CDPSE Questions and Answers

The best way to ensure that application hardening is included throughout the software development life cycle (SDLC) is to include qualified application security personnel as part of the process. Application hardening is the process of applying security measures and techniques to an application to reduce its attack surface, vulnerabilities, and risks. Application hardening should be integrated into every stage of the SDLC, from planning and design to development and testing to deployment and maintenance. Including qualified application security personnel as part of the process helps to ensure that application hardening is performed effectively and consistently, as well as to provide guidance, feedback, and support to the developers, testers, and project managers. The other options are not as effective or sufficient as including qualified application security personnel as part of the process, as they do not address the root cause of the lack of application hardening, which is the gap in skills and knowledge among the SDLC participants.

A privacy impact assessment (PIA) is a systematic process of identifying and evaluating the potential privacy risks and impacts of a data processing activity or system. A PIA helps to ensure that privacy is considered and integrated into the design and development of data processing activities or systems, and that privacy risks are mitigated or eliminated. A PIA also helps to determine the appropriate retention periods for personal data based on the purpose and necessity of the data processing, as well as the legal and regulatory obligations that apply to the data. Therefore, a PIA helps to define data retention time in a stream-fed data lake that includes personal data. References: : CDPSE Review Manual (Digital Version), page 99

A privacy notice is a document that informs data subjects about how their personal data is collected, processed, stored, shared, and protected by an organization. The primary purpose of a privacy notice is to provide transparency to the data subject on the intended use of their personal data, as well as their rights and choices regarding their data. A privacy notice also helps the organization comply with legal and regulatory requirements, such as obtaining consent, demonstrating accountability, and fulfilling the principle of fairness and lawfulness.

The answer is B. Personal data could potentially be exfiltrated through the virtual workspace.

A comprehensive explanation is:

A virtualized workspace is a cloud-based service that provides remote access to a desktop environment, applications, and data. A virtualized workspace can enable software development teams to collaborate and work efficiently across different locations and devices. However, a virtualized workspace also poses significant privacy risks, especially when it is implemented by a third-party provider.

One of the greatest privacy concerns of using a third-party virtualized workspace is the potential for personal data to be exfiltrated through the virtual workspace. Personal data is any information that relates to an identified or identifiable individual, such as name, email, address, phone number, etc. Personal data can be collected, stored, processed, or transmitted by the software development organization or its clients, partners, or users. Personal data can also be generated or inferred by the software development activities or products.

Personal data can be exfiltrated through the virtual workspace by various means, such as:

Data breaches: A data breach is an unauthorized or unlawful access to or disclosure of personal data. A data breach can occur due to weak security measures, misconfiguration errors, human errors, malicious attacks, or insider threats. A data breach can expose personal data to hackers, competitors, regulators, or other parties who may use it for harmful purposes.

Data leakage: Data leakage is an unintentional or accidental transfer of personal data outside the intended boundaries of the organization or the virtual workspace. Data leakage can occur due to improper disposal of devices or media, insecure network connections, unencrypted data transfers, unauthorized file sharing, or careless user behavior. Data leakage can compromise personal data to third parties who may not have adequate privacy policies or practices.

Data mining: Data mining is the analysis of large and complex data sets to discover patterns, trends, or insights. Data mining can be performed by the third-party provider of the virtual workspace or by other authorized or unauthorized parties who have access to the virtual workspace. Data mining can reveal personal data that was not explicitly provided or intended by the organization or the individuals.

The exfiltration of personal data through the virtual workspace can have serious consequences for the software development organization and its stakeholders. It can result in:

Legal liability: The organization may face legal actions or penalties for violating the privacy laws, regulations, standards, or contracts that apply to the personal data in each jurisdiction where it operates or serves. For example, the General Data Protection Regulation (GDPR) in the European Union imposes strict obligations and sanctions for protecting personal data across borders.

Reputational damage: The organization may lose trust and credibility among its clients, partners, users, employees, investors, or regulators for failing to safeguard personal data. This can affect its brand image, customer loyalty, market share, revenue, or growth potential.

Competitive disadvantage: The organization may lose its competitive edge or intellectual property if its personal data is stolen or misused by its rivals or adversaries. This can affect its innovation capability, product quality, or market differentiation.

Therefore, it is essential for the software development organization to implement appropriate measures and controls to prevent or mitigate the exfiltration of personal data through the virtual workspace. Some of these measures and controls are:

Data minimization: The organization should collect and process only the minimum amount and type of personal data that is necessary and relevant for its legitimate purposes. It should also delete or anonymize personal data when it is no longer needed or required.

Data encryption: The organization should encrypt personal data at rest and in transit using strong and standardized algorithms and keys. It should also ensure that only authorized parties have access to the keys and that they are stored securely.

Data segmentation: The organization should segregate personal data into different categories based on their sensitivity and risk level. It should also apply different levels of protection and access control to each category of personal data.

Data governance: The organization should establish a clear and comprehensive policy and framework for managing personal data throughout its lifecycle. It should also assign roles and responsibilities for implementing and enforcing the policy and framework.

Data audit: The organization should monitor and review the activities and events related to personal data on a regular basis. It should also conduct periodic assessments and tests to evaluate the effectiveness and compliance of its privacy measures and controls.

Data awareness: The organization should educate and train its staff and users on the importance and best practices of protecting personal data. It should also communicate and inform its clients, partners, and regulators about its privacy policies and practices.

The other options are not as great of a concern as option B.

The third-party workspace being hosted in a highly regulated jurisdiction (A) may pose some challenges for complying with different privacy laws and regulations across borders. However it may also offer some benefits such as higher standards of privacy protection and enforcement.

The organization’s products being classified as intellectual property © may increase the value and attractiveness of the personal data related to the products, but it does not necessarily increase the risk of exfiltration of the personal data through the virtual workspace.

