Case Studies Flashcards

1
Q

What security controls are missing from the Eureka program?

a. Storage of medical data in the cloud is not permissible under the GDPR
b. Data access is not limited to those who “need to know” for their role
c. Collection of data without a defined purpose might violate the fairness principle
d. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data

A

Data access is not limited to those who “need to know” for their role

2
Q

What step in the system development process did Manasa skip?

a. Obtain express written consent from users of the Handy Helper regarding marketing
b. Work with Sanjay to review any necessary privacy requirements to be built into the product
c. Certify that the Handy Helper meets the requirements of the EU-US Privacy Shield Framework
d. Build the AI feature so that users would not have to input sensitive information into the Handy Helper

A

Work with Sanjay to review any necessary privacy requirements to be built into the product

3
Q

What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?

a. Document the data flows for the collected data
b. Conduct a Privacy Impact Assessment to evaluate the risks involved
c. Implement a policy restricting data access on a need to know basis
d. Limit data transfers to the US by keeping data collected in Europe within a local data centre

A

Implement a policy restricting data access on a need to know basis

4
Q

What element of the Privacy by Design framework might the Handy Helper violate?

a. Failure to obtain opt in consent to marketing
b. Failure to observe data localisation requirements
c. Failure to implement the least privilege access standard
d. Failure to integrate privacy throughout the system development life cycle

A

Failure to integrate privacy throughout the system development life cycle

5
Q

What can Sanjay do to minimize the risks of offering the product in Europe?

a. Sanjay should advise the distributor that Omnimedia has certified to the Privacy Shield framework and there should be no issues
b. Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released
c. Sanjay should document the data life cycle of the data collected by the Handy Helper
d. Sanjay should write a privacy policy to include with the Handy Helper user guide

A

Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released

6
Q

To improve the facility’s system of data security, Anton should consider following through with the plan for which of the following?

a. Customer communication
b. Employee access to electronic storage
c. Employee advisement regarding legal matters
d. Controlled access at the company HQ

A

Controlled access at the company HQ

7
Q

Which of Anton’s plans for improving the data management of the company is most achievable?

a. His initiative to achieve regulatory compliance
b. His intention to transition to electronic storage
c. His objective for zero loss of personal information
d. His intention to send notice letters to customers and employees

A

His intention to transition to electronic storage

8
Q

Which important principle of Data Lifecycle Management will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth?

a. Practicing data minimalism
b. Ensuring data retrievability
c. Implementing clear policies
d. Ensuring adequacy of infrastructure

A

Ensuring data retrievability

9
Q

In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding…

a. The timeline for monitoring
b. The method of recordkeeping
c. The use of internal employees
d. The type of required qualifications

A

The timeline for monitoring

10
Q

What would the company’s legal team most likely recommend to Anton regarding his planned communication with customers?

a. To send consistent communication
b. To shift to electronic communication
c. To delay communication until local authorities are informed
d. To consider under what circumstances communication is necessary

A

To consider under what circumstances communication is necessary

11
Q

Which of the following is the most effective control to enforce MessageSafe’s implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?

a. MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP.
b. MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
c. MessageSafe must apply appropriate security controls on the cloud infrastructure
d. MessageSafe must notify A&M LLP of a data breach

A

MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.

12
Q

Which of the following is a TRUE statement about the relationship among the organisations?

a. Cloud Inc. must notify A&M LLP of a data breach immediately
b. MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP
c. Cloud Inc. should enter into a data processor agreement with A&M LLP
d. A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor

A

A&M LLP’s service contract must be amended to list Cloud Inc. as a sub-processor

13
Q

Which of the following is NOT an obligation of MessageSafe as the email continuity service provider for A&M LLP?

a. Privacy compliance
b. Security commitment
c. Certifications to relevant frameworks
d. Data breach notification to A&M LLP

