CDPSE
Title of test: CDPSE
Description: Data Privacy Engineer (ISACA)
What should be the PRIMARY consideration of a multinational organization deploying a user and entity behavior analytics (UEBA) tool to centralize the monitoring of anomalous employee behavior?. Cross-border data transfer. Support staff availability and skill set. User notification. Global public interest. Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?. The applicable privacy legislation. The quantity of information within the scope of the assessment. The systems in which privacy-related data is stored. The organizational security risk profile. Which of the following BEST represents privacy threat modeling methodology?. Mitigating inherent risks and threats associated with privacy control weaknesses. Systematically eliciting and mitigating privacy threats in a software architecture. Reliably estimating a threat actor’s ability to exploit privacy vulnerabilities. Replicating privacy scenarios that reflect representative software usage. An organization is creating a personal data processing register to document actions taken with personal data. Which of the following categories should document controls relating to periods of retention for personal data?. Data archiving. Data storage. Data acquisition. Data input. Data collected by a third-party vendor and provided back to the organization may not be protected according to the organization’s privacy notice. Which of the following is the BEST way to address this concern?. Review the privacy policy. Obtain independent assurance of current practices. Re-assess the information security requirements. Validate contract compliance. During the design of a role-based user access model for a new application, which of the following principles is MOST important to ensure data privacy is protected?. Segregation of duties. Unique user credentials. Two-person rule. Need-to-know basis. 
Which of the following should FIRST be established before a privacy office starts to develop a data protection and privacy awareness campaign?. Detailed documentation of data privacy processes. Strategic goals of the organization. Contract requirements for independent oversight. Business objectives of senior leaders. Which of the following features should be incorporated into an organization’s technology stack to meet privacy requirements related to the rights of data subjects to control their personal data?. Providing system engineers the ability to search and retrieve data. Allowing individuals to have direct access to their data. Allowing system administrators to manage data access. Establishing a data privacy customer service bot for individuals. Which of the following is the GREATEST concern for an organization subject to cross-border data transfer regulations when using a cloud service provider to store and process data?. The service provider has denied the organization’s request for right to audit. Personal data stored on the cloud has not been anonymized. The extent of the service provider’s access to data has not been established. The data is stored in a region with different data protection requirements. When configuring information systems for the communication and transport of personal data, an organization should: adopt the default vendor specifications. review configuration settings for compliance. implement the least restrictive mode. enable essential capabilities only. Which of the following helps define data retention time is a stream-fed data lake that includes personal data?. Information security assessments. Privacy impact assessments (PIAs). Data privacy standards. Data lake configuration. When evaluating cloud-based services for backup, which of the following is MOST important to consider from a privacy regulation standpoint?. Data classification labeling. Data residing in another country. Volume of data stored. 
Privacy training for backup users. Which of the following should be the FIRST consideration when selecting a data sanitization method?. Risk tolerance. Implementation cost. Industry standards. Storage type. Which of the following system architectures BEST supports anonymity for data transmission?. Client-server. Plug-in-based. Front-end. Peer-to-peer. Of the following, who should be PRIMARILY accountable for creating an organization’s privacy management strategy?. Chief data officer (CDO). Privacy steering committee. Information security steering committee. Chief privacy officer (CPO). Which of the following is the BEST way to protect personal data in the custody of a third party?. Have corporate counsel monitor privacy compliance. Require the third party to provide periodic documentation of its privacy management program. Include requirements to comply with the organization’s privacy policies in the contract. Add privacy-related controls to the vendor audit plan. Which of the following is MOST important to ensure when developing a business case for the procurement of a new IT system that will process and store personal information?. The system architecture is clearly defined. A risk assessment has been completed. Security controls are clearly defined. Data protection requirements are included. Which of the following is the BEST way to validate that privacy practices align to the published enterprise privacy management program?. Conduct an audit. Report performance metrics. Perform a control self-assessment (CSA). Conduct a benchmarking analysis. Which of the following is the GREATEST benefit of adopting data minimization practices?. Storage and encryption costs are reduced. Data retention efficiency is enhanced. The associated threat surface is reduced. Compliance requirements are met. An organization want to develop an application programming interface (API) to seamlessly exchange personal data with an application hosted by a third-party service provider. 
What should be the FIRST step when developing an application link?. Data tagging. Data normalization. Data mapping. Data hashing. Which of the following vulnerabilities is MOST effectively mitigated by enforcing multi-factor authentication to obtain access to personal information?. End users using weak passwords. Organizations using weak encryption to transmit data. Vulnerabilities existing in authentication pages. End users forgetting their passwords. Which of the following is the BEST way for an organization to limit potential data exposure when implementing a new application?. Implement a data loss prevention (DLP) system. Use only the data required by the application. Encrypt all data used by the application. Capture the application’s authentication logs. An online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities. Which data protection principle is applied?. Data integrity and confidentiality. System use requirements. Data use limitation. Lawfulness and fairness. What type of personal information can be collected by a mobile application without consent?. Full name. Geolocation. Phone number. Accelerometer data. What is the PRIMARY means by which an organization communicates customer rights as it relates to the use of their personal information?. Distributing a privacy rights policy. Mailing rights documentation to customers. Publishing a privacy notice. Gaining consent when information is collected. A new marketing application needs to use data from the organization’s customer database. Prior to the application using the data, which of the following should be done FIRST?. Ensure the data loss prevention (DLP) tool is logging activity. De-identify all personal data in the database. Determine what data is required by the application. Renew the encryption key to include the application. 
