Saturday, December 9, 2023
1. In the United States, which of the following best describes a subject’s own PII elements that the subject is required to protect?

      All PII as described by the US Data Protection Act

      Social Security number, bank account numbers, credit card numbers

      Bank account numbers, credit card numbers


2. At which point in the SDLC should a PIA be performed?

      Before requirements are developed

      After requirements are developed

      After implementation

      Before QA testing

3. For reasons unknown, an organization’s executive management refuses to deliberate or make a decision regarding a particular privacy risk that the chief privacy officer has identified. What risk treatment is being carried out in this situation?

      Risk ignorance

      Risk transfer

      Risk avoidance

      Risk acceptance

4. A data architect is developing a visual model that shows how information is transmitted among systems. What kind of a visual model has the data architect created?

      Data flow diagram

      Data architecture

      Entity-relationship diagram

      Network diagram

5. Which of the following methods is used to develop a machine-readable web services definition?





6. A typical VPN solution will protect endpoints from which of the following threats?

      Buffer overflow

      Credential stuffing

      Ping of death

      Network eavesdropping

7. An organization has been donating EOL laptop computers to local schools for years. In the past, the organization would degauss laptop HDDs to remove sensitive information. Now that laptops contain SSDs instead of HDDs, which of the following methods remains effective for removing sensitive data?

      Secure erasure


      SSD removal


8. Infrastructure as a service refers to:

      Leasing operating systems from a service provider

      Outsourcing application management to a service provider

      Outsourcing operating system management to a service provider

      Leasing computing hardware for use in a colocation facility

9. A cybercriminal group stole PII from a telephone company’s customer database and used the information obtained to open unsecured credit accounts in the names of the telephone company customers. What crime(s) has the cybercriminal group committed?

      Toll fraud

      Data theft

      Data theft and identity theft

      Identity theft

10. Which of the following is the best SLA for deploying critical security patches in a production environment that processes personal information?

      30 days

      24 hours

      7 hours

      7 days

11. What is the main purpose of a data classification program?

      Determine how long the most sensitive data has been stored.

      Discover where the most sensitive data is being stored.

      Enable automatic tagging of sensitive information.

      Enable the workforce to recognize and protect data accordingly.

12. An organization defines the roles “owner” and “steward” with regard to decisions about its databases containing personal information. Which of the following is NOT an appropriate responsibility for the role of owner?

      Review of access roles

      Physical database design

      Approval of access requests

      Logical database design

13. Which of the following personnel is responsible for the accuracy of customer PII in an organization’s database?

      Business unit leader

      Database administrator

      Chief privacy officer

      Application developer

14. A data privacy officer in a financial services organization is developing a data classification policy. What audience in the organization should be informed of the new policy once it is completed?

      All workers

      Database administrators

      Customer-facing workers

      IT workers

15. A document that describes steps to be performed within a privacy program is known as a:




      Privacy policy

16. Despite statements to the contrary in its external privacy statement, an organization intends to sell its customer list to a data brokerage. Which principle of privacy is likely to be violated if this transaction is completed?

      Data use limitation

      Data leakage

      Data sovereignty

      Data minimization

17. All of the following are important considerations in an application data migration EXCEPT:

      Availability of sufficient storage space on the destination system

      Proper transformation of data values when they are expressed in different ways

      Understanding any differences in meaning between similar source and destination fields

      Understanding any differences in the DML between the source and destination systems

18. A service provider that stores and processes sensitive information for corporate customers employs an annual SOC 2 Type 2 audit. What additional information is needed so that recipients of the SOC 2 audit reports understand whether privacy is addressed during the audit?

      Whether the SOC 2 audit includes the Privacy principle

      Whether the SOC 2 audit report is up-to-date

      Whether exceptions were encountered during the audit

      Whether the recipient has permission to read the SOC 2 audit report

19. An organization has a transaction processing application that contains a very large database with a low transaction rate. Which of the following is the best option for providing the ability to recover the database to an earlier point in time?

      Export to flat file

      Backup to magnetic tape



20. An online and storefront retail organization has an extensive transaction history spanning many years that shows all of the purchases that customers have made. Potential uses of this transaction data include all of the following EXCEPT:

      Machine learning to identify privacy violations

      Data analytics to improve inventory management

      Data analytics techniques to monetize the data and increase future sales

      AI techniques to set more competitive prices

21. What is the relationship between security and privacy requirements and an application’s test plan?

      Each requirement should be verified through testing.

      There is no relationship; each is independent of the other.

      Only requirements that can be tested via automation should be tested.

      High risk requirements should be included in the test plan.

22. The purpose of an internal privacy policy is:

      To define expected behavior regarding the protection and use of personal information

      To inform regulators about their privacy rights and remedies

      To establish a position of compliance with applicable privacy laws

      To inform customers and constituents about their privacy rights and remedies

23. Which of the following techniques is NOT effective at destroying data on an SSD?





24. In violation of its own privacy policy, an organization is selling customer data to other companies to increase revenue. This violates what privacy principle?

      Data minimization


      Basis for processing

      Data use limitation

25. The chief characteristic of PII and natural persons is:

      PII enables information to be associated with specific natural persons.

      Natural persons are able to update their PII.

      Natural persons are able to delete their PII.

      Privacy laws enable organizations to store PII.

26. What is the main difference between a data warehouse and a data lake?

      A data lake is a structured data store; a data warehouse consists of data stores in their native formats.

      A data warehouse is a structured data store; the content of a data lake consists of data stores in their native formats.

      A data lake is a collection of data warehouses.

      A data warehouse is a collection of data lakes.

27. What is the purpose of a visible data classification indicator on a document?

      Indicates the document has been properly handled

      Reminds personnel of the document’s classification level

      Is readable by automated data loss prevention tools

      Indicates the document has been inventoried

28. LAMP is the common acronym related to:

      Linux, Apache, MySQL, and PHP

      Least access management practice

      Linux, Atlassian, MySQL, and Python

      Red Hat, Apache, MySQL, and Python

29. An auditor is preparing an audit plan of an organization’s data subject request (DSR) process. From which set of information should the population of DSRs be selected?

      The record of incoming requests

      The DSR metrics

      The database containing stored requests

      The record of completed requests

30. The most common and consistent message imparted in privacy training and awareness programs is:

      The IT security department is responsible for the protection of personal information.

      All workers are responsible for the protection of personal information.

      The IT department is responsible for the protection of personal information.

      The privacy department is responsible for the protection of personal information.

31. Which of the following privacy laws requires a “Do Not Sell My Personal Information” feature on an organization’s web site?

      General Data Protection Regulation

      California Confidential Privacy Act

      Personal Information Protection and Electronic Documents Act

      California Consumer Privacy Act

32. What is the best approach for an organization to define PII?

      Identify applicable privacy laws and their definitions of PII.

      Use the definition from Article 5 of the GDPR.

      Use the definition from Article 4 of the GDPR.

      Use guidelines from ISO 27001/27002.

33. An organization is updating its data retention schedule to include electronic records. What differences in retention between paper records and electronic records should be established?

      Each circumstance is different and must be decided case by case.

      Electronic records should be retained for one year longer than paper records.

      No differences should be made in retention between electronic and paper records.

      Paper records should be retained for one year longer than electronic records.

34. The act of making a decision to accept or mitigate a risk is known as:

      Risk treatment

      Risk management

      Risk mitigation

      Risk reduction

35. What is the purpose of input field sanitization in a web application?

      Protect endpoint from exploitation.

      Block input field attacks.

      Perform range checking on input data.

      Perform type checking on input data.

36. In most industries, which of the following is considered an adequate level of paper document destruction?


      Placement in secure disposal bins

      Strip-cut shredding

      Cross-cut shredding

37. A data architect wants to create some diagrams that will visually depict the structure of data in a database. What kind of a diagram should the data architect produce?

      Warnier-Orr diagram

      Database schema

      Data flow diagram

      Entity-relationship diagram

38. Data analysts in an organization are struggling with the creation of business rules regarding employee data that resides on several different systems with no central authority. What should data analysts strive to do in this situation?

      Select one of the systems as the system of record.

      Implement data tagging to trace the flow of data.

      Build a data flow diagram to depict data flows.

      Build an entity-relationship diagram to depict schemas.

39. A program designed to make decisions and be aware of the results of those decisions for further improvement employs:

      Recursive learning

      Feedback loops

      Artificial intelligence

      Machine learning

40. In a private organization, which workers are typically held responsible for the protection of personal information?

      IT security

      IT department

      All workers

      Privacy department

41. A risk manager has created a spreadsheet that contains a list of security- and privacy-related concerns, along with potential remedies. What is the formal name for this spreadsheet?

      Risk register

      Privacy wish list

      Risk analysis

      Risk assessment

42. As a way of shifting costs away from capital spending, an organization is devising a “lift-and-shift” strategy whereby it will be leasing virtual machines from a cloud provider and discontinuing use of its own server hardware. What type of a cloud service is being considered?





43. What privacy- or security-related disadvantage is introduced through the offering of a choice of IDEs in an organization?

      Undetected intrusion into developer’s workstation

      Inconsistent compilation

      Greater risk of ransomware attack

      Security inconsistencies in source code and a potential lack of key security features

44. An organization is considering changing the configuration of its laptop computers to require VPN every time they are used to connect to non-company networks. Which of the following use cases is likely to be problematic?

      Gigabit broadband that is faster than the corporate Internet connection

      Employee using in-flight network

      Employee using home network with firewalls

      Employee working offline with no connectivity

45. The Do Not Track feature in most web browsers:

      Is a feature present in virtually all browsers

      Is used voluntarily by organizations

      Legally enforces privacy laws

      Legally requires that organizations not track visitors

46. Which of the following best describes a data lake?

      A storage system containing structured and unstructured data

      An integrated database containing data from multiple sources

      A collection of native format files, both structured and unstructured

      A data specification representing the merge of multiple schemas

47. Which of the following terms correctly refers to the practice of implementing multiple isolated application instances in an operating system?



      Bare metal computing

      Process isolation

48. The new privacy officer in an organization wants to be involved earlier in the development of new business offerings and services. The privacy officer wants to understand the implications on customer privacy for these new activities. What specific activity is the privacy officer advocating?

      Privacy impact assessment

      Qualitative risk assessment

      Business process change management

      Risk assessment

49. An organization’s marketing team wants to combine its customer data from various sources to create a database with additional PII for each customer in one place. This process is known as:

      Building a data lake




50. To be included in an organization’s marketing campaigns, the basic nature of consent as defined by the GDPR is:

      Persons are automatically opted in.

      Persons can never be opted in.

      Persons are automatically opted out after one year.

      Persons must explicitly opt in.

51. What is usually the primary objective of risk management?

      A. Fewer and less severe privacy and security incidents

      B. No privacy or security incidents

      C. Improved compliance

      D. Fewer audit findings

52. An organization is contemplating significant changes to a business process that involves the management of personal information. When should a PIA be performed?

      A. After requirements have been developed

      B. Before requirements have been developed

      C. After the process has been changed

      D. After the process design changes have been completed

53. As a part of a privacy impact assessment (PIA), a security manager has completed a vulnerability scan and has identified numerous vulnerabilities in production servers that could result in the exposure of personal information. What is the best course of action?

      A. Recommend that vulnerabilities be remediated.

      B. Notify regulators.

      C. Notify system owners.

      D. Add individual vulnerability entries to the risk register.

54. A security manager is performing a risk assessment on a business application. The security manager has determined that security patches have not been installed for more than a year. This finding is known as a:

      A. Probability

      B. Threat

      C. Vulnerability

      D. Risk

55. Program responsibilities over the activities of managing data subject requests lie with:

      A. Customer support

      B. The chief marketing officer

      C. The chief information security officer

      D. The chief privacy officer

56. A privacy manager is advocating the use of VDI for a call center. What is the primary privacy benefit of using VDI?

      A. Reduces impact of malware

      B. Prevents local programs from being installed

      C. Reduces likelihood of data leakage

      D. Logs all transactions

57. A privacy officer wants to restrict the direct database queries that analysts can run, so that they can view records only for customers who reside in the United States. Which is the best remedy that will achieve this?

      A. Encrypt the records that the analysts should not be permitted to


      B. Provide a weekly extract of only the records they are permitted to


      C. Create a database view containing only the records the analysts may view.

      D. Implement a VDI located in the United States.

58. An organization is migrating its servers from physical to virtual. What privacy risks does the organization need to be concerned about concerning this migration?

      A. Guest OS privilege escalation

      B. Eavesdropping of sensitive network traffic

      C. Security hardening of the container layer

      D. Security hardening of the hypervisor layer

59. What is the primary risk related to split tunneling?

      A. Reduces network traffic visibility

      B. Creates excessive amounts of backhaul traffic

      C. Creates routing loops

      D. Decreases performance

60. At which stage of the life cycle of a software application is source code management no longer necessary?

      A. After the application is designed

      B. After the application is retired

      C. After initial implementation

      D. After formal requirements definition

61. To improve software quality, an organization wants to incorporate code scanning into the process so that developers will get immediate feedback during development. What tooling should be used to fulfill this purpose?

      A. Code scanning built into the IDE

      B. Code scanning built into the build system

      C. Code scanning built into the check-in process

      D. Code scanning performed quarterly by an outside firm

62. A software development manager is developing a policy and a set of principles that will result in better software hardening. Which organization should the software development manager use as the best source for software hardening information?

      A. DISA

      B. SANS

      C. EFF

      D. OWASP

63. Katherine recently resigned her position from a company after an investigation wrongly accused her of violating company policy. Using “the right to be forgotten” provisions in applicable privacy law, Katherine has requested the former employer remove her from employment records. How should the company respond?

      A. Update its records retention schedule to comply with the request.

      B. File a countersuit, arguing that the organization is not permitted to remove this data.

      C. Comply with applicable privacy law and discard the records as requested.

      D. Reply that applicable employment law forbids erasure of this data.

64. An organization’s marketing department purchases PII data from a data broker to embellish and update specific data fields for its existing customers. Upon examining the purchased data contents, marketing personnel realize that additional subjects are contained in the purchased data. What should be done with this additional data?

      A. Discard the additional data.

      B. Encrypt and retain the data for future use.

      C. Declare a privacy breach and begin response proceedings.

      D. Develop a marketing campaign and target the additional subjects.

65. Why is it important for users of corporate laptops to use VPN when communicating on open Wi-Fi hot spots?

      A. VPNs protect stored data on public networks.

      B. A VPN is necessary to reach an internal corporate network.

      C. Traffic on open Wi-Fi networks is not encrypted.

      D. Privacy laws require that corporate data be encrypted in transit.

66. A gaming software startup company does not employ penetration testing of its software. This is an example of:

      A. High tolerance of risk

      B. Noncompliance

      C. Irresponsibility

      D. Outsourcing

67. While gathering and examining various privacy-related business records, the privacy officer has determined that the organization has no privacy or security incident log. What conclusion can the privacy officer make from this?

      A. The organization does not have privacy or security incident detection capabilities.

      B. The organization has not yet experienced a privacy or security incident.

      C. The organization is recording privacy or security incidents in its risk register.

      D. The organization has effective privacy policies.

68. An organization has performed a first-time data discovery scan on file servers and has identified numerous files that violate data handling standards. What is the best course of action to take?

      A. Investigate all files to determine their legitimacy.

      B. Delete all files that violate policy.

      C. Encrypt all files that violate policy.

      D. Contact the data owners.

69. A privacy auditor has observed that PII fields in a relational database are encrypted with the DES algorithm with 64-bit keys. Keys are held in split custody between two teams of operations specialists. What should the auditor conclude from this observation?

      A. The database encryption is strong.

      B. The database encryption is weak.

      C. The key management method is weak.

      D. The encryption cipher is adequate.

70. An organization is replacing an internally developed, on-premises ERP application with a SaaS application. What must the organization do to make legacy data available on the SaaS platform?

      A. Migrate data from the SaaS platform to the legacy platform.

      B. Import the data into the new application.

      C. Write a migration program.

      D. Develop a data flow diagram.

71. What is the best course of action for an organization to ensure that its customers’ PII is always properly handled?

      A. Implement a cloud access security broker (CASB).

      B. Implement NetFlow to detect unauthorized data movement.

      C. Implement data usage governance with policies, controls, and


      D. Implement static DLP discovery scanning of databases and file


72. An e-commerce organization has elected to purchase information from a data broker in order to add more details to its existing customer database. What term describes this process?

      A. Data embellishment

      B. Data aggregation

      C. Data infiltration

      D. Data exfiltration

73. An organization periodically copies its customer database to a test environment. When doing so, names and other sensitive fields are substituted with made-up names and numbers. What substitution process is the organization performing?

      A. Data scrubbing

      B. Anonymization

      C. Pseudonymization

      D. Field erasure

74. An organization relying on physical access controls has migrated its on-premises applications to cloud service providers. What compensating control should be enacted for access to cloud-based applications since physical access is less of a factor?

      A. Multifactor authentication

      B. Biometrics

      C. Single sign-on

      D. Reduced sign-on

75. A risk manager is planning a first-ever risk assessment in an organization. What is the best approach for ensuring success?

      A. Interview personnel separately so that their responses can be


      B. Select a framework that matches the organization’s control


      C. Work with executive management to determine the correct


      D. Do not inform executive management until the risk assessment has been completed.

76. When would it make sense to spend $50,000 to protect an asset worth


      A. If the protective measure reduced threat impact by more than 90


      B. It would never make sense to spend $50,000 to protect an asset worth $10,000.

      C. If the asset was required for realization of $500,000 monthly


      D. If the protective measure reduced threat probability by more than 90 percent

77. Privacy responsibilities are included in which of these IT positions?

      A. Security engineer

      B. Application developer

      C. Database administrator

      D. All of these

78. An organization has received a data subject request that asks the organization to remove all personal information on file. How should the organization respond?

      A. Pseudonymize the data subject’s personal information.

      B. Anonymize the data subject’s personal information.

      C. Remove or anonymize the data subject’s personal information.

      D. Remove or anonymize the data subject’s personal information as permitted by other applicable laws.

79. An organization wants to limit the use of USB external storage for the storage of personal information. What is the best first step to accomplish this?

      A. Implement software to detect uses of USB storage of personal information.

      B. Implement software to block uses of USB storage of personal information.

      C. Create a policy that defines limitations of USB storage.

      D. Disable USB ports on end-user computers.

80. An auditor is developing a plan for auditing privacy controls in a retail organization. What type of evidence should the auditor collect to determine whether data subject requests are recorded properly?

      A. Interview data subjects.

      B. Interview control owners.

      C. Examine business records.

      D. Examine privacy policy.

81. What is the best approach for developing a privacy policy in an organization subject to multiple privacy regulations?

      A. Include requirements for the regulation with the greatest number of requirements.

      B. Include only the requirements for the most recent privacy regulation.

      C. Include only the requirements common to all applicable privacy regulations.

      D. Include requirements from all applicable privacy regulations.

82. A privacy and security steering committee empowered to make risk treatment decisions has chosen to accept a specific risk. What is the best course of action?

      A. Refer the risk to a qualified external security audit firm.

      B. Perform additional risk analysis to identify residual risk.

      C. Reopen the risk item for reconsideration after one year.

      D. Mark the risk item as permanently closed.

83. A new security manager is concerned about the increase in connected devices that are present on the enterprise network. What action would best mitigate this matter?

      A. Implement a SIEM.

      B. Use network segmentation.

      C. Use VLANs.

      D. Use network access controls.

84. An organization is considering moving its on-premises servers to an IaaS service. Which security controls will the organization need to continue operating?

      A. Operating system and network

      B. Operating system, network, and user access

      C. Physical only

      D. Physical, operating system, network, and user access

85. An organization is going to migrate its on-premises application to a SaaS environment. Which security controls will the organization need to continue operating?

      A. Operating system and network

      B. Physical

      C. User access

      D. Operating system and user access

86. An organization will be introducing smart TVs and other connected devices into the enterprise network. Which of the following security controls will most effectively protect the enterprise?

      A. Data loss prevention

      B. Annual penetration testing

      C. Adding smart devices to configuration management systems

      D. Network segmentation

87. A privacy manager is concerned that there may be excessive instances of PII on unstructured file shares. Which tool would best confirm or refute this suspicion?

      A. NAC

      B. DLP discovery

      C. CASB

      D. EUBA

88. An organization has developed data governance to gain visibility and control over the protection and use of personal information. What does management need to do to determine whether governance is having its intended effect?

      A. Direct control assessments to determine control effectiveness.

      B. Implement data management policies.

      C. Develop data management and handling training.

      D. Lead by example and demonstrate proper data handling.

89. The term legitimate interest refers to what privacy activity?

      A. The basis for a user access request

      B. Whether data collection is allowed by law

      C. The legal basis for processing personal information

      D. An alternative to lawful processing of personal information

90. When reviewing the classification of data files and databases, a privacy manager has identified a set of data files containing customer PII that has been classified as Public. What should the privacy manager do about this?

      A. No action is required.

      B. Reclassify the data files according to the data classification policy.

      C. Direct the de-identification of these files.

      D. Direct the removal of these files.

91. An organization wants to implement a control to provide the ability to detect bulk data transfers at network boundaries. What solution should be used?

      A. NetFlow

      B. Static DLP

      C. USB storage limitation

      D. Data tagging

92. How frequently should an organization revise its security and privacy standards?

      A. Annually and whenever significant new laws have been enacted

      B. Quarterly and whenever significant new laws have been enacted

      C. Annually

      D. Quarterly

93. At what point in the software development life cycle can detailed test plans be created?

      A. After coding has been completed

      B. After design has been finalized

      C. After requirements have been finalized

      D. After tests have been completed

94. A privacy officer wants to better understand where personal information appears in a system—in particular, which individual personal information elements (such as date of birth, address) exist. What design element should the privacy officer examine?

      A. Physical network diagram

      B. Logical network diagram

      C. Entity-relationship diagram

      D. Data flow diagram

95. Who performs unit testing, and what is its purpose?

      A. End users perform unit testing to confirm module functionality.

      B. Developers perform unit testing to confirm module functionality.

      C. Management performs unit testing to confirm developer


      D. End users perform unit testing to confirm screen-object


96. The computers used by call center personnel utilize solid-state drives (SSDs). Upon retirement, computers are removed from service and donated to a charity. What precautions should first be taken to ensure that all PII on these computers is destroyed?

      A. Run an erasure program on the HDDs.

      B. Shred the SSDs.

      C. Delete all files and reformat the SSDs.

      D. Run an erasure program on the SSDs.

97. An auditor is interviewing a network engineer who describes the enterprise network as being “flat.” To which of the following is the network engineer referring?

      A. The organization’s internal firewalls are set to “any any.”

      B. The organization’s network uses private addressing.

      C. The organization’s network consists of several collision domains.

      D. The organization’s network contains no internal access controls.

98. Which of the following is considered a best practice with regard to event logging?

      A. Retain all event logs on the systems that create them.

      B. Transmit all event logs to a central log server.

      C. Suppress the creation of event logs on all systems.

      D. Encrypt all event logs on the systems that create them.

99. All of the following are forms of control assessment except:

      A. Document review

      B. Control self-assessment

      C. Internal audit

      D. External audit

100. The concept of privacy and security tasks in the context of a SaaS or an IaaS environment is depicted in a:

      A. Discretionary control model

      B. Mandatory control model

      C. Monte Carlo risk model

      D. Shared responsibility model

101. What are the categories of risk treatment?

      A. Risk avoidance, risk transfer, risk mitigation, and risk acceptance

      B. Risk avoidance, risk transfer, and risk mitigation

      C. Risk avoidance, risk reduction, risk transfer, risk mitigation, and risk acceptance

      D. Risk avoidance, risk treatment, risk mitigation, and risk


102. The inclusion of privacy requirements in a new software development project is a direct offshoot of which principle?

      A. GDPR Article 21

      B. People, process, and technology

      C. Privacy by design and by default

      D. All answers are correct

103. What is the primary data privacy law in Canada?

      A. PIPEDA

      B. CCPA

      C. GDPR

      D. CICEDA

104. What is the purpose of data discovery scanning?

      A. Determine the presence of personal information in structured data.

      B. Determine the presence of personal information in unstructured data.

      C. Observe the movement of personal information in internal network

      D. Observe the movement of personal information in external networks.
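A discovery scan (question 104, and the "static discovery scan" in question 154) reads stored content and reports where personal-information elements occur, so that the data inventory reflects what is actually on the file servers rather than what people remember storing. The added example below, written for this page rather than taken from any product, scans a constructed set of unstructured documents for US SSNs, e-mail addresses and payment card numbers, and confirms card matches with a Luhn check so that arbitrary 16-digit reference numbers are not reported as cards.

```python
"""Added example: a static discovery scan for personal-information elements
in unstructured text. Written for this page as an illustration; it is not a
product and the sample documents below are constructed.
"""
import re

# Patterns for the PII elements this scan looks for.
PATTERNS = {
    # US SSN: area not 000/666/9xx, group not 00, serial not 0000.
    "ssn":   re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # 13 to 19 digits, optionally separated by spaces or hyphens.
    "card":  re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}


def luhn_ok(digits):
    """Luhn checksum over a string of digits (payment card check digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return a list of (kind, matched_value) findings for one document."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if kind == "card":
                digits = re.sub(r"[ -]", "", value)
                if not luhn_ok(digits):        # drop Luhn-invalid numbers
                    continue
            findings.append((kind, value))
    return findings


def scan_files(files):
    """files: {path: text}. Returns {path: findings} for files holding any
    PII; this is what feeds the data inventory and classification labels."""
    report = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            report[path] = hits
    return report


# Constructed sample corpus standing in for a file-share dump.
SAMPLE_FILES = {
    "hr/onboarding.txt": "New hire SSN 123-45-6789, contact jane.doe@example.com.",
    "finance/receipt.txt": "Card 4111 1111 1111 1111 charged; ref 1234 5678 9012 3456.",
    "eng/README.txt": "Build with make; see ticket 000-12-3456 for history.",
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, hits)
```

The README is correctly left out: "000-12-3456" has the shape of an SSN but an invalid area number, and the "ref" number in the receipt fails the Luhn check. Real scanners add context rules (a nearby "SSN" or "card" label) and confidence scores for the same reason; without them a discovery scan buries the inventory in false positives.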

105. A new security manager is concerned about the increase in connected devices that may be present on the enterprise network. What tool(s) can best determine the extent of this situation?

      A. Network discovery scans

      B. Examine firewall logs

      C. Examine CASB logs

      D. Asset loss prevention plan

106. What risks will an organization with network-based IPS be assuming when its workforce is working remotely?

      A. Remote systems not on VPN will not be protected by the network-based IPS.

      B. Network administrators will not be able to update the IPS as

      C. Network-based IPS only protects devices physically in an internal network.

      D. There’s no change in risk because network-based IPS systems protect all devices regardless of location.

107. A privacy manager is developing a data classification program. She has established a matrix that consists of a total of 12 classifications that align to privacy, as well as intellectual property and payment information. What is the most likely scenario for the adoption of this program in the organization?

      A. Orderly adoption if training takes place

      B. Workforce will refuse to adopt

      C. Clear and determined adoption

      D. Confusion as the classification scheme is too complicated

108. All of the following tools can supplement dynamic DLP tools except which one?

      A. Cloud access security broker

      B. Web content filtering

      C. File integrity monitoring

      D. NetFlow

109. A privacy manager has developed a policy that requires that all human-readable files be marked according to their classification. What is the meaning of document marking?

      A. A metadata tag

      B. A machine-readable watermark

      C. A human-readable phrase citing the classification level

      D. A human-readable watermark

110. An organization performs annual true-ups of its data inventory and finds numerous discrepancies. What change should be undertaken to reduce or eliminate these discrepancies?

      A. Automate the data inventory with daily scans.

      B. Increase the frequency of data inventory.

      C. Incorporate data inventory updates into the change management


      D. Implement dynamic DLP.

111. Privacy governance is most concerned with:

      A. Privacy policy

      B. Security policy

      C. Privacy strategy

      D. Security executive compensation

112. The best definition of a strategy is:

      A. The objective to achieve a plan

      B. The plan to achieve an objective

      C. The plan to achieve business alignment

      D. The plan to reduce risk

113. The primary factor related to the selection of a control framework is:

      A. Industry vertical

      B. Current process maturity level

      C. Size of the organization

      D. Compliance level

114. As part of understanding the organization’s current state, a privacy strategist is examining the organization’s privacy policy. What does the policy tell the strategist?

      A. The level of management commitment to privacy

      B. The compliance level of the organization

      C. The maturity level of the organization

      D. None of these

115. A privacy strategist has examined a business process and has determined that personnel who perform the process do so consistently, but there is no written process document. The maturity level of this process is:

      A. Initial

      B. Repeatable

      C. Defined

      D. Managed

116. A privacy strategist has examined several business processes and has found that their individual maturity levels range from Repeatable to Optimizing. What is the best future state for these business processes?

      A. All processes should be changed to Repeatable.

      B. All processes should be changed to Optimizing.

      C. There is insufficient information to determine the desired end states of these processes.

      D. Processes that are Repeatable should be changed to Defined.

117. An organization wants to fast-track the development of a consumer social media product and skip the requirements definition. What is the likely privacy-related consequence of this?

      A. Users will have to be re-registered.

      B. Audit logs will need to be scrubbed of PII.

      C. Rework will be necessary to comply with privacy laws.

      D. Personal information will need to be encrypted in storage.

118. A US state has enacted a sweeping new extraterritorial privacy regulation that focuses on cross-state border data transfer. What is the first step that an online social media vendor should take?

      A. Retain expert privacy counsel to opine on applicability and interpretation.

      B. Wait until the law takes effect to begin making changes to systems.

      C. Wait until there is sufficient case law to see whether the law is enforceable.

      D. Direct developers to make changes to the system to comply with the new law.

119. Marketing analysts want to create a data lake containing all CRM records and customer purchase information to help them better understand purchasing patterns. Because this is not a production system, marketing argues that PII should remain in the data lake to fulfill their research objectives. How should the privacy manager respond to this request?

      A. The data lake should be created as requested.

      B. All PII should be anonymized after insertion into the data lake.

      C. All PII should be pseudonymized before insertion into the data lake.

      D. All PII should be anonymized before insertion into the data lake.

120. To reduce the risk of credit card fraud, an organization has modified its CRM system so that only the last four digits of customers’ credit card numbers are displayed to call center personnel. What technique is being used?

      A. Data hiding

      B. Pseudonymization

      C. Anonymization

      D. Data masking

121. After an organization implemented dynamic DLP controls, the organization has observed numerous instances where PII is copied to USB external storage devices. What first steps should be taken?

      A. Investigate the usage of PII being copied to USB storage devices.

      B. Block the use of USB storage devices.

      C. Discipline the personnel copying PII to USB storage devices.

      D. Declare a privacy breach and begin incident response procedures.

122. A privacy manager is reviewing the organization’s practices of data collection from its customers. The privacy manager has observed that the organization collects PII fields that are not subsequently used. What recommendation should the privacy manager make?

      A. Discard all customer records containing the unneeded fields.

      B. Change the entry of unneeded fields from “required” to “optional.”

      C. Discontinue collection of unneeded PII fields.

      D. Discontinue collection of unneeded PII fields and discard those already collected.

123. An organization performs its periodic data retention procedure in which specific data files are being identified for removal. Analysts have identified some data files on backup tapes that qualify for removal. How should the organization proceed?

      A. Remove expired files from backup tapes.

      B. Retain backup tapes until all files have expired.

      C. Retain backup tapes until they are rotated out.

      D. Discard the backup tapes containing expired files.

124. An auditor has noted that an organization’s network routers are administered via the TELNET protocol. What should the auditor conclude from this?

      A. The organization employs a flat network.

      B. A sight-impaired administrator administers network routers.

      C. Network routers are adequately protected.

      D. A more secure protocol than TELNET should be used.

125. A messaging system employs hashes that accompany each message. What function can hashing perform in this context?

      A. Verify the integrity of a message.

      B. Verify the integrity and origination of a message.

      C. Guarantee the confidentiality of a message.

      D. Verify the origination of a message.
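The distinction behind question 125 is that anyone can recompute an unkeyed hash, so a hash alone shows only that the bytes received match the digest received; it says nothing about who produced either. Binding the message to a party requires a key: a MAC for a shared secret, or a digital signature for a private key. The added example below, written for this page and not part of the original text, shows the same in-transit substitution against both schemes; the message bytes and the shared key are constructed.

```python
"""Added example for question 125: a bare hash gives integrity only, a keyed
MAC gives integrity plus origin. Illustrative code written for this page; the
messages and the shared key are constructed.
"""
import hashlib
import hmac
import secrets


def attach_hash(message: bytes):
    """Sender appends SHA-256(message). Anyone can recompute this."""
    return message, hashlib.sha256(message).hexdigest()


def verify_hash(message: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)


def attach_mac(key: bytes, message: bytes):
    """Sender appends HMAC-SHA256(key, message). Only key holders can produce it."""
    return message, hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # compare_digest avoids leaking where the comparison fails (timing).
    return hmac.compare_digest(hmac.new(key, message, hashlib.sha256).hexdigest(), tag)


def demo():
    """Returns (hash_detects_forgery, mac_detects_forgery)."""
    key = secrets.token_bytes(32)          # shared out of band; constructed here
    original = b"transfer 100 to account 42"
    forged = b"transfer 9000 to account 66"

    # Scheme 1: bare hash. The attacker replaces the message and recomputes
    # the digest with no secret at all, so the receiver sees a valid pair.
    attach_hash(original)
    forged_msg, forged_digest = attach_hash(forged)
    hash_detects = not verify_hash(forged_msg, forged_digest)

    # Scheme 2: HMAC. The attacker lacks the key and can only guess a tag.
    attach_mac(key, original)
    guessed_tag = hmac.new(b"attacker-guess", forged, hashlib.sha256).hexdigest()
    mac_detects = not verify_mac(key, forged, guessed_tag)
    return hash_detects, mac_detects


if __name__ == "__main__":
    print("hash detects forgery:", demo()[0])
    print("mac detects forgery:", demo()[1])
```

A MAC proves origin only to someone who also holds the key, and any key holder could have produced the tag; when the receiver must prove to a third party who sent the message, a signature is needed instead. Neither scheme provides confidentiality (option C), which is why the message is still sent in the clear here.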

126. The purpose of a privacy and security steering committee includes:

      A. Business alignment

      B. Policy approval

      C. Risk decisions

      D. All of these

127. A privacy strategist is developing a privacy awareness program. What is the best method for ensuring that employees have retained important content?

      A. Measure the time it takes for employees to complete training.

      B. Include competency quizzes at the end of training sessions.

      C. Note how quickly employees complete training after being asked.

      D. Include videos in privacy training content.

128. What is the purpose of the cloud services shared responsibility model?

      A. Defines responsibilities when assigned to a project team

      B. Defines which parties are responsible for which aspects of privacy

      C. Defines which parties are responsible for which aspects of security and privacy

      D. Defines which parties are responsible for which aspects of security

129. Which of the following statements is true about compliance risk?

      A. Compliance risk can be tolerated when fines cost less than


      B. Compliance risk is just another risk that needs to be measured.

      C. Compliance risk can never be tolerated.

      D. Compliance risk can be tolerated when it is optional.

130. A privacy steering committee has voted to mitigate a specific risk. Some residual risk remains. What is the best course of action regarding the residual risk?

      A. Accept the residual risk and close the risk ledger item.

      B. Continue cycles of risk treatment until the residual risk reaches an acceptable level.

      C. Continue cycles of risk treatment until the residual risk reaches zero.

      D. Accept the residual risk and keep the risk ledger item open.

131. A security manager is developing a strategy for making improvements to the organization’s incident management process. Why would the organization’s privacy officer be requesting that a PIA be performed regarding the planned changes?

      A. To reduce the impact of privacy incidents

      B. To reduce the probability of privacy incidents

      C. To ensure that privacy incidents do not occur

      D. To ensure that a privacy incident is properly managed

132. The primary risks of end users being local administrators on their endpoints include all of the following except:

      A. Malware will execute at a privileged level and do more damage.

      B. Malware will not require human intervention to execute.

      C. Malware will be able to move laterally.

      D. Malware will be able to obtain password hashes.

133. An organization’s board of directors wants to see quarterly metrics on risk reduction. What would be the best metric for this purpose?

      A. Number of data subject requests received

      B. Viruses blocked by antivirus programs

      C. Packets dropped by the firewall

      D. Time to patch vulnerabilities on critical servers

134. Which of the following metrics is the best example of a leading indicator?

      A. Average time to mitigate security incidents

      B. Increase in the number of attacks blocked by the intrusion prevention system (IPS)

      C. Increase in the number of attacks blocked by the firewall

      D. Percentage of critical servers being patched within service level agreements (SLAs)

135. One primary difference between GDPR and CCPA is:

      A. GDPR requires an opt out while CCPA requires an opt in.

      B. Only GDPR asserts extraterritorial jurisdiction.

      C. Only CCPA asserts extraterritorial jurisdiction.

      D. GDPR requires an opt in while CCPA requires an opt out.

136. In an organization using HIPAA as its control framework, the conclusion of a recent risk assessment stipulates that additional controls not present in HIPAA but present in ISO/IEC 27001 should be enacted. What is the best course of action in this situation?

      A. Adopt ISO/IEC 27001 as the new control framework.

      B. Retain HIPAA as the control framework and update process documentation.

      C. Add the required controls to the existing control framework.

      D. Adopt NIST SP 800-53 as the new control framework.

137. A privacy strategist is seeking to improve the privacy program in an organization with a strong but casual culture. What is the best approach here?

      A. Conduct focus groups to discuss possible avenues of approach.

      B. Enact new detective controls to identify personnel who are violating policy.

      C. Implement security awareness training that emphasizes new required behavior.

      D. Lock users out of their accounts until they agree to be compliant.

138. A privacy strategist recently joined a retail organization that operates with slim profit margins and has discovered that the organization lacks several important privacy capabilities. What is the best strategy here?

      A. Insist that management support an aggressive program quickly to improve the program.

      B. Develop a risk ledger that highlights all identified risks.

      C. Recommend that the biggest risks be avoided.

      D. Develop a risk-based strategy that implements changes slowly over an extended period of time.

139. An organization is implementing dynamic DLP in the form of USB storage device control. The use of USB storage devices will be prohibited according to data classification and security policy. How should the organization implement this control? 

      A. After announcements, activate the control after giving adequate notice.

      B. Initially implement in detective mode.

      C. Implement in active mode, one department at a time.

      D. Implement with a pilot group first.

140. A new privacy leader is making recommendations for a set of activities to ensure proper management of personal and other information across the organization. What needs to be put into place?

      A. Controls

      B. Data classification

      C. Data governance

      D. Data handling

141. An organization is migrating its customer database from an on-premises CRM to a cloud-based CRM. In the process of the migration, the organization created an intermediate flat-file database. How long should the intermediate flat-file database be retained?

      A. In perpetuity

      B. Until the migration is verified as completed

      C. According to the data classification guidelines

      D. According to the data retention schedule

142. To reduce risk, a privacy manager is advocating removing PII fields from an older database. What process is the privacy manager proposing?

      A. Anonymization

      B. Pseudonymization

      C. Hashing

      D. Masking

143. An organization has determined that its waterfall SDLC does not provide sufficient agility for the organization to respond to rapidly changing market forces. What steps should the organization take?

      A. Migrate to a SaaS application.

      B. Move to a DevSecOps development model.

      C. Migrate to a PaaS platform.

      D. Migrate to an object-oriented system.

144. Which of the following do web applications use to manage and distinguish users from one another?

      A. Session cookies

      B. Persistent cookies

      C. Flash local storage

      D. Web beacons

145. Which of the following best describes symmetric encryption?

      A. Plaintext and ciphertext occupy the same amount of storage.

      B. Encryption and decryption use the same algorithm.

      C. All parties have a copy of the encryption key.

      D. All parties have a copy of public keys.

146. The best first step in building privacy operations is:

      A. Perform a risk assessment.

      B. Identify requirements.

      C. Perform data discovery.

      D. Conduct a penetration test.

147. An organization requests that each data subject submit an image of their driver’s license as a means of authentication when submitting data subject requests. Should subsequent data subject requests cite the driver’s license as collected information?

      A. Yes, because authentication data is always subject to data access requests.

      B. No, because the driver’s license was collected outside of the collection period.

      C. No, because information submitted as a part of authentication is exempt.

      D. Yes, because the data subject’s driver’s license was collected by the organization.

148. What is the best method for ensuring that privacy incident responders are familiar with incident response procedures?

      A. Include incident responders in tabletop testing.

      B. Direct incident responders to develop incident response plans.

      C. Direct incident responders to respond to the next incident.

      D. Direct incident responders to review incident response plans.

149. Why is twisted pair considered more secure than Wi-Fi?

      A. Physical security controls must be compromised to reach wired


      B. Twisted pair uses better encryption algorithms.

      C. Physical security controls must be compromised to reach wireless networks.

      D. Twisted pair has higher throughput capability.

150. The main reason for implementing application whitelisting on endpoints is:

      A. Permits end users to install only approved programs

      B. Prevents end users from installing applications

      C. Prevents end users from installing utilities

      D. Prevents malware from executing

151. A privacy manager has developed a scheme that prescribes required methods to protect information at rest, in motion, and in transit. This is known as a(n):

      A. Data classification policy

      B. Asset classification policy

      C. Data loss prevention plan

      D. Asset loss prevention plan

152. A privacy manager has been directed by executive management not to document a specific risk in the risk register. This course of action is known as:

      A. Burying the risk

      B. Transferring the risk

      C. Accepting the risk

      D. Ignoring the risk

153. A security manager is performing a risk assessment on a data center. The security manager has determined that unauthorized personnel can enter the data center through the loading dock door and shut off utility power to the building. This finding is known as a:

      A. Probability

      B. Threat

      C. Vulnerability

      D. Risk

154. An organization has begun implementation of its data classification program and wants to know the extent of storage of personal information on file servers. What is the first step that the organization should undertake?

      A. File integrity monitoring

      B. Dynamic DLP

      C. Dynamic discovery scan

      D. Static discovery scan

155. The purpose of a data classification and handling policy consists of all of the following except which one?

      A. A single method for data protection

      B. Efficient protection of information

      C. Risk-driven protection of information

      D. Direction to the workforce to apply proper handling procedures

156. Why would an organization with operations in Europe implement controls to ensure the accuracy of its customers’ PII?

      A. Required by CCPA

      B. Increases profit margins

      C. Increases revenue

      D. Required by GDPR

157. What is the purpose of system classification?

      A. Determine what files can be stored on a system

      B. Develop levels of protection

      C. Prerequisite to network segmentation

      D. Determine which systems require FIM

158. What is the purpose of identifying a data owner in a data inventory? 

      A. Data owners are responsible for data protection.

      B. Data owners respond to security incidents.

      C. Data owners approve DLP scanning.

      D. Data owners approve access requests.

159. An organization will be introducing voice-command smart TVs into the enterprise network. What is the primary risk associated with the introduction of such devices?

      A. Data leakage

      B. Unencrypted network traffic revealing PII

      C. Many smart devices cannot be patched

      D. Eavesdropping on private conversations

160. A privacy officer wants to better understand where personal information appears in a system. Which design element should the privacy officer examine?

      A. Physical network diagram

      B. Logical network diagram

      C. Entity-relationship diagram

      D. Data flow diagram

161. An organization stores unstructured data in a cloud-based storage service. In its routine data retention procedures, the organization has identified specific files stored by the storage service that need to be destroyed. How should the organization implement this control?

      A. Ask the owners of expired files to delete them.

      B. Delete expired files and remove any file recovery copies that may exist.

      C. Delete expired files.

      D. Ask the cloud storage service to shred the respective HDDs.

162. Personnel in an organization are discussing the de-identification of its older customer records. Marketing personnel are arguing that de-identification removes their ability to learn how specific customers buy services. How should the privacy manager respond?

      A. No de-identification is necessary.

      B. Records should be archived.

      C. Records should be pseudonymized.

      D. Records should be anonymized.
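Questions 119, 120, 142 and 162 all turn on three techniques that are easy to confuse: masking hides part of a value at display time (the last four card digits in question 120); pseudonymization replaces direct identifiers with a token so the same customer can still be followed across records, which is what marketing needs in question 162 and what is acceptable before loading a data lake in question 119; anonymization removes identifiers and generalizes the rest so no individual can be singled out, and is not reversible (questions 119 and 142). The added example below applies all three to the same constructed customer records; it is written for this page and is not from any product, and the field names and the pseudonymization key are assumptions.

```python
"""Added example covering questions 119, 120, 142 and 162: masking,
pseudonymization and anonymization applied to the same constructed records.
Illustrative code written for this page; records, field names and the key
are assumptions.
"""
import hashlib
import hmac

# Constructed CRM rows: two purchases by the same customer, one by another.
CUSTOMERS = [
    {"name": "Alice Rivera", "email": "alice@example.com", "dob": "1984-03-09",
     "card": "4111111111111111", "zip": "98101", "purchase": "headphones"},
    {"name": "Alice Rivera", "email": "alice@example.com", "dob": "1984-03-09",
     "card": "4111111111111111", "zip": "98101", "purchase": "cables"},
    {"name": "Bob Chen", "email": "bob@example.com", "dob": "1979-11-30",
     "card": "5555555555554444", "zip": "10001", "purchase": "monitor"},
]


def mask_card(card: str, visible: int = 4) -> str:
    """Q120 (data masking): the full value stays in storage; only the last
    `visible` digits are shown to call-centre staff."""
    return "*" * (len(card) - visible) + card[-visible:]


def pseudonymize(record: dict, key: bytes) -> dict:
    """Q162 / Q119 (pseudonymization): same customer -> same token, so
    per-customer purchase patterns survive. An HMAC rather than a plain hash
    is used so that a dictionary attack over likely e-mail addresses needs
    the key, which must be kept separately from the pseudonymized data."""
    token = hmac.new(key, record["email"].encode(), hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k not in ("name", "email", "card")}
    out["customer_token"] = token
    return out


def anonymize(record: dict) -> dict:
    """Q119 / Q142 (anonymization): direct identifiers are dropped and the
    quasi-identifiers (birth date, ZIP) are generalized so that the row no
    longer singles out an individual. There is no key and no way back."""
    return {
        "birth_decade": record["dob"][:3] + "0s",
        "zip3": record["zip"][:3],
        "purchase": record["purchase"],
    }


def distinct_values(records, field):
    return len({r[field] for r in records})


def demo(key: bytes = b"rotate-me-32-bytes-of-key-material!!"):
    masked = [mask_card(r["card"]) for r in CUSTOMERS]
    pseudo = [pseudonymize(r, key) for r in CUSTOMERS]
    anon = [anonymize(r) for r in CUSTOMERS]
    return masked, pseudo, anon


if __name__ == "__main__":
    masked, pseudo, anon = demo()
    print("masked:", masked)
    print("customers still distinguishable after pseudonymization:",
          distinct_values(pseudo, "customer_token"))
    print("anonymized:", anon)
```

Two caveats a practitioner should keep in mind. Pseudonymized records are still personal data: the token is reversible by whoever holds the key, and the retained date of birth and ZIP are quasi-identifiers, so the data lake in question 119 still falls under the privacy program even after this step. And generalization alone does not guarantee anonymity; with few records, a birth decade plus a three-digit ZIP can still be unique, which is why anonymization is normally checked against a k-anonymity style threshold before release.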

163. A privacy manager is attending a planning meeting in which marketing personnel argue for the collection of PII from customers that may be used sometime in the future. How should the privacy manager respond?

      A. Permit the collection of the additional PII fields.

      B. Require that the additional PII fields be encrypted.

      C. Forbid the collection of the additional PII fields.

      D. Update the data retention schedule to include the additional PII


164. Which of the following statements is true about data migration programs?

      A. Data migration programs are used for cross-border data transfers.

      B. Data migration programs are provided by software vendors.

      C. Data migration programs become a permanent part of the new


      D. Data migration programs transfer information from an old system to a new system.

165. In the context of cryptosystems, the term plaintext refers to which of the following?

      A. An unformatted text file

      B. An encryption key

      C. An unencrypted message

      D. An encrypted message

166. What is the most significant factor that compels an organization to implement a new control?

      A. Security or privacy breach

      B. New regulation

      C. Results of a risk assessment

      D. Contents of a control framework

167. Which of the following network media is used to carry broadband traffic in bulk?

      A. Twisted-pair

      B. 4G

      C. 5G

      D. Fiber-optic cable

168. Which protocol is most often transported on fiber-optic cabling by telecommunications providers?

      A. SONET

      B. DSL

      C. ISDN

      D. T-1

169. An organization wants to implement a data loss prevention (DLP) system. Which of the following is considered the best approach for such an implementation?

      A. Employ DLP in passive mode initially.

      B. Employ DLP in active mode initially.

      C. Set DLP in high-sensitivity mode.

      D. Employ DLP on e-mail systems first.

170. A privacy manager has directed that the team managing encryption keys update the password protecting encryption keys in a way that half the team members know one half of the password, and the other half of the team knows the other half of the password. What control has been implemented?

      A. Fail closed

      B. Least privilege

      C. Segregation of duties

      D. Split custody


ISACA CDPSE (Certified Data Privacy Solutions Engineer) Exam

ISACA's CDPSE exam is a certification designed for professionals involved in data privacy solutions. Its focus is the technical implementation and management of privacy solutions, aligned with current practice and regulation in data privacy. The CDPSE certification assesses a person's ability to apply privacy by design, which leads to better compliance, data management and data protection within the organization.

Benefits of CDPSE Certification

Professional recognition: Demonstrates expertise in data privacy and positions the individual as a valued privacy solutions engineer.

Career development: Opens opportunities in the rapidly growing field of data privacy.

Credibility: Adds professional credibility in the field of privacy and data protection.

Currency: Ensures professionals stay up to date with evolving privacy regulation and technology.

CDPSE Exam Domains

The CDPSE exam covers three main domains:

Privacy Governance: Understanding and applying privacy governance frameworks and principles.

Privacy Architecture: Designing and implementing data privacy architecture and infrastructure.

Data Lifecycle: Managing data throughout its life cycle, ensuring privacy and protection.

How to Take the Exam

Online registration: Register for the CDPSE exam through the ISACA website.

Choose an exam date and location: The exam is usually offered at accredited testing centers.

Exam Fee

The CDPSE exam fee varies by ISACA membership and geographic location. Current fee information can be found on the ISACA website.

Exam Requirements

Work experience: Relevant experience in data privacy or a related field is recommended.

Educational background: A background in IT, law, privacy or data protection is helpful but not required.

Number of Questions and Exam Duration

The CDPSE exam consists of multiple-choice questions, and its duration is usually 3.5 hours (this can vary, so check ISACA's latest exam guide).

Benefits of Practice Questions

Practice questions help with understanding the format, improving knowledge of the key domains, identifying areas that need work, and building confidence for the real exam.

Trainer Profile: Mr. Hery Purnama as an Experienced CDPSE Trainer

About Mr. Hery Purnama's profile as an experienced CDPSE trainer:

CDPSE certification: Holds a current CDPSE certification.

Practical experience: Extensive experience in privacy and data protection.

Teaching skills: Able to convey complex concepts effectively and prepare candidates for the exam.

Current knowledge: Keeps up with the latest data privacy trends and regulations.

Training resources: Provides quality study materials and practice questions.

An experienced trainer such as Mr. Hery Purnama can play a crucial role in guiding candidates through the CDPSE certification process, offering insights from real-world experience and helping with comprehensive exam preparation.

