ISACA CDPSE Practice Test

Exam Title: Certified Data Privacy Solutions Engineer

Last update: Nov 27, 2025
Question 1

Which of the following helps define data retention time in a stream-fed data lake that includes
personal data?

  • A. Information security assessments
  • B. Privacy impact assessments (PIAs)
  • C. Data privacy standards
  • D. Data lake configuration
Answer: B

Explanation:
A privacy impact assessment (PIA) is a systematic process of identifying and evaluating the potential
privacy risks and impacts of a data processing activity or system. A PIA helps to ensure that privacy is
considered and integrated into the design and development of data processing activities or systems,
and that privacy risks are mitigated or eliminated. A PIA also helps to determine the appropriate
retention periods for personal data based on the purpose and necessity of the data processing, as
well as the legal and regulatory obligations that apply to the data. Therefore, a PIA helps to define
data retention time in a stream-fed data lake that includes personal data.
Reference: CDPSE Review Manual (Digital Version), page 99

Question 2

When evaluating cloud-based services for backup, which of the following is MOST important to
consider from a privacy regulation standpoint?

  • A. Data classification labeling
  • B. Data residing in another country
  • C. Volume of data stored
  • D. Privacy training for backup users
Answer: B

Explanation:
Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2014/selecting-the-right-cloud-operating-model-privacy-and-data-security-in-the-cloud
When evaluating cloud-based services for backup, one of the most important factors to consider
from a privacy regulation standpoint is data residing in another country. This is because different
countries may have different privacy laws and regulations that apply to the personal data stored or
processed in their jurisdictions. Some countries may have more stringent or protective privacy laws
than others, while some countries may have more intrusive or invasive practices that pose threats to
data privacy. Therefore, an organization should be aware of the location of its cloud-based backup
service provider and its servers, and ensure that there are adequate safeguards and agreements in
place to protect the personal data from unauthorized or unlawful access, use, disclosure, or
transfer.
Reference: CDPSE Review Manual (Digital Version), page 159

Question 3

Which of the following should be the FIRST consideration when selecting a data sanitization method?

  • A. Risk tolerance
  • B. Implementation cost
  • C. Industry standards
  • D. Storage type
Answer: D

Explanation:
The first consideration when selecting a data sanitization method is the type of storage device that
holds the data to be sanitized. Different types of storage devices have different characteristics and
limitations that affect the effectiveness and feasibility of data sanitization methods. For example,
magnetic media, such as hard disk drives (HDDs), can be sanitized by degaussing, which wipes data
permanently by weakening the magnetic field [1]. However, degaussing is not applicable to devices
that use solid state drive (SSD) technology, since SSDs do not store data magnetically [2]. Therefore,
the storage type determines which data sanitization methods are suitable and available for the data
disposal process.
References:
[1] ISACA, Why (and How to) Dispose of Digital Data, Data Degaussing
[2] TechReset, Data Sanitization and Methods, Cryptographic Erasure
[3] ISACA, Best Practices for Data Hygiene, Data Hygiene Practices
[4] Imperva, What is Data Sanitization?

Question 4

Which of the following system architectures BEST supports anonymity for data transmission?

  • A. Client-server
  • B. Plug-in-based
  • C. Front-end
  • D. Peer-to-peer
Answer: D

Explanation:
A peer-to-peer (P2P) system architecture is a network model where each node (peer) can act as both
a client and a server, and communicate directly with other peers without relying on a centralized
authority or intermediary. A P2P system architecture best supports anonymity for data transmission
by providing the following advantages:

  • It can hide the identity and location of the peers by using encryption, pseudonyms, proxies, or
    onion routing techniques, such as Tor or I2P. These techniques can prevent eavesdropping, tracking,
    or censorship by third parties, such as Internet service providers, governments, or hackers.
  • It can distribute the data across multiple peers by using hashing, replication, or fragmentation
    techniques, such as BitTorrent or IPFS. These techniques can reduce the risk of data loss,
    corruption, or tampering by malicious peers, and increase the availability and resilience of the data.
  • It can enable the peers to control their own data by using consensus, validation, or incentive
    mechanisms, such as blockchain or smart contracts. These mechanisms can ensure the integrity and
    authenticity of the data transactions, and enforce the privacy policies and preferences of the data
    owners.

Question 5

Of the following, who should be PRIMARILY accountable for creating an organization’s privacy
management strategy?

