Which of the following is the BEST way to reduce the risk of compromise when transferring personal information using email?
Correct Answer: A
Explanation: Encryption is a security practice that transforms data into an unreadable format using a secret key or algorithm. Encryption protects the confidentiality and integrity of data, especially when they are transferred using email or other communication channels. Encryption ensures that only authorized parties can access and use the data, while unauthorized parties cannot decipher or modify the data without the key or algorithm. Encryption also helps to comply with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which require data controllers and processors to implement appropriate technical and organizational measures to safeguard personal data.

Centrally managed encryption is a type of encryption that is implemented and controlled by a central authority or system, such as an organization or a service provider. Centrally managed encryption has the following advantages over end user-managed encryption, private cloud storage space, or password-protected .zip files, for reducing the risk of compromise when transferring personal information using email:
- It can enforce consistent and standardized encryption policies and procedures across the organization or the service, such as the encryption standards, algorithms, keys, modes, and formats.
- It can automate the encryption and decryption processes for the users, without requiring them to perform any manual actions or install any software or plug-ins on their devices.
- It can monitor and audit the encryption activities and incidents, and provide visibility and accountability for the data protection and compliance status.
- It can reduce the human errors or negligence that may compromise the encryption security, such as losing or sharing the keys, forgetting or reusing the passwords, or sending the data to the wrong recipients.
References:
- Encryption in the Hands of End Users - ISACA, section 2: "A key goal of encryption is to protect the file even when direct access is possible or the transfer is intercepted."
- The Complexity Conundrum: Simplifying Data Security - ISACA, section 3: "Centrally managed encryption solutions can help enterprises overcome these challenges by providing a unified platform for encrypting data across different environments and applications."
- Email Encryption: What You Need to Know - Lifewire, section 1: "Email encryption is a way of protecting your email messages from being read by anyone other than the intended recipients."
Question 52
Which of the following is MOST important to capture in the audit log of an application hosting personal data?
Correct Answer: C
Explanation: An audit log is a record of the activities and events that occur in an information system, such as an application hosting personal data. An audit log can help to monitor, detect, investigate and prevent unauthorized or malicious access, use, modification or deletion of personal data. An audit log can also help to demonstrate compliance with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

An audit log should capture the following information for each event:
- The date and time of the event
- The identity of the user or system that performed the event
- The type and description of the event
- The outcome or result of the event
- The personal data that were accessed, used, modified or deleted

The last user who accessed personal data is the most important information to capture in the audit log, as it can help to identify who is responsible for any data breach or misuse of personal data. It can also help to verify that only authorized and legitimate users have access to personal data, and that they follow the data use policy and the principle of least privilege. The last user who accessed personal data can also help to support data subjects' rights, such as the right to access, rectify, erase or restrict their personal data.

The other options are less important or irrelevant to capture in the audit log of an application hosting personal data:
- Server details of the hosting environment are not related to personal data, and they can be obtained from other sources, such as network logs or configuration files.
- Last logins of privileged users are important to capture in a separate audit log for user account management, but they do not indicate what personal data were accessed or used by those users.
- Application error events are important to capture in a separate audit log for system performance and reliability, but they do not indicate what personal data were affected by those errors.

References:
- IS Audit Basics: Auditing Data Privacy, section 4: "Audit logs should be maintained for all systems that process PII."
- Data Protection Audit Manual, section 3.2: "Audit trails should be kept for all processing operations involving personal data."
- Audit Logging Best Practices, section 2: "An audit log entry should contain enough information to answer who did what and when."
Question 53
Which authentication practice is being used when an organization requires a photo on a government-issued identification card to validate an in-person credit card purchase?
Correct Answer: A
Question 54
Which of the following BEST represents privacy threat modeling methodology?
Correct Answer: B
Explanation: Privacy threat modeling is a methodology for identifying and mitigating privacy threats in a software architecture. It helps to ensure that privacy is considered in the design and development of software systems, and that privacy risks are minimized or eliminated. Privacy threat modeling typically involves the following steps: defining the scope and context of the system, identifying the data flows and data elements, identifying the privacy threats and their sources, assessing the impact and likelihood of the threats, and applying appropriate countermeasures to mitigate the threats.

References: CDPSE Review Manual (Digital Version), page 97
Question 55
Which of the following techniques mitigates design flaws in the application development process that may contribute to potential leakage of personal data?
Correct Answer: C
Explanation: Software hardening is a technique that mitigates design flaws in the application development process that may contribute to potential leakage of personal data. Software hardening is a process of modifying or configuring software to make it more secure and resilient against attacks or exploitation. Software hardening can involve various methods, such as removing unnecessary features or functions, disabling debugging or testing modes, applying patches or updates, implementing secure coding practices, etc. Software hardening helps to protect personal data by preventing or reducing the vulnerabilities that can allow unauthorized access, use, disclosure, or transfer of personal data.

References: CDPSE Review Manual (Digital Version), page 151