The lack of privacy awareness and training among remote personnel (D) may increase the likelihood of human errors or negligence that could lead to exfiltration of personal data through the virtual workspace. However it is not a direct cause or source of exfiltration, and it can be addressed by providing adequate education and training.

Pseudonymization is a technique that replaces direct identifiers in a data set with pseudonyms or artificial identifiers that do not reveal the identity of the data subjects. Pseudonymization reduces the linkability of the data set with the original identity of the data subjects and thus enhances the privacy and security of the data. However, pseudonymization is not irreversible and the original identity can be re-established if the pseudonym or key is compromised. Therefore, it is important to keep the identifier separate and distinct from the data it protects and to apply additional security measures to safeguard the identifier. The other options are not relevant to pseudonymization1, p. 74-75 References: 1: CDPSE Review Manual (Digital Version)

The best course of action to prevent false positives from data loss prevention (DLP) tools is to re-establish baselines for configuration rules. False positives are events that are triggered by a DLP policy in error, meaning that the policy has mistakenly identified non-sensitive data as sensitive or blocked legitimate actions. False positives can reduce the effectiveness and efficiency of DLP tools by generating unnecessary alerts, wasting resources, disrupting workflows, and creating user frustration. To avoid false positives, DLP tools need to have accurate and updated configuration rules that define what constitutes sensitive data and what actions are allowed or prohibited. Configuration rules should be based on clear and consistent criteria, such as data classification levels, data sources, data destinations, data formats, data patterns, user roles, user behaviors, etc. Configuration rules should also be regularly reviewed and adjusted to reflect changes in business needs, regulatory requirements, or threat landscape.

Conducting additional discovery scans, suppressing the alerts generating the false positives, or evaluating new DLP tools are not the best ways to prevent false positives from DLP tools. Conducting additional discovery scans may help identify more sensitive data in the network, but it does not address the root cause of false positives, which is the misconfiguration of DLP policies. Suppressing the alerts generating the false positives may reduce the noise and annoyance caused by false positives, but it does not solve the problem of inaccurate or outdated DLP policies. Evaluating new DLP tools may offer some advantages in terms of features or performance, but it does not guarantee that false positives will be eliminated or reduced without proper configuration and tuning of DLP policies.

Anonymization is a technique that removes or modifies personal data in such a way that it can no longer be attributed to a specific data subject. Anonymization can be achieved by various methods, such as encryption, pseudonymization, aggregation, generalization, etc. When using anonymization techniques to prevent unauthorized access to personal data, the most important consideration to ensure the data is adequately protected is that the key must be kept separate and distinct from the data it protects. The key is a piece of information that is used to reverse the anonymization process and restore the original personal data. The key must be stored and managed in a secure location that is different from where the anonymized data is stored and processed. This way, even if the anonymized data is compromised, the key cannot be accessed or used to re-identify the data subjects. References: : CDPSE Review Manual (Digital Version), page 29

The most useful information for prioritizing database selection for encryption is the asset classification scheme. An asset classification scheme is a system of organizing and categorizing assets based on their value, sensitivity, criticality, or risk level. An asset classification scheme helps to determine the appropriate level of protection or handling for each asset. For example, an asset classification scheme may assign labels such as public, internal, confidential, or secret to different types of data based on their impact if compromised. Databases that contain higher-classified data should be prioritized for encryption to prevent unauthorized access, disclosure, or modification.

Database administration audit logs, historical security incidents, or penetration test results are also useful information for database security, but they are not the most useful for prioritizing database selection for encryption. Database administration audit logs are records of activities performed by database administrators or other privileged users on the database system. Database administration audit logs help to monitor and verify the actions and changes made by authorized users and detect any anomalies or violations. Historical security incidents are records of events that have compromised or threatened the security of the database system in the past. Historical security incidents help to identify and analyze the root causes, impacts, and lessons learned from previous breaches or attacks. Penetration test results are reports of simulated attacks performed by ethical hackers or security experts on the database system to evaluate its vulnerabilities and defenses. Penetration test results help to discover and exploit any weaknesses or gaps in the database security posture and recommend remediation actions.

Pseudonymization is a technique that replaces or removes direct identifiers from personal data, such as names, addresses, or social security numbers, with pseudonyms, such as codes, tokens, or random values. However, pseudonymization does not eliminate the possibility of re-identification, as the original data can still be linked back to the pseudonyms using additional information or techniques. Therefore, if a database containing pseudonymized personal data is breached, the IT privacy practitioner should be most concerned about the risk of re-identification, which could compromise the privacy and security of the data subjects. The other options are less relevant or important than the risk of re-identification.

The best way to ensure an effective data privacy policy is implemented is to align regulatory requirements with business needs, because this will help achieve compliance while also supporting the organization’s objectives, values, and strategies. A data privacy policy should reflect the legal obligations and expectations of the organization, as well as the needs and preferences of its stakeholders, such as customers, employees, partners, and regulators. A data privacy policy should also be flexible and adaptable to changing circumstances and environments12.

The best way to address the concern that data collected by a third-party vendor and provided back to the organization may not be protected according to the organization’s privacy notice is to validate contract compliance. This means that the organization should verify that the third-party vendor is adhering to the terms and conditions of the contract, which should include clauses on data protection, privacy, and security. The contract should also specify the obligations and responsibilities of both parties regarding data collection, processing, storage, transfer, retention, and disposal. By validating contract compliance, the organization can ensure that the third-party vendor is following the same privacy standards and practices as the organization.