Which of the following MUST be available to facilitate a robust data breach management response?. Lessons learned from prior data breach responses. Best practices to obfuscate data for processing and storage. An inventory of previously impacted individuals. An inventory of affected individuals and systems. Which of the following zones within a data lake requires sensitive data to be encrypted or tokenized?. Trusted zone. Clean zone. Raw zone. Temporal zone. Which of the following poses the GREATEST privacy risk for client-side application processing?. Failure of a firewall protecting the company network. An employee loading personal information on a company laptop. A remote employee placing communication software on a company server. A distributed denial of service attack (DDoS) on the company network. Which of the following is the PRIMARY consideration to ensure control of remote access is aligned to the privacy policy?. Access is logged on the virtual private network (VPN). Multi-factor authentication is enabled. Active remote access is monitored. Access is only granted to authorized users. Which of the following scenarios poses the GREATEST risk to an organization from a privacy perspective?. The organization lacks a hardware disposal policy. Emails are not consistently encrypted when sent internally. Privacy training is carried out by a service provider. The organization’s privacy policy has not been reviewed in over a year. Within a business continuity plan (BCP), which of the following is the MOST important consideration to ensure the ability to restore availability and access to personal data in the event of a data privacy incident?. Offline backup availability. Recovery time objective (RTO). Recovery point objective (RPO). Online backup frequency. In which of the following should the data record retention period be defined and established?. Data record model. Data recovery procedures. Data quality standard. Data management plan. 
When tokenizing credit card data, what security practice should be employed with the original data before it is stored in a data lake?. Encoding. Backup. Encryption. Classification. Which key stakeholder within an organization should be responsible for approving the outcomes of a privacy impact assessment (PIA)?. Data custodian. Privacy data analyst. Data processor. Data owner. Which of the following is the best reason for a health organization to use desktop virtualization to implement stronger access control to systems containing patient records?. Limited functions and capabilities of a secured operating environment. Monitored network activities for unauthorized use. Improved data integrity and reduced effort for privacy audits. Unlimited functionalities and highly secured applications. What is the BEST way for an organization to maintain the effectiveness of its privacy breach incident response plan?. Require security management to validate data privacy security practices. Involve the privacy office in an organizational review of the incident response plan. Hire a third party to perform a review of data privacy processes. Conduct annual data privacy tabletop exercises. Which of the following is MOST important when developing an organizational data privacy program?. Obtaining approval from process owners. Profiling current data use. Following an established privacy framework. Performing an inventory of all data. Which of the following should be considered personal information?. Biometric records. Company address. University affiliation. Age. Which of the following should an IT privacy practitioner do FIRST following a decision to expand remote working capability to all employees due to a global pandemic?. Evaluate the impact resulting from this change. Revisit the current remote working policies. Implement a virtual private network (VPN) tool. Enforce multi-factor authentication for remote access. 
When using anonymization techniques to prevent unauthorized access to personal data, which of the following is the MOST important consideration to ensure the data is adequately protected?. The key must be kept separate and distinct from the data it protects. The data must be protected by multi-factor authentication. The key must be a combination of alpha and numeric characters. The data must be stored in locations protected by data loss prevention (DLP) technology. Which party should data subject contact FIRST if they believe their personal information has been collected and used without consent?. Privacy rights advocate. Outside privacy counsel. Data protection authorities. The organization’s chief privacy officer (CPO). Which of the following BEST enables an IT privacy practitioner to ensure appropriate protection for personal data collected that is required to provide necessary services?. Understanding the data flows within the organization. Implementing strong access controls on a need-to-know basis. Anonymizing privacy data during collection and recording. Encrypting the data throughout its life cycle. Which of the following tracking technologies associated with unsolicited targeted advertisements presents the GREATEST privacy risk?. Online behavioral tracking. Radio frequency identification (RFID). Website cookies. Beacon-based tracking. Which of the following should an IT privacy practitioner do FIRST before an organization migrates personal data from an on-premise solution to a cloud-hosted solution?. Develop and communicate a data security plan. Perform a privacy impact assessment (PIA). Ensure strong encryption is used. Conduct a security risk assessment. Which of the following is a PRIMARY consideration to protect against privacy violations when utilizing artificial intelligence (AI) driven business decisions?. De-identifying the data to be analyzed. Verifying the data subjects have consented to the processing. Defining the intended objectives. 
Ensuring proper data sets are used to train the models. To ensure effective management of an organization’s data privacy policy, senior leadership MUST define. training and testing requirements for employees handling personal data. roles and responsibilities of the person with oversights. metrics and outcomes recommended by external agencies. the scope and responsibilities of the data owner. Which of the following BEST ensures data confidentiality across databases?. Logical data model. Data normalization. Data catalog vocabulary. Data anonymization. Which of the following vulnerabilities would have the GREATEST impact on the privacy of information?. Private Key exposure. Poor patch management. Lack of password complexity. Out-of-date antivirus signatures. Which of the following is MOST important to consider when managing changes to the provision of services by a third party that processes personal data?. Changes to current information architecture. Updates to data life cycle policy. Business impact due to the changes. Modifications to data quality standards. Which of the following techniques mitigates design flaws in the application development process that may contribute to potential leakage of personal data?. User acceptance testing (UAT). Patch management. Software hardening. Web application firewall (WAF). Which of the following is the PRIMARY reason that a single cryptographic key should be used for only one purpose, such as encryption or authentication?. It eliminates cryptographic key collision. It minimizes the risk if the cryptographic key is compromised. It is more practical and efficient to use a single cryptographic key. Each process can only be supported by its own unique key management process. During which of the following system lifecycle stages is it BEST to conduct a privacy impact assessment (PIA) on a system that holds personal data?. Functional testing. Development. Production. User acceptance testing (UAT). 
