CDPSE Certified Data Privacy Solutions Engineer Question and Answers

Degaussing is a hard drive sanitation method that uses a powerful magnetic field to erase or destroy the data stored on a magnetic disk or tape. Degaussing should be used to sanitize hard drives containing personal data prior to being crushed, as it provides an additional layer of assurance that data has been permanently erased and cannot be recovered by any means. Degaussing also damages the drive itself, making it unusable for future storage. The other options are not effective or necessary hard drive sanitation methods prior to being crushed. Low-level formatting is a hard drive sanitation method that erases the data and the partition table on the drive, but it may leave some traces of data that can be recovered by forensic tools or software. Remote partitioning is a hard drive sanitation method that creates separate logical sections on the drive, but it does not erase or destroy the data on the drive. Hammer strike is a hard drive sanitation method that physically damages the drive by hitting it with a hammer, but it may not erase or destroy the data completely or prevent data recovery by advanced tools or techniques1, p. 93-94 References: 1: CDPSE Review Manual (Digital Version)

A bug bounty program is an assurance approach that involves offering rewards to external security researchers who find and report vulnerabilities in an API or other software. A bug bounty program can be more effective than other assurance approaches in identifying API vulnerabilities because it leverages the skills, creativity, and diversity of a large pool of ethical hackers who can test the API from different perspectives and scenarios. A bug bounty program can also incentivize continuous testing and reporting of vulnerabilities, which can help improve the security posture of the API over time.

References:

• 10 top API security testing tools, CSO Online
• Bug Bounty Programs: What You Need to Know, ISACA Journal

Validation and certification of data destruction is the most important consideration when choosing a method for data destruction, because it provides evidence that the data has been destroyed beyond recovery and that the organization has complied with the applicable information security frameworks and legal requirements. Validation and certification can also help to prevent data breaches, avoid legal liabilities, and enhance the organization’s reputation and trustworthiness. Different methods of data destruction may have different levels of validation and certification, depending on the type of media, the sensitivity of the data, and the standards and guidelines followed. For example, some methods may require a third-party verification or audit, while others may generate a certificate of destruction or a report of erasure. Therefore, the organization should choose a method that can provide sufficient validation and certification for its specific needs and obligations.

References:

• Secure Data Disposal and Destruction: 6 Methods to Follow, KirkpatrickPrice
• Data Destruction Standards and Guidelines, BitRaser
• Best Practices for Data Destruction, U.S. Department of Education

The best answer is D. Mutual certificate authentication.

A comprehensive explanation is:

Mutual certificate authentication is a method of mutual authentication that uses public key certificates to verify the identities of both parties in a two-way communication. A public key certificate is a digital document that contains information about the identity of the certificate holder, such as their name, organization, domain name, etc., as well as their public key, which is used for encryption and digital signature. A public key certificate is issued and signed by a trusted authority, called a certificate authority (CA), that vouches for the validity of the certificate.

Mutual certificate authentication works as follows:

• Both parties have a public key certificate issued by a CA that they trust.
• When they initiate a communication, they exchange their certificates with each other.
• They verify the signatures on the certificates using the CA’s public key, which they already have or can obtain from a trusted source.
• They check that the certificates are not expired, revoked, or tampered with.
• They extract the public keys from the certificates and use them to encrypt and decrypt messages or to generate and verify digital signatures.
• They confirm that the identities in the certificates match their expectations and intentions.

By using mutual certificate authentication, both parties can be confident that they are communicating with the intended and legitimate party, and that their communication is secure and confidential.

Mutual certificate authentication is often used in conjunction with Transport Layer Security (TLS), a protocol that provides encryption and authentication for network communications. TLS supports both one-way and two-way authentication. In one-way authentication, only the server presents a certificate to the client, and the client verifies it. In two-way authentication, also known as mutual TLS or mTLS, both the server and the client present certificates to each other, and they both verify them. Mutual TLS is commonly used for secure web services, such as APIs or webhooks, that require both parties to authenticate each other.

Virtual private network (VPN), Secure Shell (SSH), and Transport Layer Security (TLS) are all technologies that can help to ensure the identities of individuals in a two-way communication are verified, but they are not methods of mutual authentication by themselves. They can use mutual certificate authentication as one of their options, but they can also use other methods, such as username and password, pre-shared keys, or tokens. Therefore, they are not as specific or accurate as mutual certificate authentication.

References:

• What is mutual authentication? | Two-way authentication1
• How to prove and verify someone’s identity2
• Identity verification - Information Security & Policy3

The primary consideration to protect against privacy violations when utilizing artificial intelligence (AI) driven business decisions is ensuring proper data sets are used to train the models. AI is a technology that enables machines or systems to perform tasks that normally require human intelligence, such as reasoning, learning, decision making, etc. AI relies on large amounts of data to train its models and algorithms to perform these tasks. However, if the data sets used to train the models are inaccurate, incomplete, biased, or outdated, they can result in privacy violations, such as discrimination, profiling, manipulation, or harm to the data subjects. Therefore, an IT privacy practitioner should ensure that the data sets used to train the models are proper, meaning that they are relevant, representative, reliable, and respectful of the data subjects’ rights and interests. References: : CDPSE Review Manual (Digital Version), page 141