De-identification is a technique that removes or modifies direct and indirect identifiers in a data set to prevent or limit the identification of the data subjects. De-identification reduces the risk of re-identification and thus limits the organization’s potential exposure in the event of consumer data loss. De-identification also maintains the traceability of the data by preserving some characteristics or patterns of the original data that can be used for analysis or research purposes. The other options are not effective ways to limit exposure and maintain traceability1, p. 75-76 References: 1: CDPSE Review Manual (Digital Version)

The practice that best indicates an organization follows the data minimization principle is that data is regularly reviewed for its relevance. The data minimization principle is one of the core principles of data protection under various laws and regulations, such as the GDPR or the CCPA. It states that personal data should be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. By regularly reviewing the data they hold, organizations can ensure that they do not collect or retain excessive or unnecessary data that may pose privacy risks or violate data subject rights.

Data is pseudonymized when being backed up, data is encrypted before storage, or data is only accessible on a need-to-know basis are also good practices for data protection, but they do not directly indicate that the organization follows the data minimization principle. Pseudonymization is a process of replacing identifying information in data with artificial identifiers or pseudonyms. Pseudonymization can help enhance the privacy of data by reducing the linkability between data and data subjects, but it does not prevent re-identification or inference attacks. Encryption is a process of transforming data into an unreadable form using a secret key or algorithm. Encryption can help protect the confidentiality, integrity, and availability of data by preventing unauthorized access, disclosure, or modification. Access control is a process of restricting who can access, modify, or delete data based on their roles, permissions, or credentials. Access control can help prevent unauthorized or inappropriate use of data by limiting the scope of access.

 Transparency is the most important attribute of a privacy policy because it informs the users about how their personal data is collected, used, shared, and protected by the organization. Transparency also helps to build trust and confidence with the users, and to comply with legal and ethical obligations regarding data privacy.

National data privacy legislative and regulatory requirements in each relevant jurisdiction are the most important data protection consideration for a global organization that is planning to implement a customer relationship management (CRM) system to be used in offices based in multiple countries, as they would determine the legal obligations and responsibilities of the organization with respect to the collection, use, disclosure and transfer of customer personal data across different jurisdictions. National data privacy legislative and regulatory requirements may vary significantly from country to country, depending on the type or nature of personal data or data processing activities, and may impose different rules and standards for obtaining consent, providing notice, ensuring security, enforcing rights, reporting breaches, appointing representatives or transferring data. The organization would need to comply with the national data privacy legislative and regulatory requirements in each relevant jurisdiction where it operates or where its customers are located, and to implement appropriate measures and safeguards to ensure compliance. The other options are not as important as national data privacy legislative and regulatory requirements in each relevant jurisdiction as data protection considerations for a global organization that is planning to implement a CRM system to be used in offices based in multiple countries. Industry best practice related to information security standards in each relevant jurisdiction may provide some guidance or benchmarks for ensuring security of customer personal data, but they may not reflect the specific context or needs of the organization or the customers, or comply with the legal obligations and responsibilities of the organization. Identity and access management mechanisms to restrict access based on need to know may help to protect customer personal data from unauthorized access, modification or disclosure by internal or external parties, but they may not address other aspects of data protection, such as consent, notice, rights, breaches, representatives or transfers. Encryption algorithms for securing customer personal data at rest and in transit may help to protect customer personal data from unauthorized access, modification or disclosure by internal or external parties, but they may not address other aspects of data protection, such as consent, notice, rights, breaches, representatives or transfers1, p. 63-64 References: 1: CDPSE Review Manual (Digital Version)

A privacy notice’s foremost role is transparency—clearly informing individuals about what data is collected, for what purposes, and on what legal basis. Education on safeguards (B), accountability statements (C), or complaint procedures (D) may appear in notices, but they are secondary to the core objective of transparency on intended use.

“Provide individuals with clear, accessible information about processing purposes, lawful basis, recipients, and data subject rights.”

Anonymization is a technique that removes or modifies all identifiers in a data set to prevent or limit the identification of the data subjects. Anonymization is the IT privacy practitioner’s best recommendation for an organization that uses analytics derived from archived transaction data to create individual customer profiles for customizing product and service offerings, as it would protect the privacy of the customers by reducing the linkability of the data set with their original identity, and also comply with the data minimization principle that requires limiting the collection, storage and processing of personal data to what is necessary and relevant for the intended purposes. Anonymization would also preserve some characteristics or patterns of the original data that can be used for analysis or customization purposes, without compromising the accuracy or quality of the results. The other options are not as effective as anonymization in this situation. Discontinuing the creation of profiles is not a feasible or desirable option, as it would prevent the organization from achieving its business objectives and providing value to its customers. Implementing strong access controls is a security measure that restricts who can access, view or modify the data, but it does not address the issue of collecting or retaining more personal data than necessary or relevant. Encrypting data at rest is a security measure that transforms plain text data into cipher text using an algorithm and a key, making it unreadable by unauthorized parties, but it does not address the issue of collecting or retaining more personal data than necessary or relevant, and may require additional security measures to protect the encryption keys or certificates1, p. 75-76 References: 1: CDPSE Review Manual (Digital Version)

The value proposition of a PIA is not understood by management is the greatest obstacle to conducting a PIA, as it may result in lack of support, funding, resources or commitment for the PIA process and outcomes. Management may not appreciate or recognize the benefits of a PIA, such as enhancing privacy protection, reducing privacy risks and costs, increasing customer trust and satisfaction, and complying with privacy laws and regulations. Management may also perceive a PIA as a burden, a delay or a hindrance to the system or project development and delivery. The other options are not as significant as the value proposition of a PIA is not understood by management as obstacles to conducting a PIA. Conducting a PIA requires significant funding and resources is an obstacle to conducting a PIA, but it may be overcome by demonstrating the return on investment or the cost-benefit analysis of a PIA. PIAs need to be performed many times in a year is an obstacle to conducting a PIA, but it may be mitigated by adopting a scalable or modular approach to PIAs that can be tailored to different types or levels of systems or projects. The organization lacks knowledge of PIA methodology is an obstacle to conducting a PIA, but it may be resolved by acquiring or developing the necessary skills, tools or guidance for performing PIAs1, p. 67-68 References: 1: CDPSE Review Manual (Digital Version)

