Question 1

Which of the following is the best way to reduce the risk of compromised credentials when an organization allows employees to have remote access?

Accepted Answer

C

Explanation: Implementing multi-factor authentication is the best way to reduce the risk of compromised credentials when an organization allows employees to have remote access, as it adds an extra layer of security and verification to the authentication process. Multi-factor authentication requires the user to provide two or more pieces of evidence to prove their identity, such as something they know (e.g., password, PIN), something they have (e.g., token, smart card), or something they are (e.g., fingerprint, face scan)135. Reference: 1 Domain 2, Task 8;

Question 2

Which of the following is the BEST way to distinguish between a privacy risk and compliance risk?

Accepted Answer

B

Explanation: A privacy risk assessment is a process of identifying, analyzing and evaluating the privacy risks associated with the collection, use, disclosure or retention of personal data. A privacy risk assessment is the best way to distinguish between a privacy risk and compliance risk, as it would help to determine the likelihood and impact of privacy incidents or breaches that could affect the rights and interests of the data subjects, as well as the legal obligations and responsibilities of the organization. A privacy risk assessment would also help to identify and implement appropriate controls and measures to mitigate or reduce the privacy risks and ensure compliance with privacy principles, laws and regulations. The other options are not as effective as conducting a privacy risk assessment in distinguishing between a privacy risk and compliance risk. Performing a privacy risk audit is a process of verifying and validating the effectiveness and adequacy of the privacy controls and measures implemented by the organization, but it does not necessarily identify or evaluate the privacy risks or compliance risks. Validating a privacy risk attestation is a process of confirming and certifying the accuracy and completeness of the privacy information or statements provided by the organization, but it does not necessarily identify or evaluate the privacy risks or compliance risks. Conducting a privacy risk remediation exercise is a process of implementing corrective actions or improvements to address the identified or reported privacy risks or compliance risks, but it does not necessarily distinguish between them1, p. 66-67 Reference: 1: CDPSE Review Manual (Digital Version)

Question 3

Which of the following is the BEST way to manage different IT staff access permissions for personal data within an organization?

Accepted Answer

D

Explanation: Reference: https://www.imperva.com/learn/data-security/role-based-access-control-rbac/ Role-based access control is a method of managing different IT staff access permissions for personal data within an organization by assigning roles to users based on their job functions and responsibilities, and granting access rights to roles based on the principle of least privilege and need to know. Role-based access control is the best way to manage different IT staff access permissions for personal data within an organization, as it would help to protect the confidentiality, integrity and availability of the personal data, and also comply with the privacy principles, laws and regulations. Role-based access control would also simplify the administration and maintenance of access permissions, as it would reduce the complexity and redundancy of managing individual user accounts. The other options are not as effective as role-based access control in managing different IT staff access permissions for personal data within an organization. Mandatory access control is a method of managing access permissions for data or resources based on predefined security labels or classifications, such as confidential, secret or top secret, but it does not consider the job functions or responsibilities of the users. Network segmentation is a method of dividing a network into separate segments or zones with different levels of access and control, based on the sensitivity and value of the data or resources, but it does not consider the job functions or responsibilities of the users. Dedicated access system is a method of providing access to data or resources through a separate system or device that is isolated from other systems or networks, but it does not consider the job functions or responsibilities of the users1, p. 91-92 Reference: 1: CDPSE Review Manual (Digital Version)

Question 4

Which of the following MUST be available to facilitate a robust data breach management response?

