CISSP PRACTICE QUESTIONS – 20190911

Effective CISSP Questions

Your company is engineering an information system to support a new business of selling toys online in the United States. The marketing department has proposed that the system retrieve the customer's profile from social media when the customer signs up, to ease and accelerate the registration process. The company decides to accept domestic orders only and to reject orders from EU citizens in order to avoid legal and regulatory risk. As a security professional, you are aware that the privacy issue should be addressed. Which of the following would concern you most?
A. Principal’s Consent
B. Use, retention and disclosure limitation
C. Legal and regulatory requirements
D. Accountability

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is C. Legal and regulatory requirements.

Privacy Principles

ISO/IEC 29100:2011

ISO/IEC 29100:2011 provides a privacy framework which

  • specifies a common privacy terminology;
  • defines the actors and their roles in processing personally identifiable information (PII);
  • describes privacy safeguarding considerations; and
  • provides references to known privacy principles for information technology.

ISO/IEC 29100:2011 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

Source: ISO/IEC 29100:2011 Information technology — Security techniques — Privacy framework

OECD

For several decades the OECD has been playing an important role in promoting respect for privacy as a fundamental value and a condition for the free flow of personal data across borders. The Guidelines on the Protection of Privacy and Transborder Flows of Personal Data constitute the first update of the original 1980 version that served as the first internationally agreed upon set of privacy principles.

Source: OECD Privacy Guidelines

Summary

  • Options A, B, and D are ISO/IEC 29100 privacy principles, which are guidance rather than mandatory or binding requirements.
  • Legal and regulatory requirements, however, are binding on the organization, so they are the primary concern.