Which of the following is the PRIMARY reason that organizations need to map the data flows of personal data?. To assess privacy risks. To evaluate effectiveness of data controls. To determine data integration gaps. To comply with regulations. Which of the following is the BEST method to ensure the security of encryption keys when transferring data containing personal information between cloud applications?. Whole disk encryption. Asymmetric encryption. Digital Signature. Symmetric encryption. When using pseudonymization to prevent unauthorized access to personal data, which of the following is the MOST important consideration to ensure the data is adequately protected?. The data must be protected by multi-factor authentication. The identifier must be kept separate and distinct from the data it protects. The key must be a combination of alpha and numeric characters. The data must be stored in locations protected by data loss prevention (DLP) technology. Which of the following is the BEST way to limit the organization’s potential exposure in the event of consumer data loss while maintaining the traceability of the data?. Encrypt the data at rest. De-identify the data. Use a unique hashing algorithm. Require a digital signature. Which authentication practice is being used when an organization requires a photo on a government-issued identification card to validate an in-person credit card purchase?. Possession factor authentication. Knowledge-based credential authentication. Multi-factor authentication. Biometric authentication. Which of the following BEST ensures a mobile application implementation will meet an organization’s data security standards?. User acceptance testing (UAT). Data classification. Privacy impact assessment (PIA). Automatic dynamic code scan. Which of the following is the PRIMARY benefit of implementing policies and procedures for system hardening?. It increases system resiliency. It reduces external threats to data. It reduces exposure of data. 
It eliminates attack motivation for data. Which of the following is the MOST important consideration when using advanced data sanitization methods to ensure privacy data will be unrecoverable?. Subject matter expertise. Type of media. Regulatory compliance requirements. Location of data. An email opt-in form on a website applies to which privacy principle?. Accuracy. Consent. Transparency. Integrity. Which of the following is MOST likely to present a valid use case for keeping a customer’s personal data after contract termination?. For the purpose of medical research. A forthcoming campaign to win back customers. A required retention period due to regulations. Ease of onboarding when the customer returns. Which of the following is the BEST approach for a local office of a global organization faced with multiple privacy-related compliance requirements?. Focus on developing a risk action plan based on audit reports. Focus on requirements with the highest organizational impact. Focus on global compliance before meeting local requirements. Focus on local standards before meeting global compliance. Which of the following is the MOST important consideration when writing an organization’s privacy policy?. Using a standardized business taxonomy. Aligning statements to organizational practices. Ensuring acknowledgment by the organization’s employees. Including a development plan for personal data handling. Which of the following BEST supports an organization’s efforts to create and maintain desired privacy protection practices among employees?. Skills training programs. Awareness campaigns. Performance evaluations. Code of conduct principles. Which of the following hard drive sanitation methods provides an organization with the GREATEST level of assurance that data has been permanently erased?. Degaussing the drive. Factory resetting the drive. Crypto-shredding the drive. Reformatting the drive. Which of the following describes a user’s “right to be forgotten”?. 
The data is being used to comply with legal obligations or the public interest. The data is no longer required for the purpose originally collected. The individual objects despite legitimate grounds for processing. The individual’s legal residence status has recently changed. When choosing data sources to be used within a big data architecture, which of the following data attributes MUST be considered to ensure data is not aggregated?. Accuracy. Granularity. Consistency. Reliability. Which of the following should be used to address data kept beyond its intended lifespan?. Data minimization. Data anonymization. Data security. Data normalization. Which of the following would MOST effectively reduce the impact of a successful breach through a remote access solution?. Compartmentalizing resource access. Regular testing of system backups. Monitoring and reviewing remote access logs. Regular physical and remote testing of the incident response plan. A multinational corporation is planning a big data initiative to help with critical business decisions. Which of the following is the BEST way to ensure personal data usage is standardized across the entire organization?. De-identify all data. Develop a data dictionary. Encrypt all sensitive data. Perform data discovery. An organization’s data destruction guidelines should require hard drives containing personal data to go through which of the following processes prior to being crushed?. Low-level formatting. Remote partitioning. Degaussing. Hammer strike. Which of the following processes BEST enables an organization to maintain the quality of personal data?. Implementing routine automatic validation. Maintaining hashes to detect changes in data. Encrypting personal data at rest. Updating the data quality standard through periodic review. Which of the following is the MOST important consideration when determining retention periods for personal data?. Sectoral best practices for the industry. 
Notice provided to customers during data collection. Data classification standards. Storage capacity available for retained data. What is the BEST method to protect customers’ personal data that is forwarded to a central system for analysis?. Pseudonymization. Deletion. Encryption. Anonymization. Which of the following should be done FIRST to address privacy risk when migrating customer relationship management (CRM) data to a new system?. Develop a data migration plan. Conduct a legitimate interest analysis (LIA). Perform a privacy impact assessment (PIA). Obtain consent from data subjects. Which of the following is the GREATEST obstacle to conducting a privacy impact assessment (PIA)?. Conducting a PIA requires significant funding and resources. PIAs need to be performed many times in a year. The organization lacks knowledge of PIA methodology. The value proposition of a PIA is not understood by management. Which of the following is the MOST important consideration to ensure privacy when using big data analytics?. Maintenance of archived data. Disclosure of how the data is analyzed. Transparency about the data being collected. Continuity with business requirements. An organization uses analytics derived from archived transaction data to create individual customer profiles for customizing product and service offerings. Which of the following is the IT privacy. Anonymize personal data. Discontinue the creation of profiles. Implement strong access controls. Encrypt data at rest. When a government’s health division established the complete privacy regulation for only the health market, which privacy protection reference model is being used?. Co-regulatory. Sectoral. Comprehensive. Self-regulatory. An organization is developing a wellness smartwatch application and is considering what information should be collected from the application users. Which of the following is the MOST legitimate information to collect for business reasons in this situation?. 