A privacy risk assessment is a process of identifying, analyzing and evaluating the privacy risks associated with the collection, use, disclosure or retention of personal data. A privacy risk assessment is the best way to distinguish between a privacy risk and compliance risk, as it would help to determine the likelihood and impact of privacy incidents or breaches that could affect the rights and interests of the data subjects, as well as the legal obligations and responsibilities of the organization. A privacy risk assessment would also help to identify and implement appropriate controls and measures to mitigate or reduce the privacy risks and ensure compliance with privacy principles, laws and regulations. The other options are not as effective as conducting a privacy risk assessment in distinguishing between a privacy risk and compliance risk. Performing a privacy risk audit is a process of verifying and validating the effectiveness and adequacy of the privacy controls and measures implemented by the organization, but it does not necessarily identify or evaluate the privacy risks or compliance risks. Validating a privacy risk attestation is a process of confirming and certifying the accuracy and completeness of the privacy information or statements provided by the organization, but it does not necessarily identify or evaluate the privacy risks or compliance risks. Conducting a privacy risk remediation exercise is a process of implementing corrective actions or improvements to address the identified or reported privacy risks or compliance risks, but it does not necessarily distinguish between them1, p. 66-67 References: 1: CDPSE Review Manual (Digital Version)

To ensure the protection of personal data, privacy policies should mandate that access to information system applications be authorized by the business application owner, because they are the ones who are responsible for defining the business requirements, functions, and objectives of the applications. The business application owner can also determine the appropriate level of access for different users or groups based on their roles, responsibilities, and needs. The business application owner can also monitor and review the access control policies and procedures to ensure that they are effective and compliant with the privacy regulations and standards.

References:

• Access Control Policy and Implementation Guides, CSRC
• What is Authorization and Access Control?, ICANN

A privacy impact assessment (PIA) is a process of analyzing the potential privacy risks and impacts of collecting, using, and disclosing personal data. A PIA should be conducted when there is a change in the data processing activities that may affect the privacy of individuals or the compliance with data protection laws and regulations. One of the scenarios that should trigger the completion of a PIA is when there are new inter-organizational data flows, which means that personal data is shared or transferred between different entities or jurisdictions. This may introduce new privacy risks, such as unauthorized access, misuse, or breach of data, as well as new legal obligations, such as obtaining consent, ensuring adequate safeguards, or notifying authorities.

References:

• PIA Triggers - International Association of Privacy Professionals
• Privacy Impact Assessment - International Association of Privacy Professionals
• GDPR Privacy Impact Assessment
• Data Protection Impact Assessment triggers: Clarity or confusion?

Conducting a risk assessment of all candidate vendors is the best way to provide assurance that a potential vendor is able to comply with privacy regulations and the organization’s data privacy policy, because it allows the organization to evaluate the vendor’s privacy practices, controls, and performance against a set of criteria and standards. A risk assessment can also help to identify any gaps, weaknesses, or threats that may pose a risk to the organization’s data privacy objectives and obligations. A risk assessment can be based on various sources of information, such as self-attestations, documentation, audits, or independent verification. A risk assessment can also help to prioritize the vendors based on their level of risk and impact, and to determine the appropriate mitigation or monitoring actions.

References:

• 8 Steps to Manage Vendor Data Privacy Compliance, DocuSign
• Supplier Security and Privacy Assurance (SSPA) program, Microsoft Learn

An analysis of known threats is the best way for an organization to gain visibility into its exposure to privacy-related vulnerabilities because it helps identify the sources, methods and impacts of potential privacy breaches and assess the effectiveness of existing controls. A data loss prevention (DLP) solution, a review of historical privacy incidents and a monitoring of inbound and outbound communications are useful tools for detecting and preventing privacy violations, but they do not provide a comprehensive view of the organization’s privacy risk posture.

References:

• CDPSE Review Manual (Digital Version), Domain 1: Privacy Governance, Task 1.4: Coordinate and/or perform privacy impact assessments (PIA) and other privacy-focused assessments1
• CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 2: Privacy Governance, Section: Privacy Risk Assessment2

The best testing method to identify and review the application’s runtime modules is dynamic application security testing (DAST). DAST is a testing technique that analyzes the application’s behavior and functionality during its execution. DAST can detect security and privacy vulnerabilities that are not visible in the source code, such as injection attacks, cross-site scripting, broken authentication, sensitive data exposure, or improper error handling. DAST can also simulate real-world attacks and test the application’s response and resilience. DAST can provide a comprehensive and realistic assessment of the application’s security and privacy posture in the pre-production environment. References:

• [ISACA Glossary of Terms]
• [OWASP Top 10 Web Application Security Risks]
• [ISACA CDPSE Review Manual, Chapter 2, Section 2.4.2]
• [ISACA Journal, Volume 6, 2018, “Dynamic Application Security Testing”]

Biometric records are personal information that can be used to identify an individual based on their physical or behavioral characteristics, such as fingerprints, facial recognition, iris scans, voice patterns, etc. Biometric records are considered sensitive personal information that require special protection and consent from the data subject. Biometric records can be used for various purposes, such as authentication, identification, security, etc., but they also pose privacy risks, such as unauthorized access, use, disclosure, or transfer of biometric data. References: : CDPSE Review Manual (Digital Version), page 25

Inferred data is the type of data that is produced by using a more complex method of analytics to find correlations between data sets and using them to categorize or profile people. Inferred data is not directly observed or collected from the data subjects, but rather derived from other sources of data, such as behavioral, transactional, or demographic data. Inferred data can be used to make assumptions or predictions about the data subjects’ preferences, interests, behaviors, or characteristics12.

