An organization has an initiative to implement database encryption to strengthen privacy controls. Which of the following is the MOST useful information for prioritizing database selection?
Correct Answer: D
The most useful information for prioritizing database selection for encryption is the asset classification scheme. An asset classification scheme is a system of organizing and categorizing assets based on their value, sensitivity, criticality, or risk level. An asset classification scheme helps to determine the appropriate level of protection or handling for each asset. For example, an asset classification scheme may assign labels such as public, internal, confidential, or secret to different types of data based on their impact if compromised. Databases that contain higher-classified data should be prioritized for encryption to prevent unauthorized access, disclosure, or modification. Database administration audit logs, historical security incidents, or penetration test results are also useful information for database security, but they are not the most useful for prioritizing database selection for encryption. Database administration audit logs are records of activities performed by database administrators or other privileged users on the database system. Database administration audit logs help to monitor and verify the actions and changes made by authorized users and detect any anomalies or violations. Historical security incidents are records of events that have compromised or threatened the security of the database system in the past. Historical security incidents help to identify and analyze the root causes, impacts, and lessons learned from previous breaches or attacks. Penetration test results are reports of simulated attacks performed by ethical hackers or security experts on the database system to evaluate its vulnerabilities and defenses. Penetration test results help to discover and exploit any weaknesses or gaps in the database security posture and recommend remediation actions.
Question 82
Which of the following is MOST important to consider when managing changes to the provision of services by a third party that processes personal data?
Correct Answer: C
The most important thing to consider when managing changes to the provision of services by a third party that processes personal data is the business impact due to the changes. Changes to the provision of services by a third party can affect the organization's ability to meet its business objectives and legal obligations related to data processing activities. For example, changes to the service level agreement (SLA), the scope of services, the security measures, the location of servers, etc., can have implications for the quality, availability, confidentiality, integrity, and compliance of personal data processing. Therefore, an IT privacy practitioner should assess and evaluate the business impact due to the changes, and ensure that they are aligned with the organization's privacy policies and applicable privacy regulations and standards. Reference: : CDPSE Review Manual (Digital Version), page 41
Question 83
Which of the following is the BEST way to address privacy concerns when an organization captures personal data from a third party through an open application programming interface (API)?
Correct Answer: C
Explanation The best way to address privacy concerns when an organization captures personal data from a third party through an open application programming interface (API) is to obtain consent from the data subjects. Consent is a freely given, specific, informed, and unambiguous indication of the data subject's wishes by which they agree to the processing of their personal data by the organization for a defined purpose. Consent is one of the legal bases for processing personal data under various privacy laws and regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Obtaining consent from the data subjects can help ensure that they are aware of and agree to the collection and use of their personal data by the organization through the open API. Obtaining consent can also help respect the data subject's rights and preferences regarding their personal data. Developing a service level agreement (SLA) with the third party, implementing encryption for the data transmission, or reviewing the specification document of the open API are also good practices for addressing privacy concerns when using an open API to capture personal data from a third party, but they are not the best way. Developing an SLA with the third party can help define the roles, responsibilities, expectations, and obligations of both parties regarding the provision and use of the open API and the personal data involved. Implementing encryption for the data transmission can help protect the confidentiality, integrity, and availability of the personal data transferred between the third party and the organization through the open API. Reviewing the specification document of the open API can help understand the functionality, features, parameters, or requirements of the open API and how it handles personal data. References: Open APIs and Security Risks | Govenda Board Portal Software, The top API security risks and how to mitigate them - Appinventiv, Critical API security risks: 10 best practices | TechBeacon
Question 84
Which of the following is the BEST approach when providing data subjects with access to their personal data?
Correct Answer: C
Providing data subjects direct access through a profile page is the best practice because it supports transparency and control while fulfilling data subject rights (e.g., access, rectification). Limiting edits (A) or disabling modifications (D) restricts rights. Using email to generate IDs (B) is unrelated to enabling data subject access. "Data subjects should have the ability to view and manage their own information directly."
Question 85
When choosing data sources to be used within a big data architecture, which of the following data attributes MUST be considered to ensure data is not aggregated?
Correct Answer: B
Reference: Granularity is the level of detail or specificity of the data. Data that is not aggregated is data that has a high level of granularity, meaning it contains more information and can be analyzed in more ways. Data that is aggregated is data that has a low level of granularity, meaning it has been summarized or combined and has lost some information. Therefore, when choosing data sources to be used within a big data architecture, the granularity of the data must be considered to ensure data is not aggregated. Data Visualization Part 4: aggregation and granularity | by Kristi Pelzel | Upskilling | Medium Data Prep 101: What is an aggregate function and how do you combine aggregated data? - Tableau Understanding Aggregation and Granularity in Data Analysis with Real World Examples | by Usha Vivek | Medium