  • A. Chief data officer (CDO)
  • B. Privacy steering committee
  • C. Information security steering committee
  • D. Chief privacy officer (CPO)
Answer: D

Explanation:
Some organizations, typically those that manage large amounts of personal information related to
employees, customers, or constituents, will employ a chief privacy officer (CPO). Some organizations
have a CPO because applicable regulations such as the Gramm-Leach-Bliley Act (GLBA) require it.
Other regulations such as the Health Insurance Portability and Accountability Act (HIPAA), the Fair
Credit Reporting Act (FCRA), and the GLBA place a slate of responsibilities upon an organization that
compel it to hire an executive responsible for overseeing compliance.
The chief privacy officer (CPO) is the senior executive who is responsible for establishing and
maintaining the organization’s privacy vision, strategy, and program. The CPO oversees the
development and implementation of privacy policies, procedures, standards, and controls, and
ensures that they align with the organization’s business objectives and legal obligations. The CPO
also leads the privacy governance structure, such as the privacy steering committee, and coordinates
with other stakeholders, such as the chief data officer (CDO), the information security steering
committee, and the legal counsel, to ensure that privacy is integrated into all aspects of the
organization’s operations.
Reference: CDPSE Review Manual (Digital Version), page 21

Question 6

Which of the following is the BEST way to protect personal data in the custody of a third party?

  • A. Have corporate counsel monitor privacy compliance.
  • B. Require the third party to provide periodic documentation of its privacy management program.
  • C. Include requirements to comply with the organization’s privacy policies in the contract.
  • D. Add privacy-related controls to the vendor audit plan.
Answer: C

Explanation:
In GDPR parlance, organizations that use third-party service providers are often, but not always,
considered data controllers, which are entities that determine the purposes and means of the
processing of personal data, which can include directing third parties to process personal data on
their behalf. The third parties that process data for data controllers are known as data processors.
The best way to protect personal data in the custody of a third party is to include requirements to
comply with the organization’s privacy policies in the contract. This means that the organization
should specify the terms and conditions of data processing, such as the purpose, scope, duration,
and security measures, and ensure that they are consistent with the organization’s privacy policies
and applicable privacy regulations. The contract should also define the roles and responsibilities of
both parties, such as data controller and data processor, and establish mechanisms for monitoring,
reporting, auditing, and resolving any issues or incidents related to data privacy.
Reference: CDPSE Review Manual (Digital Version), page 41

Question 7

Which of the following is MOST important to ensure when developing a business case for the
procurement of a new IT system that will process and store personal information?

  • A. The system architecture is clearly defined.
  • B. A risk assessment has been completed.
  • C. Security controls are clearly defined.
  • D. Data protection requirements are included.
Answer: D

Explanation:
Reference: https://www.isaca.org/privacy-policy
The most important thing to ensure when developing a business case for the procurement of a new
IT system that will process and store personal information is that data protection requirements are
included. This means that the organization should identify and analyze the privacy risks and impacts
of the new IT system, and determine the appropriate measures to mitigate or eliminate them. The
data protection requirements should cover aspects such as data minimization, consent, access,
rectification, erasure, portability, security, breach notification, etc. The data protection requirements
should also align with the organization’s privacy policies and applicable privacy regulations.
Reference: CDPSE Review Manual (Digital Version), page 63

Question 8

Which of the following is the BEST way to validate that privacy practices align to the published
enterprise privacy management program?

  • A. Conduct an audit.
  • B. Report performance metrics.
  • C. Perform a control self-assessment (CSA).
  • D. Conduct a benchmarking analysis.
Answer: A

Explanation:
The best way to validate that privacy practices align to the published enterprise privacy management
program is to conduct an audit. An audit is an independent and objective examination of evidence to
provide assurance that privacy practices are effective and compliant with the enterprise privacy
management program. An audit can also identify any gaps or weaknesses in the privacy practices and
provide recommendations for improvement. An audit can be conducted internally or externally,
depending on the scope, objectives, and standards of the audit.
Reference: CDPSE Review Manual (Digital Version), page 83

Question 9

Which of the following is the GREATEST benefit of adopting data minimization practices?

  • A. Storage and encryption costs are reduced.
  • B. Data retention efficiency is enhanced.
  • C. The associated threat surface is reduced.
  • D. Compliance requirements are met.
Answer: C

Explanation:
The greatest benefit of adopting data minimization practices is that the associated threat surface is
reduced. Data minimization is a privacy principle that states that personal data should be adequate,
relevant, and limited to what is necessary for the purposes for which they are processed. Data
minimization helps to protect data privacy by reducing the amount and type of personal data that are
collected, stored, processed, or shared by an organization. This in turn reduces the exposure of
personal data to potential threats, such as unauthorized access, use, disclosure, modification, or
loss.
Reference: CDPSE Review Manual (Digital Version), page 29

Question 10

An organization wants to develop an application programming interface (API) to seamlessly exchange
personal data with an application hosted by a third-party service provider. What should be the FIRST
step when developing an application link?

  • A. Data tagging
  • B. Data normalization
  • C. Data mapping
  • D. Data hashing
Answer: C

Explanation:
Data mapping is the process of defining how data elements from different sources are related,
transformed, and transferred to a common destination. Data mapping is the first step when
developing an application link because it helps to ensure that the data exchanged between the API
and the third-party application is consistent, accurate, and compatible. Data mapping also helps to
identify any gaps, errors, or conflicts in the data and resolve them before the data transfer occurs.
References:
Talend, What is Data Mapping?
Xplenty, Data Mapping: What It Is and How to Do It
