Question 1

Information classification of personal information may trigger specific regulatory obligations. Which statement is the BEST response from a privacy perspective:

Options :

A : Personally identifiable financial information includes only consumer report information

B : Public personal information includes only web or online identifiers

C :

Personally identifiable information and personal data are similar in context, but may have different legal definitions based upon jurisdiction

D :

Personally Identifiable Information and Protected Healthcare Information require the exact same data protection safequards

Answer: C

Question 2

Which factor is MOST important when scoping assessments of cloud-based third parties that access, process, and retain personal data?

Options :

A :

The geographic location of the vendor-s outsourced datacenters since assessments are only required for international data transfers

B :

The identification of the type of cloud hosting deployment or service model in order to confirm responsibilities between the third party and the cloud hosting provider

C :

The definition of requirements for backup capabilities for power generation and redundancy in the resilience plan

D :

The contract terms for the configuration of the environment which may prevent conducting the assessment

Answer: B

Question 3

When defining due diligence requirements for the set of vendors that host web applications which of the

following is typically NOT part of evaluating the vendor's patch

management controls?

Options :

A : The capability of the vendor to apply priority patching of high-risk systems

B : Established procedures for testing of patches, service packs, and hot fixes prior to installation

C : A documented process to gain approvals for use of open source applications

D : The existence of a formal process for evaluation and prioritization of known vulnerabilities

Answer: C

Question 4

Which statement is FALSE regarding the primary factors in determining vendor risk classification?

Options :

A : The geographic area where the vendor is located may trigger specific regulatory obligations

B : The importance to the outsourcer-s recovery objectives may trigger a higher risk tier

C :

The type and volume of personal data processed may trigger a higher risk rating based on the criticality of the systems

D :

Network connectivity or remote access may trigger a higher vendor risk classification only for third parties that process personal information

Answer: D

Question 5

Which statement BEST reflects the factors that help you determine the frequency of cyclical assessments?

Options :

A :

Vendor assessments should be conducted during onboarding and then be replaced by continuous monitoring

B :

Vendor assessment frequency should be based on the level of risk and criticality of the vendor to your operations as determined by their vendor risk score

C : Vendor assessments should be scheduled based on the type of services/products provided

D : Vendor assessment frequency may need to be changed if the vendor has disclosed a data breach

Answer: B