A

Certifications to relevant frameworks

14
Q

Richard believes that a transition from the use of fax machines to internet faxing provides all of the following security benefits EXCEPT…

a. Greater accessibility to the faxes at an offsite location
b. The ability to encrypt the transmitted faxes through a secure server
c. Reduction of the risk of data being seen or copied by unauthorised personnel
d. The ability to store faxes electronically, either on the user’s PC or a password protected network server

A

Greater accessibility to the faxes at an offsite location

15
Q

As Richard begins to research more about Data Lifecycle Management, he discovers that the law office can lower the risk of a data breach by doing what?

a. Prioritising the data by order of importance
b. Minimising the time it takes to retrieve the sensitive data
c. Reducing the volume and the type of data that is stored in its system
d. Increasing the number of experienced staff to code and categorize the incoming data

A

Reducing the volume and the type of data that is stored in its system

16
Q

What Data Lifecycle Management principle should the company follow if they end up allowing departments to interpret the privacy policy differently?

a. Prove the authenticity of the company’s records
b. Arrange for official credentials for staff members
c. Adequately document reasons for inconsistencies
d. Create categories to reflect degrees of data importance

A

Adequately document reasons for inconsistencies

17
Q

What is the most likely reason the CIO believes that generating a list of needed IT equipment is NOT adequate?

a. The company needs to have policies and procedures in place to guide the purchasing decisions
b. The privacy notice for customers and the Business Continuity Plan still needs to be reviewed
c. Staff members across departments need time to review technical information concerning any new database
d. Senior staff members need to first commit to adopting a minimum number of Privacy Enhancing Technologies

A

The company needs to have policies and procedures in place to guide the purchasing decisions

18
Q

If Amira and Sadie’s ideas about adherence to the company’s privacy policy go unchecked, the Federal Communications Commission could potentially take action against NatGen for what?

a. Deceptive practices
b. Failing to institute the hotline
c. Failure to notify of processing
d. Negligence in consistent training

A

Failing to institute the hotline

19
Q

What additional change will increase the effectiveness of the privacy compliance hotline?

a. Outsourcing the hotline
b. A system for staff education
c. Strict communication channels
d. An ethics complaint department

A

Outsourcing the hotline

20
Q

Which of the following would be most effectively used as a guide to a systems approach to implementing data protection?

a. Data Lifecycle Management Standards
b. United Nations Privacy Agency Standards
c. International Organisation for Standardisation 9000 Series
d. International Organisation for Standardisation 27000 Series

A

International Organisation for Standardisation 27000 Series

21
Q

How can Consolidated’s privacy training program best be further developed?

a. Through targeted curricula designed for specific departments
b. By adopting e-learning to reduce the need for instructors
c. By using industry standard off the shelf programs
d. Through a review of recent data breaches

A

Through targeted curricula designed for specific departments

22
Q

What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?

a. Privacy by Design
b. Privacy Step Assessment
c. Information Security Planning
d. Innovation Privacy Standards

A

Privacy by Design

23
Q

What stage of the privacy operational lifecycle best describes Consolidated’s current privacy program?

a. Assess
b. Protect
c. Respond
d. Sustain

A

Protect

24
Q

Which is the best way to ensure that data on personal equipment is protected?

a. User risk training
b. Biometric security
c. Encryption of the data
d. Frequent data backups

A

Encryption of the data

25
Q

From a business standpoint, what is the most productive way to view employee use of personal equipment for work-related tasks?

a. The use of personal equipment is a cost-effective measure that leads to no greater security risks than are always present in a modern organisation
b. Any computer or other equipment is company property whenever it is used for company business
c. While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.
d. The use of personal equipment must be reduced as it leads to inevitable security risks

A

While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.