Data privacy standards are the set of rules, guidelines, and best practices that define the requirements and expectations for the collection, processing, storage, sharing, and disposal of personal data. Data privacy standards help to ensure that personal data is treated in a fair, lawful, transparent, and secure manner, as well as to comply with the applicable privacy laws and regulations. Data privacy standards also help to define the data retention time in a stream-fed data lake that includes personal data, as they specify the criteria and conditions for how long personal data can be kept in the data lake, based on factors such as the purpose, necessity, relevance, and quality of the data. Data retention time is an important aspect of data privacy, as it affects the risk of data breaches, unauthorized access, or misuse of personal data.

One of the most common vulnerabilities that can compromise the access to personal information is end users using weak passwords. Weak passwords are passwords that are easy to guess, crack, or steal, such as passwords that are short, simple, common, or reused. Weak passwords can allow unauthorized or malicious parties to gain access to personal information and cause privacy breaches, leaks, or misuse. Multi-factor authentication is an effective way to mitigate this vulnerability, as it requires end users to provide more than one piece of evidence to verify their identity, such as something they know (e.g., password), something they have (e.g., token), or something they are (e.g., biometric). Multi-factor authentication makes it harder for attackers to bypass the authentication process and access personal information. References: : CDPSE Review Manual (Digital Version), page 107

Biometric records are personal information that can be used to identify an individual based on their physical or behavioral characteristics, such as fingerprints, facial recognition, iris scans, voice patterns, etc. Biometric records are considered sensitive personal information that require special protection and consent from the data subject. Biometric records can be used for various purposes, such as authentication, identification, security, etc., but they also pose privacy risks, such as unauthorized access, use, disclosure, or transfer of biometric data. References: : CDPSE Review Manual (Digital Version), page 25

Storing tokens of PII directly in database fields undermines the security of tokenization and risks re-identification, making it the most concerning issue. Shared drives (A) and lack of labels (B) are governance gaps, and limited third-party access (C) can be controlled contractually, but token misuse (D) poses direct privacy risk.

“Improper token storage can compromise de-identification, reintroducing privacy risk.”

User consent to share personal data is the most important factor when designing APIs that enable mobile device applications to access personal data, as it ensures that the user is informed and agrees to the purpose, scope, and duration of the data sharing. User consent also helps to comply with the data protection principles and regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), that require user consent for certain types of data processing and sharing134. References: 1 Domain 2, Task 7

Synthetic data generation is a recognized privacy-enhancing technology (PET) because it allows realistic model training and analysis without exposing actual personal data. PKI (A) provides authentication, not privacy preservation; blockchain (B) increases transparency but may conflict with privacy; identity management (D) supports security but is not a PET by itself.

“Synthetic data preserves patterns while removing identifiable personal information, enabling safe processing.”

A PIA is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves the collection, use, disclosure or retention of personal data. A PIA should be conducted as early as possible in the system lifecycle, preferably during the development stage, to ensure that privacy risks are identified and mitigated before the system is deployed. Conducting a PIA during functional testing, UAT or production stages may be too late to address privacy issues effectively and may result in costly rework or delays1, p. 67 References: 1: CDPSE Review Manual (Digital Version)

Height, weight, and activities are the most legitimate information to collect for business reasons in this situation, as they are directly related to the purpose and functionality of a wellness smartwatch application that aims to monitor and improve the health and fitness of its users. Collecting height, weight, and activities would also comply with the data minimization principle that requires limiting the collection, storage and processing of personal data to what is necessary and relevant for the intended purposes. The other options are not legitimate information to collect for business reasons in this situation, as they are not related to the purpose and functionality of a wellness smartwatch application and may violate the privacy rights and preferences of its users. Collecting sleep schedule and calorie intake may be useful for some users who want to track their sleep quality and nutrition intake, but they are not essential for a wellness smartwatch application and may require additional consent or justification from the users. Collecting education and profession may be irrelevant for a wellness smartwatch application and may be used for other purposes, such as marketing or profiling, without the consent or knowledge of the users. Collecting race, age, and gender may be sensitive for some users who do not want to disclose their personal characteristics or identity, and may require additional safeguards or measures to protect their privacy1, p. 75-76 References: 1: CDPSE Review Manual (Digital Version)

A raw zone is a zone within a data lake that contains unprocessed or unstructured data that is ingested from various sources without any transformation or validation. A raw zone may contain sensitive data that has not been identified or classified yet, such as personal data. Therefore, sensitive data in a raw zone should be encrypted or tokenized to protect its confidentiality and integrity. Encryption is a process of transforming data into an unreadable form using a secret key or algorithm. Tokenization is a process of replacing sensitive data with non-sensitive substitutes called tokens. Both encryption and tokenization help to prevent unauthorized or unlawful access, use, disclosure, or transfer of sensitive data in a raw zone. References: : CDPSE Review Manual (Digital Version), page 169

The primary means by which an organization communicates customer rights as it relates to the use of their personal information is publishing a privacy notice. A privacy notice is a document that informs the customers about how their personal information is collected, used, shared, stored, and protected by the organization, as well as what rights they have regarding their personal information, such as access, rectification, erasure, portability, objection, etc. A privacy notice should be clear, concise, transparent, and easily accessible to the customers, and should comply with the applicable privacy regulations and standards. A privacy notice helps to establish trust and transparency between the organization and the customers, and enables the customers to exercise their rights and choices over their personal information. References: : CDPSE Review Manual (Digital Version), page 39

Providing data subjects direct access through a profile page is the best practice because it supports transparency and control while fulfilling data subject rights (e.g., access, rectification). Limiting edits (A) or disabling modifications (D) restricts rights. Using email to generate IDs (B) is unrelated to enabling data subject access.

