Which set of procedures is typically NOT addressed within data privacy policies?
Correct Answer: C
Data privacy policies are documents that outline how an organization collects, uses, stores, shares, and protects personal information from its customers, employees, partners, and other stakeholders [1]. Data privacy policies should address the following key elements [2]:
* The purpose and scope of data collection and processing
* The legal basis and consent mechanism for data processing
* The types and categories of personal data collected and processed
* The data retention and deletion policies and practices
* The data security and encryption measures and standards
* The data sharing and disclosure practices and procedures, including the use of third parties and cross-border transfers
* The data access, correction, and deletion rights and requests of individuals
* The data breach and incident response and notification procedures and responsibilities
* The data protection officer and contact details
* The data privacy policy review and update process and frequency
Procedures for configuration settings in identity access management are typically not addressed within data privacy policies, as they are more related to the technical and operational aspects of data security and access control. Identity access management (IAM) is a framework of policies, processes, and technologies that enable an organization to manage and verify the identities and access rights of its users and devices [3]. IAM configuration settings determine how users and devices are authenticated, authorized, and audited when accessing data and resources. IAM configuration settings should be aligned with the data privacy policies and principles, but they are not part of the data privacy policies themselves. IAM configuration settings should be documented and maintained separately from data privacy policies, and should be reviewed and updated regularly to ensure compliance and security.
References:
* 1: What is a Data Privacy Policy? | OneTrust
* 2: Privacy Policy Checklist: What to Include in Your Privacy Policy
* 3: What is identity and access management? | IBM
* [Identity and Access Management Configuration Settings]
* [Why data privacy and third-party risk teams need to work ... - OneTrust]
* [Privacy Risk Management - ISACA]
* [What Every Chief Privacy Officer Should Know About Third-Party Risk ...]
Question 82
In the context of third-party risk management, what tool is used to gather information about a vendor's operations and compliance?
Correct Answer: C
The self-assessment questionnaire is a key tool in third-party risk management, designed to collect detailed information on the vendor's operations, controls, and compliance status, helping organizations make informed decisions with minimal resources.
Question 83
Which factor is NOT typically used in multi-factor authentication?
Correct Answer: D
The user's location is not typically one of the factors used in multi-factor authentication, which classically involves something the user knows, has, or is. Location is more related to contextual or adaptive authentication mechanisms.
Question 84
Understanding the __________ is crucial to allocating security responsibilities correctly in cloud-based environments.
Correct Answer: C
Understanding the type of cloud service model is crucial because different models, such as SaaS, PaaS, or IaaS, have distinct implications for security responsibility distribution, affecting how security controls are managed.
Question 85
Which statement does NOT reflect current practice in addressing fourth-party risk or subcontracting risk?
Correct Answer: B
This statement does not reflect current practice in addressing fourth-party risk or subcontracting risk because it is not sufficient to rely on external audit reports alone. Outsourcers should also perform their own due diligence and monitoring of the subcontractors, and should ensure that the third party has a robust TPRM program in place. External audit reports may not cover all the relevant aspects of subcontracting risk, such as data security, compliance, performance, and quality. Moreover, external audit reports may not be timely, accurate, or consistent, and may not reflect the current state of the subcontractor's operations. Therefore, outsourcers should adopt a more proactive and comprehensive approach to managing subcontracting risk, rather than relying on external audit reports.
References:
* Shared Assessments Program, page 13: "Outsourcers should not rely solely on external audit reports to address subcontracting risk. Outsourcers should also inspect the vendor's TPRM program and require evidence of the assessments of subcontractors."
* Five Best Practices to Manage and Control Third-Party Risk, page 3: "Restricting privileged accounts