Accepted Answer

D

Explanation: Reference: https://securityscorecard.com/blog/the-ultimate-data-breach-response-plan To facilitate a robust data breach management response, an organization must have an inventory of affected individuals and systems, as this will help to identify the scope, impact and severity of the breach, and to take appropriate actions to contain, mitigate and notify the breach. An inventory of affected individuals and systems should include the following information: The number and categories of data subjects whose personal data have been compromised The types and volumes of personal data that have been exposed, altered or deleted The sources and locations of the personal data, such as databases, servers, devices or third parties The potential or actual consequences of the breach for the data subjects, such as identity theft, fraud, discrimination or physical harm The systems and processes that have been compromised or affected by the breach, such as networks, applications, devices or security controls The vulnerabilities or risks that have been exploited or introduced by the breach, such as malware, phishing, ransomware or human error An inventory of affected individuals and systems will help the organization to assess the risk level of the breach, and to determine the appropriate response strategy and actions, such as: Isolating or shutting down the affected systems or processes Restoring or recovering the personal data from backups or other sources Erasing or encrypting the personal data on the compromised devices or media Analyzing the root cause and impact of the breach Reporting the breach to the relevant authorities and stakeholders Notifying the data subjects of their rights and remedies Implementing corrective and preventive measures to avoid future breaches Reference: Data Breach Preparation and Response in Accordance With GDPR - ISACA, section 4: “The controller should document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.” Cybersecurity Incident Response Exercise Guidance - ISACA, section 3: “The IRT should identify all assets involved in an incident (e.g., hardware, software) and determine what information was compromised (e.g., PII).” Guide to Securing Personal Data in Electronic Medium, section 3.5: “Organisations should maintain an inventory of personal data in their possession or under their control.”

Question 5

Which of the following should be used to address data kept beyond its intended lifespan?

Accepted Answer

A

Explanation: Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-dataprotection-regulation-gdpr/principles/data-minimisation/ Data minimization is a privacy principle that requires limiting the collection, storage and processing of personal data to what is necessary and relevant for the intended purposes. Data minimization should be used to address data kept beyond its intended lifespan, as it helps to reduce the amount of data that is stored or retained, and to delete or dispose of data that is no longer needed or justified. Data minimization also reduces the privacy risks and costs associated with data storage and retention, such as data breaches, unauthorized access, misuse or loss of data. The other options are not effective ways to address data kept beyond its intended lifespan. Data anonymization is a technique that removes or modifies all identifiers in a data set to prevent or limit the identification of the data subjects, but it does not address the issue of data retention or deletion. Data security is a process of applying technical, administrative and physical measures to protect the confidentiality, integrity and availability of data, but it does not address the issue of data retention or deletion. Data normalization is a technique that organizes the data in a database to reduce redundancy and improve consistency, but it does not address the issue of data retention or deletion1, p. 75-76 Reference: 1: CDPSE Review Manual (Digital Version)

Question 6

An online retail company is trying to determine how to handle users’ data if they unsubscribe from
marketing emails generated from the website. Which of the following is the BEST approach for
handling personal data that has been restricted?

Accepted Answer

D

Explanation: The best approach for handling personal data that has been restricted is to flag users’ email addresses to make sure they do not receive promotional information, because this will respect the users’ p

Question 7

When using anonymization techniques to prevent unauthorized access to personal data, which of the following is the MOST important consideration to ensure the data is adequately protected?

Accepted Answer

A

Explanation: Anonymization is a technique that removes or modifies personal data in such a way that it can no longer be attributed to a specific data subject. Anonymization can be achieved by various methods, such as encryption, pseudonymization, aggregation, generalization, etc. When using anonymization techniques to prevent unauthorized access to personal data, the most important consideration to ensure the data is adequately protected is that the key must be kept separate and distinct from the data it protects. The key is a piece of information that is used to reverse the anonymization process and restore the original personal data. The key must be stored and managed in a secure location that is different from where the anonymized data is stored and processed. This way, even if the anonymized data is compromised, the key cannot be accessed or used to re-identify the data subjects. Reference: : CDPSE Review Manual (Digital Version), page 29

Question 8

Which of the following zones within a data lake requires sensitive data to be encrypted or tokenized?