“Data subjects should have the ability to view and manage their own information directly.”

Encryption is a security practice that transforms data into an unreadable format using a secret key or algorithm. Encryption protects the confidentiality and integrity of data, especially when they are transferred using email or other communication channels. Encryption ensures that only authorized parties can access and use the data, while unauthorized parties cannot decipher or modify the data without the key or algorithm. Encryption also helps to comply with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which require data controllers and processors to implement appropriate technical and organizational measures to safeguard personal data.

Centrally managed encryption is a type of encryption that is implemented and controlled by a central authority or system, such as an organization or a service provider. Centrally managed encryption has the following advantages over end user-managed encryption, private cloud storage space, or password-protected .zip files, for reducing the risk of compromise when transferring personal information using email:

It can enforce consistent and standardized encryption policies and procedures across the organization or the service, such as the encryption standards, algorithms, keys, modes, and formats.

It can automate the encryption and decryption processes for the users, without requiring them to perform any manual actions or install any software or plug-ins on their devices.

It can monitor and audit the encryption activities and incidents, and provide visibility and accountability for the data protection and compliance status.

It can reduce the human errors or negligence that may compromise the encryption security, such as losing or sharing the keys, forgetting or reusing the passwords, or sending the data to the wrong recipients.

The applicable privacy legislation needs to be identified first to define the privacy requirements to use when assessing the selection of IT systems, because it sets the legal obligations and standards for the organization to comply with when processing personal data. The type of data, the control frameworks, and the technology platforms are all dependent on the privacy legislation that applies to the organization and its data processing activities. Therefore, the privacy legislation is the primary source of privacy requirements for IT systems.

The primary purpose of a privacy audit framework is to confirm and demonstrate effectiveness of the privacy program in achieving objectives and regulatory compliance. Historical breaches (B) and benchmarking (D) are by-products; maximizing staff effort (C) is about audit efficiency, not program assurance.

“Privacy audits validate the effectiveness and compliance of the privacy program.”

Degaussing is a hard drive sanitation method that uses a powerful magnetic field to erase or destroy the data stored on a magnetic disk or tape. Degaussing should be used to sanitize hard drives containing personal data prior to being crushed, as it provides an additional layer of assurance that data has been permanently erased and cannot be recovered by any means. Degaussing also damages the drive itself, making it unusable for future storage. The other options are not effective or necessary hard drive sanitation methods prior to being crushed. Low-level formatting is a hard drive sanitation method that erases the data and the partition table on the drive, but it may leave some traces of data that can be recovered by forensic tools or software. Remote partitioning is a hard drive sanitation method that creates separate logical sections on the drive, but it does not erase or destroy the data on the drive. Hammer strike is a hard drive sanitation method that physically damages the drive by hitting it with a hammer, but it may not erase or destroy the data completely or prevent data recovery by advanced tools or techniques1, p. 93-94 References: 1: CDPSE Review Manual (Digital Version)

Public key infrastructure (PKI) is a system that enables the use of public key cryptography, which is a method of encrypting and authenticating data using a pair of keys: a public key and a private key. Public key cryptography can protect against man-in-the-middle (MITM) attacks, which are attacks where an attacker intercepts and modifies the communication between two parties. PKI makes public key cryptography feasible by providing a way to generate, distribute, verify, and revoke public keys. PKI also uses digital certificates, which are documents that bind a public key to an identity, and certificate authorities, which are trusted entities that issue and validate certificates. By using PKI, the parties can ensure that they are communicating with the intended recipient and that the data has not been tampered with by an attacker.

Using hash values with stored personal data best enables an organization to detect changes to the data, because hash values are unique and fixed outputs that are generated from the data using a mathematical algorithm. If the data is altered in any way, even by a single bit, the hash value will change dramatically. Therefore, by comparing the current hash value of the data with the original or expected hash value, the organization can verify the integrity and authenticity of the data. If the hash values match, it means that the data has not been tampered with. If the hash values differ, it means that the data has been corrupted or modified.

The greatest privacy risk for client-side application processing is an employee loading personal information on a company laptop. Client-side application processing refers to performing data processing operations on the user’s device or browser, rather than on a server or cloud. This can improve performance and user experience, but also pose privacy risks if the user’s device is lost, stolen, hacked, or infected with malware. An employee loading personal information on a company laptop is exposing that information to potential threats on the client-side, such as unauthorized access, use, disclosure, modification, or loss. Therefore, an organization should implement appropriate security measures to protect personal information on client-side devices, such as encryption, authentication, authorization, logging, monitoring, etc. References: : CDPSE Review Manual (Digital Version), page 153

Data anonymization is a method of protecting personal data by modifying or removing any information that can be used to identify an individual, either directly or indirectly, in a data set. Data anonymization aims to prevent the re-identification of the data subjects, even by the data controller or processor, or by using additional data sources or techniques. Data anonymization also helps to comply with data protection laws and regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), which require data controllers and processors to respect the privacy rights and preferences of the data subjects.

The data is transformed such that re-identification is impossible is an example of data anonymization, as it involves applying irreversible techniques, such as aggregation, generalization, perturbation, or synthesis, to alter the original data in a way that preserves their utility and meaning, but eliminates their identifiability. For example, a database of customer transactions can be anonymized by replacing the names and addresses of the customers with random codes, and by adding noise or rounding to the amounts and dates of the transactions.

