매달, 우리는 1000명 이상의 사람들이 시험 준비를 잘하고 시험을 잘 통과할 수 있도록 도와줍니다.
Certified Data Privacy Solutions Engineer 온라인 연습
최종 업데이트 시간: 2025년10월03일
당신은 온라인 연습 문제를 통해 ISACA CDPSE 시험지식에 대해 자신이 어떻게 알고 있는지 파악한 후 시험 참가 신청 여부를 결정할 수 있다.
시험을 100% 합격하고 시험 준비 시간을 35% 절약하기를 바라며 CDPSE 덤프 (최신 실제 시험 문제)를 사용 선택하여 현재 최신 120개의 시험 문제와 답을 포함하십시오.
정답:
Explanation:
The primary reason to complete a privacy impact assessment (PIA) is to understand privacy risks associated with the collection, use, disclosure or retention of personal data. A PIA is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves personal data processing activities. A PIA helps to ensure that privacy risks are identified and mitigated before the implementation is executed. A PIA also helps to ensure compliance with privacy principles, laws and regulations, and alignment with customer expectations and preferences. The other options are not primary reasons to complete a PIA. To comply with consumer regulatory requirements may be a reason to complete a PIA, but it is not the primary reason, as consumer regulatory requirements may vary depending on the context and jurisdiction. To establish privacy breach response procedures may be an outcome of completing a PIA, but it is not the primary reason, as privacy breach response procedures are only one aspect of mitigating privacy risks. To classify personal data may be an activity that is part of completing a PIA, but it is not the primary reason, as personal data classification is only one aspect of understanding privacy risks1, p. 67
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Domain name system (DNS) sinkhole is a technology that redirects malicious or unwanted domain names to alternative destinations, such as a fake or harmless website, a warning page, or a null address. DNS sinkhole is the most effective technology deployed at an enterprise level to block malicious tracking of user internet browsing, as it would prevent users from accessing websites that use tracking technologies, such as cookies, web beacons, or fingerprinting, to collect and analyze user behavior or preferences. DNS sinkhole would also protect users from other malicious activities, such as malware distribution, phishing attempts, or botnet command and control. The other options are not as effective as DNS sinkhole in blocking malicious tracking of user internet browsing at an enterprise level. Web application firewall (WAF) is a technology that monitors and filters incoming and outgoing web traffic to protect web applications from attacks, such as cross-site scripting (XSS), SQL injection, or denial-of-service (DoS), but it does not block malicious tracking of user internet browsing. Website URL blacklisting is a method of blocking access to websites that are known or suspected to be malicious or harmful, but it does not block malicious tracking of user internet browsing from unknown or legitimate websites that use tracking technologies. Desktop antivirus software is a technology that scans and removes viruses, malware, spyware, or other threats from desktop computers or devices, but it does not block malicious tracking of user internet browsing from websites that use tracking technologies1, p. 92
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Reference: https://www.imperva.com/learn/data-security/role-based-access-control-rbac/ Role-based access control is a method of managing different IT staff access permissions for personal data within an organization by assigning roles to users based on their job functions and responsibilities, and granting access rights to roles based on the principle of least privilege and need to know. Role-based access control is the best way to manage different IT staff access permissions for personal data within an organization, as it would help to protect the confidentiality, integrity and availability of the personal data, and also comply with the privacy principles, laws and regulations.
Role-based access control would also simplify the administration and maintenance of access permissions, as it would reduce the complexity and redundancy of managing individual user accounts. The other options are not as effective as role-based access control in managing different IT staff access permissions for personal data within an organization. Mandatory access control is a method of managing access permissions for data or resources based on predefined security labels or classifications, such as confidential, secret or top secret, but it does not consider the job functions or responsibilities of the users. Network segmentation is a method of dividing a network into separate segments or zones with different levels of access and control, based on the sensitivity and value of the data or resources, but it does not consider the job functions or responsibilities of the users. Dedicated access system is a method of providing access to data or resources through a separate system or device that is isolated from other systems or networks, but it does not consider the job functions or responsibilities of the users1, p. 91-92
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Data masking is the process of hiding original data with modified content to protect sensitive data from unauthorized access or disclosure. Data masking is often used for testing purposes in non-production environments, where personal data is not needed or allowed. However, data masking can pose several challenges, especially for a global financial institution that has multiple interconnected systems and applications. One of the greatest challenges is to preserve the complex relationships within and across systems while masking the data. This means that the masked data must maintain the same format, referential integrity, semantic integrity, and uniqueness as the original data, so that the testing results are valid and reliable. For example, if a customer’s name is masked in one system, it must be masked consistently in all other systems that reference it. If a transaction amount is masked in one system, it must not violate any business rules or constraints in another system. If a credit card number is masked in one system, it must still be a valid credit card number in another system. Preserving these complex relationships can be challenging because it requires a thorough understanding of the data model, the business logic, and the dependencies among systems. It also requires a robust and flexible data masking tool that can handle different types of data and platforms.
