security analysts, etc. The purpose of the interviews is to gather more information about the third party’s capabilities, processes, policies, performance, and challenges, as well as to clarify any questions or concerns that may arise from the questionnaire or other sources. The interviews can also help to establish rapport and trust between the parties, and to identify any gaps or discrepancies in the information provided.

Reviewing compliance artifacts: This method involves examining the evidence or documentation that supports the third party’s claims or assertions, such as certifications, accreditations, audit reports, policies, procedures, contracts, SLAs, etc. The purpose of the review is to verify the accuracy, completeness, and validity of the artifacts, as well as to assess the level of compliance with the applicable standards, regulations, and best practices. The review can also help to identify any areas of improvement or weakness in the third party’s controls or processes.

Validating controls: This method involves testing or inspecting the actual implementation and effectiveness of the third party’s controls or processes, such as security measures, quality assurance, data protection, incident response, etc. The purpose of the validation is to confirm that the controls are operating as intended and expected, and that they are sufficient to mitigate the risks or issues identified in the assessment. The validation can also help to identify any vulnerabilities or gaps in the third party’s controls or processes.

The other options are not as comprehensive or accurate as the methods described above, as they may not cover all the aspects or dimensions of the third party risk assessment, or they may rely on incomplete or outdated information. Inspecting physical and environmental security controls by conducting a facility tour is only one part of the validation method, and it may not be applicable or feasible for all types of third parties, such as cloud service providers or remote workers. Reviewing status of findings from the questionnaire and defining remediation plans is more of a follow-up or monitoring activity, rather than a due diligence method, as it assumes that the questionnaire has already been completed and analyzed. Reviewing and assessing only the obligations that are specifically defined in the contract is a narrow and limited approach, as it may not capture the full scope or complexity of the third party relationship, or the dynamic and evolving nature of the risks or issues involved.  References:

Third Party Due Diligence – a vital but challenging process

The guide to risk based third party due diligence - VinciWorks

Third Party Risk Assessment – Checklist & Best Practices

The most important factor when scoping assessments of cloud-based third parties that access, process, and retain personal data is to identify the type of cloud hosting deployment or service model. This is because different cloud models have different implications for the allocation of security responsibilities between the third party and the cloud hosting provider. For example, in a Software as a Service (SaaS) model, the cloud provider is responsible for most of the security controls, while in an Infrastructure as a Service (IaaS) model, the third party is responsible for securing its own data and applications. Therefore, it is essential to understand the type of cloud model and the corresponding security roles and responsibilities before conducting an assessment. This will help to avoid gaps, overlaps, or conflicts in security controls and expectations.  References:

Guidance on Cloud Security Assessment and Authorization - ITSP.50.105 , Canadian Centre for Cyber Security, May 2020, Section 2.1.1

The Importance of Properly Scoping Cloud Environments , PCI Security Standards Council and Cloud Security Alliance, August 2021

Third party and cloud: Regulatory challenges , KPMG, 2022, Section 2.1

Certified Third Party Risk Professional (CTPRP) Study Guide, Shared Assessments, 2021, Section 4.2.2

In the ‘Defense in Depth’ security model, the innermost layer typically focuses on protecting the most sensitive and critical assets, which are often categorized as ' Private internal ' . This layer includes security controls and measures that are designed to safeguard the core, confidential aspects of an organization ' s infrastructure and data. It encompasses controls such as access controls, encryption, and monitoring of sensitive systems and data to prevent unauthorized access and ensure data integrity and confidentiality. The ' Private internal ' layer is crucial for maintaining the security of critical information and systems that are essential to the organization ' s operations and could have the most significant impact if compromised. Implementing robust security measures at this layer is vital for mitigating risks associated with physical access to critical infrastructure and sensitive information.

References:

Security frameworks and standards, including NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations) and the SANS Institute ' s guidelines on implementing ' Defense in Depth ' , provide detailed recommendations on securing the innermost layers of an organization ' s information systems.

Publications such as " Physical Security Principles " by ASIS International offer insights into best practices for securing the private internal layer, including access control systems, surveillance, and intrusion detection mechanisms.

According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, data loss prevention (DLP) is a strategy for preventing the unauthorized disclosure, transfer, or misuse of sensitive data, such as personally identifiable information (PII), personal health information (PHI), or intellectual property (IP) 1 .  Endpoint security is a component of DLP that focuses on protecting the devices (such as laptops, tablets, or smartphones) that access and store sensitive data from internal or external threats 2 .  Therefore, data loss prevention in endpoint security is the strategy for preventing exfiltration of confidential information by users who access company systems, as this could result in data breaches, regulatory fines, reputational damage, or competitive disadvantage 3 .

The other options are not the best descriptions of data loss prevention in endpoint security, as they either relate to different aspects of data protection or security, or do not address the specific goal of preventing data exfiltration. Data backups are a strategy for ensuring data recovery in the event of a disaster, but they do not prevent data loss or leakage from unauthorized access or transfer. High-availability is a strategy for ensuring data availability and continuity, but it does not prevent data loss or leakage from malicious or accidental actions. Malware prevention is a strategy for ensuring data integrity and confidentiality, but it does not prevent data loss or leakage from legitimate users who may misuse or overshare data.

