CDPSE Certified Data Privacy Solutions Engineer Question and Answers

Question # 4

An organization’s data destruction guidelines should require hard drives containing personal data to go through which of the following processes prior to being crushed?

A. Low-level formatting
B. Remote partitioning
C. Degaussing
D. Hammer strike

Question # 5

Which of the following assurance approaches is MOST effective in identifying vulnerabilities within an application programming interface (API) transferring personal data?

A. Source code review
B. Security audit
C. Bug bounty program
D. Tabletop simulation

Question # 6

Which of the following is the MOST important consideration to ensure privacy when using big data analytics?

A. Maintenance of archived data
B. Disclosure of how the data is analyzed
C. Transparency about the data being collected
D. Continuity with business requirements

Question # 7

Which of the following is the MOST important consideration when choosing a method for data destruction?

A. Granularity of data to be destroyed
B. Validation and certification of data destruction
C. Time required for the chosen method of data destruction
D. Level and strength of current data encryption

Question # 8

Which of the following helps to ensure the identities of individuals in a two-way communication are verified?

A. Virtual private network (VPN)
B. Secure Shell (SSH)
C. Transport Layer Security (TLS)
D. Mutual certificate authentication

Question # 9

Which of the following is a PRIMARY consideration to protect against privacy violations when utilizing artificial intelligence (AI) driven business decisions?

A. De-identifying the data to be analyzed
B. Verifying the data subjects have consented to the processing
C. Defining the intended objectives
D. Ensuring proper data sets are used to train the models

Question # 10

Which of the following is the BEST way to distinguish between a privacy risk and a compliance risk?

A. Perform a privacy risk audit.
B. Conduct a privacy risk assessment.
C. Validate a privacy risk attestation.
D. Conduct a privacy risk remediation exercise.

Question # 11

To ensure the protection of personal data, privacy policies should mandate that access to information system applications be authorized by the:

A. general counsel.
B. database administrator.
C. business application owner.
D. chief information officer (CIO).

Question # 12

Which of the following is the PRIMARY objective of privacy incident response?

A. To ensure data subjects impacted by privacy incidents are notified
B. To reduce privacy risk to the lowest possible level
C. To mitigate the impact of privacy incidents
D. To optimize the costs associated with privacy incidents

Question # 13

Which of the following scenarios should trigger the completion of a privacy impact assessment (PIA)?

A. Updates to data quality standards
B. New inter-organizational data flows
C. New data retention and backup policies
D. Updates to the enterprise data policy

Question # 14

Which of the following provides the BEST assurance that a potential vendor is able to comply with privacy regulations and the organization's data privacy policy?

A. Including mandatory compliance language in the request for proposal (RFP)
B. Obtaining self-attestations from all candidate vendors
C. Requiring candidate vendors to provide documentation of privacy processes
D. Conducting a risk assessment of all candidate vendors

Question # 15

Which of the following is the BEST way for an organization to gain visibility into its exposure to privacy-related vulnerabilities?

A. Implement a data loss prevention (DLP) solution.
B. Review historical privacy incidents in the organization.
C. Monitor inbound and outbound communications.
D. Perform an analysis of known threats.

Question # 16

An IT privacy practitioner wants to test an application in pre-production that will be processing sensitive personal data. Which of the following testing methods is BEST used to identify and review the application's runtime modules?

A. Static application security testing (SAST)
B. Dynamic application security testing (DAST)
C. Regression testing
D. Software composition analysis

Question # 17

Which of the following should be considered personal information?

A. Biometric records
B. Company address
C. University affiliation
D. Age

Question # 18

Which type of data is produced by using a more complex method of analytics to find correlations between data sets and using them to categorize or profile people?

A. Observed data
B. Inferred data
C. Derived data
D. Provided data

Question # 19

Which of the following is the BEST way to address threats to mobile device privacy when using beacons as a tracking technology?

A. Disable location services.
B. Disable Bluetooth services.
C. Enable Trojan scanners.
D. Enable antivirus for mobile devices.

Question # 20

Which of the following is the BEST way to ensure privacy considerations are included when working with vendors?

A. Including privacy requirements in the request for proposal (RFP) process
B. Monitoring privacy-related service level agreements (SLAs)
C. Including privacy requirements in vendor contracts
D. Requiring vendors to complete privacy awareness training

Question # 21

Which of the following is the MOST important consideration when determining retention periods for personal data?

A. Sectoral best practices for the industry
B. Notice provided to customers during data collection
C. Data classification standards
D. Storage capacity available for retained data

Question # 22

Which of the following is a responsibility of the audit function in helping an organization address privacy compliance requirements?

A. Approving privacy impact assessments (PIAs)
B. Validating the privacy framework
C. Managing privacy notices provided to customers
D. Establishing employee privacy rights and consent

Question # 23

Using hash values with stored personal data BEST enables an organization to:

A. protect against unauthorized access.
B. detect changes to the data.
C. ensure data indexing performance.
D. tag the data with classification information.