The other options are not examples of data anonymization, but of other methods of protecting personal data that do not guarantee the impossibility of re-identification. The data is encrypted and a key is required to re-identify the data is an example of data pseudonymization, which is a method of replacing direct identifiers with pseudonyms, such as codes or tokens, that can be linked back to the original data with a key or algorithm. Data pseudonymization does not prevent re-identification by authorized parties who have access to the key or algorithm, or by unauthorized parties who can break or bypass the encryption. Key fields are hidden and unmasking is required to access to the data is an example of data masking, which is a method of concealing or obscuring sensitive data elements, such as names or credit card numbers, with characters, symbols or blanks. Data masking does not prevent re-identification by authorized parties who have permission to unmask the data, or by unauthorized parties who can infer or guess the hidden data from other sources or clues. Names and addresses are removed but the rest of the data is left untouched is an example of data deletion, which is a method of removing direct identifiers from a data set. Data deletion does not prevent re-identification by using indirect identifiers, such as age, gender, occupation or location, that can be combined or matched with other data sources to re-establish the identity of the data subjects.

Sensitive personal data is a subset of personal data that reveals or relates to more intimate or confidential aspects of a person’s identity, such as their racial or ethnic origin, religious or philosophical beliefs, health status, sexual orientation, political opinions, trade union membership, biometric or genetic data, or criminal record. Sensitive personal data is subject to more stringent legal and regulatory protections and requires a higher level of consent from the data subject to be processed. Mailing address, bank account login ID, and contact phone number are examples of personal data, but not sensitive personal data, as they do not reveal or relate to such intimate or confidential aspects of a person’s identity.

An enterprise architecture (EA) management team ensures technology use is coordinated, reducing duplication and inconsistency that increase privacy risk. A privacy committee (B) sets governance but does not address technical duplication; penetration testing (C) identifies vulnerabilities, not redundancy; training (D) improves awareness but not systemic technology alignment.

“Enterprise architecture ensures consistent, standardized technology deployment, reducing unnecessary duplication and privacy risks.”

The best way to ensure data confidentiality across databases is to use data anonymization, which is a process of removing or modifying personal or sensitive data from a dataset so that it cannot be linked or attributed to a specific individual or entity. Data anonymization helps protect the privacy and security of the data subjects, as well as comply with the applicable data protection laws and regulations. Data anonymization can be achieved by using various techniques, such as masking, encryption, aggregation, generalization, perturbation, or synthetic data generation12.

The most important thing to consider when managing changes to the provision of services by a third party that processes personal data is the business impact due to the changes. Changes to the provision of services by a third party can affect the organization’s ability to meet its business objectives and legal obligations related to data processing activities. For example, changes to the service level agreement (SLA), the scope of services, the security measures, the location of servers, etc., can have implications for the quality, availability, confidentiality, integrity, and compliance of personal data processing. Therefore, an IT privacy practitioner should assess and evaluate the business impact due to the changes, and ensure that they are aligned with the organization’s privacy policies and applicable privacy regulations and standards. References: : CDPSE Review Manual (Digital Version), page 41

The first thing that an IT privacy practitioner should do before an organization migrates personal data from an on-premise solution to a cloud-hosted solution is to perform a privacy impact assessment (PIA). A PIA is a systematic process of identifying and evaluating the potential privacy risks and impacts of a data processing activity or system. A PIA helps to ensure that privacy is considered and integrated into the design and development of data processing activities or systems, and that privacy risks are mitigated or eliminated. A PIA also helps to determine the appropriate measures to protect personal data in a cloud-hosted solution, such as encryption, pseudonymization, anonymization, access control, audit trail, breach notification, etc. A PIA also helps to comply with the applicable privacy regulations and standards that govern data processing activities in a cloud-hosted solution. References: : CDPSE Review Manual (Digital Version), page 99

The best testing method to identify and review the application’s runtime modules is dynamic application security testing (DAST). DAST is a testing technique that analyzes the application’s behavior and functionality during its execution. DAST can detect security and privacy vulnerabilities that are not visible in the source code, such as injection attacks, cross-site scripting, broken authentication, sensitive data exposure, or improper error handling. DAST can also simulate real-world attacks and test the application’s response and resilience. DAST can provide a comprehensive and realistic assessment of the application’s security and privacy posture in the pre-production environment. References:

[ISACA Glossary of Terms]

[OWASP Top 10 Web Application Security Risks]

[ISACA CDPSE Review Manual, Chapter 2, Section 2.4.2]

[ISACA Journal, Volume 6, 2018, “Dynamic Application Security Testing”]

API keys are codes that are used to identify and authenticate an application or user when accessing an API. API keys could be stored insecurely, such as in plain text, in public repositories, or in unencrypted files. This could expose the API keys to unauthorized access, theft, or misuse by malicious actors, who could then access the API and the data it contains. This could result in data breaches, privacy violations, fraud, or other damages.

The primary reason for an organization to use hash functions when hardening application systems involved in biometric data processing is to reduce the risk of sensitive data breaches, because hash functions are one-way mathematical functions that transform biometric data into a unique and irreversible representation that cannot be reconstructed or reversed. This means that even if an attacker gains access to the hashed biometric data, they cannot use it to identify or impersonate the individual. Hash functions also help preserve the privacy and confidentiality of biometric data by preventing unauthorized access, modification, or disclosure.

Continuous monitoring dashboards provide ongoing, real-time visibility into privacy posture, allowing senior management to track performance trends and risk levels over time. PIAs (B) are project-specific and point-in-time; metadata inventories (A) document assets but are not monitoring tools; vulnerability results (C) are technical and periodic, not enterprise-level posture tracking.

“Dashboards provide ongoing, measurable insights into privacy compliance and posture for executive oversight.”

