Which of the following MUST be available to facilitate a robust data breach management response?
Correct Answer: D
Explanation: To facilitate a robust data breach management response, an organization must have an inventory of affected individuals and systems, as this will help to identify the scope, impact and severity of the breach, and to take appropriate actions to contain, mitigate and notify the breach. An inventory of affected individuals and systems should include the following information:
* The number and categories of data subjects whose personal data have been compromised
* The types and volumes of personal data that have been exposed, altered or deleted
* The sources and locations of the personal data, such as databases, servers, devices or third parties
* The potential or actual consequences of the breach for the data subjects, such as identity theft, fraud, discrimination or physical harm
* The systems and processes that have been compromised or affected by the breach, such as networks, applications, devices or security controls
* The vulnerabilities or risks that have been exploited or introduced by the breach, such as malware, phishing, ransomware or human error
An inventory of affected individuals and systems will help the organization to assess the risk level of the breach, and to determine the appropriate response strategy and actions, such as:
* Isolating or shutting down the affected systems or processes
* Restoring or recovering the personal data from backups or other sources
* Erasing or encrypting the personal data on the compromised devices or media
* Analyzing the root cause and impact of the breach
* Reporting the breach to the relevant authorities and stakeholders
* Notifying the data subjects of their rights and remedies
* Implementing corrective and preventive measures to avoid future breaches
References:
* Data Breach Preparation and Response in Accordance With GDPR - ISACA, section 4: "The controller should document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken."
* Cybersecurity Incident Response Exercise Guidance - ISACA, section 3: "The IRT should identify all assets involved in an incident (e.g., hardware, software) and determine what information was compromised (e.g., PII)."
* Guide to Securing Personal Data in Electronic Medium, section 3.5: "Organisations should maintain an inventory of personal data in their possession or under their control."
Question 127
How can an organization BEST ensure its vendors are complying with data privacy requirements defined in their contracts?
Correct Answer: B
Explanation: The best way for an organization to ensure its vendors are complying with data privacy requirements defined in their contracts is to obtain independent assessments of the vendors' data management processes, because this will provide an objective and reliable evaluation of the vendors' privacy practices, policies, and controls. Independent assessments can be performed by external auditors, consultants, or certification bodies that have the expertise and credibility to verify the vendors' compliance with the contractual obligations and expectations. Independent assessments can also help identify and address any privacy risks or gaps that may arise from the vendors' processing of personal data.
References:
* CDPSE Exam Content Outline, Domain 1 - Privacy Governance (Governance, Management & Risk Management), Task 7: Participate in the management and evaluation of contracts, service levels and practices of vendors and other external parties.
* CDPSE Review Manual, Chapter 1 - Privacy Governance, Section 1.4 - Third-Party Management.
Question 128
Which of the following is the MOST effective remote access model for reducing the likelihood of attacks originating from connecting devices?
Correct Answer: C
Explanation: A thin client remote desktop protocol (RDP) is the most effective remote access model for reducing the likelihood of attacks originating from connecting devices, because it minimizes the amount of data and processing that occurs on the remote device. A thin client RDP only sends keyboard, mouse and display information between the remote device and the server, while the actual processing and storage of data happens on the server. This reduces the exposure of sensitive data and applications to potential attackers who may compromise the remote device.
References:
* CDPSE Review Manual, Chapter 2 - Privacy Architecture, Section 2.3 - Privacy Architecture Implementation.
* CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 2 - Privacy Architecture, Section 2.4 - Remote Access.
Question 129
Which of the following technologies BEST facilitates protection of personal data?
Correct Answer: A
Explanation: Data loss prevention (DLP) tools are technologies that help to prevent unauthorized access, use, or transfer of personal data. DLP tools can monitor, detect, and block data leakage or exfiltration from various sources, such as endpoints, networks, cloud services, or email. DLP tools can also enforce data protection policies and compliance requirements, such as encryption, masking, or deletion of sensitive data. DLP tools can help to protect personal data from both internal and external threats, such as malicious insiders, hackers, or accidental exposure.
References:
* Data protection solutions rely on technologies such as data loss prevention (DLP), storage with built-in data protection, firewalls, encryption, and endpoint protection, Cloudian
* Top 10 Hot Data Security And Privacy Technologies, Forbes
Question 130
Which of the following is the BEST method of data sanitization when there is a need to balance the destruction of data and the ability to recycle IT assets?
Correct Answer: A
Explanation: Cryptographic erasure is a data sanitization method that uses encryption to render data unreadable and unrecoverable. It is the best method when there is a need to balance the destruction of data and the ability to recycle IT assets, because it does not damage the storage media and allows it to be reused or sold. It is also faster and more environmentally friendly than physical destruction methods.
References:
* ISACA Certified Data Privacy Solutions Engineer (CDPSE) Exam Content Outline, Domain 2: Privacy Architecture, Task 2.4: Implement data sanitization methods to ensure data privacy and security, Subtask 2.4.1: Select appropriate data sanitization methods based on the type of data and storage media.
* What is Data Sanitization? | Data Erasure Methods | Imperva