References:

• CDPSE Review Manual, Chapter 3 – Data Lifecycle, Section 3.1 – Data Classification3.
• CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 3 – Data Lifecycle, Section 3.2 – Data Classification4.

Beacons use Bluetooth low-energy (BLE) wireless technology to transmit information to nearby devices that have Bluetooth enabled. By disabling Bluetooth services on the mobile device, the user can prevent beacons from detecting and tracking their location and sending them unwanted messages or advertisements. This can help protect the user’s privacy and avoid potential security risks from malicious beacons. Disabling location services, enabling Trojan scanners, or enabling antivirus for mobile devices are not effective ways to address threats to mobile device privacy when using beacons as a tracking technology, because they do not prevent the communication between beacons and the mobile device.

References:

• Beacon Technology: What It Is and How It Impacts You1
• What Does It All Mean: Beacon Technology, GPS and Geofencing2

 Including privacy requirements in vendor contracts is the best way to ensure privacy considerations are included when working with vendors because it establishes the obligations, expectations and responsibilities of both parties regarding the protection of personal data. It also provides a legal basis for enforcing compliance and resolving disputes. Including privacy requirements in the request for proposal (RFP) process, monitoring privacy-related service level agreements (SLAs) and requiring vendors to complete privacy awareness training are helpful measures, but they do not guarantee that vendors will adhere to the privacy requirements or that they will be held accountable for any violations.

References:

• CDPSE Review Manual (Digital Version), Domain 1: Privacy Governance, Task 1.7: Participate in the management and evaluation of contracts, service levels and practices of vendors and other external parties1
• CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 2: Privacy Governance, Section: Vendor Management2

The notice provided to customers during data collection is the most important consideration when determining retention periods for personal data, as it reflects the transparency and accountability principles of privacy and the expectations and preferences of the data subjects. The notice should inform the customers about the purposes and legal bases of the data processing, the rights and choices of the customers, and the safeguards and measures to protect the data, including how long the data will be kept and when it will be deleted or disposed of. The notice should also be consistent with the applicable laws and regulations that may prescribe or limit the retention periods for certain types of personal data. The other options are not as important as the notice provided to customers during data collection when determining retention periods for personal data. Sectoral best practices for the industry may provide some guidance or benchmarks for retention periods, but they may not reflect the specific context or needs of the organization or the customers. Data classification standards may help to categorize data according to its sensitivity and value, but they may not indicate how long the data should be retained or deleted. Storage capacity available for retained data may affect the feasibility or cost of retaining data, but it should not determine or override the retention periods based on privacy principles, laws or customer expectations1, p. 99-100 References: 1: CDPSE Review Manual (Digital Version)

Validating the privacy framework is a responsibility of the audit function in helping an organization address privacy compliance requirements, as it would help to verify and validate the effectiveness and adequacy of the privacy framework implemented by the organization to comply with privacy principles, laws and regulations. Validating the privacy framework would also help to identify and report any gaps, weaknesses or issues in the privacy framework, and to provide recommendations for improvement or remediation. The other options are not responsibilities of the audit function in helping an organization address privacy compliance requirements. Approving privacy impact assessments (PIAs) is a responsibility of management or governance function in helping an organization address privacy compliance requirements, as they would have authority and accountability for approving PIAs conducted by project teams or business units before implementing any system, project, program or initiative that involves personal data processing activities. Managing privacy notices provided to customers is a responsibility of operational function in helping an organization address privacy compliance requirements, as they would have direct contact and interaction with customers and would be responsible for providing clear and accurate information about how their personal data is collected, used, disclosed and transferred by the organization. 

Using hash values with stored personal data best enables an organization to detect changes to the data, because hash values are unique and fixed outputs that are generated from the data using a mathematical algorithm. If the data is altered in any way, even by a single bit, the hash value will change dramatically. Therefore, by comparing the current hash value of the data with the original or expected hash value, the organization can verify the integrity and authenticity of the data. If the hash values match, it means that the data has not been tampered with. If the hash values differ, it means that the data has been corrupted or modified.

References:

• Ensuring Data Integrity with Hash Codes, Microsoft Learn
• What is ‘hashing,’ and does it help avoid the obligations imposed by the new privacy regulations?, Data Privacy Dish

Restricting access to authorized users is the best control to secure application programming interfaces (APIs) that may contain personal information, as it would prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries. Restricting access to authorized users can be achieved by using various methods, such as authentication, authorization, encryption, tokens or certificates. The other options are not effective controls to secure APIs that may contain personal information. Encrypting APIs with the organization’s private key is not a feasible or desirable method, as it would make the APIs unreadable by anyone who does not have the corresponding public key, which would defeat the purpose of using APIs for interoperability and integration. Requiring nondisclosure agreements (NDAs) when sharing APIs is not a reliable or enforceable method, as it would depend on the compliance and cooperation of the parties who receive the APIs, and it would not prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries who are not bound by the NDAs. Sharing only digitally signed APIs is not a sufficient method, as it would only ensure the authenticity and integrity of the APIs, but it would not prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries who can read or intercept the APIs1, p. 90-91 References: 1: CDPSE Review Manual (Digital Version)