The primary reason to complete a privacy impact assessment (PIA) is to understand privacy risks associated with the collection, use, disclosure or retention of personal data. A PIA is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves personal data processing activities. A PIA helps to ensure that privacy risks are identified and mitigated before the implementation is executed. A PIA also helps to ensure compliance with privacy principles, laws and regulations, and alignment with customer expectations and preferences. The other options are not primary reasons to complete a PIA. To comply with consumer regulatory requirements may be a reason to complete a PIA, but it is not the primary reason, as consumer regulatory requirements may vary depending on the context and jurisdiction. To establish privacy breach response procedures may be an outcome of completing a PIA, but it is not the primary reason, as privacy breach response procedures are only one aspect of mitigating privacy risks. To classify personal data may be an activity that is part of completing a PIA, but it is not the primary reason, as personal data classification is only one aspect of understanding privacy risks1, p. 67 References: 1: CDPSE Review Manual (Digital Version)

Some organizations, typically those that manage large amounts of personal information related to employees, customers, or constituents, will employ a chief privacy officer (CPO). Some organizations have a CPO because applicable regulations such as the Gramm-Leach-Bliley Act (GLBA) require it. Other regulations such as the Health Information Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the GLBA place a slate of responsibilities upon an organization that compels them to hire an executive responsible for overseeing compliance.

The chief privacy officer (CPO) is the senior executive who is responsible for establishing and maintaining the organization’s privacy vision, strategy, and program. The CPO oversees the development and implementation of privacy policies, procedures, standards, and controls, and ensures that they align with the organization’s business objectives and legal obligations. The CPO also leads the privacy governance structure, such as the privacy steering committee, and coordinates with other stakeholders, such as the chief data officer (CDO), the information security steering committee, and the legal counsel, to ensure that privacy is integrated into all aspects of the organization’s operations. References: : CDPSE Review Manual (Digital Version), page 21

Application hardening measures are the most important action to protect a mobile banking app and its data against manipulation and disclosure because they prevent attackers from reverse engineering, tampering, or injecting malicious code into the app. Application hardening measures include techniques such as code obfuscation, encryption, integrity checks, anti-debugging, and anti-tampering mechanisms. These measures make the app more resilient and secure against various types of cyberattacks.

Validating the privacy framework is a responsibility of the audit function in helping an organization address privacy compliance requirements, as it would help to verify and validate the effectiveness and adequacy of the privacy framework implemented by the organization to comply with privacy principles, laws and regulations. Validating the privacy framework would also help to identify and report any gaps, weaknesses or issues in the privacy framework, and to provide recommendations for improvement or remediation. The other options are not responsibilities of the audit function in helping an organization address privacy compliance requirements. Approving privacy impact assessments (PIAs) is a responsibility of management or governance function in helping an organization address privacy compliance requirements, as they would have authority and accountability for approving PIAs conducted by project teams or business units before implementing any system, project, program or initiative that involves personal data processing activities. Managing privacy notices provided to customers is a responsibility of operational function in helping an organization address privacy compliance requirements, as they would have direct contact and interaction with customers and would be responsible for providing clear and accurate information about how their personal data is collected, used, disclosed and transferred by the organization. 

The right to be forgotten is a privacy right that allows individuals to request the deletion or removal of their personal data from a data controller’s records or systems under certain conditions. One of these conditions is when the data is no longer required for the purpose originally collected, meaning that the data has become obsolete, irrelevant or excessive for fulfilling the initial purpose for which it was obtained or processed by the data controller. The other options are not valid conditions for exercising the right to be forgotten. The data is being used to comply with legal obligations or public interest is an exception that may prevent the data controller from deleting or removing the data upon request, as there may be overriding legitimate grounds for retaining the data for legal compliance or public interest reasons. The individual objects despite legitimate grounds for processing is a condition for exercising the right to object, not the right to be forgotten, which allows individuals to oppose the processing of their personal data based on their particular situation or for direct marketing purposes. The individual’s legal residence status has recently changed is not a relevant factor for exercising the right to be forgotten, as it does not affect the necessity or relevance of the data for its original purpose1, p. 107-108 References: 1: CDPSE Review Manual (Digital Version)

Extended detection and response (XDR) is a security solution that collects and analyzes data from multiple sources, such as endpoints, networks, servers, cloud, and applications, to detect and respond to threats in real time. XDR should be installed to address the increase in threats originating from endpoints, as it provides a holistic and integrated view of the threat landscape, as well as automated and coordinated actions to contain and remediate the threats. XDR also helps to improve the visibility, efficiency, and effectiveness of the security operations, as well as to reduce the complexity and costs of managing multiple security tools.

The best way to validate compliance with agreed-upon service levels established with a third party that processes personal data is to have a contractual right to audit, which means that the organization can conduct audits or inspections of the third party’s privacy practices, policies, and procedures to verify that they meet the contractual obligations and expectations. A contractual right to audit can also help identify and address any privacy risks or gaps that may arise from the third party’s processing of personal data12.

Data flows are the most important to review before using an application programming interface (API) to help mitigate related privacy risk. Data flows are the paths or routes that data take from their sources to their destinations through various processes, transformations, or exchanges. Data flows can help understand how data are collected, used, shared, stored, or deleted by an API and its related applications. Data flows can also help identify the potential privacy risks or impacts that may arise from data processing activities involving an API and its related applications. Data flows can be represented by diagrams, maps, models, or documents that show the sources, destinations, types, formats, volumes, frequencies, purposes, or legal bases of data.

