ISACA CDPSE Exam: ISACA.CDPSE.v2025-11-10.q188 Dumps

Question 156

Which of the following is the BEST way to explain the difference between data privacy and data security?

Correct Answer: D
Explanation
Data privacy and data security are related but distinct concepts that are both essential for protecting personal data. Data privacy is about ensuring that personal data are collected, used, shared and disposed of in a lawful, fair and transparent manner, respecting the rights and preferences of the data subjects. Data privacy also involves implementing policies, procedures and controls to comply with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
Data privacy protects users from unauthorized disclosure of their personal data, which may result in harm, such as identity theft, fraud, discrimination or reputational damage.
Data security is about safeguarding the confidentiality, integrity and availability of data from unauthorized or malicious access, use, modification or destruction. Data security also involves implementing technical and organizational measures to prevent or mitigate data breaches or incidents, such as encryption, authentication, backup or incident response. Data security prevents compromise of data, which may result in loss, corruption or disruption of data.
References:
* The Difference Between Data Privacy and Data Security - ISACA, section 1: "Data privacy is focused on the use and governance of personal data - things like putting policies in place to ensure that consumers' personal information is being collected, shared and used in appropriate ways."
* Practical Data Security and Privacy for GDPR and CCPA - ISACA, section 1: "Data security is the practice of protecting digital information from unauthorized access, corruption or theft throughout its life cycle."

Question 157

Which of the following is the FIRST step toward the effective management of personal data assets?

Correct Answer: C
Explanation
The first step toward the effective management of personal data assets is to create a personal data inventory, which is a comprehensive list of the personal data that an organization collects, processes, stores, transfers, and disposes of. A personal data inventory helps an organization to understand the types, sources, locations, owners, purposes, and retention periods of the personal data it holds, as well as the risks and obligations associated with them. A personal data inventory is essential for complying with data privacy laws and regulations, such as the GDPR or the PDPA, which require organizations to implement data protection principles and practices, such as obtaining consent, providing notice, ensuring data quality and security, respecting data subject rights, and reporting data breaches. A personal data inventory also helps an organization to identify and mitigate data privacy risks and gaps, and to implement data minimization and data security controls.
References:
* ISACA, Data Privacy Audit/Assurance Program, Control Objective 3: Data Inventory and Classification
* ISACA, Simplify and Contextualize Your Data Classification Efforts
* PDPC, Managing Personal Data
* PDPC, PDPA Assessment Tool for Organisations

Question 158

Which of the following helps to ensure the identities of individuals in a two-way communication are verified?

Correct Answer: D
Explanation
The best answer is D. Mutual certificate authentication.
A comprehensive explanation is:
Mutual certificate authentication is a method of mutual authentication that uses public key certificates to verify the identities of both parties in a two-way communication. A public key certificate is a digital document that contains information about the identity of the certificate holder, such as their name, organization, domain name, etc., as well as their public key, which is used for encryption and digital signature. A public key certificate is issued and signed by a trusted authority, called a certificate authority (CA), that vouches for the validity of the certificate.
Mutual certificate authentication works as follows:
* Both parties have a public key certificate issued by a CA that they trust.
* When they initiate a communication, they exchange their certificates with each other.
* They verify the signatures on the certificates using the CA's public key, which they already have or can obtain from a trusted source.
* They check that the certificates are not expired, revoked, or tampered with.
* They extract the public keys from the certificates and use them to encrypt and decrypt messages or to generate and verify digital signatures.
* They confirm that the identities in the certificates match their expectations and intentions.
By using mutual certificate authentication, both parties can be confident that they are communicating with the intended and legitimate party, and that their communication is secure and confidential.
Mutual certificate authentication is often used in conjunction with Transport Layer Security (TLS), a protocol that provides encryption and authentication for network communications. TLS supports both one-way and two-way authentication. In one-way authentication, only the server presents a certificate to the client, and the client verifies it. In two-way authentication, also known as mutual TLS or mTLS, both the server and the client present certificates to each other, and they both verify them. Mutual TLS is commonly used for secure web services, such as APIs or webhooks, that require both parties to authenticate each other.
Virtual private network (VPN), Secure Shell (SSH), and Transport Layer Security (TLS) are all technologies that can help to ensure the identities of individuals in a two-way communication are verified, but they are not methods of mutual authentication by themselves. They can use mutual certificate authentication as one of their options, but they can also use other methods, such as username and password, pre-shared keys, or tokens. Therefore, they are not as specific or accurate as mutual certificate authentication.
References:
* What is mutual authentication? | Two-way authentication
* How to prove and verify someone's identity
* Identity verification - Information Security & Policy

Question 159

Which of the following is considered a privacy-enhancing technology (PET)?

Correct Answer: C
Synthetic data generation is a recognized privacy-enhancing technology (PET) because it allows realistic model training and analysis without exposing actual personal data. PKI (A) provides authentication, not privacy preservation; blockchain (B) increases transparency but may conflict with privacy; identity management (D) supports security but is not a PET by itself.
"Synthetic data preserves patterns while removing identifiable personal information, enabling safe processing."

Question 160

Which of the following should be done FIRST when developing an organization-wide strategy to address data privacy risk?

Correct Answer: D