Lawfulness and fairness is a data protection principle that states that personal data should be processed in a lawful, fair, and transparent manner in relation to the data subject. This means that personal data should be collected and used for legitimate purposes that are specified and communicated to the data subject, and that respect the rights and interests of the data subject. By posting its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities, an online business is applying the lawfulness and fairness principle. The online business is informing the customers about the purpose and scope of data collection, and obtaining their consent or legal basis for processing their personal data. References: : CDPSE Review Manual (Digital Version), page 2

The primary reason to complete a privacy impact assessment (PIA) is to understand privacy risks associated with the collection, use, disclosure or retention of personal data. A PIA is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves personal data processing activities. A PIA helps to ensure that privacy risks are identified and mitigated before the implementation is executed. A PIA also helps to ensure compliance with privacy principles, laws and regulations, and alignment with customer expectations and preferences. The other options are not primary reasons to complete a PIA. To comply with consumer regulatory requirements may be a reason to complete a PIA, but it is not the primary reason, as consumer regulatory requirements may vary depending on the context and jurisdiction. To establish privacy breach response procedures may be an outcome of completing a PIA, but it is not the primary reason, as privacy breach response procedures are only one aspect of mitigating privacy risks. To classify personal data may be an activity that is part of completing a PIA, but it is not the primary reason, as personal data classification is only one aspect of understanding privacy risks1, p. 67 References: 1: CDPSE Review Manual (Digital Version)

Incorporating privacy checkpoints into the secure development life cycle (SDLC) is the best way to avoid collecting personal data that was not part of the privacy impact assessment (PIA). Privacy checkpoints are stages in the SDLC where privacy requirements and risks are reviewed and validated, and any changes or deviations from the original PIA are identified and addressed. Privacy checkpoints help ensure that privacy is embedded throughout the system design and development, and that any changes are documented and approved.

References:

• ISACA, CDPSE Review Manual 2021, Chapter 3: Privacy by Design, Section 3.2: Privacy Engineering, p. 97-98.

The most important consideration when writing an organization’s privacy policy is to align the statements to the organizational practices, because this will help ensure that the policy is accurate, consistent, and transparent. A privacy policy is a document that explains how the organization collects, uses, discloses, and protects personal data from its customers, employees, partners, and other stakeholders. A privacy policy should reflect the actual data processing activities and privacy measures of the organization, as well as comply with the applicable laws and regulations. A privacy policy that is not aligned with the organizational practices may lead to confusion, mistrust, or legal liability12.

References:

• CDPSE Review Manual, Chapter 1 – Privacy Governance, Section 1.2 – Privacy Policy3.
• CDPSE Certified Data Privacy Solutions Engineer All-in-One Exam Guide, Chapter 1 – Privacy Governance, Section 1.2 – Data Privacy Laws and Regulations4.

The first consideration for ensuring that endpoints are protected in line with the privacy policy is hardening the operating systems of endpoint devices. Hardening is a process of applying security configurations and controls to reduce the attack surface and vulnerabilities of an operating system. Hardening can include disabling unnecessary services and features, applying security patches and updates, enforcing strong passwords and encryption, configuring firewall and antivirus settings, and implementing least privilege principles. Hardening the operating systems of endpoint devices can help prevent unauthorized access, data leakage, malware infection, or other threats that may compromise the privacy of personal data stored or processed on those devices.

Detecting malicious access through endpoints, implementing network traffic filtering on endpoint devices, and managing remote access and control are also important aspects of endpoint security, but they are not the first consideration. Rather, they are dependent on or complementary to hardening the operating systems of endpoint devices. For example, detecting malicious access requires having a baseline of normal activity and behavior on the endpoint device, which can be established by hardening. Implementing network traffic filtering requires having a firewall or other network security tool installed and configured on the endpoint device, which is part of hardening. Managing remote access and control requires having authentication and authorization mechanisms in place on the endpoint device, which is also part of hardening.

References: Manage endpoint security policies in Microsoft Intune, ENDPOINT SECURITY POLICY, How To Build An Effective Endpoint Security Policy And Prevent Cyberattacks

Implementing multi-factor authentication is the best way to reduce the risk of compromised credentials when an organization allows employees to have remote access, as it adds an extra layer of security and verification to the authentication process. Multi-factor authentication requires the user to provide two or more pieces of evidence to prove their identity, such as something they know (e.g., password, PIN), something they have (e.g., token, smart card), or something they are (e.g., fingerprint, face scan)135. References: 1 Domain 2, Task 8;

Data sanitization is a process of permanently erasing or destroying data from a storage device or media to prevent unauthorized access or recovery of the data. Data sanitization methods can include physical destruction, degaussing, overwriting, encryption or cryptographic erasure. The most important consideration when using advanced data sanitization methods to ensure privacy data will be unrecoverable is the type of media on which the data is stored, as different media types may require different methods or techniques to achieve effective sanitization. For example, physical destruction may be suitable for optical disks or tapes, but not for solid state drives (SSDs) or flash memory devices. Degaussing may be effective for magnetic disks or tapes, but not for optical disks or SSDs. Overwriting may work for hard disk drives (HDDs) or SSDs, but not for tapes or optical disks. Encryption or cryptographic erasure may be applicable for any media type, but may require additional security measures to protect the encryption keys or certificates. The other options are not as important as the type of media when using advanced data sanitization methods. Subject matter expertise may be helpful, but not essential, as long as the appropriate method is selected and applied correctly. Regulatory compliance requirements may influence the choice of method, but not necessarily determine it, as different methods may meet different standards or criteria. Location of data may affect the feasibility or cost of applying a method, but not its effectiveness or suitability., p. 93-94 References: : CDPSE Review Manual (Digital Version)