Height, weight, and activities. Sleep schedule and calorie intake. Education and profession. Race, age, and gender. Which of the following is the BEST way to distinguish between a privacy risk and compliance risk?. Perform a privacy risk audit. Conduct a privacy risk assessment. Validate a privacy risk attestation. Conduct a privacy risk remediation exercise. It is MOST important to consider privacy by design principles during which phase of the software development life cycle (SDLC)?. Application design. Requirements definition. Implementation. Testing. Which of the following is a PRIMARY objective of performing a privacy impact assessment (PIA) prior to onboarding a new Software as a Service (SaaS) provider for a customer relationship management (CRM) system?. To identify controls to mitigate data privacy risks. To classify personal data according to the data classification scheme. To assess the risk associated with personal data usage. To determine the service provider’s ability to maintain data protection controls. Which of the following protocols BEST protects end-to-end communication of personal data?. Transmission Control Protocol (TCP). Transport Layer Security Protocol (TLS). Secure File Transfer Protocol (SFTP). Hypertext Transfer Protocol (HTTP). An organization is planning a new implementation for tracking consumer web browser activity. Which of the following should be done FIRST?. Seek approval from regulatory authorities. Conduct a privacy impact assessment (PIA). Obtain consent from the organization’s clients. Review and update the cookie policy. Which of the following is the BEST control to secure application programming interfaces (APIs) that may contain personal information?. Encrypting APIs with the organization’s private key. Requiring nondisclosure agreements (NDAs) when sharing APIs. Restricting access to authorized users. Sharing only digitally signed APIs. 
Which of the following rights is an important consideration that allows data subjects to request the deletion of their data?. The right to object. The right to withdraw consent. The right to access. The right to be forgotten. A global organization is planning to implement a customer relationship management (CRM) system to be used in offices based in multiple countries. Which of the following is the MOST important data protection consideration for this project?. Industry best practice related to information security standards in each relevant jurisdiction. Identity and access management mechanisms to restrict access based on need to know. Encryption algorithms for securing customer personal data at rest and in transit. National data privacy legislative and regulatory requirements in each relevant jurisdiction. An organization is concerned with authorized individuals accessing sensitive personal customer information to use for unauthorized purposes. Which of the following technologies is the BEST choice to mitigate this risk?. Email filtering system. Intrusion monitoring. Mobile device management (MDM). User behavior analytics. Which of the following MOST effectively protects against the use of a network sniffer?. Network segmentation. Transport layer encryption. An intrusion detection system (IDS). A honeypot environment. Which of the following is the BEST indication of an effective records management program for personal data?. Archived data is used for future analytics. The legal department has approved the retention policy. All sensitive data has been tagged. A retention schedule is in place. Which of the following is MOST important to establish within a data storage policy to protect data privacy?. Data redaction. Data quality assurance (QA). Irreversible disposal. Collection limitation. Which of the following helps to ensure the identities of individuals in two-way communication are verified?. Virtual private network (VPN). Transport Layer Security (TLS). 
Mutual certificate authentication. Secure Shell (SSH). Which of the following is the BEST way to hide sensitive personal data that is in use in a data lake?. Data masking. Data truncation. Data encryption. Data minimization. A global financial institution is implementing data masking technology to protect personal data used for testing purposes in non-production environments. Which of the following is the GREATEST challenge in this situation?. Access to personal data is not strictly controlled in development and testing environments. Complex relationships within and across systems must be retained for testing. Personal data across the various interconnected systems cannot be easily identified. Data masking tools are complex and difficult to implement. Which of the following is the BEST way to manage different IT staff access permissions for personal data within an organization?. Mandatory access control. Network segmentation. Dedicated access system. Role-based access control. Which of the following deployed at an enterprise level will MOST effectively block malicious tracking of user Internet browsing?. Web application firewall (WAF). Website URL blacklisting. Domain name system (DNS) sinkhole. Desktop antivirus software. Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?. To comply with consumer regulatory requirements. To establish privacy breach response procedures. To classify personal data. To understand privacy risks. How can an organization BEST ensure its vendors are complying with data privacy requirements defined in their contracts?. Review self-attestations of compliance provided by vendor management. Obtain independent assessments of the vendors’ data management processes. Perform penetration tests of the vendors’ data security. Compare contract requirements against vendor deliverables. Before executive leadership approves a new data privacy policy, it is MOST important to ensure. 
a training program is developed. a privacy committee is established. a distribution methodology is identified. a legal review is conducted. Which of the following is an IT privacy practitioner’s BEST recommendation to reduce privacy risk before an organization provides personal data to a third party?. Tokenization. Aggregation. Anonymization. Encryption. Which of the following is a responsibility of the audit function in helping an organization address privacy compliance requirements?. Approving privacy impact assessments (PIAs). Validating the privacy framework. Managing privacy notices provided to customers. Establishing employee privacy rights and consent. An online retail company is trying to determine how to handle users’ data if they unsubscribe from marketing emails generated from the website. Which of the following is the BEST approach for handling personal data that has been restricted?. Encrypt users’ information so it is inaccessible to the marketing department. Reference the privacy policy to see if the data is truly restricted. Remove users’ information and account from the system. Flag users’ email addresses to make sure they do not receive promotional information. Which of the following should be done FIRST when developing an organization-wide strategy to address data privacy risk?. Obtain executive support. Develop a data privacy policy. Gather privacy requirements from legal counsel. Create a comprehensive data inventory. Which of the following is the BEST way to protect the privacy of data stored on a laptop in case of loss or theft?. Strong authentication controls. Remote wipe. Regular backups. Endpoint encryption. Which of the following should be established FIRST before authorizing remote access to a data store containing personal data?. Privacy policy. Network security standard. Multi-factor authentication. Virtual private network (VPN). 
Which of the following should be of GREATEST concern when an organization wants to store personal data in the cloud? The organization’s potential legal liabilities related to the data. The data recovery capabilities of the storage provider. The data security policies and practices of the storage provider. Any vulnerabilities identified in the cloud system.
As part of a major data discovery initiative to identify personal data across the organization, the project team has identified the proliferation of personal data held as unstructured data as a major risk. What should be done FIRST to address this situation? Identify sensitive unstructured data at the point of creation. Classify sensitive unstructured data. Identify who has access to sensitive unstructured data. Assign an owner to sensitive unstructured data.
Which types of controls need to be applied to ensure accuracy at all stages of processing, storage, and deletion throughout the data life cycle? Processing flow controls. Time-based controls. Purpose limitation controls. Integrity controls.
Which of the following is the BEST approach to minimize privacy risk when collecting personal data? Use a third party to collect, store, and process the data. Collect data through a secure organizational web server. Collect only the data necessary to meet objectives. Aggregate the data immediately upon collection.
