CDPSE

By ISACA
Aug, 2025


Question 1

What should be the PRIMARY consideration of a multinational organization deploying a user and entity behavior analytics (UEBA) tool to centralize the monitoring of anomalous employee behavior?

  • A: Cross-border data transfer
  • B: Support staff availability and skill set
  • C: User notification
  • D: Global public interest

Question 2

Which of the following is the PRIMARY reason to complete a privacy impact assessment (PIA)?

  • A: To comply with consumer regulatory requirements
  • B: To establish privacy breach response procedures
  • C: To classify personal data
  • D: To understand privacy risks

Question 3

How can an organization BEST ensure its vendors are complying with data privacy requirements defined in their contracts?

  • A: Review self-attestations of compliance provided by vendor management.
  • B: Obtain independent assessments of the vendors’ data management processes.
  • C: Perform penetration tests of the vendors’ data security.
  • D: Compare contract requirements against vendor deliverables.

Question 4

Before executive leadership approves a new data privacy policy, it is MOST important to ensure:

  • A: a training program is developed.
  • B: a privacy committee is established.
  • C: a distribution methodology is identified.
  • D: a legal review is conducted.

Question 5

Which of the following is an IT privacy practitioner’s BEST recommendation to reduce privacy risk before an organization provides personal data to a third party?

  • A: Tokenization
  • B: Aggregation
  • C: Anonymization
  • D: Encryption

Question 6

Which of the following is a responsibility of the audit function in helping an organization address privacy compliance requirements?

  • A: Approving privacy impact assessments (PIAs)
  • B: Validating the privacy framework
  • C: Managing privacy notices provided to customers
  • D: Establishing employee privacy rights and consent

Question 7

An online retail company is trying to determine how to handle users’ data if they unsubscribe from marketing emails generated from the website. Which of the following is the BEST approach for handling personal data that has been restricted?

  • A: Encrypt users’ information so it is inaccessible to the marketing department.
  • B: Reference the privacy policy to see if the data is truly restricted.
  • C: Remove users’ information and accounts from the system.
  • D: Flag users’ email addresses to make sure they do not receive promotional information.

Question 8

Which of the following should be done FIRST when developing an organization-wide strategy to address data privacy risk?

  • A: Obtain executive support.
  • B: Develop a data privacy policy.
  • C: Gather privacy requirements from legal counsel.
  • D: Create a comprehensive data inventory.

Question 9

Which of the following is the BEST way to protect the privacy of data stored on a laptop in case of loss or theft?

  • A: Strong authentication controls
  • B: Remote wipe
  • C: Regular backups
  • D: Endpoint encryption

Question 10

Which of the following should be established FIRST before authorizing remote access to a data store containing personal data?

  • A: Privacy policy
  • B: Network security standard
  • C: Multi-factor authentication
  • D: Virtual private network (VPN)

Question 11

Which of the following should be of GREATEST concern when an organization wants to store personal data in the cloud?

  • A: The organization’s potential legal liabilities related to the data
  • B: The data recovery capabilities of the storage provider
  • C: The data security policies and practices of the storage provider
  • D: Any vulnerabilities identified in the cloud system

Question 12

Which of the following helps define data retention time in a stream-fed data lake that includes personal data?

  • A: Information security assessments
  • B: Privacy impact assessments (PIAs)
  • C: Data privacy standards
  • D: Data lake configuration

Question 13

As part of a major data discovery initiative to identify personal data across the organization, the project team has identified the proliferation of personal data held as unstructured data as a major risk. What should be done FIRST to address this situation?

  • A: Identify sensitive unstructured data at the point of creation.
  • B: Classify sensitive unstructured data.
  • C: Identify who has access to sensitive unstructured data.
  • D: Assign an owner to sensitive unstructured data.

Question 14

Which types of controls need to be applied to ensure accuracy at all stages of processing, storage, and deletion throughout the data life cycle?

  • A: Processing flow controls
  • B: Time-based controls
  • C: Purpose limitation controls
  • D: Integrity controls

Question 15

Which of the following is the BEST approach to minimize privacy risk when collecting personal data?

  • A: Use a third party to collect, store, and process the data.
  • B: Collect data through a secure organizational web server.
  • C: Collect only the data necessary to meet objectives.
  • D: Aggregate the data immediately upon collection.

Question 16

Which of the following should be done FIRST to establish privacy by design when developing a contact-tracing application?

  • A: Conduct a privacy impact assessment (PIA).
  • B: Conduct a development environment review.
  • C: Identify privacy controls for the application.
  • D: Identify differential privacy techniques.

Question 17

A software development organization with remote personnel has implemented a third-party virtualized workspace to allow the teams to collaborate. Which of the following should be of GREATEST concern?

  • A: The third-party workspace is hosted in a highly regulated jurisdiction.
  • B: Personal data could potentially be exfiltrated through the virtual workspace.
  • C: The organization’s products are classified as intellectual property.
  • D: There is a lack of privacy awareness and training among remote personnel.

Question 18

Which of the following is MOST important when designing application programming interfaces (APIs) that enable mobile device applications to access personal data?

  • A: The user’s ability to select, filter, and transform data before it is shared
  • B: Umbrella consent for multiple applications by the same developer
  • C: User consent to share personal data
  • D: Unlimited retention of personal data by third parties

Question 19

A migration of personal data involving a data source with outdated documentation has been approved by senior management. Which of the following should be done NEXT?

  • A: Review data flow post migration.
  • B: Ensure appropriate data classification.
  • C: Engage an external auditor to review the source data.
  • D: Check the documentation version history for anomalies.

Question 20

Which of the following is the BEST way to reduce the risk of compromised credentials when an organization allows employees to have remote access?

  • A: Enable whole disk encryption on remote devices.
  • B: Purchase an endpoint detection and response (EDR) tool.
  • C: Implement multi-factor authentication.
  • D: Deploy single sign-on with complex password requirements.

Question 21

Which of the following is the PRIMARY objective of privacy incident response?

  • A: To ensure data subjects impacted by privacy incidents are notified
  • B: To reduce privacy risk to the lowest possible level
  • C: To mitigate the impact of privacy incidents
  • D: To optimize the costs associated with privacy incidents

Question 22

An organization wants to ensure that endpoints are protected in line with the privacy policy. Which of the following should be the FIRST consideration?

  • A: Detecting malicious access through endpoints
  • B: Implementing network traffic filtering on endpoint devices
  • C: Managing remote access and control
  • D: Hardening the operating systems of endpoint devices

Question 23

When evaluating cloud-based services for backup, which of the following is MOST important to consider from a privacy regulation standpoint?

  • A: Data classification labeling
  • B: Data residing in another country
  • C: Volume of data stored
  • D: Privacy training for backup users

Question 24

An organization has a policy requiring the encryption of personal data if transmitted through email. Which of the following is the BEST control to ensure the effectiveness of this policy?

  • A: Provide periodic user awareness training on data encryption.
  • B: Implement a data loss prevention (DLP) tool.
  • C: Conduct regular control self-assessments (CSAs).
  • D: Enforce annual attestation to policy compliance.

Question 25

Which of the following is MOST important to include when defining an organization’s privacy requirements as part of a privacy program plan?

  • A: Data classification process
  • B: Privacy management governance
  • C: Privacy protection infrastructure
  • D: Lessons learned documentation

Page 1 of 10 • Questions 1-25 of 229