Asymmetric encryption is a method of encrypting and decrypting data using two different keys: a public key and a private key. The public key can be shared with anyone, while the private key is kept secret by the owner. Data encrypted with the public key can only be decrypted with the private key, and vice versa. Asymmetric encryption ensures the security of encryption keys when transferring data containing personal information between cloud applications, by providing the following benefits:

• It can prevent unauthorized access or use of the data, as only the intended recipient who has the matching private key can decrypt the data sent by the sender who has the public key.
• It can prevent man-in-the-middle attacks, where an attacker intercepts and modifies the data or keys in transit, as any tampering with the data or keys will result in decryption failure or error.
• It can enable digital signatures, where the sender encrypts a message digest of the data with their private key, and the recipient verifies it with the sender’s public key. Digital signatures can ensure the authenticity and integrity of the data and the sender.

The other options are less effective or irrelevant for ensuring the security of encryption keys when transferring data containing personal information between cloud applications. Whole disk encryption is a method of encrypting all the data on a disk or device, such as a laptop or a smartphone. It does not protect the data when they are transferred over a network or stored on a cloud server. Symmetric encryption is a method of encrypting and decrypting data using the same key. It requires both parties to securely exchange and store the key, which may be difficult or risky in a cloud environment. Digital signature is not a method of encryption, but an application of asymmetric encryption that can provide additional security features for data transmission.

User consent to share personal data is the most important factor when designing APIs that enable mobile device applications to access personal data, as it ensures that the user is informed and agrees to the purpose, scope, and duration of the data sharing. User consent also helps to comply with the data protection principles and regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), that require user consent for certain types of data processing and sharing134. References: 1 Domain 2, Task 7

In GDPR parlance, organizations that use third-party service providers are often, but not always, considered data controllers, which are entities that determine the purposes and means of the processing of personal data, which can include directing third parties to process personal data on their behalf. The third parties that process data for data controllers are known as data processors.

The best way to protect personal data in the custody of a third party is to include requirements to comply with the organization’s privacy policies in the contract. This means that the organization should specify the terms and conditions of data processing, such as the purpose, scope, duration, and security measures, and ensure that they are consistent with the organization’s privacy policies and applicable privacy regulations. The contract should also define the roles and responsibilities of both parties, such as data controller and data processor, and establish mechanisms for monitoring, reporting, auditing, and resolving any issues or incidents related to data privacy. References: : CDPSE Review Manual (Digital Version), page 41

After a privacy risk has been accepted, the next step is to monitor the risk landscape for material changes. This means that the organization should keep track of any internal or external factors that may affect the likelihood or impact of the risk, such as new threats, vulnerabilities, regulations, technologies, or business processes. Monitoring the risk landscape can help the organization identify if the risk acceptance decision is still valid, or if it needs to be revisited or revised. Monitoring can also help the organization prepare for potential incidents or consequences that may arise from the accepted risk.

Data anonymization is a method of protecting personal data by modifying or removing any information that can be used to identify an individual, either directly or indirectly, in a data set. Data anonymization aims to prevent the re-identification of the data subjects, even by the data controller or processor, or by using additional data sources or techniques. Data anonymization also helps to comply with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which require data controllers and processors to respect the privacy rights and preferences of the data subjects.

The data is transformed such that re-identification is impossible is an example of data anonymization, as it involves applying irreversible techniques, such as aggregation, generalization, perturbation, or synthesis, to alter the original data in a way that preserves their utility and meaning, but eliminates their identifiability. For example, a database of customer transactions can be anonymized by replacing the names and addresses of the customers with random codes, and by adding noise or rounding to the amounts and dates of the transactions.

The other options are not examples of data anonymization, but of other methods of protecting personal data that do not guarantee the impossibility of re-identification. The data is encrypted and a key is required to re-identify the data is an example of data pseudonymization, which is a method of replacing direct identifiers with pseudonyms, such as codes or tokens, that can be linked back to the original data with a key or algorithm. Data pseudonymization does not prevent re-identification by authorized parties who have access to the key or algorithm, or by unauthorized parties who can break or bypass the encryption. Key fields are hidden and unmasking is required to access to the data is an example of data masking, which is a method of concealing or obscuring sensitive data elements, such as names or credit card numbers, with characters, symbols or blanks. Data masking does not prevent re-identification by authorized parties who have permission to unmask the data, or by unauthorized parties who can infer or guess the hidden data from other sources or clues. Names and addresses are removed but the rest of the data is left untouched is an example of data deletion, which is a method of removing direct identifiers from a data set. Data deletion does not prevent re-identification by using indirect identifiers, such as age, gender, occupation or location, that can be combined or matched with other data sources to re-establish the identity of the data subjects.

References:

• Big Data Deidentification, Reidentification and Anonymization - ISACA, section 2: “Anonymization is the ability for the data controller to anonymize the data in a way that it is impossible for anyone to establish the identity of the data.”
• Data Anonymization - Overview, Techniques, Advantages, section 1: “Data anonymization is a method of ensuring that the company understands and enforces its duty to secure sensitive, personal, and confidential data in a world of highly complex data protection mandates that can vary depending on where the business and the customers are based.”