26
Q

In order to determine the best course of action, how should this incident most productively be viewed?

a. As the accidental loss of personal property containing data that must be restored
b. As a potential compromise of personal information through unauthorised access
c. As an incident that requires the abrupt initiation of a notification campaign
d. As the premediated theft of company data, until shown otherwise

A

As a potential compromise of personal information through unauthorised access

27
Q

What should you do first to ascertain additional information about the loss of data?

a. Interview the person reporting the incident following a standard protocol
b. Call the police to investigate even if you are unsure a crime occurred
c. Investigate the background of the person reporting the incident
d. Check company records of the latest backups to see what data may be recoverable

A

Interview the person reporting the incident following a standard protocol

28
Q

What is the most realistic step the organisation can take to help diminish liability in the event of another incident?

a. Requiring the vendor to perform periodic internal audits
b. Specific mandatory data protection practices in vendor contracts
c. Keeping the majority of processing activities within the organisation
d. Obtaining customer consent for any 3rd party processing of personal data

A

Specific mandatory data protection practices in vendor contracts

29
Q

Nationwide Grill needs to create better employee awareness of the company’s privacy program by doing what?

a. Varying the modes of communication
b. Communicating to the staff more often
c. Improving inter-departmental cooperation
d. Requiring acknowledgement of company memos

A

Varying the modes of communication

30
Q

How could the objection to Spencer’s training suggestion be addressed?

a. By requiring training only on an as-needed basis
b. By offering alternative delivery methods for training
c. By introducing a system of periodic refreshing trainings
d. By customising training based on length of employee tenure

A

By offering alternative delivery methods for training

31
Q

The senior advisor, Spencer, has a misconception regarding?

a. The amount of responsibility that a data controller retains
b. The appropriate role of an organisation’s security department
c. The degree to which training can lessen the number of security incidents
d. The role of HR employees in an organisation’s privacy program

A

The amount of responsibility that a data controller retains

32
Q

What does this example best illustrate about training requirements for privacy protection?

a. Training needs must be weighed against financial costs
b. Training on local laws must be implemented for all personnel
c. Training must be repeated frequently to respond to new legislation
d. Training must include assessments to verify that the material is mastered

A

Training on local laws must be implemented for all personnel

33
Q

Knowing that the regulator is now investigating, what would be the best step to take?

a. Consult an attorney experienced in privacy law and litigation
b. Use your background and knowledge to set a course of action
c. If you know the organisation is guilty, advise it to accept the punishment
d. Negotiate the terms of a settlement before formal legal action takes place

A

If you know the organisation is guilty, advise it to accept the punishment

34
Q

What should you advise this company regarding the status of security cameras at their offices in the US?

a. Add security cameras at facilities that are now without them
b. Set policies about the purpose and use of the security cameras
c. Reduce the number of security cameras located inside the building
d. Restrict access to surveillance video taken by the security cameras and destroy the recordings after a designated period of time

A

Set policies about the purpose and use of the security cameras

35
Q

Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?

a. Implement a more comprehensive suite of information security controls than the one used by the vendor
b. Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified
c. Develop security protocols for the vendor and mandate that they be deployed
d. Insist on an audit of the vendor’s privacy procedures and safeguards

A

Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified

36
Q

Which is the best first step in understanding the data security practices of a potential vendor?

a. Requiring the vendor to complete a questionnaire assessing International Organisation for Standardisation 27001 compliance
b. Conducting a physical audit of the vendor’s facilities
c. Conducting a penetration test of the vendor’s data security structure
d. Examining investigation records of any breaches the vendor has experienced

A

Requiring the vendor to complete a questionnaire assessing International Organisation for Standardisation 27001 compliance

37
Q

What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?

a. Include appropriate language about privacy protection in vendor contracts
b. Perform a privacy audit on any vendor under consideration
c. Require that a person trained in privacy protection be part of all vendor selection teams
d. Do business only with vendors who are members of privacy trade associations

A

Include appropriate language about privacy protection in vendor contracts

38
Q

You want to point out that normal protocols have NOT been followed in this matter. Which process in particular has been neglected?

a. Forensic inquiry
b. Data mapping
c. Privacy breach prevention
d. Vendor due diligence vetting

A

Vendor due diligence vetting

39
Q

You see evidence that company employees routinely circumvent the privacy officer in developing new initiatives. How can you best draw attention to the scope of this problem?