References:

1 : Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, page 25

2 : What is Endpoint Security? | McAfee

3 : What is data loss prevention (DLP)? | Microsoft Security

[4]: Data Backup vs. Data Recovery: What’s the Difference? | Carbonite

[5]: What is High Availability? | IBM

[6]: What is Malware? | Norton

Infrastructure as a service (IaaS) is a cloud deployment model that provides users with access to virtualized hardware resources, such as servers, storage, and network devices. Users can install and run their own operating systems and applications on the cloud infrastructure, and have full control over the configuration and management of the hardware equipment. IaaS is suitable for organizations that need high scalability, flexibility, and customization of their cloud environment. IaaS is different from other cloud deployment models, such as function as a service (FaaS), platform as a service (PaaS), and software as a service (SaaS), which provide users with higher-level services and abstract away the underlying hardware details.  References:

Cloud Infrastructure: 4 Key Components and Deployment Models

Cloud Deployment Models - GeeksforGeeks

On-Premises Cloud Deployment Model: Organization-Owned Hardware Explained

Vendor classification or risk tiering is a process of categorizing vendors based on the level of security risk they introduce to an organization 1 2 .  It is a key component of a third-party risk management (TPRM) program, as it helps to prioritize and allocate resources for vendor assessment, monitoring, and remediation 1 2 .  The statement D is true, as it reflects the first step of vendor classification or risk tiering, which is to determine the inherent risk of each vendor relationship based on the nature, scope, and complexity of the product or service being outsourced 3  .  Inherent risk is the risk that exists before any controls or mitigating factors are applied 3  .  By calculating the inherent risk, an organization can assign each vendor to a risk tier that reflects the potential impact and likelihood of a security breach or incident involving the vendor 3  .

The other statements are false, as they do not accurately describe the vendor classification or risk tiering process. The statement A is false, as vendor classification and risk tiers are not based on residual risk calculations, but on inherent risk calculations.  Residual risk is the risk that remains after controls or mitigating factors are applied 3  .  Residual risk is used to evaluate the effectiveness of the controls and the need for further action, but not to classify or tier vendors 3  . The statement B is false, as vendor classification and risk tiering should be used for all third party relationships, not only for critical ones.  Vendor classification and risk tiering helps to identify and prioritize the critical vendors, but also to manage the low and medium risk vendors according to their respective risk profiles 1 2 . The statement C is false, as vendor classification and corresponding risk tiers do not utilize the same due diligence standards for controls evaluation based upon policy, but different ones. Due diligence standards are the criteria and methods used to assess the security posture and performance of vendors. Due diligence standards should vary according to the risk tier of the vendor, as higher risk vendors require more rigorous and frequent evaluation than lower risk vendors.

References :

1 : What is Vendor Tiering? Optimize Your Vendor Risk Management | UpGuard Blog

2 : Vendor Tiering Best Practices: Categorizing Vendor Risks | UpGuard Blog

3 : Third-Party Risk Management (TPRM): A Complete Guide - BlueVoyant

[4]: Supplemental Examination Procedures for Risk Management of Third-Party Relationships

[5]: Third Party Risk Management: Why It’s Important And What Features To Look For - Expert Insights

Application security testing (AST) is a process of finding and eliminating vulnerabilities in software applications. There are different types of AST tools that can help with this process, such as static, dynamic, and interactive testing. Static testing analyzes the source code of the application without executing it, dynamic testing simulates attacks on the running application from the outside, and interactive testing combines both static and dynamic analysis to find more vulnerabilities and provide more context. Cookie consent scanning is not a type of AST, but rather a tool that checks if a website complies with the cookie consent regulations, such as the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Cookie consent scanning does not test the security of the application, but rather the privacy and compliance of the website.  References:

1 : 10 Types of Application Security Testing Tools: When and How to Use Them

2 : 5 Types of Application Security Testing You Must Know About

3 : Types of Application Security Testing: Definitions and Differences

4 : What is Application Security? | VMware Glossary

 Personal information is any information that can be used to identify an individual, either directly or indirectly, such as name, address, email, phone number, ID number, etc. Personal data is a term used in some jurisdictions, such as the European Union, to refer to personal information that is subject to data protection laws and regulations. However, the scope and definition of personal data may vary depending on the jurisdiction and the context. For example, the GDPR defines personal data as “any information relating to an identified or identifiable natural person” and includes online identifiers, such as IP addresses, cookies, or device IDs, as well as special categories of data, such as biometric, genetic, health, or political data. On the other hand, the US does not have a single federal law that regulates personal data, but rather a patchwork of sector-specific and state-level laws that may have different definitions and requirements. For example, the California Consumer Privacy Act (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household” and excludes publicly available information from its scope. Therefore, from a privacy perspective, it is important to understand the different legal definitions and obligations that may apply to personal information or personal data depending on the jurisdiction and the context of the data processing activity.  References:

GDPR personal data – what information does this cover?

Personal Information, Data Classification, Life Cycle and Best Practices

5 Types of Data Classification (With Examples)