2020-2021 job practice guide
TRANSCRIPT
Role Description
The CTPRP designation is designed to validate knowledge and experience to demonstrate proficiency in the development of a comprehensive Third Party Risk Management (TPRM) Program; and, the assessment, analysis, management, and remediation of Third Party risk issues. The Job Practice Guide identifies the domains, topics, skills, competencies, and job role accountabilities that represent the type of work performed by an individual who supports the development, implementation, maintenance, and training of a Third Party risk management program within their organization. The structure of the Job Practice Guide is based on the inputs of Shared Assessments Program members, recognized best practices, and tools that drive Third Party risk assurance.
About The CTPRP Credential
To achieve the CTPRP credential, candidates must provide both evidence of their years of experience and successfully pass a rigorous proctored exam. To earn a CTPRP credential, we recommend at least 30 hours of preparation prior to taking the examination. The class materials and examination are career resources designed for those professionals who plan to certify, as well as for those who simply need to deepen their knowledge in Third Party risk management. The CTPRP training material and examination are organized by grouping the required body of knowledge topics into specific job practice focus areas.
The CTPRP examination contains questions testing the domain technical knowledge and application of on-the-job knowledge based on the CTPRP Curriculum Outline.
Examination Protocols & Question Formats
The CTPRP examination contains 125 questions worth up to 140 points. Examination questions include testing the domain technical knowledge and application of knowledge using Third Party risk situations. The CTPRP examination is a time-based (3 hours), closed book exam. The exam is taken online from your computer and remote proctoring is required to monitor examination compliance. Multiple choice questions are presented to users using third party risk management scenarios from the Outsourcer or the Service Provider point of view. A score of 70% or higher is required to pass the exam. Upon completion of the exam, a survey may be presented to provide feedback on the method of instruction, curriculum, materials, or examination content.
© 2020, 2021 The Santa Fe Group, Shared Assessments Program. All rights reserved.
Program governance policies, standards, and procedures
Contract development, adherence and contract management
Vendor risk classification
Due diligence standards
Skills and expertise
Communications and information sharing
Tools, measurements & analysis
Monitoring and review
Risk assessment & treatment
Information security policy
Organizational security
Data privacy governance
Human resources security
Compliance & audit
Access control
End user device security
Server security
Network security
Application security
Privacy data safeguards
Cloud security
Physical & environmental security
Asset management
Operations management
Business continuity management
Disaster recovery
Incident event and communications
Threat management
Vulnerability program
Security awareness
I. Third Party Risk Management Foundation
A. Regulatory Drivers for Third Party Risk
B. Information Classification & Data Governance
C. Third Party Risk Management Program Components
II. Third Party Risk Program Management
A. TPRM Program Structure
B. TPRM Operations
C. TPRM Measurements
III. Third Party Risk Control Domains
A. Governance & Risk Management
B. Information Protection
C. IT Operations & Business Resiliency
D. Security Incident & Threat Management
IV. Third Party Risk Assessment Process
A. Phases of an Engagement
B. Assessment Planning & Preparation
C. Assessment Engagement & Communication
D. Post-Assessment Reporting & Remediation
CTPRP BODY OF KNOWLEDGE
CTPRP EXAM PROFILE
CTPRP THIRD PARTY RISK ROLE ACCOUNTABILITIES
Participates in the classification and risk tiering of third parties, including defining the frequency of risk assessments
Coordinates the identification, ranking and tracking of third party risks for the organization
Defines the due diligence standards based on risk rating or classification to be applied in third party assessments
Manages communication plans and escalation plans regarding third party risk governance activities
Actively drives coordination and implementation for the overall third party risk management program function within the organization
Monitors changes in the regulatory landscape to identify relevant compliance requirements
Facilitates the escalation process for management risk acceptance or remediation approvals
Partners with lines of business to manage third party risk as defined in contracts and third party policies and procedures
Collaborates with internal functions to deploy standard contract provisions for security and privacy requirements
Monitors remediation actions and mitigation plans for identified third party risks
Defines and tracks third party risk assessment metrics
Communicates third party risk requirements to internal stakeholders
Negotiates with third parties and business partners to address compliance with risk management policies
Coordinates gathering and analysis of risk assessment data for management
Maintains third party governance policies, procedures and practices
Provides dashboard reporting on third party risk management program activities, results, and outcomes
Identifies and implements monitoring functions for critical vendors
Supports the vendor due diligence process by ensuring data protection requirements are maintained in contractual relationships
THIRD PARTY RISK PROFESSIONAL
DEFINES requirements for third party risk management program structures
CONDUCTS vendor risk identification and analysis to establish assurance and due diligence standards
IMPLEMENTS third party risk management processes within the organization
EVALUATES program performance with management reporting and benchmarking