
Question 51

Which of the following should be the FIRST consideration when conducting a privacy impact assessment (PIA)?

Correct Answer: B

Question 52

Which of the following helps to ensure the identities of individuals in a two-way communication are verified?

Correct Answer: D
The best answer is D. Mutual certificate authentication.
A comprehensive explanation is:
Mutual certificate authentication is a method of mutual authentication that uses public key certificates to verify the identities of both parties in a two-way communication. A public key certificate is a digital document that contains information about the identity of the certificate holder, such as their name, organization, domain name, etc., as well as their public key, which is used for encryption and digital signature. A public key certificate is issued and signed by a trusted authority, called a certificate authority (CA), that vouches for the validity of the certificate.
Mutual certificate authentication works as follows:
* Both parties have a public key certificate issued by a CA that they trust.
* When they initiate a communication, they exchange their certificates with each other.
* They verify the signatures on the certificates using the CA's public key, which they already have or can obtain from a trusted source.
* They check that the certificates are not expired, revoked, or tampered with.
* They extract the public keys from the certificates and use them to encrypt and decrypt messages or to generate and verify digital signatures.
* They confirm that the identities in the certificates match their expectations and intentions.
By using mutual certificate authentication, both parties can be confident that they are communicating with the intended and legitimate party, and that their communication is secure and confidential.
Mutual certificate authentication is often used in conjunction with Transport Layer Security (TLS), a protocol that provides encryption and authentication for network communications. TLS supports both one-way and two-way authentication. In one-way authentication, only the server presents a certificate to the client, and the client verifies it. In two-way authentication, also known as mutual TLS or mTLS, both the server and the client present certificates to each other, and they both verify them. Mutual TLS is commonly used for secure web services, such as APIs or webhooks, that require both parties to authenticate each other.
Virtual private network (VPN), Secure Shell (SSH), and Transport Layer Security (TLS) are all technologies that can help to ensure the identities of individuals in a two-way communication are verified, but they are not methods of mutual authentication by themselves. They can use mutual certificate authentication as one of their options, but they can also use other methods, such as username and password, pre-shared keys, or tokens. Therefore, they are not as specific or accurate as mutual certificate authentication.
References:
* What is mutual authentication? | Two-way authentication
* How to prove and verify someone's identity
* Identity verification - Information Security & Policy

Question 53

Transport Layer Security (TLS) provides data integrity through:

Correct Answer: A
Explanation
Transport Layer Security (TLS) is a protocol that provides secure communication over the internet by encrypting and authenticating data. TLS provides data integrity through the calculation of message digests, which are cryptographic hashes that summarize the content and structure of a message. The sender and the receiver of a message can compare the message digests to verify that the message has not been altered or corrupted during transmission. TLS also uses digital certificates, asymmetric encryption, and symmetric encryption to provide confidentiality and authentication, but these are not directly related to data integrity.
References: CDPSE Review Manual, 2021, p. 117

Question 54

Which of the following is the BEST way for senior management to verify the success of its commitment to privacy by design?

Correct Answer: C
Explanation
A third-party privacy control assessment is an independent and objective evaluation of the design and effectiveness of the privacy controls implemented by an organization to protect personal data and comply with privacy laws and regulations. A third-party privacy control assessment can help senior management to verify the success of its commitment to privacy by design, by providing the following benefits:
* It can measure the extent to which the organization has adopted and integrated the principles and practices of privacy by design throughout its products, services, processes and systems.
* It can identify the strengths and weaknesses of the organization's privacy governance, policies, procedures, standards and guidelines, and provide recommendations for improvement.
* It can validate the organization's compliance with the applicable privacy requirements and expectations of its customers, stakeholders, regulators and auditors.
* It can enhance the organization's reputation and trustworthiness as a responsible and transparent data controller and processor.
The other options are less effective or irrelevant for verifying the success of the commitment to privacy by design. Reviewing the findings of an industry benchmarking assessment may provide some insights into how the organization compares with its peers or competitors in terms of privacy performance, but it may not reflect the specific privacy goals, risks and challenges of the organization. Identifying trends in the organization's amount of compromised personal data or number of privacy incidents may indicate some aspects of the organization's privacy maturity, but they are reactive and lagging indicators that do not capture the proactive and preventive nature of privacy by design. Moreover, these metrics may not account for other factors that may influence the occurrence or impact of data breaches or privacy violations, such as external threats, human errors or environmental changes.
References:
* Privacy by Design: How Far Have We Come? - ISACA, section 1: "Privacy by design challenges conventional system thinking. It mandates that any system, process or infrastructure that uses personal data consider privacy throughout its development life cycle."
* Privacy Control Assessment - ISACA, section 1: "A Privacy Control Assessment (PCA) is an independent evaluation performed by a qualified assessor to determine whether an entity's controls are suitably designed and operating effectively to meet its objectives related to protecting personal information."
* Privacy by Design: The New Competitive Advantage - ISACA, section 2: "Privacy by design is a proactive approach to embedding privacy into the design specifications of various technologies, business practices and networked infrastructure."

Question 55

An IT privacy practitioner wants to test an application in pre-production that will be processing sensitive personal data. Which of the following testing methods is BEST used to identify and review the application's runtime modules?

Correct Answer: B
Explanation
The best testing method to identify and review the application's runtime modules is dynamic application security testing (DAST). DAST is a testing technique that analyzes the application's behavior and functionality during its execution. DAST can detect security and privacy vulnerabilities that are not visible in the source code, such as injection attacks, cross-site scripting, broken authentication, sensitive data exposure, or improper error handling. DAST can also simulate real-world attacks and test the application's response and resilience. DAST can provide a comprehensive and realistic assessment of the application's security and privacy posture in the pre-production environment.
References:
* [ISACA Glossary of Terms]
* [OWASP Top 10 Web Application Security Risks]
* [ISACA CDPSE Review Manual, Chapter 2, Section 2.4.2]
* [ISACA Journal, Volume 6, 2018, "Dynamic Application Security Testing"]