Your company collects and processes consumer information for business purposes and shall comply with laws and regulations that require it to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. If a disposal company will be employed, which of the following least likely belongs to your company’s due diligence? (Wentz QOTD)
A. Review an independent audit of the disposal company’s operations.
B. Review and evaluate the disposal company’s information security policies.
C. Enter into and monitor compliance with a contract with the disposal company.
D. Require that the disposal company be certified by a recognized trade association.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Enter into and monitor compliance with a contract with the disposal company.
Entering into and monitoring compliance with a contract with the disposal company implies that the “investigation,” or due diligence, has already been completed. If the investigation were still in progress, the contract would not be signed, and monitoring compliance would not happen.
When it comes to due diligence and due care, it’s common for CISSP aspirants to use mnemonics like DD for “Do Detect” and DC for “Do Correct.” Due Diligence (DD) is more specific than Due Care (DC) because DD has explicit “standards,” while DC is implicit and relies on a judge’s inner conviction per the prudent man rule.
“Investigation” is a generally accepted “standard” of DD across industries. Some laws or regulations may define the standard of DD in certain subject domains. For example, the US regulation, 16 CFR § 682.3, defines the DD standard for the proper disposal of consumer information.
§ 682.3 Proper disposal of consumer information.
(a) Standard. Any person who maintains or otherwise possesses consumer information for a business purpose must properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
(b) Examples. Reasonable measures to protect against unauthorized access to or use of consumer information in connection with its disposal include the following examples. These examples are illustrative only and are not exclusive or exhaustive methods for complying with the rule in this part.
(1) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer information so that the information cannot practicably be read or reconstructed.
(2) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed.
(3) After due diligence, entering into and monitoring compliance with a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer information, in a manner consistent with this rule. In this context, due diligence could include reviewing an independent audit of the disposal company’s operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.
(4) For persons or entities who maintain or otherwise possess consumer information through their provision of services directly to a person subject to this part, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer information, and disposing of such information in accordance with examples (b)(1) and (2) of this section.
(5) For persons subject to the Gramm-Leach-Bliley Act, 15 U.S.C. 6081 et seq., and the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”), incorporating the proper disposal of consumer information as required by this rule into the information security program required by the Safeguards Rule.
A BLUEPRINT FOR YOUR SUCCESS IN CISSP
My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.
- It is available on Amazon.
- Readers from countries or regions not supported by Amazon can get their copy from the author’s web site.
Your company collects and processes consumer information for business purposes and shall comply with laws and regulations that require it to take reasonable measures to properly dispose of such information, so as to protect against unauthorized access to or use of the information in connection with its disposal. If a disposal company will be employed, which of the following least likely belongs to your company’s due diligence? (Wentz QOTD)
A. Review an independent audit report of the disposal company’s day-to-day operations