Classifying sensitive unstructured data should be done first to address the situation of the proliferation of personal data held as unstructured data, as it helps to identify the types, locations, and owners of the data, and to apply the appropriate privacy controls and measures based on the data classification level. Classifying sensitive unstructured data also facilitates the data discovery, data minimization, data retention, and data disposal processes. References: 2 Domain 3, Task 2; 5 Page 9

The best course of action to prevent false positives from data loss prevention (DLP) tools is to re-establish baselines for configuration rules. False positives are events that are triggered by a DLP policy in error, meaning that the policy has mistakenly identified non-sensitive data as sensitive or blocked legitimate actions. False positives can reduce the effectiveness and efficiency of DLP tools by generating unnecessary alerts, wasting resources, disrupting workflows, and creating user frustration. To avoid false positives, DLP tools need to have accurate and updated configuration rules that define what constitutes sensitive data and what actions are allowed or prohibited. Configuration rules should be based on clear and consistent criteria, such as data classification levels, data sources, data destinations, data formats, data patterns, user roles, user behaviors, etc. Configuration rules should also be regularly reviewed and adjusted to reflect changes in business needs, regulatory requirements, or threat landscape.

Conducting additional discovery scans, suppressing the alerts generating the false positives, or evaluating new DLP tools are not the best ways to prevent false positives from DLP tools. Conducting additional discovery scans may help identify more sensitive data in the network, but it does not address the root cause of false positives, which is the misconfiguration of DLP policies. Suppressing the alerts generating the false positives may reduce the noise and annoyance caused by false positives, but it does not solve the problem of inaccurate or outdated DLP policies. Evaluating new DLP tools may offer some advantages in terms of features or performance, but it does not guarantee that false positives will be eliminated or reduced without proper configuration and tuning of DLP policies.

References: False Positives Handling| Endpoint Data Loss Prevention - ManageEngine …, Scenario-based troubleshooting guide - DLP Issues, Respond to a DLP policy violation in Power BI - Power BI

One of the key principles of data protection is transparency, which means that individuals have the right to be informed about the collection and use of their personal data. This applies to video surveillance as well, especially in high security areas where the impact on privacy may be significant. Therefore, it is important to inform those affected by video surveillance about the purpose, scope, retention and access policies of the data collected.

References:

• ISACA Certified Data Privacy Solutions Engineer (CDPSE) Exam Content Outline, Domain 2: Privacy Architecture, Task 2.1: Design privacy controls based on privacy principles and legal requirements, Subtask 2.1.1: Identify applicable privacy principles and legal requirements.
• How can we comply with the data protection principles when using surveillance systems? | ICO

However, the risks associated with long-term retention have compelled organizations to consider alternatives; one is data archival, the process of preparing data for long-term storage. When organizations are bound by specific laws to retain data for many years, archival provides a viable opportunity to remove data from online transaction systems to other systems or media.

Data archiving is the process of moving data that is no longer actively used to a separate storage device for long-term retention. Data archiving helps to reduce the cost and complexity of data storage, improve the performance and availability of data systems, and comply with data retention policies and regulations. Data archiving should document controls relating to periods of retention for personal data, such as the criteria for determining the retention period, the procedures for deleting or anonymizing data after the retention period expires, and the mechanisms for ensuring the integrity and security of archived data. References: : CDPSE Review Manual (Digital Version), page 123

An audit log is a record of the activities and events that occur in an information system, such as an application hosting personal data. An audit log can help to monitor, detect, investigate and prevent unauthorized or malicious access, use, modification or deletion of personal data. An audit log can also help to demonstrate compliance with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). An audit log should capture the following information for each event: 9

• The date and time of the event
• The identity of the user or system that performed the event
• The type and description of the event
• The outcome or result of the event
• The personal data that were accessed, used, modified or deleted

The last user who accessed personal data is the most important information to capture in the audit log, as it can help to identify who is responsible for any data breach or misuse of personal data. It can also help to verify that only authorized and legitimate users have access to personal data, and that they follow the data use policy and the principle of least privilege. The last user who accessed personal data can also help to support data subjects’ rights, such as the right to access, rectify, erase or restrict their personal data.

The other options are less important or irrelevant to capture in the audit log of an application hosting personal data. Server details of the hosting environment are not related to personal data, and they can be obtained from other sources, such as network logs or configuration files. Last logins of privileged users are important to capture in a separate audit log for user account management, but they do not indicate what personal data were accessed or used by those users. Application error events are important to capture in a separate audit log for system performance and reliability, but they do not indicate what personal data were affected by those errors.

References:

• IS Audit Basics: Auditing Data Privacy, section 4: “Audit logs should be maintained for all systems that process PII.”
• Data Protection Audit Manual, section 3.2: “Audit trails should be kept for all processing operations involving personal data.”
• Audit Logging Best Practices, section 2: “An audit log entry should contain enough information to answer who did what and when.”

The best way to validate compliance with agreed-upon service levels established with a third party that processes personal data is to have a contractual right to audit, which means that the organization can conduct audits or inspections of the third party’s privacy practices, policies, and procedures to verify that they meet the contractual obligations and expectations. A contractual right to audit can also help identify and address any privacy risks or gaps that may arise from the third party’s processing of personal data12.

