Which of the following protocols BEST protects end-to-end communication of personal data?
Correct Answer: B
Reference: Transport Layer Security Protocol (TLS) is a cryptographic protocol that provides end-to-end communication security between two parties over a network, such as the internet. TLS protects the confidentiality, integrity and authenticity of the data exchanged between the parties, such as personal data, by using encryption, hashing and digital signatures. TLS is the best protocol to protect end-to-end communication of personal data, as it prevents unauthorized access, modification or tampering of the data by third parties or intermediaries.
The other options are not as effective as TLS in protecting end-to-end communication of personal data. Transmission Control Protocol (TCP) is a network protocol that provides reliable and ordered delivery of data packets between two parties over a network, but it does not provide any security or encryption of the data. Secure File Transfer Protocol (SFTP) is a network protocol that provides secure and encrypted file transfer between two parties over a network, but it does not provide end-to-end communication security for other types of data or messages. Hypertext Transfer Protocol (HTTP) is a network protocol that defines how data is formatted and transmitted over the web, but it does not provide any security or encryption of the data [1, p. 90-91].
Reference: [1] CDPSE Review Manual (Digital Version)
Question 127
Which of the following is the BEST way to protect the privacy of data stored on a laptop in case of loss or theft?
Correct Answer: A
Question 128
Which of the following should be established FIRST before authorizing remote access to a data store containing personal data?
Correct Answer: C
Question 129
Which of the following is the BEST practice to protect data privacy when disposing removable backup media?
Correct Answer: B
Explanation: The best practice to protect data privacy when disposing removable backup media is B. Data sanitization. A comprehensive explanation is:
Data sanitization is the process of permanently and irreversibly erasing or destroying the data on a storage device or media, such as a hard drive, a USB drive, a CD/DVD, etc. Data sanitization ensures that the data cannot be recovered or reconstructed by any means, even by using specialized software or hardware tools. Data sanitization is also known as data wiping, data erasure, data destruction, or data disposal.
Data sanitization is the best practice to protect data privacy when disposing removable backup media because it prevents unauthorized access, disclosure, theft, or misuse of the sensitive or confidential data that may be stored on the media. Data sanitization also helps to comply with the legal and regulatory requirements and standards for data protection and privacy, such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), etc.
There are different methods and techniques for data sanitization, depending on the type and format of the storage device or media. Some of the common methods are:
* Overwriting: Overwriting replaces the existing data on the device or media with random or meaningless data, such as zeros, ones, or patterns. Overwriting can be done multiple times to increase the level of security and assurance. Overwriting is suitable for magnetic media, such as hard disk drives (HDDs) or tapes.
* Degaussing: Degaussing exposes the device or media to a strong magnetic field that disrupts and destroys the magnetic structure and alignment of the data. Degaussing renders the device or media unusable and unreadable. Degaussing is suitable for magnetic media, such as hard disk drives (HDDs) or tapes.
* Physical Destruction: Physical destruction involves applying physical force or damage to the device or media that breaks it into small pieces or shreds it. Physical destruction can be done by using mechanical tools, such as shredders, crushers, drills, hammers, etc., or by using thermal methods, such as incineration, melting, etc. Physical destruction is suitable for any type of media, such as hard disk drives (HDDs), solid state drives (SSDs), USB drives, CDs/DVDs, etc.
Data encryption (A) is not a good practice to protect data privacy when disposing removable backup media because it does not erase or destroy the data on the media. Data encryption only transforms the data into an unreadable format that can only be accessed with a key or a password. However, if the key or password is lost, stolen, compromised, or guessed by an attacker, the data can still be decrypted and exposed. Data encryption is more suitable for protecting data in transit or at rest, but not for disposing data.
Data scrambling is not a good practice to protect data privacy when disposing removable backup media because it does not erase or destroy the data on the media. Data scrambling only rearranges the order of the bits or bytes of the data to make it appear random or meaningless. However, if the algorithm or pattern of scrambling is known or discovered by an attacker, the data can still be unscrambled and restored. Data scrambling is more suitable for obfuscating data for testing or debugging purposes, but not for disposing data.
Data masking (D) is not a good practice to protect data privacy when disposing removable backup media because it does not erase or destroy the data on the media. Data masking only replaces some parts of the data with fictitious or anonymized values to hide its true identity or meaning. However, if the original data is still stored somewhere else or if the masking technique is weak or reversible by an attacker, the data can still be unmasked and revealed. Data masking is more suitable for protecting data in use or in analysis, but not for disposing data.
References:
* What Is Data Sanitization? [1]
* How to securely erase hard drives (HDDs) and solid state drives (SSDs) [2]
* Secure Data Disposal & Destruction: 6 Methods to Follow [3]
Question 130
Who is ULTIMATELY accountable for the protection of personal data collected by an organization?
Correct Answer: B
The data owner is the person or entity who has the ultimate authority and responsibility for the protection of personal data collected by an organization. The data owner defines the purpose, scope, classification, and retention of the personal data, as well as the rights and obligations of the data subjects and other parties involved in the data processing. The data owner also ensures that the personal data is handled in compliance with the applicable privacy laws and regulations, as well as the organization's privacy policies and standards. The data owner may delegate some of the operational tasks to the data processor, data custodian, or data protection officer, but the accountability remains with the data owner.