Q1

A financial services firm is configuring their ServiceNow TPRM instance to automatically calculate a third-party's tier based on responses to an Inherent Risk Questionnaire (IRQ). The requirement is that if the third party will handle Personally Identifiable Information (PII) AND will be integrated with production systems, they must be assigned to the 'Tier 1 - Critical' level. However, if they only handle PII but are not integrated, they should be 'Tier 2 - High'. A risk manager reports that a new third party answering 'Yes' to both questions is incorrectly being assigned 'Tier 2'. Which of the following is the most likely cause of this misconfiguration?

Q2 (Multiple answers)

A global manufacturing company wants to streamline its third-party risk assessment process. Their goal is to automatically trigger a specific set of questionnaires and document requests based on the inherent risk identified during the onboarding process. Which of the following components are essential to configure this automation? (Select THREE)

Q3

During a TPRM implementation, a consultant is tasked with configuring risk rating and scoring. The client requires a weighted average calculation for the overall risk score, where the 'Cybersecurity' risk area is three times more important than 'Financial Stability'. Where would the consultant configure these weights to ensure risk scores are calculated according to the client's requirement?

Q4

True or False: Once a third-party contact is granted the `sn_vdr_risk.vendor_contact` role, they can view and respond to all assessments assigned to their company via the Third-party Portal.

Q5

A risk analyst needs to generate a report showing the average time it takes for third parties in the 'Critical' tier to complete their annual cybersecurity assessments, measured from the time the assessment state changes to 'Submitted to Third Party' until it reaches 'Responses Received'. Which ServiceNow reporting feature is best suited for creating this performance metric?

Q6

A TPRM manager has a requirement that any 'High' severity issue generated from an assessment for a 'Tier 1' third party must be approved by the Director of Compliance before it can be moved to the 'Awaiting Implementation' state. What is the most appropriate tool in ServiceNow to automate this specific approval requirement?

Q7

A healthcare organization uses ServiceNow TPRM to manage suppliers of critical medical software. After an assessment, a high-risk issue related to HIPAA compliance is identified. The risk team needs to formally track this risk and link it to a specific HIPAA control. Which is the best practice for handling this within the GRC and TPRM applications?

Q8

A TPRM administrator is importing a large number of third-party records from a legacy system. The import set contains a 'Country' column. The administrator needs to ensure that the imported string for the country is correctly mapped to the corresponding `core_country` reference field on the Company table. Which feature of the import process should be used to accomplish this?

Q9

What is the primary function of an Inherent Risk Questionnaire (IRQ) in the ServiceNow Third-party Risk Management process?

Q10

A user with the `sn_vdr_risk_asmt.vendor_assessor` role reports that they are unable to see the 'Generate Observations' UI action on a Third-party Risk Assessment record that is in the 'Responses Received' state. What is the most likely reason for this issue?

```mermaid
stateDiagram-v2
    [*] --> Submitted
    Submitted --> "Responses Received" : vendor responds
    "Responses Received" --> "Generating Observations" : assessor action
    "Generating Observations" --> Finalizing : system process
    Finalizing --> Closed
```