CTPRP Exam Dumps : Certified Third-Party Risk Professional (CTPRP)

Web content accessibility guidelines (WCAG) are a set of standards that aim to make web content more accessible to people with disabilities, such as visual, auditory, cognitive, or motor impairments. While WCAG is a good practice for web development and usability, it is not directly related to web application security. WCAG does not address the common security risks that web applications face, such as injection, broken authentication, misconfiguration, or vulnerable components. Therefore, adhering to WCAG is not a method of securing web applications, unlike the other options. References:

• 4: OWASP Top 10, a standard awareness document for web application security, lists the most critical security risks to web applications and provides best practices to prevent or mitigate them.
• 5: SANS Institute, a leading provider of cybersecurity training and certification, offers a security checklist for web application technologies (SWAT) that covers best practices for error handling, data protection, configuration, authentication, session management, input and output handling, and access control.
• 6: Built In, a platform for tech professionals, provides 13 web application security best practices, such as using a web application firewall, keeping track of APIs, enforcing expected application behaviors, and following the OWASP Top 10.

Physical access procedures and activity logs are important components of third-party risk management, as they help to ensure the security and integrity of the physical assets and data of the organization and its third parties. However, requiring physical access logs to be retained indefinitely for audit purposes is not a best practice, as it may pose legal, regulatory, and operational challenges. According to the Supplemental Examination Procedures for Risk Management of Third-Party Relationships, physical access logs should be retained for a reasonable period of time, consistent with the organization’s policies and procedures, and in compliance with applicable laws and regulations1. Retaining physical access logs indefinitely may increase the risk of unauthorized access, data breaches, privacy violations, and litigation2. Therefore, the statement B is the correct answer, as it is the only one that does not reflect a best practice for physical access procedures and activity logs.

References:

• 1: How to Write Third-Party Risk Management (TPRM) Policies and Procedures - SecurityScorecard Blog
• 2: Five Best Practices to Manage and Control Third-Party Risk - Broadcom Inc.
• 3: A checklist for third-party risk management platforms - Crowe LLP
• 4: Supplemental Examination Procedures for Risk Management of Third-Party Relationships
• 5: Third Party Risk Management: Why It’s Important And What Features To Look For - Expert Insights

According to the Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, physical security compliance is the process of ensuring that the physical assets and personnel of an organization are protected from unauthorized access, theft, damage, or harm1. Physical security compliance can be achieved by implementing various measures, such as locks, alarms, cameras, guards, fences, badges, etc. However, these measures need to be regularly monitored, tested, and verified to ensure their effectiveness and alignment with the defined standards and policies2. Therefore, maintaining a standardized schedule for confirming controls to defined standards demonstrates a greater maturity of physical security compliance, as it indicates a proactive and consistent approach to assessing and improving the physical security posture of an organization3.

The other options do not reflect a high level of physical security compliance maturity, as they either rely on reactive or ad hoc methods, or lack sufficient verification and validation mechanisms. Leveraging periodic reporting to schedule facility inspections based on reported events may indicate a lack of preventive and predictive measures, as well as a dependency on external or internal incidents to trigger the inspections. Providing a checklist for self-assessment may indicate a lack of independent and objective evaluation, as well as a potential for bias or error in the self-assessment process. Conducting unannounced checks on an ad hoc basis may indicate a lack of planning and coordination, as well as a potential for disruption or inconsistency in the checks.

References:

• 1: Shared Assessments Certified Third Party Risk Professional (CTPRP) Study Guide, page 24
• 2: Physical Security: Planning, Measures & Examples + PDF - Avigilon
• 3: Security Maturity Models: Levels, Assessment, and Benefits
• [4]: Best Practices for Planning and Managing Physical Security Resources - CISA, page 10
• [5]: Self-Assessment vs. Independent Assessment: What’s the Difference? | Linford & Company LLP
• [6]: The Pros and Cons of Unannounced Audits | NQA