정답:
Explanation:
Reference: https://cprosenjit.medium.com/masking-sensitive-data-in-azure-data-lake-dd47b02b9098
Data masking is a technique that replaces sensitive or confidential data with realistic but fictitious data, such as random characters or numbers, to prevent unauthorized access or disclosure of the original data. Data masking is the best way to hide sensitive personal data that is in use in a data lake, as it would protect the privacy of the data subjects by reducing the linkability of the data set with their original identity, and also comply with the data minimization principle that requires limiting the collection, storage and processing of personal data to what is necessary and relevant for the intended purposes. Data masking would also preserve some characteristics or patterns of the original data that can be used for analysis or research purposes, without compromising the accuracy or quality of the results. The other options are not as effective as data masking in hiding sensitive personal data that is in use in a data lake. Data truncation is a technique that removes some portions of data from a document or file, such as digits from a credit card number or characters from an email address, to prevent unauthorized access or disclosure of the original data, but it may affect the accuracy or quality of the analysis or research results, as some characteristics or patterns of the original data may be lost or distorted. Data encryption is a technique that transforms plain text data into cipher text using an algorithm and a key, making it unreadable by unauthorized parties, but it does not reduce the linkability of the data set with the original identity of the data subjects and may require additional security measures to protect the encryption keys or certificates. Data minimization is a principle that requires limiting the collection, storage and processing of personal data to what is necessary and relevant for the intended purposes, but it does not address how to hide sensitive personal data that is already in use in a data lake1, p. 74-75
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Reference: https://www.cloudflare.com/ru-ru/learning/access-management/what-is-mutual-authentication/
Mutual certificate authentication is a method of verifying the identities of individuals in two-way communication by using digital certificates that are issued and signed by a trusted third party, such as a certificate authority (CA). Mutual certificate authentication ensures that both parties in the communication are who they claim to be, and that they can trust each other’s identity and credentials. Mutual certificate authentication also provides confidentiality, integrity and non-repudiation of the data exchanged between the parties, as it uses encryption, hashing and digital signatures. The other options are not as effective as mutual certificate authentication in verifying the identities of individuals in two-way communication. Virtual private network (VPN) is a technology that creates a secure and encrypted connection between two parties over a public network, such as the internet, but it does not verify the identities of the parties, only their locations. Transport Layer Security (TLS) is a cryptographic protocol that provides end-to-end communication security between two parties over a network, such as the internet, but it does not verify the identities of the parties, only their servers. Secure Shell (SSH) is a network protocol that provides secure and encrypted remote access to a system or server, but it does not verify the identities of the parties, only their usernames and passwords1, p. 90-91
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Irreversible disposal is a process of removing or destroying data from a storage device or media to prevent unauthorized access or recovery of the data. Irreversible disposal is the most important thing to establish within a data storage policy to protect data privacy, as it reflects the principles of data minimization and storage limitation, which require limiting the collection, storage and processing of personal data to what is necessary and relevant for the intended purposes, and deleting or disposing of personal data when it is no longer needed or justified. Irreversible disposal also helps to reduce the privacy risks and costs associated with data storage and retention, such as data breaches, unauthorized access, misuse or loss of data. The other options are not as important as irreversible disposal in protecting data privacy within a data storage policy. Data redaction is a technique that removes or obscures sensitive or confidential information from a document or file, but it does not address the issue of data retention or deletion. Data quality assurance (QA) is a process of ensuring that the data meets the standards and specifications of accuracy, completeness, consistency and reliability, but it does not address the issue of data retention or deletion. Collection limitation is a principle that requires limiting the collection of personal data to what is necessary and relevant for the intended purposes, but it does not address the issue of data retention or deletion1, p. 75-76
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