References:

• CDPSE Exam Content Outline, Domain 1 – Privacy Governance (Governance, Management & Risk Management), Task 7: Participate in the management and evaluation of contracts, service levels and practices of vendors and other external parties3.
• CDPSE Review Manual, Chapter 1 – Privacy Governance, Section 1.4 – Third-Party Management4.

The best indication of a highly effective privacy training program is that members of the workforce understand their roles in protecting data privacy, because this shows that the training program has successfully raised the awareness and knowledge of the workforce on the importance, principles and practices of data privacy, and how they can contribute to the organization’s privacy objectives and compliance. According to ISACA, one of the key elements of a privacy training program is to define and communicate the roles and responsibilities of the workforce in relation to data privacy1. Members of the workforce who understand their roles in protecting data privacy are more likely to follow the privacy policies and procedures, report any privacy incidents or issues, and support the privacy culture of the organization2. Recent audits have no findings or recommendations related to data privacy, no privacy incidents have been reported in the last year, and HR has made privacy training an annual mandate for the organization are not as reliable as members of the workforce understand their roles in protecting data privacy, as they do not necessarily reflect the effectiveness of the privacy training program, but rather the performance of other factors such as audit processes, incident management systems, or HR policies.

A data inventory is a comprehensive list of the data that an organization collects, processes, stores, transfers, and disposes of. It includes information such as the type, source, location, owner, purpose, and retention period of the data. A data inventory is essential for understanding where personal data is coming from and how it is used within the organization, as well as for complying with data privacy laws and regulations. A data inventory also helps to identify and mitigate data privacy risks and gaps.

References:

• ISACA, CDPSE Review Manual 2021, Chapter 2: Privacy Governance, Section 2.2: Data Inventory and Data Mapping, p. 40-41.
• ISACA, Data Privacy Audit/Assurance Program, Control Objective 3: Data Inventory and Classification, p. 7-81

The most effective way to incorporate privacy by design principles into applications is to include privacy requirements in software development practices, because this ensures that privacy is considered and integrated from the early stages of the design process and throughout the entire lifecycle of the application. Software development practices include activities such as defining the scope, objectives, and specifications of the application, identifying and analyzing the privacy risks and impacts, selecting and implementing the appropriate privacy-enhancing technologies and controls, testing and validating the privacy functionality and performance, and monitoring and reviewing the privacy compliance and effectiveness of the application. By including privacy requirements in software development practices, the organization can achieve a proactive, preventive, and embedded approach to privacy that aligns with the privacy by design principles.

References:

• CDPSE Review Manual, 2023 Edition, Domain 2: Privacy Architecture, Section 2.1.2: Privacy Requirements, p. 75
• CDPSE Review Manual, 2023 Edition, Domain 2: Privacy Architecture, Section 2.2.1: Privacy by Design Methodology, p. 79-80
• The 7 Principles of Privacy by Design | Blog | OneTrust1

A data processor that handles personal data for multiple customers has decided to migrate its data warehouse to a third-party provider. The processor is obligated to seek approval from all in-scope data controllers prior to implementation. A data controller is an entity that determines the purposes and means of processing personal data. A data processor is an entity that processes personal data on behalf of a data controller. A third-party provider is an entity that provides services or resources to another entity, such as a cloud service provider or a hosting provider.

According to various privacy laws and regulations, such as the GDPR or the CCPA, a data processor must obtain explicit consent from the data controller before engaging another processor or transferring personal data to a third country or an international organization. The consent must specify the identity of the other processor or the third country or international organization, as well as the safeguards and guarantees for the protection of personal data. The consent must also be documented in a written contract or other legal act that binds the processor to respect the same obligations as the controller.

Seeking approval from all in-scope data controllers can help ensure that the processor complies with its contractual and legal obligations, respects the rights and preferences of the data subjects, and maintains transparency and accountability for its processing activities.

Obtaining assurance that data subject requests will continue to be handled appropriately, implementing comparable industry-standard data encryption in the new data warehouse, or ensuring data retention periods are documented are also good practices for a data processor that migrates its data warehouse to a third-party provider, but they are not obligations prior to implementation. Rather, they are requirements or recommendations during or after implementation.

Obtaining assurance that data subject requests will continue to be handled appropriately is a requirement for a data processor that processes personal data on behalf of a data controller. Data subject requests are requests made by individuals to exercise their rights regarding their personal data, such as access, rectification, erasure, restriction, portability, or objection. A data processor must assist the data controller in fulfilling these requests within a reasonable time frame and without undue delay.

Implementing comparable industry-standard data encryption in the new data warehouse is a recommendation for a data processor that transfers personal data to another system or location. Data encryption is a process of transforming data into an unreadable form using a secret key or algorithm. Data encryption can help protect the confidentiality, integrity, and availability of personal data by preventing unauthorized access, disclosure, or modification.

Ensuring data retention periods are documented is a requirement for a data processor that stores personal data on behalf of a data controller. Data retention periods are the durations for which personal data are kept before they are deleted or anonymized. Data retention periods must be determined by the purpose and necessity of processing personal data and must comply with legal and regulatory obligations.