a. Insist upon one-on-one consultation with each person who works around the privacy officer
b. Develop a metric showing the number of initiatives launched without consultation and include it in reports, presentations, and consultation
c. Hold discussions with the department head of anyone who fails to consult with the privacy officer
d. Take your concerns straight to the CEO

A

Develop a metric showing the number of initiatives launched without consultation and include it in reports, presentations, and consultation

40
Q

What would be the best kind of audit to recommend for Gadgo?

a. A supplier audit
b. An internal audit
c. A 3rd party audit
d. A self-certification

A

A 3rd party audit

41
Q

What phase in the Privacy Maturity Model does Gadgo’s privacy program best exhibit?

a. Ad hoc
b. Defined
c. Repeatable
d. Managed

A

Ad hoc

42
Q

Incipia Corporation just trained the last of its 300 employees on their new privacy policies and procedures. If Incipia wanted to analyse the effectiveness of the training over the next 6 months, which form of trend analysis should they use?

a. Cyclical
b. Irregular
c. Statistical
d. Standard variance

A

Cyclical

43
Q

To determine the steps to follow, what would be the most appropriate internal guide for Ben to review?

a. Incident Response Plan
b. Code of Business Conduct
c. IT Systems and Operations Handbook
d. Business Continuity and Disaster Recovery Plan

A

Incident Response Plan

44
Q

If this were a data breach, how is it likely to be categorized?

a. Availability Breach
b. Authenticity Breach
c. Confidentiality Breach
d. Integrity Breach

A

Confidentiality Breach

45
Q

Going forward, what is the best way for IgNight to prepare its IT team to manage these kind of security events?

a. Tabletop exercises
b. Update its data inventory
c. IT security awareness training
d. Share communications relating to scheduled maintenance

A

Tabletop exercises

46
Q

In consideration of the company’s new initiatives, which of the following laws and regulations would be most appropriate for Albert to mention at the interview as a priority concern for the privacy team?

a. Gramm-Leach-Bliley Act (GLBA)
b. GDPR
c. The Telephone Consumer Protection Act (TCPA)
d. Health Insurance Portability and Accountability Act (HIPAA)

A

Health Insurance Portability and Accountability Act (HIPAA)

47
Q

On which of the following topics does Albert most likely need additional knowledge?

a. The role of privacy in retail companies
b. The necessary maturity level of privacy programs
c. The possibility of delegating responsibilities related to privacy
d. The requirements for a managerial position with privacy protection duties

A

The requirements for a managerial position with privacy protection duties

48
Q

Based on Albert’s observations, executive leadership should most likely pay closer attention to what?

a. Awareness campaigns with confusing information
b. Obsolete data processing systems
c. Outdated security frameworks
d. Potential in-house threats

A

Potential in-house threats

49
Q

Based on Albert’s observations regarding recent security incidents, which of the following should he suggest as a priority for Treasure Box?

a. Appointing an internal ombudsman to address employee complaints regarding hours and pay
b. Using a 3rd party auditor to address privacy protection issues not recognised by the prior internal audits
c. Working with the HR department to make screening procedures for potential employees more rigorous
d. Evaluating the company’s ability to handle personal health information if the plan to acquire the medical supply company goes forward

A

Working with the HR department to make screening procedures for potential employees more rigorous

50
Q

What is one important factor that Albert fails to consider regarding Treasure Box’s response to their recent security incident?

a. Who has access to the data
b. What the nature of the data is
c. How data at the company is collected
d. How long data at the company is kept

A

What the nature of the data is

51
Q

The company may start to earn back the trust of its customer base by following Albert’s suggestion regarding which handling procedure?

a. Access
b. Correction
c. Escalation
d. Data integrity

A

Access

52
Q

To establish the current baseline of Ace Space’s privacy maturity, Penny should consider all of the following factors EXCEPT?

a. Ace Space’s documented procedures
b. Ace Space’s employee training program
c. Ace Space’s vendor engagement protocols
d. Ace Space’s content sharing practices on social media

A

Ace Space’s content sharing practices on social media

53
Q

What is the best way for Penny to understand the location, classification and processing purpose of the personal data Ace Space has?

