Lesson 7 Workshop Flashcards
Overview
The most important part of a strong TPRM program is issue remediation.
Once you find an issue or observation, it is important to:
1. Validate the issue with the third party
2. Work with the third party to create a remediation plan, to include target date, that meets your organization’s expectations.
We, as practitioners, do not complete assessments just to complete assessments; we do so to mitigate risk, which is done through issue remediation.
Lesson 7 Workshop
Target report audiences. Not all reports should be sent to everyone. It depends on what the need is and who the decision makers are.
Review the example TPRM report and discuss:
- What should be sent to Business Owners?
- What should be sent to the Third Party?
- What should be sent to Executives and/or a Risk Committee?
- What should be sent to the Board?
- What steps should be taken to ensure risk is remediated during the reporting phase?
What should be sent to the Business Owner?
Third Party Due Diligence Efforts:
- Why you’re doing it
- How you’re doing it
- Outcomes
- Their vendor portfolios and scores for them
What should be sent to the Third Party?
- Tell them if they passed or failed.
- Send them your findings.
- Program expectations.
- Meeting: this is our program, this is the evidence we request, this is what we want, this is who we need to talk to, when do you do your pen tests and SOC reports, so we know when to expect them.
- Let them know the communication expectations if they were to be breached.
- Follow-up process: we need evidence showing risks have been remediated.
What should be sent to your executives and/or risk committee?
- Risk mitigation strategies: things we would like to do that they need to make decisions on.
- You want a committee to do this, not TPRM, because if something happens they will blame you.
- Spreads the liability.
- Escalations and risk acceptance: send to them.
- Receive updates on emerging risks or threats and any newer regulatory updates, so they’re not surprised if something happens.
What should be sent to the Board?
- Pull high-level information and metrics tied to TPRM.
- Updates on the overall health of the TPRM program.
- Impact of mitigation activities for higher-risk third parties.
- Emerging risks, threats, and regulatory matters.
- If new, level-set what TPRM is. Give a good understanding of what the program is, what we’re evaluating, the key risks, and what our program does.
What steps should be taken to ensure risk is remediated during the reporting phase?
- Formally log the issue into the system, which sets remediation timelines, and get evidence to confirm it is resolved.
- Make sure you are remediating risk: you spent so much time assessing and discovering risk, and you’re liable if you know and do nothing.
- It becomes a regulatory issue if audited.