An organization Wishes to deploy strong encryption to its most critical and sensitive databases. Which of the following is the BEST way to safeguard the encryption keys?
Correct Answer: C
The best way to safeguard the encryption keys is to ensure that they are stored in a cryptographic vault. A cryptographic vault is a secure hardware or software module that provides cryptographic services and protects the keys from unauthorized access, modification, or disclosure. A cryptographic vault can also provide other functions, such as key generation, key backup, key rotation, key destruction, and key auditing. A cryptographic vault can enhance the security and privacy of the encrypted data by preventing key compromise, leakage, or misuse. A cryptographic vault can also comply with the security standards and best practices for key management, such as the ISO/IEC 27002, NIST SP 800-57, or PCI DSS. Reference: [ISACA Glossary of Terms] [ISACA CDPSE Review Manual, Chapter 3, Section 3.3.3] [ISACA Journal, Volume 4, 2019, "Key Management in the Multi-Cloud Environment"] [ISACA CDPSE Review Manual, Chapter 3, Section 3.3.4]
Question 172
The BEST way for a multinational organization to ensure the comprehensiveness of its data privacy policy is to perform an annual review of changes to privacy regulations in.
Correct Answer: B
Explanation A multinational organization that operates across different countries and regions should perform an annual review of changes to privacy regulations in all jurisdictions where its corporate data is processed. This is because different jurisdictions may have different privacy laws and requirements that apply to the collection, use, storage, transfer, and disposal of personal data. For example, the EU General Data Protection Regulation (GDPR) applies to any organization that processes personal data of individuals in the EU, regardless of where the organization is located or where the data is processed. Therefore, the organization should keep track of the changes to privacy regulations in all relevant jurisdictions and update its data privacy policy accordingly to ensure compliance and avoid penalties or lawsuits.
Question 173
Which of the following is the BEST control to secure application programming interfaces (APIs) that may contain personal information?
Correct Answer: C
Explanation Restricting access to authorized users is the best control to secure application programming interfaces (APIs) that may contain personal information, as it would prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries. Restricting access to authorized users can be achieved by using various methods, such as authentication, authorization, encryption, tokens or certificates. The other options are not effective controls to secure APIs that may contain personal information. Encrypting APIs with the organization's private key is not a feasible or desirable method, as it would make the APIs unreadable by anyone who does not have the corresponding public key, which would defeat the purpose of using APIs for interoperability and integration. Requiring nondisclosure agreements (NDAs) when sharing APIs is not a reliable or enforceable method, as it would depend on the compliance and cooperation of the parties who receive the APIs, and it would not prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries who are not bound by the NDAs. Sharing only digitally signed APIs is not a sufficient method, as it would only ensure the authenticity and integrity of the APIs, but it would not prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries who can read or intercept the APIs1, p. 90-91 References: 1: CDPSE Review Manual (Digital Version)
Question 174
To ensure effective management of an organization's data privacy policy, senior leadership MUST define:
Correct Answer: B
Senior leadership must define the roles and responsibilities of the person with oversight, who is responsible for ensuring compliance with the data privacy policy and applicable laws and regulations. This person may also be known as the data protection officer, the privacy officer, or the chief privacy officer, depending on the organization and jurisdiction. The person with oversight should have the authority, resources, and independence to perform their duties effectively. Reference: ISACA, CDPSE Review Manual 2021, Chapter 2: Privacy Governance, Section 2.1: Privacy Governance Framework, p. 35-36. ISACA, Data Privacy Audit/Assurance Program, Control Objective 1: Data Privacy Governance, p. 4-51
Question 175
Which of the following is MOST important to review before using an application programming interface (API) to help mitigate related privacy risk?
Correct Answer: D
Explanation Data flows are the most important to review before using an application programming interface (API) to help mitigate related privacy risk. Data flows are the paths or routes that data take from their sources to their destinations through various processes, transformations, or exchanges. Data flows can help understand how data are collected, used, shared, stored, or deleted by an API and its related applications. Data flows can also help identify the potential privacy risks or impacts that may arise from data processing activities involving an API and its related applications. Data flows can be represented by diagrams, maps, models, or documents that show the sources, destinations, types, formats, volumes, frequencies, purposes, or legal bases of data. Data taxonomy, data classification, and data collection are also important for privacy risk mitigation when using an API, but they are not the most important. Data taxonomy is a system of organizing and categorizing data into groups, classes, or hierarchies based on their characteristics, attributes, or relationships. Data taxonomy can help understand the structure, meaning, context, or value of data. Data classification is a process of assigning labels or tags to data based on their sensitivity, confidentiality, criticality, or risk level. Data classification can help determine the appropriate level of protection or handling for data. Data collection is a process of gathering or obtaining data from various sources for a specific purpose or objective. Data collection can help obtain the necessary information or evidence for decision making or problem solving. References: Critical API security risks: 10 best practices | TechBeacon, Open APIs and Security Risks | Govenda Board Portal Software, The top API security risks and how to mitigate them - Appinventiv
