The purpose of internal communications and information sharing using TPRM performance metrics is to inform and align the organization’s stakeholders on the status, progress, and outcomes of the TPRM program. This includes communicating the results of vendor assessments, the compliance level of the organization’s policies and procedures, and the periodic reporting to management and other relevant parties. However, documenting the corrective action plan between external parties is not an internal communication, but rather an external one. This is because the corrective action plan is a formal agreement between the organization and the vendor to address and resolve the issues identified in the assessment. Therefore, this statement is not an example of the purpose of internal communications and information sharing using TPRM performance metrics.  References:

15 KPIs & Metrics to Measure the Success of Your TPRM Program

Third-party risk management metrics: Best practices to enhance your program

3 Best Third-Party Risk Management Software Solutions (2024)

 The three lines of defense model is a way of explaining the relationship between functions and roles of risk management and control in an organization.  It involves the first line of defense (owning and managing risks), the second line of defense (overseeing or specialising in risk), and the third line of defense (providing independent assurance) 1 .  The third line of defense is typically the internal audit function, which provides objective and independent assurance to the governing body, management, regulators, and external auditors that the control culture across the organization is effective in its design and operation 2 .  The third line of defense must have independence from the business unit, meaning that it is not involved in the execution of business activities or the design and implementation of controls, and that it reports to the highest level of governance, such as the board or the audit committee 3 .  The third line of defense is not limited to an external assessment firm, although external assurance providers may complement or supplement the work of the internal audit function 2 .  References:

1 : Internal audit: three lines of defence model explained | ICAS

2 : Modernizing The Three Lines of Defense Model | Deloitte US

3 : THE IIA S THREE LINES MODEL

In the context of Third-Party Risk Management (TPRM), problems or issues do not inherently lead to systemic failures but are indicative of underlying faults within processes or systems that could potentially result in incidents. Problem or issue management is a critical component of TPRM, focusing on identifying, classifying, and managing the root causes of incidents to prevent their recurrence and mitigate their impact. Effective problem management involves not just managing workarounds or known errors, but also implementing permanent fixes to eliminate the root causes of problems. By addressing the underlying issues, organizations can enhance their operational resilience and reduce the likelihood and impact of future incidents. This approach aligns with best practices in TPRM, emphasizing proactive risk identification, assessment, and mitigation to safeguard against potential disruptions in the supply chain and third-party ecosystems.

References:

Best practices in TPRM suggest a structured approach to problem and issue management, including identification, assessment, prioritization, and resolution of root causes, as outlined in frameworks such as ISO 31000 (Risk Management) and NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations).

Learning resources such as the " Third Party Risk Management Program Playbook " from Shared Assessments and the " Third-Party Risk Management Guide " from ISACA provide comprehensive guidelines on implementing effective problem and issue management processes within a TPRM program.

A change in company point of contact does not necessarily trigger an organization to prompt a third party contract provisions review, unless the contract specifically requires such a notification or approval. A change in company point of contact may affect the communication and relationship between the parties, but it does not affect the legal terms and obligations of the contract. However, other types of external events, such as business continuity events, data breaches/privacy incidents, and changes in regulations, may have a significant impact on the performance, compliance, and risk of the contract, and therefore may require a review of the contract provisions to ensure that they are still valid, enforceable, and aligned with the parties’ expectations and objectives. For example, a business continuity event may disrupt the delivery of goods or services, a data breach/privacy incident may expose confidential or personal information, and a change in regulations may impose new obligations or liabilities on the parties. These events may trigger clauses such as force majeure, termination, indemnification, or dispute resolution, and may require the parties to renegotiate or amend the contract accordingly.  References:

Third-Party Contract Reviews: Determining Your Best Options

Third party contracts: best practices for third party paper

What to Look For When Reviewing Third-Party Contracts

CTPRP Job Guide

 Security vulnerabilities and security defects are not synonymous, but rather different concepts that relate to the security of software products or services.  A security vulnerability is a weakness or flaw in the software that can be exploited by an attacker to compromise the confidentiality, integrity, or availability of the system or data 1 2 .  A security defect is a mistake or error in the software code that causes the software to behave in an unexpected or incorrect way 3 4 . A security defect may or may not lead to a security vulnerability, depending on the context and impact of the defect. For example, a security defect that causes a buffer overflow may result in a security vulnerability that allows an attacker to execute arbitrary code on the system. However, a security defect that causes a spelling error in the user interface may not pose a security risk at all.

