CTPRA Job Guide

Program Description

The Certified Third Party Risk Assessor (CTPRA) designation is a professional credential that validates knowledge, expertise, and proficiency in controls evaluation within specific Third Party risk control domains needed in order to perform a comprehensive IT risk evaluation of a third party during an assessment.

The Job Practice Guide identifies the domains, topics, skills, competencies, and job role accountabilities that represent the type of work performed in the role of a Third Party risk assessor who plans, performs, and oversees third party assessments across multiple risk domains. The structure of the Job Practice Guide is based on the inputs of Shared Assessments Program members, recognized best practices, and education and tools that drive third party risk assurance.

About The CTPRA Credential

To achieve the CTPRA credential, candidates must provide both evidence of their years of experience and successfully pass a rigorous proctored exam. It is not uncommon for CTPRA test takers to not pass the test on the first attempt. We recommend at least 30 hours of preparation prior to taking the examination. The class materials and examination are career resources designed for those professionals who plan to certify, as well as for those who simply need to deepen their knowledge in third party risk management. The CTPRA training material and examination are organized by grouping the required body of knowledge topics into specific job practice focus areas. The CTPRA examination contains questions testing domain technical knowledge and application of on-the-job knowledge based on the CTPRA Curriculum Outline.

Examination Protocols & Question Formats

The CTPRA examination contains 125 questions worth up to 140 points.Examination questions include testing the domain technical knowledge and application of knowledge using Third Party risk situations. The CTPRA examination is a time-based (3 hours), closed book exam taken on your own computer. Remote proctoring is required to monitor examination compliance. Multiple choice questions are presented to users using third party risk management scenarios from the Outsourcer or the ServiceProvider point of view. A score of 70% or higher is required to pass the exam. Upon completion of the exam a survey may be presented to provide feedback on the method of instruction, curriculum, materials, prexamination content.

Knowledge Level: Advanced

Prerequisites

Candidates are seasoned professionals or have deep technical expertise.
Candidates have in-depth knowledge on TPRM topics in order to conduct assessments.
Candidates may also pursue the certification to organizational leaders with specialized knowledge in certain areas who need to enhance their skills/knowledge on applying that knowledge to outside relationships.

Learning Objectives

Demonstrate a thorough understanding of outsourcing business models, regulatory drivers, data governance factors involved in third party risk management in order to understand each of the core components of a TPRM program.
Incorporate industry and technology assessment frameworks for controls evaluation using risk assessment techniques to conduct various types of assessments based on vendor classification, risk rating, and criticality.
Evaluate, interpret, and understand a third party’s control environment based on analysis of risk factors for each category of third party risk control domains from the point of view of the outsourcer and the service provider.
Organize and manage the due diligence and risk assessment process by conducting discovery, review of artifacts, and testing to effectively validate controls, identify and risk rate findings, and identify measures for risk mitigation.

CTPRA Curriculum Outline

Module I. Third Party Risk Management Foundation
A. Regulatory Drivers for Third Party Risk
B. Information Classification and Data Governance
C. Managing Risk in Third Party Relationships

Module II. Risk Based Due Diligence
A. Assessment Frameworks, Standards and Methodologies
B. Risk Assessment Techniques
C. Vendor Classification and Risk Ratings in Due Diligence

Module III. Risk Control Domains

A. Governance & Risk Management

Enterprise Risk Management
Information Security Policy
Organizational Security
Compliance and Audit
Data Privacy Governance
Human Resources Security

B. Information Protection

Access Control
End User Device Security
Network Security
Server Security
Application Security
Data Privacy Safeguards
Cloud Hosting Services
Physical & Environmental Security

C. IT Operations & Business Resiliency

Asset Management
IT Operations Management
Operational Resilience
Disaster Recovery

D. Security Incident & Threat Management

Incident Event & Communications
Threat Management
Vulnerability Program
Security Awareness

Module IV. Third Party Risk Assessment Process
A. Phases of the Assessment Process
B. Assessment Planning and Preparation
C. Assessment Execution and Communication
D. Post Assessment Reporting & Remediation

CTPRA Exam Profile

CTPRA

CTPRA Third Party Assessor Accountabilities

Actively drives coordination and execution of conducting third party risk assessment reviews either on-site or through virtual assessments
Participates in the creation, development, deployment of security and risk plans and mitigation controls Manages and deploys third party risk intake, assessment, remediation, risk acceptance and communication processes
Conducts security, vulnerability and control assessments using standard methodologies
Plans and coordinates testing and verification of controls
Reviews compliance artifacts and technical materials to identify and evaluate controls
Monitors existing and proposed security, risk, and control frameworks
Monitors changes in regulation that impact third party risk
Builds and manages remediation plans for third party due diligence risk assessments
Manages and maintains information in governance, risk, compliance systems and tools
Prepares reports on risk ratings, findings, and assessment results
Identifies and evaluates compensating controls based on risk mitigation techniques
Analyzes complex situations where an in-depth evaluation of risk is required
Accountable to synthesize information to technical and non-technical audiences
Ability to use judgement within established policies and procedures to evaluate control effectiveness and control attributes
Creates management reporting on third party risk activities across multiple engagements
Conducts audits or assessments in alignment with standards and risk-based strategies
Conducts interviews with subject matter experts to gain thorough understanding of the control environment Identifies synergies and dependencies in planning third party assessments
Manages project management timelines, status reports, findings, results, and recommendations to stakeholders
Interacts directly with key personnel within both IT and lines of business to understand the roles and responsibilities