a. Analyse the data inventory to map data flows
b. Audit all vendors’ privacy practices and safeguards
c. Conduct a Privacy Impact Assessment for the company
d. Review all cloud contracts to identify the location of data servers used

A

Analyse the data inventory to map data flows

54
Q

What information will be LEAST crucial from a privacy perspective in Penny’s review of vendor contracts?

a. Audit rights
b. Liability for a data breach
c. Pricing for data security protections
d. The data a vendor will have access to

A

Pricing for data security protections

55
Q

To help Penny and her CEO with their objectives, what would be the most helpful approach to address her IT concerns?

a. Roll out an encryption policy
b. Undertake a tabletop exercise
c. Ensure inventory of IT assets is maintained
d. Host a town hall discussion for all IT employees

A

Undertake a tabletop exercise

56
Q

Collection, Access and Destruction are aspects of what privacy management process?

a. The data governance strategy
b. The breach response plan
c. The metric lifecycle
d. The business case

A

The data governance strategy

57
Q

After conducting research, you discover a primary data protection issue with cloud computing. Which of the following should be your biggest concern?

a. An open programming model that results in easy access
b. An unwillingness of cloud providers to provide security information
c. A lack of vendors in the cloud computing market
d. A reduced resilience of data structures that may lead to data loss

A

An open programming model that results in easy access

58
Q

What is the best way to prevent the Finnish vendor from transferring data to another party?

a. Restrict the vendor to using company security controls
b. Offer company resources to assist with the processing
c. Include transfer prohibitions in the vendor contract
d. Lock the data down in its current location

A

Include transfer prohibitions in the vendor contract

59
Q

What process can best answer your questions about vendor’s data security safeguards?

a. A 2nd-party (supplier) audit
b. A reference check with other clients
c. A tabletop demonstration of a potential threat
d. A public records search for earlier legal violations

A

A 2nd-party (supplier) audit

60
Q

What is the best way for your vendor to be clear about the Society’s breach notification expectations?

a. Include notification provisions in the vendor contract
b. Arrange regular telephone check-ins reviewing expectations
c. Send a memorandum of understanding on breach notification
d. Email the regulations that require breach notifications

A

Include notification provisions in the vendor contract

61
Q

Which of the following elements of the incident did you adequately determine?

a. The nature of the data elements impacted
b. The likelihood the incident may lead to harm
c. The likelihood that the information is accessible and useable
d. The number of individuals whose information was affected

A

The number of individuals whose information was affected

62
Q

Regarding the notification, which of the following would be the greatest concern?

a. Informing the affected individuals that data from other individuals may have also been affected
b. Collecting more personally identifiable information than necessary to provide updates to the affected individuals (Correct, it doesn’t call this out in the case study but this is the biggest concern I think – Joe)
c. Using a postcard with the logo of the vendor who made the mistake instead of your company’s logo
d. Trusting a vendor to send out a notice when they already failed once by not encrypting the database

A

Collecting more personally identifiable information than necessary to provide updates to the affected individuals

63
Q

What is the most concerning limitation of the incident response council?

a. You convened it to diffuse blame
b. The council has an overabundance of attorneys
c. It takes 8 hours of emails to come to a decision
d. The leader just joined the company as a consultant

A

It takes 8 hours of emails to come to a decision

64
Q

Regarding the credit monitoring, which of the following would be the greatest concern?

a. The vendor’s representative does not have enough experience
b. Signing a contract with CRUDLOK which lasts longer than 1 year
c. The company did not collect enough identifiers to monitor one’s credit
d. You are going to notify affected individuals via a letter followed by an email

A

The company did not collect enough identifiers to monitor one’s credit

65
Q

Which of the following was done CORRECTLY during the above incident?

a. The process by which affected individuals sign up for email notifications
b. Your assessment of which credit monitoring company you should hire
c. The speed at which you sat down to reflect and document the incident
d. Finding a vendor who will offer the affected individuals additional services

A

The speed at which you sat down to reflect and document the incident

66
Q

You are charged with making sure that privacy safeguards are in place for new product and initiatives. What is the best way to do this?