Which of the following should be done FIRST to establish privacy by design when developing a contact-tracing application? Conduct a privacy impact assessment (PIA). Conduct a development environment review. Identify privacy controls for the application. Identify differential privacy techniques.
A software development organization with remote personnel has implemented a third-party virtualized workspace to allow the teams to collaborate. Which of the following should be of GREATEST concern? The third-party workspace is hosted in a highly regulated jurisdiction. Personal data could potentially be exfiltrated through the virtual workspace. The organization’s products are classified as intellectual property. There is a lack of privacy awareness and training among remote personnel.
Which of the following is MOST important when designing application programming interfaces (APIs) that enable mobile device applications to access personal data? The user’s ability to select, filter, and transform data before it is shared. Umbrella consent for multiple applications by the same developer. User consent to share personal data. Unlimited retention of personal data by third parties.
A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT? Review data flow post migration. Ensure appropriate data classification. Engage an external auditor to review the source data. Check the documentation version history for anomalies.
Which of the following is the BEST way to reduce the risk of compromised credentials when an organization allows employees to have remote access? Enable whole disk encryption on remote devices. Purchase an endpoint detection and response (EDR) tool. Implement multi-factor authentication. Deploy single sign-on with complex password requirements.
Which of the following is the PRIMARY objective of privacy incident response? To ensure data subjects impacted by privacy incidents are notified. To reduce privacy risk to the lowest possible level. To mitigate the impact of privacy incidents. To optimize the costs associated with privacy incidents.
An organization wants to ensure that endpoints are protected in line with the privacy policy. Which of the following should be the FIRST consideration? Detecting malicious access through endpoints. Implementing network traffic filtering on endpoint devices. Managing remote access and control. Hardening the operating systems of endpoint devices.
An organization has a policy requiring the encryption of personal data if transmitted through email. Which of the following is the BEST control to ensure the effectiveness of this policy? Provide periodic user awareness training on data encryption. Implement a data loss prevention (DLP) tool. Conduct regular control self-assessments (CSAs). Enforce annual attestation to policy compliance.
Which of the following helps to ensure the identities of individuals in a two-way communication are verified? Virtual private network (VPN). Secure Shell (SSH). Transport Layer Security (TLS). Mutual certificate authentication.
Which of the following is the BEST practice to protect data privacy when disposing of removable backup media? Data encryption. Data sanitization. Data scrambling. Data masking.
Which of the following should be done FIRST before an organization migrates data from an on-premises solution to a cloud-hosted solution that spans more than one jurisdiction? Ensure data loss prevention (DLP) alerts are turned on. Encrypt the data while it is being migrated. Conduct a penetration test of the hosted solution. Assess the organization's exposure related to the migration.
Which of the following is the MOST effective way to support organizational privacy awareness objectives? Funding in-depth training and awareness education for data privacy staff. Implementing an annual training certification process. Including mandatory awareness training as part of performance evaluations. Customizing awareness training by business unit function.
Which of the following assurance approaches is MOST effective in identifying vulnerabilities within an application programming interface (API) transferring personal data? Source code review. Security audit. Bug bounty program. Tabletop simulation.
Which of the following activities would BEST enable an organization to identify gaps in its privacy posture? Retargeting employees for awareness training after a social engineering attack. Conducting a simulation exercise that requires participants to respond to a privacy incident. Providing an interactive session on privacy risks at an organization-wide meeting. Requiring employees to review the organization's privacy policy on an annual basis.
Which of the following is the BEST way to address threats to mobile device privacy when using beacons as a tracking technology? Disable location services. Disable Bluetooth services. Enable Trojan scanners. Enable antivirus for mobile devices.
Which of the following BEST enables an organization to ensure privacy-related risk responses meet organizational objectives? Integrating security and privacy control requirements into the development of risk scenarios. Prioritizing privacy-related risk scenarios as part of enterprise risk management (ERM) processes. Using a top-down approach to develop privacy-related risk scenarios for the organization. Assigning the data protection officer accountability for privacy protection controls.
Which of the following technologies BEST facilitates protection of personal data? Data loss prevention (DLP) tools. Data discovery and mapping tools. Data log file monitoring tools. Data profiling tools.
Which of the following is the MOST important consideration when choosing a method for data destruction? Granularity of data to be destroyed. Validation and certification of data destruction. Time required for the chosen method of data destruction. Level and strength of current data encryption.
A multi-national organization has decided that regional human resources (HR) team members must be limited in their access to employee data only within their regional office. Which of the following is the BEST approach? Discretionary access control (DAC). Attribute-based access control (ABAC). Provision-based access control (PBAC). Mandatory access control (MAC).
Which of the following provides the BEST assurance that a potential vendor is able to comply with privacy regulations and the organization's data privacy policy? Including mandatory compliance language in the request for proposal (RFP). Obtaining self-attestations from all candidate vendors. Requiring candidate vendors to provide documentation of privacy processes. Conducting a risk assessment of all candidate vendors.
The BEST way for a multinational organization to ensure the comprehensiveness of its data privacy policy is to perform an annual review of changes to privacy regulations in: the region where the business is incorporated. all jurisdictions where corporate data is processed. all countries with privacy regulations. all data sectors in which the business operates.
Using hash values with stored personal data BEST enables an organization to: Protect against unauthorized access. Detect changes to the data. Ensure data indexing performance. Tag the data with classification information.
To ensure the protection of personal data, privacy policies should mandate that access to information system applications be authorized by the: general counsel. database administrator. business application owner. chief information officer (CIO).
Which of the following is MOST important to include in a data use policy? The requirements for collecting and using personal data. The method used to delete or destroy personal data. The reason for collecting and using personal data. The length of time personal data will be retained.
Which of the following is MOST important to capture in the audit log of an application hosting personal data? Server details of the hosting environment. Last logins of privileged users. Last user who accessed personal data. Application error events.
