Isaca Updated CDPSE Exam Questions and Answers by seb

The value proposition of a PIA is not understood by management is the greatest obstacle to conducting a PIA, as it may result in lack of support, funding, resources or commitment for the PIA process and outcomes. Management may not appreciate or recognize the benefits of a PIA, such as enhancing privacy protection, reducing privacy risks and costs, increasing customer trust and satisfaction, and complying with privacy laws and regulations. Management may also perceive a PIA as a burden, a delay or a hindrance to the system or project development and delivery. The other options are not as significant as the value proposition of a PIA is not understood by management as obstacles to conducting a PIA. Conducting a PIA requires significant funding and resources is an obstacle to conducting a PIA, but it may be overcome by demonstrating the return on investment or the cost-benefit analysis of a PIA. PIAs need to be performed many times in a year is an obstacle to conducting a PIA, but it may be mitigated by adopting a scalable or modular approach to PIAs that can be tailored to different types or levels of systems or projects. The organization lacks knowledge of PIA methodology is an obstacle to conducting a PIA, but it may be resolved by acquiring or developing the necessary skills, tools or guidance for performing PIAs1, p. 67-68 References: 1: CDPSE Review Manual (Digital Version)

Cloud vendor agreements are the best way to ensure an organization’s data retention requirements will be met in the public cloud environment because they define the roles, responsibilities and obligations of both parties regarding the collection, storage, processing and disposal of data in the cloud. They also specify the terms and conditions for data protection, security, privacy, compliance and auditability12. Data classification schemes, automated data deletion schedules and service level agreements (SLAs) are useful tools to manage and monitor data retention, but they do not guarantee that the cloud vendor will adhere to the organization’s data retention requirements or that they will be enforceable in case of disputes.

Storing tokens of PII directly in database fields undermines the security of tokenization and risks re-identification, making it the most concerning issue. Shared drives (A) and lack of labels (B) are governance gaps, and limited third-party access (C) can be controlled contractually, but token misuse (D) poses direct privacy risk.

“Improper token storage can compromise de-identification, reintroducing privacy risk.”

However, the risks associated with long-term retention have compelled organizations to consider alternatives; one is data archival, the process of preparing data for long-term storage. When organizations are bound by specific laws to retain data for many years, archival provides a viable opportunity to remove data from online transaction systems to other systems or media.

Data archiving is the process of moving data that is no longer actively used to a separate storage device for long-term retention. Data archiving helps to reduce the cost and complexity of data storage, improve the performance and availability of data systems, and comply with data retention policies and regulations. Data archiving should document controls relating to periods of retention for personal data, such as the criteria for determining the retention period, the procedures for deleting or anonymizing data after the retention period expires, and the mechanisms for ensuring the integrity and security of archived data. References: : CDPSE Review Manual (Digital Version), page 123