a. Hold a meeting with stakeholders to create an interdepartmental protocol for new initiatives
b. Institute Privacy by Design principles and practices across the organisation
c. Develop a plan for introducing privacy protections into the product development stage
d. Conduct a gap analysis after deployment of new products, then mend any gaps that are revealed

A

Institute Privacy by Design principles and practices across the organisation

67
Q

The CEO likes what he’s seen of the company’s improved privacy program, but wants additional assurance that it is fully compliant with industry standards and reflects emerging best practices. What would best help accomplish this goal?

a. An external audit conducted by a panel of industry experts
b. An internal audit team accountable to upper management
c. Creation of a self-certification framework based on company policies
d. Revision of the strategic plan to provide a system of technical controls

A

An internal audit team accountable to upper management

68
Q

The company has achieved a level of privacy protection that established new best practices for the industry. What is a logical next step to help ensure a high level of protection?

a. Brainstorm methods for developing an enhanced privacy framework
b. Develop a strong marketing strategy to communicate the company’s privacy practices
c. Focus on improving the incident response plan in preparation for any breaks in protection
d. Shift attention to privacy for emerging technologies as the company begins to use them

A

Shift attention to privacy for emerging technologies as the company begins to use them

69
Q

What metric can Goddard use to assess whether costs associated with implementing new privacy protections are justified?

a. Compliance ratio
b. Cost-effective mean
c. Return on investment
d. Implementation measure

A

Return on investment

70
Q

You give a presentation to your CEO about privacy program maturity. What does it mean to have a “managed” privacy program, according to the AICPA/CICA Privacy Maturity Model?

a. Procedures or processes exist however they are not fully documented and do not cover all relevant aspects
b. Procedures and processes are fully documented and implemented, and cover all relevant aspects.
c. Reviews are conducted to assess the effectiveness of the controls in place
d. Regular review and feedback are used to ensure continuous improvement toward optimisation of the given process.

A

Reviews are conducted to assess the effectiveness of the controls in place

71
Q

Which of the following best demonstrates the effectiveness of a firm’s privacy incident response process?

a. The decrease of security breaches
b. The decrease of notifiable breaches
c. The increase of privacy incidents reported by users
d. The decrease of mean time to resolve privacy incidents

A

The decrease of mean time to resolve privacy incidents

72
Q

If the IT engineers had originally set the default for customer credit card information to “do not save”, this action would have been in line with what concept?

a. Use limitation
b. Privacy by Design
c. Harm minimisation
d. Reactive risk management

A

Privacy by Design

73
Q

What key mistake set the company up to be vulnerable to a security breach?

a. Collecting too much information and keeping it for too long
b. Overlooking the need to organise and categorize data
c. Failing to outsource training and data management to professionals
d. Neglecting to make a backup copy of archived electronic files

A

Collecting too much information and keeping it for too long

74
Q

How would a strong data lifecycle management policy have helped prevent the breach?

a. Information would have been ranked according to importance and stored in separate locations
b. The most sensitive information would have been immediately erased and destroyed
c. The most important information would have been regularly assessed and tested for security
d. Information would have been categorised and assigned a deadline for destruction

A

Information would have been categorised and assigned a deadline for destruction

75
Q

How was Pacific Suites responsible for protecting the sensitive information of its offshoot, PHT?

a. As the parent company, it should have transferred personnel to oversee the secure handling of PHT’s data
b. As a parent company, it should have performed an assessment of PHT’s infrastructure and confirmed complete separation of the two networks.
c. As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT’s system
d. As the parent company, it should have replaced PHT’s electronic files with hard-copy documents stored securely on site

A

As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT’s system

76
Q

What must Pacific Suites’ primary focus be as it manages this security breach?

a. Minimising the amount of harm to the affected individuals
b. Investigating the cause and assigning responsibility
c. Determining whether the affected individuals should be notified
d. Maintaining operations and preventing publicity

A

Minimising the amount of harm to the affected individuals