Question # 24

Which of the following is the BEST control to secure application programming interfaces (APIs) that may contain personal information?

A. Encrypting APIs with the organization’s private key
B. Requiring nondisclosure agreements (NDAs) when sharing APIs
C. Restricting access to authorized users
D. Sharing only digitally signed APIs

Question # 25

An online business posts its customer data protection notice that includes a statement indicating information is collected on how products are used, the content viewed, and the time and duration of online activities. Which data protection principle is applied?

A. Data integrity and confidentiality
B. System use requirements
C. Data use limitation
D. Lawfulness and fairness

Question # 26

Within a business continuity plan (BCP), which of the following is the MOST important consideration to ensure the ability to restore availability and access to personal data in the event of a data privacy incident?

A. Offline backup availability
B. Recovery time objective (RTO)
C. Recovery point objective (RPO)
D. Online backup frequency

Question # 27

Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?

A. To comply with consumer regulatory requirements
B. To establish privacy breach response procedures
C. To classify personal data
D. To understand privacy risks

Question # 28

A project manager for a new data collection system had a privacy impact assessment (PIA) completed before the solution was designed. Once the system was released into production, an audit revealed personal data was being collected that was not part of the PIA. What is the BEST way to avoid this situation in the future?

A. Conduct a privacy post-implementation review.
B. Document personal data workflows in the product life cycle.
C. Require management approval of changes to system architecture design.
D. Incorporate privacy checkpoints into the secure development life cycle.

Question # 29

Which of the following is the MOST important consideration when writing an organization’s privacy policy?

A. Using a standardized business taxonomy
B. Aligning statements to organizational practices
C. Ensuring acknowledgment by the organization’s employees
D. Including a development plan for personal data handling

Question # 30

An organization wants to ensure that endpoints are protected in line with the privacy policy. Which of the following should be the FIRST consideration?

A. Detecting malicious access through endpoints
B. Implementing network traffic filtering on endpoint devices
C. Managing remote access and control
D. Hardening the operating systems of endpoint devices

Question # 31

Which of the following is the BEST way to reduce the risk of compromised credentials when an organization allows employees to have remote access?

A. Enable whole disk encryption on remote devices.
B. Purchase an endpoint detection and response (EDR) tool.
C. Implement multi-factor authentication.
D. Deploy single sign-on with complex password requirements.

Question # 32

Which of the following rights is an important consideration that allows data subjects to request the deletion of their data?

A. The right to object
B. The right to withdraw consent
C. The right to access
D. The right to be forgotten

Question # 33

Which of the following is the MOST important consideration when using advanced data sanitization methods to ensure privacy data will be unrecoverable?

A. Subject matter expertise
B. Type of media
C. Regulatory compliance requirements
D. Location of data

Question # 34

Which of the following is the BEST method to ensure the security of encryption keys when transferring data containing personal information between cloud applications?

A. Whole disk encryption
B. Asymmetric encryption
C. Digital signature
D. Symmetric encryption

Question # 35

Which of the following is MOST important when designing application programming interfaces (APIs) that enable mobile device applications to access personal data?

A. The user’s ability to select, filter, and transform data before it is shared
B. Umbrella consent for multiple applications by the same developer
C. User consent to share personal data
D. Unlimited retention of personal data by third parties

Question # 36

Which of the following is the BEST way to protect personal data in the custody of a third party?

A. Have corporate counsel monitor privacy compliance.
B. Require the third party to provide periodic documentation of its privacy management program.
C. Include requirements to comply with the organization’s privacy policies in the contract.
D. Add privacy-related controls to the vendor audit plan.

Question # 37

Which of the following should be done NEXT after a privacy risk has been accepted?

A. Monitor the risk landscape for material changes.
B. Determine the risk appetite with management.
C. Adjust the risk rating to help ensure it is remediated.
D. Reconfirm the risk during the next reporting period.

Question # 38

Which of the following is an example of data anonymization as a means to protect personal data when sharing a database?

A. The data is encrypted and a key is required to re-identify the data.
B. Key fields are hidden and unmasking is required to access the data.
C. Names and addresses are removed but the rest of the data is left untouched.
D. The data is transformed such that re-identification is impossible.

Question # 39

As part of a major data discovery initiative to identify personal data across the organization, the project team has identified the proliferation of personal data held as unstructured data as a major risk. What should be done FIRST to address this situation?

A. Identify sensitive unstructured data at the point of creation.
B. Classify sensitive unstructured data.
C. Identify who has access to sensitive unstructured data.
D. Assign an owner to sensitive unstructured data.

Question # 40

Which of the following is the BEST course of action to prevent false positives from data loss prevention (DLP) tools?

A. Conduct additional discovery scans.
B. Suppress the alerts generating the false positives.
C. Evaluate new data loss prevention (DLP) tools.
D. Re-establish baselines for configuration rules.