Accepted Answer

C

Explanation: A raw zone is a zone within a data lake that contains unprocessed or unstructured data that is ingested from various sources without any transformation or validation. A raw zone may contain sensitive data that has not been identified or classified yet, such as personal data. Therefore, sensitive data in a raw zone should be encrypted or tokenized to protect its confidentiality and integrity. Encryption is a process of transforming data into an unreadable form using a secret key or algorithm. Tokenization is a process of replacing sensitive data with non-sensitive substitutes called tokens. Both encryption and tokenization help to prevent unauthorized or unlawful access, use, disclosure, or transfer of sensitive data in a raw zone. Reference: : CDPSE Review Manual (Digital Version), page 169

Question 9

When evaluating cloud-based services for backup, which of the following is MOST important to consider from a privacy regulation standpoint?

Accepted Answer

B

Explanation: Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2014/selecting-the-rightcloud-operating-model-privacy-and-data-security-in-the-cloud When evaluating cloud-based services for backup, one of the most important factors to consider from a privacy regulation standpoint is data residing in another country. This is because different countries may have different privacy laws and regulations that apply to the personal data stored or processed in their jurisdictions. Some countries may have more stringent or protective privacy laws than others, while some countries may have more intrusive or invasive practices that pose threats to data privacy. Therefore, an organization should be aware of the location of its cloud-based backup service provider and its servers, and ensure that there are adequate safeguards and agreements in place to protect the personal data from unauthorized or unlawful access, use, disclosure, or transfer. Reference: : CDPSE Review Manual (Digital Version), page 159

Question 10

Which of the following is the GREATEST concern for an organization subject to cross-border data transfer regulations when using a cloud service provider to store and process data?

Accepted Answer

D

Explanation: Reference: https://www.isaca.org/resources/isaca-journal/past-issues/2014/data-ownersresponsibilities-when-migrating-to-the-cloud Cross-border data transfer regulations are laws and rules that govern the movement of personal data across national or regional boundaries. They aim to protect the privacy rights and interests of the data subjects, and to ensure that their personal data are not subject to lower or incompatible standards of protection in other jurisdictions. Examples of cross-border data transfer regulations include the General Data Protection Regulation (GDPR) in the European Union, the California Consumer Privacy Act (CCPA) in the United States, and the Personal Information Protection Law (PIPL) in China. When an organization uses a cloud service provider to store and process data, it may face the risk of transferring personal data to a region with different data protection requirements, such as a region that has not been recognized as providing adequate or equivalent levels of protection by the original jurisdiction, or a region that has conflicting or incompatible laws or regulations with the original jurisdiction. This may result in the following consequences for the organization: It may violate the cross-border data transfer regulations of the original jurisdiction, and face legal sanctions, fines, or lawsuits from the regulators, customers, or data subjects. It may lose control or visibility over the personal data, and expose them to unauthorized or unlawful access, use, modification, or disclosure by the cloud service provider or third parties. It may compromise the trust and confidence of the customers and data subjects, and damage its reputation and competitiveness. Therefore, an organization subject to cross-border data transfer regulations should carefully assess and manage the risks of using a cloud service provider to store and process data, and ensure that it has appropriate safeguards and mechanisms in place to protect the privacy of personal data across borders. Reference: Cross-Border Data Transfer and Data Localization Requirements … - ISACA, section 1: “As a result, China’s National People’s Congress (NPC) and the National Committee of the Chinese People’s Political Consultative Conference (PCC) put forward suggestions on legislation addressing cross- border data transfer.” Regulatory Approaches to Cross-Border Data Transfers, section 1: “Cross-border transfers of personal information are increasingly common in today’s globalised economy. However, different jurisdictions have different approaches to regulating such transfers.” Cross-Border Data Transfer Requirements: Global Privacy Laws - Securiti, section 1: “Data transfer conditions, mechanisms, localization and regulatory authority of each law.” The Regulation of Cross-Border Data Transfers in the Context … - Springer, section 1: “No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.”

Question 11

An organization is creating a personal data processing register to document actions taken with
personal dat
a. Which of the following categories should document controls relating to periods of retention for
personal data?

