Isaca CDPSE Exam Questions

The best way to ensure that application hardening is included throughout the software development life cycle (SDLC) is to include qualified application security personnel as part of the process. Application hardening is the process of applying security measures and techniques to an application to reduce its attack surface, vulnerabilities, and risks. Application hardening should be integrated into every stage of the SDLC, from planning and design to development and testing to deployment and maintenance. Including qualified application security personnel as part of the process helps to ensure that application hardening is performed effectively and consistently, as well as to provide guidance, feedback, and support to the developers, testers, and project managers. The other options are not as effective or sufficient as including qualified application security personnel as part of the process, as they do not address the root cause of the lack of application hardening, which is the gap in skills and knowledge among the SDLC participants.

A data processor that handles personal data for multiple customers has decided to migrate its data warehouse to a third-party provider. The processor is obligated to seek approval from all in-scope data controllers prior to implementation. A data controller is an entity that determines the purposes and means of processing personal dat

a. A data processor is an entity that processes personal data on behalf of a data controller. A third-party provider is an entity that provides services or resources to another entity, such as a cloud service provider or a hosting provider.

According to various privacy laws and regulations, such as the GDPR or the CCPA, a data processor must obtain explicit consent from the data controller before engaging another processor or transferring personal data to a third country or an international organization. The consent must specify the identity of the other processor or the third country or international organization, as well as the safeguards and guarantees for the protection of personal data. The consent must also be documented in a written contract or other legal act that binds the processor to respect the same obligations as the controller.

Seeking approval from all in-scope data controllers can help ensure that the processor complies with its contractual and legal obligations, respects the rights and preferences of the data subjects, and maintains transparency and accountability for its processing activities.

Obtaining assurance that data subject requests will continue to be handled appropriately, implementing comparable industry-standard data encryption in the new data warehouse, or ensuring data retention periods are documented are also good practices for a data processor that migrates its data warehouse to a third-party provider, but they are not obligations prior to implementation. Rather, they are requirements or recommendations during or after implementation.

Obtaining assurance that data subject requests will continue to be handled appropriately is a requirement for a data processor that processes personal data on behalf of a data controller. Data subject requests are requests made by individuals to exercise their rights regarding their personal data, such as access, rectification, erasure, restriction, portability, or objection. A data processor must assist the data controller in fulfilling these requests within a reasonable time frame and without undue delay.

Implementing comparable industry-standard data encryption in the new data warehouse is a recommendation for a data processor that transfers personal data to another system or location. Data encryption is a process of transforming data into an unreadable form using a secret key or algorithm. Data encryption can help protect the confidentiality, integrity, and availability of personal data by preventing unauthorized access, disclosure, or modification.

Ensuring data retention periods are documented is a requirement for a data processor that stores personal data on behalf of a data controller. Data retention periods are the durations for which personal data are kept before they are deleted or anonymized. Data retention periods must be determined by the purpose and necessity of processing personal data and must comply with legal and regulatory obligations.

Privacy by design is an approach that embeds privacy principles and considerations into the design and development of products, services, systems, and processes that involve personal dat

a. Privacy by design aims to protect the privacy and security of the data subjects, as well as to comply with the applicable privacy laws and regulations. One of the key principles of privacy by design is to obtain the consent and choice of the data subjects regarding the collection, use, and disclosure of their personal data. Therefore, the best example of privacy by design in the development of a consumer mobile application is to require consent before sharing locations, as this gives the data subjects control and transparency over their personal data. The other options are not as effective or sufficient as requiring consent before sharing locations, as they do not address the principle of consent and choice, or they may violate other privacy principles or requirements.

Asymmetric encryption, also known as public-key encryption, encrypts and decrypts data using two separate yet mathematically connected cryptographic keys. One key is called the public key and can be shared with anyone, while the other key is called the private key and must be kept secret. The public key is used to encrypt the data, and only the corresponding private key can decrypt it. Likewise, the private key can be used to sign the data, and only the corresponding public key can verify it. This method provides confidentiality, integrity, authentication and non-repudiation for data.

Performing a full wipe and reimage of the laptops is the best control to prevent the exposure of personal information when redeploying laptops within an organization. This is because a full wipe and reimage ensures that all data, including personal information, is securely erased from the laptops and replaced with a fresh installation of the operating system and applications. This reduces the risk of data leakage, unauthorized access, or data recovery by malicious actors or unauthorized users. The other options are not as effective or sufficient as a full wipe and reimage, as they do not guarantee the complete removal of personal information from the laptops.