All of the following are factors in determining whether an organization can craft a common solution to the privacy requirements of multiple jurisdictions EXCEPT:

A. Effective date of most restrictive law.

B. Implementation complexity.

C. Legal regulations.

D. Expense considerations.

Effective date of most restrictive law.



Under the FCRA, if inaccurate information is discovered in a consumer's file, what is the usual time period in which the credit reporting agency must examine the disputed information?

A. In a timely manner.

B. Within 30 days of notification.

C. Within 45 days of notification.

D. Within 60 days of notification.

Within 30 days of notification.



Which of the following is NOT a good reason to perform a privacy audit on a supplier?

A. The vendor management team is validating the supplier as part of a regular onboarding process.

B. The finance team has concerns that their supplier is inflating their pass-through expense costs.

C. The legal team received notification of a personal data breach caused by the supplier.

D. The IT team received a notice that the supplier is changing their cloud-storage subprocessors.

The finance team has concerns that their supplier is inflating their pass-through expense costs.



A healthcare organization began integrating the concept of privacy into all facets of their organization, to include targeted and specialized training for handling of sensitive information, along with the adoption within the conceptual and design phases of new business processes, IT systems, contractual agreements, devices and policies. What is this concept of applying privacy solutions into early phases of development known as?

A. Pseudonymization.

B. Data minimization.

C. Privacy by design.

D. Security by design.

Privacy by design.



An example of media sanitization would be:

A. Installing a password on a laptop and requiring password to be changed on a scheduled basis.

B. Restricting employees' thumb drive access to locked drives provided by the organization.

C. Performing a manufacturer's reset to restore an office printer to its factory default settings.

D. Implementing a blocker to limit the ability of connected devices to access specific online sites.

Implementing a blocker to limit the ability of connected devices to access specific online sites.



What role would data loss prevention software have in a privacy program?

A. Prevention of all data breaches caused through human error by employees.

B. Protection from an external hacker trying to infiltrate an organization's networks.

C. Training for staff on data governance and proper data classification procedures.

D. Monitoring of certain types of personal data disclosures to outside entities.

Monitoring of certain types of personal data disclosures to outside entities.



When should stakeholders be identified in the development of a privacy framework?

A. After the privacy team has established its agenda.

B. After the data inventory is complete.

C. During the business case development process.

D. During the review of written policies.

During the business case development process.



Which of the following is NOT one of the four principles an organization should consider when aligning information privacy and information security technologies?

A. Prioritize the expense of the technology and supplement any shortfalls with alternate programs (Cost-based priority).

B. Ensure privacy, information security and development teams work together to evaluate controls (Teaming).

C. Ensure security risks are part of the privacy risk framework to include correctly implemented controls (Stay aware).

D. Prioritize risks and allocate resources accordingly so higher risk concerns are addressed first (Rank and prioritize).

Prioritize the expense of the technology and supplement any shortfalls with alternate programs (Cost-based priority).



Access to an organization's information systems should be tied to an employee's role and, therefore, determined by basic security principles for role-based access controls (RBAC).

Which of the following contains the correct role-based access controls principles?

A. Least privilege, segregation of duties, need-to-know access.

B. Right-to-access, need-to-know access, segregation of duties.

C. Functional role access, segregation of duties, least privilege.

D. Segregation of duties, need-to-know access, access privilege.

Least privilege, segregation of duties, need-to-know access.



Where should an organization's procedures for resolving consumer complaints about privacy protection be found?

A. In the emergency response plan.

B. In memoranda from the CEO.

C. In written policies regarding privacy.

D. In the minutes of organizational board meetings.

In written policies regarding privacy.

