Which of the following is the GREATEST privacy risk associated with the use of application programming interfaces (APIs)?
Correct Answer: B
Explanation API keys are codes that are used to identify and authenticate an application or user when accessing an API. API keys could be stored insecurely, such as in plain text, in public repositories, or in unencrypted files. This could expose the API keys to unauthorized access, theft, or misuse by malicious actors, who could then access the API and the data it contains. This could result in data breaches, privacy violations, fraud, or other damages. References: * ISACA Certified Data Privacy Solutions Engineer Study Guide, Domain 3: Privacy Engineering, Task 3.4: Implement privacy engineering techniques to protect data in applications and systems, p. 106-107. * What Is an API Key? | API Key Definition | Fortinet
Question 22
Which of the following is the GREATEST obstacle to conducting a privacy impact assessment (PIA)?
Correct Answer: C
Question 23
Which of the following is MOST important to review before using an application programming interface (API) to help mitigate related privacy risk?
Correct Answer: D
Explanation Data flows are the most important to review before using an application programming interface (API) to help mitigate related privacy risk. Data flows are the paths or routes that data take from their sources to their destinations through various processes, transformations, or exchanges. Data flows can help understand how data are collected, used, shared, stored, or deleted by an API and its related applications. Data flows can also help identify the potential privacy risks or impacts that may arise from data processing activities involving an API and its related applications. Data flows can be represented by diagrams, maps, models, or documents that show the sources, destinations, types, formats, volumes, frequencies, purposes, or legal bases of data. Data taxonomy, data classification, and data collection are also important for privacy risk mitigation when using an API, but they are not the most important. Data taxonomy is a system of organizing and categorizing data into groups, classes, or hierarchies based on their characteristics, attributes, or relationships. Data taxonomy can help understand the structure, meaning, context, or value of data. Data classification is a process of assigning labels or tags to data based on their sensitivity, confidentiality, criticality, or risk level. Data classification can help determine the appropriate level of protection or handling for data. Data collection is a process of gathering or obtaining data from various sources for a specific purpose or objective. Data collection can help obtain the necessary information or evidence for decision making or problem solving. References: Critical API security risks: 10 best practices | TechBeacon, Open APIs and Security Risks | Govenda Board Portal Software, The top API security risks and how to mitigate them - Appinventiv
Question 24
When configuring information systems for the communication and transport of personal data, an organization should:
Correct Answer: D
Question 25
When is the BEST time during the secure development life cycle to perform privacy threat modeling?
Correct Answer: B
Explanation The best time during the secure development life cycle to perform privacy threat modeling is early in the design phase, because this will help identify and mitigate the potential privacy risks and vulnerabilities of the system or application before they become costly or difficult to fix. Privacy threat modeling is a systematic process of analyzing the data flows, assets, actors, and scenarios of a system or application to identify and prioritize the privacy threats and countermeasures12. Performing privacy threat modeling early in the design phase will also help ensure that privacy is built into the system or application from the start, rather than as an afterthought. References: * CDPSE Exam Content Outline, Domain 2 - Privacy Architecture (Privacy Architecture Implementation), Task 2: Implement privacy solutions3. * CDPSE Review Manual, Chapter 2 - Privacy Architecture, Section 2.3 - Privacy Architecture Implementation4.
