An organization's business continuity plan or disaster recovery plan does NOT typically include what?

1. A. Recovery time objectives.
2. B. Emergency response guidelines.
3. C. Statement of organizational responsibilities.
4. D. Retention schedule for storage and destruction of information.

Correct Answer: D

What is one reason the European Union has enacted more comprehensive privacy laws than the United States?

1. A. To ensure adequate enforcement of existing laws.
2. B. To ensure there is adequate funding for enforcement.
3. C. To allow separate industries to set privacy standards.
4. D. To allow the free movement of data between member countries.

Correct Answer: D

Which statement is FALSE regarding the use of technical security controls?

1. A. Technical security controls are part of a data governance strategy.
2. B. Technical security controls deployed for one jurisdiction often satisfy another jurisdiction.
3. C. Most privacy legislation lists the types of technical security controls that must be implemented.
4. D. A person with security knowledge should be involved with the deployment of technical security controls.

Correct Answer: B

SCENARIO
Please use the following to answer the next QUESTION:
Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients. Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested IgNight's installations in their homes across the globe.
One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.
Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with this manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.
If this were a data breach, how is it likely to be categorized?

1. A. Availability Breach.
2. B. Authenticity Breach.
3. C. Confidentiality Breach.
4. D. Integrity Breach.

Correct Answer: C

SCENARIO
Please use the following to answer the next QUESTION:
Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society’s store had been hacked. The thefts could have been employee-related.
Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a phone call from you to clarify expectations and the “misunderstanding” has not occurred again.
As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Society’s operating budget is slim, and all sources of revenue are essential.
Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. “The good news,” he says, “is that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it won’t be exorbitant, especially considering the advantages of a cloud.”
Lately, you have been hearing about cloud computing and you know it’s fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jason’s Finnish provider is signing on.
What is the best way to prevent the Finnish vendor from transferring data to another party?

1. A. Restrict the vendor to using company security controls
2. B. Offer company resources to assist with the processing
3. C. Include transfer prohibitions in the vendor contract
4. D. Lock the data down in its current location

Correct Answer: C