Question # 41

Which of the following is the GREATEST concern for an organization subject to cross-border data transfer regulations when using a cloud service provider to store and process data?

A. The service provider has denied the organization’s request for right to audit.
B. Personal data stored on the cloud has not been anonymized.
C. The extent of the service provider’s access to data has not been established.
D. The data is stored in a region with different data protection requirements.

Question # 42

Which of the following BEST enables an IT privacy practitioner to ensure appropriate protection for personal data collected that is required to provide necessary services?

A. Understanding the data flows within the organization
B. Implementing strong access controls on a need-to-know basis
C. Anonymizing privacy data during collection and recording
D. Encrypting the data throughout its life cycle

Question # 43

Which of the following is the MOST important privacy consideration for video surveillance in high security areas?

A. Video surveillance recordings may only be viewed by the organization.
B. Those affected must be informed of the video surveillance.
C. There is no limitation for retention of this data.
D. Video surveillance data must be stored in encrypted format.

Question # 44

An organization is creating a personal data processing register to document actions taken with personal data. Which of the following categories should document controls relating to periods of retention for personal data?

A. Data archiving
B. Data storage
C. Data acquisition
D. Data input

Question # 45

Which of the following is MOST important to capture in the audit log of an application hosting personal data?

A. Server details of the hosting environment
B. Last logins of privileged users
C. Last user who accessed personal data
D. Application error events

Question # 46

Which of the following is BEST used to validate compliance with agreed-upon service levels established with a third party that processes personal data?

A. Key risk indicators (KRIs)
B. Key performance indicators (KPIs)
C. Industry benchmarks
D. Contractual right to audit

Question # 47

Which of the following is the BEST indication of a highly effective privacy training program?

A. Members of the workforce understand their roles in protecting data privacy.
B. Recent audits have no findings or recommendations related to data privacy.
C. No privacy incidents have been reported in the last year.
D. HR has made privacy training an annual mandate for the organization.

Question # 48

Which of the following should an IT privacy practitioner review FIRST to understand where personal data is coming from and how it is used within the organization?

A. Data process flow diagrams
B. Data inventory
C. Data classification
D. Data collection standards

Question # 49

The MOST effective way to incorporate privacy by design principles into applications is to include privacy requirements in:

A. senior management approvals.
B. secure coding practices.
C. software development practices.
D. software testing guidelines.

Question # 50

A data processor that handles personal data for multiple customers has decided to migrate its data warehouse to a third-party provider. What is the processor obligated to do prior to implementation?

A. Seek approval from all in-scope data controllers.
B. Obtain assurance that data subject requests will continue to be handled appropriately.
C. Implement comparable industry-standard data encryption in the new data warehouse.
D. Ensure data retention periods are documented.

Question # 51

An organization wishes to deploy strong encryption to its most critical and sensitive databases. Which of the following is the BEST way to safeguard the encryption keys?

A. Ensure key management responsibility is assigned to the privacy officer.
B. Ensure the keys are stored in a remote server.
C. Ensure the keys are stored in a cryptographic vault.
D. Ensure all access to the keys is under dual control.

Question # 52

Which of the following scenarios poses the GREATEST risk to an organization from a privacy perspective?

A. The organization lacks a hardware disposal policy.
B. Emails are not consistently encrypted when sent internally.
C. Privacy training is carried out by a service provider.
D. The organization’s privacy policy has not been reviewed in over a year.

Question # 53

Which of the following is the BEST way to explain the difference between data privacy and data security?

A. Data privacy is about data segmentation, while data security prevents unauthorized access.
B. Data privacy protects the data subjects, while data security is about protecting critical assets.
C. Data privacy stems from regulatory requirements, while data security focuses on consumer rights.
D. Data privacy protects users from unauthorized disclosure, while data security prevents compromise.

Question # 54

Which key stakeholder within an organization should be responsible for approving the outcomes of a privacy impact assessment (PIA)?

A. Data custodian
B. Privacy data analyst
C. Data processor
D. Data owner

Question # 55

During which of the following system lifecycle stages is it BEST to conduct a privacy impact assessment (PIA) on a system that holds personal data?

A. Functional testing
B. Development
C. Production
D. User acceptance testing (UAT)

Question # 56

Which of the following BEST enables an organization to ensure consumer credit card numbers are accurately captured?

A. Input reference controls
B. Access controls
C. Input validation controls
D. Reconciliation controls

Question # 57

Which of the following would MOST effectively reduce the impact of a successful breach through a remote access solution?

A. Compartmentalizing resource access
B. Regular testing of system backups
C. Monitoring and reviewing remote access logs
D. Regular physical and remote testing of the incident response plan

Question # 58

Which of the following should be used to address data kept beyond its intended lifespan?

A. Data minimization
B. Data anonymization
C. Data security
D. Data normalization