Effective CISSP Questions

You work for a nationwide telecommunications company subject to GDPR. Customers often exercise their right to data portability to request their subscriptions to be transferred from one telco to another. Which of the following is the best measure to support the transfer request? (Wentz QOTD)
A. Build lock-in mechanisms
B. Implement an opt-in regime
C. Enforce the acceptable use policy
D. Standardize data representation through XML

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. Standardize data representation through XML.

Data portability means the free transfer of data between systems, that can be facilitated by common technical standards. XML is a rigid and commonly used standard for data exchange. A group of European Telecoms has collaborated to define a common data portability standard to improve users’ ability to port their personal data as required under General Data Protection Regulation (GDPR), which came into effect in May 2018.

  • Data portability is a solution to the vendor lock-in problem. “In economics, vendor lock-in, also known as proprietary lock-in or customer lock-in, makes a customer dependent on a vendor for products and services, unable to use another vendor without substantial switching costs.” (Wikipedia)
  • The opt-in or opt-out regime is used to acquire the data subject’s consent to personal data processing. However, GDPR allows explicit opt-in consent only.
  • Acceptable use policies are an integral part of the framework of information security policies; it is often common practice to ask new members of an organization to sign an AUP before they are given access to its information systems.” (Wikipedia)

Data Portability

Data portability is a concept to protect users from having their data stored in “silos” or “walled gardens” that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in and making the creation of data backups difficult.

Data portability requires common technical standards to facilitate the transfer from one data controller to another, such as the ability to export user data into a user-accessible local file, thus promoting interoperability, as well as facilitate searchability with sophisticated tools such as grep.

Data portability applies to personal data. It involves access to the personal data without implying data ownership per se.

Source: Wikipedia


Extensible Markup Language (XML) is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. The World Wide Web Consortium’s XML 1.0 Specification of 1998 and several other related specifications—all of them free open standards—define XML.

The design goals of XML emphasize simplicity, generality, and usability across the Internet. It is a textual data format with strong support via Unicode for different human languages. Although the design of XML focuses on documents, the language is widely used for the representation of arbitrary data structures such as those used in web services.

Source: Wikipedia



My new book, The Effective CISSP: Security and Risk Management, helps CISSP aspirants build a solid conceptual security model. It is not only a tutorial for information security but also a study guide for the CISSP exam and an informative reference for security professionals.

您在一家受GDPR規範的全國性電信公司工作。客戶經常行使其數據可移植性(right to data portability)的權利,以請求將其租用的服務從一家電信公司轉移到另一家。以下哪項是支持這個轉移請求的最佳措施?
A. 建立鎖定(lock-in)機制
B. 實行選擇加入(opt-in)制度
C. 執行可接受的使用政策(AUP)
D. 通過XML來標準化數據呈現

Leave a Reply