References: Data warehouse migration tips: preparation and discovery - Google Cloud, Plan a data warehouse migration - Cloud Adoption Framework, Migrating your traditional data warehouse platform to BigQuery …

The best way to safeguard the encryption keys is to ensure that they are stored in a cryptographic vault. A cryptographic vault is a secure hardware or software module that provides cryptographic services and protects the keys from unauthorized access, modification, or disclosure. A cryptographic vault can also provide other functions, such as key generation, key backup, key rotation, key destruction, and key auditing. A cryptographic vault can enhance the security and privacy of the encrypted data by preventing key compromise, leakage, or misuse. A cryptographic vault can also comply with the security standards and best practices for key management, such as the ISO/IEC 27002, NIST SP 800-57, or PCI DSS. References:

• [ISACA Glossary of Terms]
• [ISACA CDPSE Review Manual, Chapter 3, Section 3.3.3]
• [ISACA Journal, Volume 4, 2019, “Key Management in the Multi-Cloud Environment”]
• [ISACA CDPSE Review Manual, Chapter 3, Section 3.3.4]

The scenario that poses the greatest risk to an organization from a privacy perspective is that the organization lacks a hardware disposal policy. A hardware disposal policy is a policy that defines how the organization should dispose of or destroy hardware devices that contain or process personal data, such as laptops, servers, hard drives, USBs, etc. A hardware disposal policy should ensure that personal data is securely erased or overwritten before the hardware device is discarded, recycled, donated, or sold. A hardware disposal policy should also comply with the applicable privacy regulations and standards that govern data retention and destruction. By lacking a hardware disposal policy, the organization exposes personal data to potential threats, such as theft, loss, or unauthorized access, use, disclosure, or transfer. References: : CDPSE Review Manual (Digital Version), page 123

Data privacy and data security are related but distinct concepts that are both essential for protecting personal data. Data privacy is about ensuring that personal data are collected, used, shared and disposed of in a lawful, fair and transparent manner, respecting the rights and preferences of the data subjects. Data privacy also involves implementing policies, procedures and controls to comply with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). Data privacy protects users from unauthorized disclosure of their personal data, which may result in harm, such as identity theft, fraud, discrimination or reputational damage.

Data security is about safeguarding the confidentiality, integrity and availability of data from unauthorized or malicious access, use, modification or destruction. Data security also involves implementing technical and organizational measures to prevent or mitigate data breaches or incidents, such as encryption, authentication, backup or incident response. Data security prevents compromise of data, which may result in loss, corruption or disruption of data.

References:

• The Difference Between Data Privacy and Data Security - ISACA, section 1: “Data privacy is focused on the use and governance of personal data—things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in appropriate ways.”
• Practical Data Security and Privacy for GDPR and CCPA - ISACA, section 1: “Data security is the practice of protecting digital information from unauthorized access, corruption or theft throughout its life cycle.”

A PIA is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves the collection, use, disclosure or retention of personal data. A PIA should be conducted as early as possible in the system lifecycle, preferably during the development stage, to ensure that privacy risks are identified and mitigated before the system is deployed. Conducting a PIA during functional testing, UAT or production stages may be too late to address privacy issues effectively and may result in costly rework or delays1, p. 67 References: 1: CDPSE Review Manual (Digital Version)

Input validation controls are the best way to ensure consumer credit card numbers are accurately captured. Input validation controls are methods that check the format, type, range, and length of the input data before accepting, processing, or storing it. Input validation controls can help prevent errors, fraud, or data loss by rejecting invalid, incomplete, or malicious input. For example, input validation controls can verify that a credit card number follows the Luhn algorithm1, has the correct number of digits2, and matches the card issuer’s prefix3. Input validation controls can also prevent SQL injection attacks4 or cross-site scripting attacks5 that may compromise the security and privacy of the data.

Input reference controls, access controls, and reconciliation controls are also important for data quality and security, but they do not directly ensure the accuracy of consumer credit card numbers. Input reference controls are methods that compare the input data with a predefined list of values or a reference table to ensure consistency and validity. For example, input reference controls can check if a country name or a postal code is valid by looking up a database of valid values. Access controls are methods that restrict who can access, modify, or delete the data based on their roles, permissions, or credentials. For example, access controls can prevent unauthorized users from accessing or tampering with consumer credit card numbers. Reconciliation controls are methods that compare the data from different sources or systems to ensure completeness and accuracy. For example, reconciliation controls can check if the transactions recorded in the accounting system match the transactions processed by the payment gateway.

References: Luhn algorithm, Credit card number, Bank card number, SQL injection, Cross-site scripting

Compartmentalizing resource access is a security technique that divides a system or network into separate segments or zones with different levels of access and control, based on the sensitivity and value of the data or resources. Compartmentalizing resource access would most effectively reduce the impact of a successful breach through a remote access solution, as it would limit the scope and extent of the breach, and prevent unauthorized access to other segments or zones that contain more critical or sensitive data or resources. The other options are not as effective as compartmentalizing resource access in reducing the impact of a successful breach through a remote access solution. Regular testing of system backups is a security technique that verifies the availability and recoverability of data in case of a system failure or disaster, but it does not prevent or limit unauthorized access to data. Monitoring and reviewing remote access logs is a security technique that records and analyzes the activities and events related to remote access sessions, but it does not prevent or limit unauthorized access to data. Regular physical and remote testing of the incident response plan is a security technique that evaluates and improves the readiness and effectiveness of an organization’s response to security incidents, but it does not prevent or limit unauthorized access to data1, p. 91-92 References: 1: CDPSE Review Manual (Digital Version)