A retention schedule is a document that specifies how long different types of records or data should be kept and when they should be deleted or disposed of, based on legal, regulatory, operational or historical requirements. A retention schedule is the best indication of an effective records management program for personal data, as it reflects the principles of data minimization and storage limitation, which require limiting the collection, storage and processing of personal data to what is necessary and relevant for the intended purposes, and deleting or disposing of personal data when it is no longer needed or justified. A retention schedule also helps to reduce the privacy risks and costs associated with data storage and retention, such as data breaches, unauthorized access, misuse or loss of data. The other options are not as indicative of an effective records management program for personal data as a retention schedule. Archived data is used for future analytics may indicate that the organization is leveraging its data assets for business intelligence or research purposes, but it may not comply with the principles of data minimization and storage limitation, or the privacy rights and preferences of the data subjects. The legal department has approved the retention policy may indicate that the organization has obtained legal advice or guidance on its records management program for personal data, but it may not reflect the actual implementation or execution of the retention policy. All sensitive data has been tagged may indicate that the organization has implemented a data classification scheme for its records or data, but it may not indicate how long the records or data should be kept or when they should be deleted or disposed of1, p. 99-100
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Reference: https://www.sciencedirect.com/topics/computer-science/network-sniffer
Transport layer encryption is the most effective way to protect against the use of a network sniffer, because it encrypts the data packets that are transmitted over a network, making them unreadable and useless for anyone who intercepts them. Transport layer encryption can be implemented using protocols such as Secure Sockets Layer (SSL), Transport Layer Security (TLS), or Secure Shell (SSH), which provide end-to-end encryption and authentication between the sender and the receiver of the data. By using transport layer encryption, the data can only be decrypted by the intended recipient, who has the proper key or certificate to do so. Therefore, even if a network sniffer captures the data packets, they cannot access or modify the sensitive information contained in them.
Reference: What is Packet Sniffing Attack in Network Sniffing?, EC-Council
Packet Sniffing Meaning, Methods, Examples and Best Practices, Spiceworks What is a packet sniffing attack? + how to prevent it, Norton
정답:
Explanation:
User behavior analytics is a technology that uses data analysis and machine learning to monitor, detect and respond to anomalous or malicious user activities, such as accessing sensitive personal customer information to use for unauthorized purposes. User behavior analytics is the best choice to mitigate this risk, as it would help to identify and prevent insider threats, data breaches, fraud or misuse of data by authorized individuals. User behavior analytics can also help to enforce policies and controls, such as access control, audit trail or data loss prevention. The other options are not as effective as user behavior analytics in mitigating this risk. Email filtering system is a technology that scans and blocks incoming or outgoing emails that contain spam, malware or phishing attempts, but it does not address the issue of authorized individuals accessing sensitive personal customer information to use for unauthorized purposes. Intrusion monitoring is a technology that monitors and alerts on unauthorized or malicious attempts to access a system or network, but it does not address the issue of authorized individuals accessing sensitive personal customer information to use for unauthorized purposes. Mobile device management (MDM) is a technology that manages and secures mobile devices that are used to access or store organizational data, but it does not address the issue of authorized individuals accessing sensitive personal customer information to use for unauthorized purposes1, p. 92
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
National data privacy legislative and regulatory requirements in each relevant jurisdiction are the most important data protection consideration for a global organization that is planning to implement a customer relationship management (CRM) system to be used in offices based in multiple countries, as they would determine the legal obligations and responsibilities of the organization with respect to the collection, use, disclosure and transfer of customer personal data across different jurisdictions. National data privacy legislative and regulatory requirements may vary significantly from country to country, depending on the type or nature of personal data or data processing activities, and may impose different rules and standards for obtaining consent, providing notice, ensuring security, enforcing rights, reporting breaches, appointing representatives or transferring data. The organization would need to comply with the national data privacy legislative and regulatory requirements in each relevant jurisdiction where it operates or where its customers are located, and to implement appropriate measures and safeguards to ensure compliance. The other options are not as important as national data privacy legislative and regulatory requirements in each relevant jurisdiction as data protection considerations for a global organization that is planning to implement a CRM system to be used in offices based in multiple countries. Industry best practice related to information security standards in each relevant jurisdiction may provide some guidance or benchmarks for ensuring security of customer personal data, but they may not reflect the specific context or needs of the organization or the customers, or comply with the legal obligations and responsibilities of the organization. Identity and access management mechanisms to restrict access based on need to know may help to protect customer personal data from unauthorized access, modification or disclosure by internal or external parties, but they may not address other aspects of data protection, such as consent, notice, rights, breaches, representatives or transfers. Encryption algorithms for securing customer personal data at rest and in transit may help to protect customer personal data from unauthorized access, modification or disclosure by internal or external parties, but they may not address other aspects of data protection, such as consent, notice, rights, breaches, representatives or transfers1, p. 63-64
