Between November 30th and December 2nd, 2013, cybercriminals successfully infected the credit card payment systems and bypassed security controls of a United States-based retailer with malware that exfiltrated 40 million credit card numbers. Six months prior, the retailer had malware detection software installed to prevent against such an attack.
Which of the following would best explain why the retailer's consumer data was still exfiltrated?
A. The detection software alerted the retailer's security operations center per protocol, but the information security personnel failed to act upon the alerts.
B. The U.S Department of Justice informed the retailer of the security breach on Dec. 12th, but the retailer took three days to confirm the breach and eradicate the malware.
C. The IT systems and security measures utilized by the retailer's third-party vendors were in compliance with industry standards, but their credentials were stolen by black hat hackers who then entered the retailer's system.
D. The retailer's network that transferred personal data and customer payments was separate from the rest of the corporate network, but the malware code was disguised with the name of software that is supposed to protect this information.
What risk is mitigated when routing video traffic through a company's application servers, rather than sending the video traffic directly from one user to another?
A. The user is protected against phishing attacks.
B. The user's identity is protected from the other user.
C. The user's approximate physical location is hidden from the other user.
D. The user is assured that stronger authentication methods have been used.
Which of the following is a privacy consideration for NOT sending large-scale SPAM type emails to a database of email addresses?
A. Poor user experience.
B. Emails are unsolicited.
C. Data breach notification.
D. Reduction in email deliverability score.
In order to prevent others from identifying an individual within a data set, privacy engineers use a cryptographically-secure hashing algorithm. Use of hashes in this way illustrates the privacy tactic known as what?
A. Isolation.
B. Obfuscation.
C. Perturbation.
D. Stripping.
What is the main issue pertaining to data protection with the use of 'deep fakes'?
A. Misinformation.
B. Non-conformity with the accuracy principle.
C. Issues with establishing non-repudiation.
D. Issues with confidentiality of the information.
Which technique is most likely to facilitate the deletion of every instance of data associated with a deleted user account from every data store held by an organization?
A. Auditing the code which deletes user accounts.
B. Building a standardized and documented retention program for user data deletion.
C. Monitoring each data store for presence of data associated with the deleted user account.
D. Training engineering teams on the importance of deleting user accounts their associated data from all data stores when requested.
An organization must terminate their cloud vendor agreement immediately. What is the most secure way to make the encrypted data stored inaccessible?
A. Extract a copy of the data into a protected environment before requesting deletion.
B. Replace Personally Identifiable Information (PII) with tokenized data.
C. Obtain a destruction certificate from the cloud vendor.
D. Destroy all encryption keys associated with the data.
A jurisdiction requiring an organization to place a link on the website that allows a consumer to opt-out of sharing is an example of what type of requirement?
A. Functional
B. Procedural
C. Operational
D. Technical
An organization has changed its policies to allow its employees to work remotely. However, it is concerned about employees working and processing personal data in jurisdictions outside of its own. Which of the following would allow the organization to mitigate the risk?
A. Geofencing
B. l-diversity
C. Pseudonymization
D. Multi-Factor Authentication
When deploying a consumer gadget that incorporates speech recognition, where is the speech generally best processed, from a privacy by design perspective?
A. Within the subject's jurisdiction
B. On the remote server
C. On the local device
D. In the cloud