Security vulnerabilities and security defects have different causes, consequences, and solutions.  Security vulnerabilities are often caused by design flaws, logic errors, or insufficient security controls in the software 1 2 .  Security defects are often caused by poor coding practices, lack of testing, or human mistakes in the software development process 3 4 .  Security vulnerabilities can have severe consequences for the software users, providers, and stakeholders, such as data breaches, identity theft, fraud, or sabotage 1 2 .  Security defects can have various consequences for the software functionality, performance, or usability, such as crashes, glitches, or bugs 3 4 .  Security vulnerabilities require proactive and reactive measures to prevent, detect, and mitigate the potential attacks, such as security testing, patching, monitoring, and incident response 1 2 .  Security defects require corrective and preventive measures to identify, resolve, and avoid the errors, such as code review, debugging, refactoring, and quality assurance 3 4 .

Therefore, the statement that security vulnerabilities and security defects are synonymous is FALSE.  They are distinct but related aspects of software security that require different approaches and techniques to address them.  References:   1 : What is a Software Vulnerability?  | Veracode  2 : Software Security: differences between vulnerabilities and Defects  3 : What is a Software Defect?  - Definition from Techopedia  4 : Are vulnerabilities discovered and resolved like other defects? - Springer

A well-defined third party risk management program does not require conducting onsite or virtual assessments for all third parties, as this would be impractical, costly, and inefficient. Instead, a TPRM program should adopt a risk-based approach to determine the frequency, scope, and depth of assessments based on the inherent and residual risks posed by each third party. This means that some third parties may require more frequent and comprehensive assessments than others, depending on factors such as the nature, scope, and criticality of their services, the sensitivity and volume of data they access or process, the regulatory and contractual obligations they must comply with, and the results of previous assessments and monitoring activities. A risk-based approach to assessments allows an organization to allocate its resources and efforts more effectively and efficiently, while also ensuring that the most significant risks are ad equately addressed and mitigated.  References:

Shared Assessments ,  CTPRP Job Guide , page 9: “The frequency, scope, and depth of assessments should be determined by the inherent and residual risks posed by each third party.”

OneTrust , [What is Third-Party Risk Management?]: “A risk-based approach to third-party risk management means that you prioritize your efforts and resources based on the level of risk each vendor poses to your organization.”

[Deloitte], [Third Party Risk Management: Managing Risk] : “A risk-based approach to third-party risk management helps organizations prioritize their efforts and resources based on the level of risk each third party poses to the organization.”

A documented process to gain approvals for use of open source applications is typically not part of evaluating the vendor’s patch management controls, because it is not directly related to the patching process. Patch management controls are the policies, procedures, and tools that enable an organization to identify, acquire, install, and verify patches for software vulnerabilities. Patch management controls aim to reduce the risk of exploitation of known software flaws and ensure the functionality and compatibility of the patched systems. A documented process to gain approvals for use of open source applications is more relevant to the software development and procurement processes, as it involves assessing the legal, security, and operational implications of using open source software components in the vendor’s products or services. Open source software may have different licensing terms, quality standards, and support levels than proprietary software, and may introduce additional vulnerabilities or dependencies that need to be managed. Therefore, a documented process to gain approvals for use of open source applications is a good practice for vendors, but it is not a patch management control per se.  References:

Guide to Enterprise Patch Management Planning

Governance of Key Aspects of System Patch Management

Certified Third Party Risk Professional (CTPRP) Study Guide

Remote access is any connection made to an organization’s internal network and systems from an external source by a device or host. Remote access can enable greater worker flexibility and productivity, but it also poses significant security risks, such as unauthorized access, data leakage, malware infection, or network compromise. Therefore, it is important to evaluate a third party’s use of remote access within their information security policy, which should define the roles, responsibilities, standards, and procedures for remote access.

One of the key components of evaluating a third party’s use of remote access within their information security policy is identifying the use of multifactor authentication. Multifactor authentication is a method of verifying the identity of a remote user by requiring two or more factors, such as something the user knows (e.g., password, PIN), something the user has (e.g., token, smart card), or something the user is (e.g., fingerprint, face). Multifactor authentication enhances the security of remote access by making it harder for attackers to impersonate or compromise legitimate users.  According to the NIST Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security 1 , multifactor authentication should be used for all remote access, especially for high-risk situations, such as accessing sensitive data or privileged accounts.