Which of the following should an organization do FIRST to ensure it can respond to all data subject access requests in a timely manner? Understand the data in its possession. Invest in a platform to automate data review. Confirm what is required for disclosure. Create a policy for handling access requests.
A technology company has just launched a mobile application for tracking health symptoms. This application is built on a mobile device technology stack that allows users to share their location and details of their symptoms. Which of the following is the GREATEST privacy concern with collecting this data via mobile devices? Client-side device ID. Data storage requirements. Encryption of key data elements. Data usage without consent.
Which of the following is the BEST way for senior management to verify the success of its commitment to privacy by design? Review the findings of an industry benchmarking assessment. Identify trends in the organization's amount of compromised personal data. Review the findings of a third-party privacy control assessment. Identify trends in the organization's number of privacy incidents.
Which of the following is the BEST way to explain the difference between data privacy and data security? Data privacy is about data segmentation, while data security prevents unauthorized access. Data privacy protects the data subjects, while data security is about protecting critical assets. Data privacy stems from regulatory requirements, while data security focuses on consumer rights. Data privacy protects users from unauthorized disclosure, while data security prevents compromise.
An organization is considering the use of remote employee monitoring software. Which of the following is the MOST important privacy consideration when implementing this solution? Data should be used to improve employee performance. Data should be retained per the organization's retention policy. Data access should be restricted based on roles. Data analysis should be used to set staffing levels.
Which of the following is the BEST way to reduce the risk of compromise when transferring personal information using email? Centrally managed encryption. End user-managed encryption. Private cloud storage space. Password-protected .zip files.
Which of the following is an example of data anonymization as a means to protect personal data when sharing a database? The data is encrypted and a key is required to re-identify the data. Key fields are hidden and unmasking is required to access the data. Names and addresses are removed but the rest of the data is left untouched. The data is transformed such that re-identification is impossible.
Which of the following BEST enables an organization to ensure consumer credit card numbers are accurately captured? Input reference controls. Access controls. Input validation controls. Reconciliation controls.
Which of the following is the BEST course of action to prevent false positives from data loss prevention (DLP) tools? Conduct additional discovery scans. Suppress the alerts generating the false positives. Evaluate new data loss prevention (DLP) tools. Re-establish baselines for configuration rules.
When contracting with a Software as a Service (SaaS) provider, which of the following is the MOST important contractual requirement to ensure data privacy at service termination? Encryption of customer data. Removal of customer data. De-identification of customer data. Destruction of customer data.
A project manager for a new data collection system had a privacy impact assessment (PIA) completed before the solution was designed. Once the system was released into production, an audit revealed personal data was being collected that was not part of the PIA. What is the BEST way to avoid this situation in the future? Conduct a privacy post-implementation review. Document personal data workflows in the product life cycle. Require management approval of changes to system architecture design. Incorporate privacy checkpoints into the secure development life cycle.
Which of the following should an IT privacy practitioner review FIRST to understand where personal data is coming from and how it is used within the organization? Data process flow diagrams. Data inventory. Data classification. Data collection standards.
Which of the following is the FIRST step toward the effective management of personal data assets? Establish data security controls. Analyze metadata. Create a personal data inventory. Minimize personal data.
Which of the following should be done FIRST when performing a data quality assessment? Identify the data owner. Define data quality rules. Establish business thresholds. Assess completeness of the data inventory.
Which of the following is a foundational goal of data privacy laws? Privacy laws are designed to protect companies' collection of personal data. Privacy laws are designed to prevent the collection of personal data. Privacy laws are designed to provide transparency for the collection of personal data. Privacy laws are designed to give people rights over the collection of personal data.
Which of the following is the MOST effective remote access model for reducing the likelihood of attacks originating from connecting devices? Thick client desktop with virtual private network (VPN) connection. Remote wide area network (WAN) links. Thin client remote desktop protocol (RDP). Site-to-site virtual private network (VPN).
Which of the following is the PRIMARY reason for an organization to use hash functions when hardening application systems involved in biometric data processing? To reduce the risk of sensitive data breaches. To meet the organization's security baseline. To ensure technical security measures are effective. To prevent possible identity theft.
When is the BEST time during the secure development life cycle to perform privacy threat modeling? When identifying business requirements. Early in the design phase. During functional verification testing. Prior to the production release.
Which of the following is BEST used to validate compliance with agreed-upon service levels established with a third party that processes personal data? Key risk indicators (KRIs). Key performance indicators (KPIs). Industry benchmarks. Contractual right to audit.
Which of the following BEST ensures an effective data privacy policy is implemented? Developing a clear privacy statement with documented objectives. Incorporating data privacy regulations from all jurisdictions. Aligning regulatory requirements with business needs. Providing a comprehensive review of the policy for all business units.
Which type of data is produced by using a more complex method of analytics to find correlations between data sets and using them to categorize or profile people? Observed data. Inferred data. Derived data. Provided data.
Which of the following is a PRIMARY element of application and software hardening? Vulnerability analysis. Database configuration. Code review. Software repository.
A mortgage lender has created an online application that collects borrower information and delivers a mortgage decision automatically based on criteria set by the lender. Which fundamental data subject right does this process infringe upon? Right to restriction of processing. Right to be informed. Right not to be profiled. Right to object.
Which of the following is the BEST way to ensure third-party providers that process an organization's personal data are addressed as part of the data privacy strategy? Require data dictionaries from service providers that handle the organization's personal data. Outsource personal data processing to the same third party. Require independent audits of the providers' data privacy controls. Require service level agreements (SLAs) to ensure data integrity while safeguarding confidentiality.
An organization must de-identify its data before it is transferred to a third party. Which of the following should be done FIRST? Encrypt the data at rest and in motion. Remove the identifiers during the data transfer. Determine the categories of personal data collected. Ensure logging is turned on for the database.
Which of the following is the MOST important consideration for developing data retention requirements? Industry guidelines. Cost-benefit analysis. Data classification rules. Applicable regulations.