Data taxonomy, data classification, and data collection are also important for privacy risk mitigation when using an API, but they are not the most important. Data taxonomy is a system of organizing and categorizing data into groups, classes, or hierarchies based on their characteristics, attributes, or relationships. Data taxonomy can help understand the structure, meaning, context, or value of data. Data classification is a process of assigning labels or tags to data based on their sensitivity, confidentiality, criticality, or risk level. Data classification can help determine the appropriate level of protection or handling for data. Data collection is a process of gathering or obtaining data from various sources for a specific purpose or objective. Data collection can help obtain the necessary information or evidence for decision making or problem solving.

Code review is a primary element of application and software hardening. Code review is a process of examining the source code of an application or software to identify and fix errors, vulnerabilities, or inefficiencies that may compromise its functionality, security, or performance. Code review can help prevent common security risks such as buffer overflows, SQL injections, cross-site scripting, or logic flaws. Code review can also help improve the quality, readability, maintainability, and usability of the code. Code review can be done manually by developers or peers, or automatically by tools such as static code analyzers or code quality checkers.

Vulnerability analysis, database configuration, and software repository are also important for application and software hardening, but they are not primary elements. Vulnerability analysis is a process of identifying and assessing the weaknesses or flaws in an application or software that may expose it to attacks or exploitation. Vulnerability analysis can be done by tools such as vulnerability scanners or penetration testers. Database configuration is a process of setting up and managing the parameters, options, or features of a database system that stores or processes data for an application or software. Database configuration can include aspects such as access control, encryption, backup, recovery, performance tuning, or replication. Software repository is a location where the source code, binaries, or documentation of an application or software are stored and managed. Software repository can facilitate version control, collaboration, distribution, or deployment of the application or software.

Classifying sensitive unstructured data should be done first to address the situation of the proliferation of personal data held as unstructured data, as it helps to identify the types, locations, and owners of the data, and to apply the appropriate privacy controls and measures based on the data classification level. Classifying sensitive unstructured data also facilitates the data discovery, data minimization, data retention, and data disposal processes. References: 2 Domain 3, Task 2; 5 Page 9

Senior leadership must define the roles and responsibilities of the person with oversight, who is responsible for ensuring compliance with the data privacy policy and applicable laws and regulations. This person may also be known as the data protection officer, the privacy officer, or the chief privacy officer, depending on the organization and jurisdiction. The person with oversight should have the authority, resources, and independence to perform their duties effectively.

Online behavioral tracking is a tracking technology associated with unsolicited targeted advertisements that presents the greatest privacy risk. Online behavioral tracking is a technique that collects and analyzes personal data about users’ online activities, preferences, interests, and behaviors across different websites or platforms. Online behavioral tracking is used to create user profiles and deliver personalized or targeted advertisements that match users’ needs or wants. Online behavioral tracking poses a privacy risk because it can invade users’ privacy by collecting sensitive or intimate personal data without their knowledge or consent, such as health conditions, political views, sexual orientation, etc. Online behavioral tracking can also expose users to unwanted or inappropriate advertisements that may influence their decisions or actions. References: : CDPSE Review Manual (Digital Version), page 139

Validation and certification of data destruction is the most important consideration when choosing a method for data destruction, because it provides evidence that the data has been destroyed beyond recovery and that the organization has complied with the applicable information security frameworks and legal requirements. Validation and certification can also help to prevent data breaches, avoid legal liabilities, and enhance the organization’s reputation and trustworthiness. Different methods of data destruction may have different levels of validation and certification, depending on the type of media, the sensitivity of the data, and the standards and guidelines followed. For example, some methods may require a third-party verification or audit, while others may generate a certificate of destruction or a report of erasure. Therefore, the organization should choose a method that can provide sufficient validation and certification for its specific needs and obligations.

The greatest benefit of adopting data minimization practices is that the associated threat surface is reduced. Data minimization is a privacy principle that states that personal data should be adequate, relevant, and limited to what is necessary for the purposes for which they are processed. Data minimization helps to protect data privacy by reducing the amount and type of personal data that are collected, stored, processed, or shared by an organization. This in turn reduces the exposure of personal data to potential threats, such as unauthorized access, use, disclosure, modification, or loss. References: : CDPSE Review Manual (Digital Version), page 29

The primary consideration to ensure control of remote access is aligned to the privacy policy is that access is only granted to authorized users. This means that the organization should implement and enforce policies and procedures to identify, authenticate, and authorize users who need to access personal data remotely, such as employees, contractors, or service providers. The organization should also define and communicate the roles and responsibilities of remote users, and the terms and conditions of remote access, such as the purpose, scope, duration, and security measures. By granting access only to authorized users, the organization can protect data privacy by preventing unauthorized or unnecessary access, use, disclosure, or transfer of personal data. References: : CDPSE Review Manual (Digital Version), page 107

Sectoral is a privacy protection reference model that refers to a system of laws and regulations that apply to specific sectors or industries within a jurisdiction, such as health, finance, education or telecommunications. Sectoral privacy protection is typically characterized by having different rules and standards for different types of personal data or data processing activities, depending on the sensitivity and value of the data or the impact and risk of the processing. When a government’s health division established the complete privacy regulation for only the health market, it is using a sectoral privacy protection reference model, as it is addressing the specific needs and challenges of the health sector in terms of privacy protection. The other options are not applicable in this scenario. Co-regulatory is a privacy protection reference model that refers to a system of laws and regulations that are supplemented by self-regulation mechanisms, such as codes of conduct, standards or certification schemes, developed by industry associations or professional bodies with oversight from government agencies or regulators. Comprehensive is a privacy protection reference model that refers to a system of laws and regulations that apply to all sectors and industries within a jurisdiction, regardless of the type or nature of personal data or data processing activities. Self-regulatory is a privacy protection reference model that refers to a system of laws and regulations that rely on voluntary compliance by organizations with their own policies and procedures, without any external oversight or enforcement from government agencies or regulators1, p. 63-64 References: 1: CDPSE Review Manual (Digital Version)