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Reference: https://en.wikipedia.org/wiki/Right_to_be_forgotten
The right to be forgotten is a privacy right that allows individuals to request the deletion or removal of their personal data from a data controller’s records or systems under certain conditions. The right to be forgotten is an important consideration that allows data subjects to request the deletion of their data, as it reflects the principles of data minimization and storage limitation, which require limiting the collection, storage and processing of personal data to what is necessary and relevant for the intended purposes, and deleting or disposing of personal data when it is no longer needed or justified. The right to be forgotten also empowers the data subjects to exercise control and choice over their personal data and to protect their privacy interests. The other options are not relevant to the consideration that allows data subjects to request the deletion of their data. The right to object is a privacy right that allows individuals to oppose the processing of their personal data based on their particular situation or for direct marketing purposes, but it does not necessarily result in the deletion or removal of their data. The right to withdraw consent is a privacy right that allows individuals to revoke their permission or agreement for the processing of their personal data for specific purposes, but it does not necessarily result in the deletion or removal of their data. The right to access is a privacy right that allows individuals to obtain a copy or confirmation of their personal data held by a data controller, but it does not necessarily result in the deletion or removal of their data1, p. 107-108
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Restricting access to authorized users is the best control to secure application programming interfaces (APIs) that may contain personal information, as it would prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries. Restricting access to authorized users can be achieved by using various methods, such as authentication, authorization, encryption, tokens or certificates. The other options are not effective controls to secure APIs that may contain personal information. Encrypting APIs with the organization’s private key is not a feasible or desirable method, as it would make the APIs unreadable by anyone who does not have the corresponding public key, which would defeat the purpose of using APIs for interoperability and integration. Requiring nondisclosure agreements (NDAs) when sharing APIs is not a reliable or enforceable method, as it would depend on the compliance and cooperation of the parties who receive the APIs, and it would not prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries who are not bound by the NDAs. Sharing only digitally signed APIs is not a sufficient method, as it would only ensure the authenticity and integrity of the APIs, but it would not prevent unauthorized access, modification or disclosure of the personal information by third parties or intermediaries who can read or intercept the APIs1, p. 90-91
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
A privacy impact assessment (PIA) is a systematic process to identify and evaluate the potential privacy impacts of a system, project, program or initiative that involves the collection, use, disclosure or retention of personal data. A PIA should be done first when planning a new implementation for tracking consumer web browser activity, as it would help to ensure that privacy risks are identified and mitigated before the implementation is executed. A PIA would also help to ensure compliance with privacy principles, laws and regulations, and alignment with consumer expectations and preferences. The other options are not as important as conducting a PIA when planning a new implementation for tracking consumer web browser activity. Seeking approval from regulatory authorities may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction. Obtaining consent from the organization’s clients may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction. Reviewing and updating the cookie policy may be required or advisable for some types of personal data or data processing activities, but it may not be necessary or sufficient for tracking consumer web browser activity, depending on the context and jurisdiction1, p. 67
Reference: 1: CDPSE Review Manual (Digital Version)
정답:
Explanation:
Reference: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/encryption/encryption-and-data-transfer/
Transport Layer Security Protocol (TLS) is a cryptographic protocol that provides end-to-end communication security between two parties over a network, such as the internet. TLS protects the confidentiality, integrity and authenticity of the data exchanged between the parties, such as personal data, by using encryption, hashing and digital signatures. TLS is the best protocol to protect end-to-end communication of personal data, as it prevents unauthorized access, modification or tampering of the data by third parties or intermediaries. The other options are not as effective as TLS in protecting end-to-end communication of personal data. Transmission Control Protocol (TCP) is a network protocol that provides reliable and ordered delivery of data packets between two parties over a network, but it does not provide any security or encryption of the data. Secure File Transfer Protocol (SFTP) is a network protocol that provides secure and encrypted file transfer between two parties over a network, but it does not provide end-to-end communication security for other types of data or messages. Hypertext Transfer Protocol (HTTP) is a network protocol that defines how data is formatted and transmitted over the web, but it does not provide any security or encryption of the data1, p. 90-91
Reference: 1: CDPSE Review Manual (Digital Version)