Which of the following is the MOST important action to protect a mobile banking app and its data against manipulation and disclosure? Define the mobile app privacy policy. Implement application hardening measures. Provide the app only through official app stores. Conduct penetration testing.
Which of the following BEST mitigates the privacy risk associated with setting cookies on a website? Implementing impersonation. Obtaining user consent. Ensuring nonrepudiation. Applying data masking.
Which of the following is the MOST important attribute of a privacy policy? Breach notification period. Data retention period. Transparency. Language localization.
Which of the following is the GREATEST privacy risk associated with the use of application programming interfaces (APIs)? APIs are costly to assess and monitor. API keys could be stored insecurely. APIs are complex to build and test. APIs could create an unstable environment.
An organization's work-from-home policy allows employees to access corporate IT assets remotely. Which of the following controls is MOST important to mitigate the risk of potential personal data compromise? Encryption of network traffic. Intrusion prevention system (IPS). Firewall rules review. Intrusion detection system (IDS).
Which of the following should be done NEXT after a privacy risk has been accepted? Monitor the risk landscape for material changes. Determine the risk appetite with management. Adjust the risk rating to help ensure it is remediated. Reconfirm the risk during the next reporting period.
Which of the following is MOST important to review before using an application programming interface (API) to help mitigate related privacy risk? Data taxonomy. Data classification. Data collection. Data flows.
Which of the following is the BEST way to address privacy concerns when an organization captures personal data from a third party through an open application programming interface (API)? Develop a service level agreement (SLA) with the third party. Implement encryption for the data transmission. Obtain consent from the data subjects. Review the specification document of the open API.
Which of the following needs to be identified FIRST to define the privacy requirements to use when assessing the selection of IT systems? Type of data being processed. Applicable privacy legislation. Applicable control frameworks. Available technology platforms.
The MOST effective way to incorporate privacy by design principles into applications is to include privacy requirements in: Senior management approvals. Secure coding practices. Software development practices. Software testing guidelines.
Which of the following should be done FIRST when a data collection process is deemed to be a high-level risk? Perform a business impact analysis (BIA). Implement remediation actions to mitigate privacy risk. Conduct a privacy impact assessment (PIA). Create a system of records notice (SORN).
An organization has an initiative to implement database encryption to strengthen privacy controls. Which of the following is the MOST useful information for prioritizing database selection? Database administration audit logs. Historical security incidents. Penetration test results. Asset classification scheme.
Which of the following is the BEST method of data sanitization when there is a need to balance the destruction of data and the ability to recycle IT assets? Cryptographic erasure. Factory reset. Data deletion. Degaussing.
Which of the following is the MOST important privacy consideration for video surveillance in high security areas? Video surveillance recordings may only be viewed by the organization. Those affected must be informed of the video surveillance. There is no limitation for retention of this data. Video surveillance data must be stored in encrypted format.
Which of the following is the PRIMARY reason to use public key infrastructure (PKI) for protection against a man-in-the-middle attack? It uses Transport Layer Security (TLS). It provides a secure connection on an insecure network. It makes public key cryptography feasible. It contains schemes for revoking keys.
Which of the following scenarios should trigger the completion of a privacy impact assessment (PIA)? Updates to data quality standards. New inter-organizational data flows. New data retention and backup policies. Updates to the enterprise data policy.
When can data subjects be prohibited from withdrawing consent for processing their personal data? When the data is no longer necessary. When the processing is unlawful. When there is an absence of overriding legitimate grounds. When the data is being archived in the public interest.
Which of the following is the BEST way for an organization to gain visibility into its exposure to privacy-related vulnerabilities? Implement a data loss prevention (DLP) solution. Review historical privacy incidents in the organization. Monitor inbound and outbound communications. Perform an analysis of known threats.
An organization has initiated a project to enhance privacy protections by improving its information security controls. Which of the following is the MOST useful action to help define the scope of the project? Review recent audit reports on the internal control environment. Identify databases that contain personal data. Identify databases that do not have encryption in place. Review proposed privacy rules that govern the processing of personal data.
Which of the following is the BEST way to ensure privacy considerations are included when working with vendors? Including privacy requirements in the request for proposal (RFP) process. Monitoring privacy-related service level agreements (SLAs). Including privacy requirements in vendor contracts. Requiring vendors to complete privacy awareness training.
Which of the following is the BEST control to detect potential internal breaches of personal data? Data loss prevention (DLP) systems. User behavior analytics tools. Employee background checks. Classification of data.
From a privacy perspective, it is MOST important to ensure data backups are: encrypted. incremental. differential. pseudonymized.
A data processor that handles personal data for multiple customers has decided to migrate its data warehouse to a third-party provider. What is the processor obligated to do prior to implementation? Seek approval from all in-scope data controllers. Obtain assurance that data subject requests will continue to be handled appropriately. Implement comparable industry-standard data encryption in the new data warehouse. Ensure data retention periods are documented.
Which of the following BEST ensures an organization's data retention requirements will be met in the public cloud environment? Data classification schemes. Automated data deletion schedules. Cloud vendor agreements. Service level agreements (SLAs).
Which of the following is the MOST important privacy consideration when developing a contact tracing application? The proportionality of the data collected for the intended purpose. Whether the application can be audited for compliance purposes. The creation of a clear privacy notice. Retention period for data storage.
An organization wishes to deploy strong encryption to its most critical and sensitive databases. Which of the following is the BEST way to safeguard the encryption keys? Ensure key management responsibility is assigned to the privacy officer. Ensure the keys are stored in a remote server. Ensure the keys are stored in a cryptographic vault. Ensure all access to the keys is under dual control.
An IT privacy practitioner wants to test an application in pre-production that will be processing sensitive personal data. Which of the following testing methods is BEST used to identify and review the application's runtime modules? Static application security testing (SAST). Dynamic application security testing (DAST). Regression testing. Software composition analysis.