Accepted Answer

A

Explanation: However, the risks associated with long-term retention have compelled organizations to consider alternatives; one is data archival, the process of preparing data for long-term storage. When organizations are bound by specific laws to retain data for many years, archival provides a viable opportunity to remove data from online transaction systems to other systems or media. Data archiving is the process of moving data that is no longer actively used to a separate storage device for long-term retention. Data archiving helps to reduce the cost and complexity of data storage, improve the performance and availability of data systems, and comply with data retention policies and regulations. Data archiving should document controls relating to periods of retention for personal data, such as the criteria for determining the retention period, the procedures for deleting or anonymizing data after the retention period expires, and the mechanisms for ensuring the integrity and security of archived data. Reference: : CDPSE Review Manual (Digital Version), page 123

Question 12

Which authentication practice is being used when an organization requires a photo on a government-issued identification card to validate an in-person credit card purchase?

Accepted Answer

A

Explanation: Authentication is a process of verifying the identity of a user or device that requests access to a system or resource. Authentication can be based on one or more factors, such as something the user knows (e.g., password), something the user has (e.g., token), something the user is (e.g., fingerprint) or something the user does (e.g., signature). When an organization requires a photo on a government-issued identification card to validate an in-person credit card purchase, it is using possession factor authentication, which relies on something the user has as proof of identity. The other options are not applicable in this scenario1, p. 81 Reference: 1: CDPSE Review Manual (Digital Version)

Question 13

During which of the following system lifecycle stages is it BEST to conduct a privacy impact assessment (PIA) on a system that holds personal data?

Accepted Answer

B

Explanation: A PIA is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves the collection, use, disclosure or retention of personal data. A PIA should be conducted as early as possible in the system lifecycle, preferably during the development stage, to ensure that privacy risks are identified and mitigated before the system is deployed. Conducting a PIA during functional testing, UAT or production stages may be too late to address privacy issues effectively and may result in costly rework or delays1, p. 67 Reference: 1: CDPSE Review Manual (Digital Version)

Question 14

Data collected by a third-party vendor and provided back to the organization may not be protected
according to the organization’s privacy notice. Which of the following is the BEST way to address this
concern?

Accepted Answer

D

Explanation: The best way to address the concern that data collected by a third-party vendor and provided back to the organization may not be protected according to the organization’s privacy notice is to validate contract compliance. This means that the organization should verify that the third-party vendor is adhering to the terms and conditions of the contract, which should include clauses on data protection, privacy, and security. The contract should also specify the obligations and responsibilities of both parties regarding data collection, processing, storage, transfer, retention, and disposal. By validating contract compliance, the organization can ensure that the third-party vendor is following the same privacy standards and practices as the organization. Reference: ISACA, CDPSE Review Manual 2021, Chapter 2: Privacy Governance, Section 2.3: Third-Party Management, p. 51-52. ISACA, Data Privacy Audit/Assurance Program, Control Objective 8: Third-Party Management, p. 14- 151

Question 15

How can an organization BEST ensure its vendors are complying with data privacy requirements defined in their contracts?

Accepted Answer

B

Explanation: The best way for an organization to ensure its vendors are complying with data privacy requirements defined in their contracts is to obtain independent assessments of the vendors’ data management processes, because this will provide an objective and reliable evaluation of the vendors’ privacy practices, policies, and controls. Independent assessments can be performed by external auditors, consultants, or certification bodies that have the expertise and credibility to verify the vendors’ compliance with the contractual obligations and expectations. Independent assessments can also help identify and address any privacy risks or gaps that may arise from the vendors’ processing of personal data12. Reference: CDPSE Exam Content Outline, Domain 1 – Privacy Governance (Governance, Management & Risk Management), Task 7: Participate in the management and evaluation of contracts, service levels and practices of vendors and other external parties3. CDPSE Review Manual, Chapter 1 – Privacy Governance, Section 1.4 – Third-Party Management4.

Free ISACA CDPSE Actual Exam Questions