How does the GDPR suggest handling data breaches in terms of data volume?
Correct Answer: B
The GDPR treats the volume of data as an indicator of the potential impact of a data breach, rather than a determinant for the security measures themselves. This highlights that while volume can affect the severity of a breach, it is not the primary factor in setting data protection strategies.
Question 87
Upon completion of a third party assessment, a meeting should be scheduled with which of the following resources prior to sharing findings with the vendor/service provider to approve remediation plans:
Correct Answer: B
According to the Shared Assessments CTPRP Study Guide, the business unit relationship owner is the primary point of contact for the third party and is responsible for ensuring that the third party meets the contractual obligations and service level agreements. The business unit relationship owner is also involved in the third party risk assessment process and the remediation plan approval. Therefore, a meeting should be scheduled with the business unit relationship owner before sharing the findings and remediation plans with the third party, as they have the authority and accountability to approve or reject the plans. The other options are not necessarily involved in the remediation plan approval, although they may have other roles in the third party risk management lifecycle. References: * Shared Assessments CTPRP Study Guide, page 9, section 1.3.2 * The Third-Party Vendor Risk Management Lifecycle, section on Supplier Onboarding & Risk Monitoring * Remediation vs. Mitigation, section on Remediation
Question 88
An IT asset management program should include all of the following components EXCEPT:
Correct Answer: B
An IT asset management program is a set of processes and tools that help an organization manage its IT assets throughout their lifecycle, from acquisition to disposal. An IT asset management program should include the following components1234: * Maintaining inventories of systems, connections, and software applications: This component involves creating and updating a comprehensive and accurate list of all IT assets owned or used by the * organization, including their location, ownership, configuration, and status. This helps the organization optimize the use of its IT resources, reduce costs, and ensure compliance with licensing and regulatory requirements. * Tracking and monitoring availability of vendor updates and any timelines for end of support: This component involves keeping track of the latest updates, patches, and security fixes provided by the vendors of the IT assets, as well as the end-of-life dates and support options for the assets. This helps the organization maintain the security, performance, and functionality of its IT assets, and plan for timely replacement or migration of obsolete or unsupported assets. * Identifying and tracking adherence to IT asset end-of-life policy: This component involves defining and implementing a policy for retiring and disposing of IT assets that are no longer needed, useful, or supported by the organization. This helps the organization reduce risks, costs, and environmental impacts associated with IT asset disposal, and ensure compliance with data protection and disposal regulations. Defining application security standards for internally developed applications is not a component of an IT asset management program, but rather a component of an application development and security program. An application development and security program is a set of processes and tools that help an organization design, develop, test, deploy, and maintain secure and reliable applications, whether they are internally developed or acquired from external sources. An application development and security program should include the following components5 : * Defining application security standards for internally developed applications: This component involves establishing and enforcing a set of security requirements and best practices for the applications developed by the organization, such as secure coding, testing, and deployment methodologies, security controls, and vulnerability management. This helps the organization ensure the confidentiality, integrity, and availability of its applications and data, and prevent or mitigate security breaches and incidents. * Performing application security assessments for externally acquired applications: This component involves conducting security reviews and audits of the applications acquired from external sources, such as vendors, partners, or open source communities, before integrating them into the organization's IT environment. This helps the organization identify and address any security risks, gaps, or weaknesses in the applications, and ensure compatibility and compliance with the organization's security policies and standards. References: * ITAM: The ultimate guide to IT asset management * IT asset management: 10 best practices for success * Asset Management: The Five Core Components * The Fundamentals of Asset Management * Application Development and Security Program * Application Security Best Practices
Question 89
What is the main purpose of requiring visitors to sign-in and sign-out at a facility?
Correct Answer: A
Requiring visitors to sign-in and sign-out is critical to control and monitor access to the facility. This process ensures that all visitors are accounted for, which is essential for maintaining security and managing the flow of people in and out of the premises effectively.
Question 90
In the context of offboarding, who is primarily responsible for initiating the data removal process?
Correct Answer: D
It is primarily the responsibility of the user to initiate the data removal process, as they have direct control over their devices and the data contained therein. This empowers users to manage their data responsibly.