What is the BEST way for an organization to maintain the effectiveness of its privacy breach incident response plan? Require security management to validate data privacy security practices. Conduct annual data privacy tabletop exercises. Hire a third party to perform a review of data privacy processes. Involve the privacy office in an organizational review of the incident response plan.
What is the PRIMARY means by which an organization communicates customer rights as it relates to the use of their personal information? Gaining consent when information is collected. Publishing a privacy notice. Mailing rights documentation to customers. Distributing a privacy rights policy.
Which of the following is a role PRIMARILY assigned to an internal data owner? Monitoring data retention periods. Authorizing access rights. Serving as primary contact with regulators. Implementing appropriate technical controls.
Which of the following practices BEST indicates an organization follows the data minimization principle? Data is pseudonymized when being backed up. Data is encrypted before storage. Data is only accessible on a need-to-know basis. Data is regularly reviewed for its relevance.
An online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities. Which data protection principle is applied? System use requirements. Data integrity and confidentiality. Lawfulness and fairness. Data use limitation.
Which of the following is the BEST indication of a highly effective privacy training program? Members of the workforce understand their roles in protecting data privacy. Recent audits have no findings or recommendations related to data privacy. No privacy incidents have been reported in the last year. HR has made privacy training an annual mandate for the organization.
Which encryption method encrypts and decrypts data using two separate yet mathematically connected cryptographic keys? Hashing. Private key. Asymmetric. Symmetric.
A health organization experienced a breach of a database containing pseudonymized personal data. Which of the following should be of MOST concern to the IT privacy practitioner? The data may be re-identified. The data was proprietary. The data was classified as confidential. The data is subject to regulatory fines.
Which of the following information would MOST likely be considered sensitive personal data? Mailing address. Bank account login ID. Ethnic origin. Contact phone number.
Within a regulatory and legal context, which of the following is the PRIMARY purpose of a privacy notice sent to customers? To educate data subjects regarding how personal data will be safeguarded. To inform customers about the procedure to legally file complaints for misuse of personal data. To provide transparency to the data subject on the intended use of their personal data. To establish the organization's responsibility for protecting personal data during the relationship with the data subject.
Transport Layer Security (TLS) provides data integrity through: calculation of message digests. use of File Transfer Protocol (FTP). asymmetric encryption of data sets. exchange of digital certificates.
Which of the following outputs of a privacy audit is MOST likely to trigger remedial action? Deficiencies in how personal data is shared with third parties. Recommendations to optimize current privacy policy. Identification of uses of sensitive personal data. Areas of focus for privacy training.
Which of the following is the BEST control to prevent the exposure of personal information when redeploying laptops within an organization? Set a unique static IP for the default network interface. Disable all wireless networking in the group policy. Reinstall the operating system and enable laptop encryption. Perform a full wipe and reimage of the laptops.
Critical data elements should be mapped to which of the following? Data process flow. Business analytics. Business taxonomy. Privacy policy.
Which of the following is the BEST way to ensure an organization's enterprise risk management (ERM) framework can protect the organization from privacy harms? Include privacy risks as a risk category. Establish a privacy incident response plan. Conduct an internal privacy audit. Complete a privacy risk assessment.
A privacy risk assessment identified that a third party collects personal data on the organization's behalf. This finding could subject the organization to a regulatory fine for not disclosing this relationship. What should the organization do NEXT? Amend the privacy policy to include a provision that data might be collected by trusted third parties. Review the third-party relationship to determine who should be collecting data. Update the risk assessment process to cover only required disclosures. Disclose the relationship to those affected in jurisdictions where such disclosures are required.
Which of the following MOST significantly impacts an organization's ability to respond to data subject access requests? The organization's data retention schedule is complex. Logging of systems and application data is limited. Third-party service level agreement (SLA) data is not always available. Availability of application data flow diagrams is limited.
Which of the following has the GREATEST impact on the treatment of data within the scope of an organization's privacy policy? Data protection impact assessment (DPIA). Data flow diagram. Data classification. Data processing agreement.
Which cloud deployment model is BEST for an organization whose main objectives are to logically isolate personal data from other tenants and adopt custom privacy controls for the data? Community cloud. Private cloud. Hybrid cloud. Public cloud.
Which of the following helps define data retention time in a stream-fed data lake that includes personal data? Privacy impact assessments (PIAs). Data lake configuration. Data privacy standards. Information security assessments.
An organization plans to implement a new cloud-based human resources (HR) solution with a mobile application interface. Which of the following is the BEST control to prevent data leakage? Download of data to the mobile devices is disabled. Single sign-on is enabled for the mobile application. Data stored in the cloud-based solution is encrypted. Separate credentials are used for the mobile application.
Which of the following is MOST important to capture in the audit log of an application hosting personal data? Server details of the hosting environment. Last user who accessed personal data. Application error events. Last logins of privileged users.
Which of the following is the MOST important consideration for determining the operational life of an encryption key? Number of entities involved in communication. Number of digitally signed documents in force. Volume and sensitivity of data protected. Length of key and complexity of algorithm.
Which of the following is the BEST way to ensure that application hardening is included throughout the software development life cycle (SDLC)? Require an annual internal audit of SDLC processes. Include qualified application security personnel as part of the process. Ensure comprehensive application security testing immediately prior to release. Require an annual third-party audit of new client software solutions.
An increase in threats originating from endpoints is an indication that: network audit frequency should increase. network protection should be maintained remotely. extended detection and response should be installed. credential management should be implemented.
Which of the following BEST illustrates privacy by design in the development of a consumer mobile application? The application only stores data locally. The application shares personal information upon request. The application only stores data for 24 hours. The application requires consent before sharing locations.
Who is ULTIMATELY accountable for the protection of personal data collected by an organization? Data processor. Data owner. Data custodian. Data protection officer.
Which of the following principles is MOST important to apply when granting access to an enterprise resource planning (ERP) system that contains a significant amount of personal data? Read-only access. Least privilege. Segregation of duties. Data minimization.