The other options are not components of evaluating a third party’s use of remote access within their information security policy. Maintaining blocked IP address ranges, reviewing the testing and deployment procedures to networking components, and providing guidelines to configuring ports on a router are all examples of network security controls, but they are not specific to remote access. They may be part of the overall information security policy, but they are not sufficient to assess the security of remote access.  References:

NIST Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security

How to Implement an Effective Remote Access Policy

Why Managing Third-Party Access Requires A Better Approach

The frequency of cyclical assessments is one of the key factors that determines the effectiveness and efficiency of a TPRM program. Cyclical assessments are periodic reviews of the vendor’s performance, compliance, and risk posture that are conducted after the initial onboarding assessment. The frequency of cyclical assessments should be aligned with the organization’s risk appetite and tolerance, and should reflect the level of risk and criticality of the vendor to the organization’s operations. A common approach to determine the frequency of cyclical assessments is to use a vendor risk score, which is a numerical value that represents the vendor’s inherent and residual risk based on various criteria, such as the type, scope, and complexity of the services or products provided, the vendor’s security and privacy controls, the vendor’s compliance with relevant regulations and standards, the vendor’s past performance and incident history, and the vendor’s business continuity and disaster recovery capabilities. The vendor risk score can be used to categorize the vendors into different risk tiers, such as high, medium, and low, and assign appropriate frequencies for cyclical assessments, such as annually, biannually, or quarterly. For example, a high-risk vendor may require an annual assessment, while a low-risk vendor may require a biannual or quarterly assessment. The vendor risk score and the frequency of cyclical assessments should be reviewed and updated regularly to account for any changes in the vendor’s risk profile or the organization’s risk appetite.

The other three statements do not best reflect the factors that help you determine the frequency of cyclical assessments, as they are either too rigid, too vague, or too reactive. Statement A implies that vendor assessments are only necessary during onboarding and can be replaced by continuous monitoring afterwards. However, continuous monitoring alone is not sufficient to ensure the vendor’s compliance and risk management, as it may not capture all the aspects of the vendor’s performance and risk posture, such as contractual obligations, service level agreements, audit results, and remediation actions. Therefore, vendor assessments should be conducted during onboarding and at regular intervals thereafter, complemented by continuous monitoring. Statement C suggests that vendor assessments should be scheduled based on the type of services or products provided, without considering the other factors that may affect the vendor’s risk level and criticality, such as the vendor’s security and privacy controls, the vendor’s compliance with relevant regulations and standards, the vendor’s past performance and incident history, and the vendor’s business continuity and disaster recovery capabilities. Therefore, statement C is too vague and does not provide a clear and consistent basis for determining the frequency of cyclical assessments. Statement D indicates that vendor assessment frequency may need to be changed if the vendor has disclosed a data breach, implying that the frequency of cyclical assessments is only adjusted in response to a negative event. However, this approach is too reactive and may not prevent or mitigate the impact of the data breach, as the vendor’s risk level and criticality may have already increased before the data breach occurred. Therefore, statement D does not reflect a proactive and risk-based approach to determining the frequency of cyclical assessments.  References:

Third-Party Risk Management 101: Guiding Principles

Mastering the TPRM Lifecycle

Third Party Risk Management Maturity Assessment

According to the Certified Third Party Risk Professional (CTPRP) Job Guide, one of the key tasks of a third party risk professional is to “manage the corrective action process for identified issues and ensure timely resolution” (p. 10). This task involves the following steps:

Document the findings and recommendations from the assessment and communicate them to the appropriate stakeholders

Review the findings and recommendations with the line of business (LOB) and obtain their risk acceptance or rejection

If the LOB accepts the risk, document the rationale and approval in the risk register

If the LOB rejects the risk, work with the vendor to develop a remediation plan that addresses the root cause and mitigates the risk

Monitor the progress and completion of the remediation plan and verify the effectiveness of the corrective actions

Update the risk register and the vendor profile with the results of the remediation

Therefore, the statement that best represents the roles and responsibilities for managing corrective actions is C, as it reflects the need to review the findings and need for remediation with the LOB for risk acceptance before sharing the remediation plan with the vendor. This ensures that the LOB is aware of the risks and their impact, and that the vendor is committed to resolving the issues in a timely and satisfactory manner.

References :

CTPRP Job Guide , Shared Assessments, 2020

Best Practices Guidance for Third Party Risk , Global Association of Risk Professionals (GARP), 2019

Simple Guide for Corrective and Preventative Action (CAPA) , Qualcy eQMS, 2020

[The Three Key Parts of an EHS Corrective Action Plan], EHS Daily Advisor, 2021