Pass4Future also provides interactive practice exam software for preparing effectively for the ISACA Certified Data Privacy Solutions Engineer (CDPSE) Exam. You are welcome to explore the free sample ISACA CDPSE Exam questions below and to try the ISACA CDPSE Exam practice test software.
An IT privacy practitioner wants to test an application in pre-production that will be processing sensitive personal data. Which of the following testing methods is BEST used to identify and review the application's runtime modules?
Answer : B
The best testing method to identify and review the application's runtime modules is dynamic application security testing (DAST). DAST is a testing technique that analyzes the application's behavior and functionality during its execution. DAST can detect security and privacy vulnerabilities that are not visible in the source code, such as injection attacks, cross-site scripting, broken authentication, sensitive data exposure, or improper error handling. DAST can also simulate real-world attacks and test the application's response and resilience. DAST can provide a comprehensive and realistic assessment of the application's security and privacy posture in the pre-production environment.
Reference:
[ISACA Glossary of Terms]
[OWASP Top 10 Web Application Security Risks]
[ISACA CDPSE Review Manual, Chapter 2, Section 2.4.2]
[ISACA Journal, Volume 6, 2018, "Dynamic Application Security Testing"]
Which encryption method encrypts and decrypts data using two separate yet mathematically connected cryptographic keys?
Answer : C
Asymmetric encryption, also known as public-key encryption, encrypts and decrypts data using two separate yet mathematically connected cryptographic keys. One key is called the public key and can be shared with anyone, while the other key is called the private key and must be kept secret. The public key is used to encrypt the data, and only the corresponding private key can decrypt it. Likewise, the private key can be used to sign the data, and only the corresponding public key can verify it. This method provides confidentiality, integrity, authentication and non-repudiation for data.
Which of the following outputs of a privacy audit is MOST likely to trigger remedial action?
Answer : A
A privacy audit is a systematic and independent examination of an organization's privacy policies, procedures, practices, and controls to assess their compliance with applicable laws, regulations, standards, and best practices. A privacy audit may result in various outputs, such as findings, recommendations, observations, or opinions. Among the options given, the output that is most likely to trigger remedial action is the identification of deficiencies in how personal data is shared with third parties. This is because such deficiencies may pose significant risks to the privacy and security of the data subjects, as well as to the reputation and legal liability of the organization. Remedial action may include implementing contractual safeguards, technical measures, or organizational changes to ensure that third parties respect and protect the personal data they receive from the organization.
Which of the following is the BEST control to prevent the exposure of personal information when redeploying laptops within an organization?
Answer : D
Performing a full wipe and reimage of the laptops is the best control to prevent the exposure of personal information when redeploying laptops within an organization. This is because a full wipe and reimage ensures that all data, including personal information, is securely erased from the laptops and replaced with a fresh installation of the operating system and applications. This reduces the risk of data leakage, unauthorized access, or data recovery by malicious actors or unauthorized users. The other options are not as effective or sufficient as a full wipe and reimage, as they do not guarantee the complete removal of personal information from the laptops.
Critical data elements should be mapped to which of the following?
Answer : A
Critical data elements are the data elements that are essential for the organization to achieve its business objectives, comply with legal and regulatory requirements, and protect the privacy and security of the data subjects. Critical data elements should be mapped to the data process flow, which is a graphical representation of how data is collected, processed, stored, shared, and disposed of within the organization. Mapping critical data elements to the data process flow helps to identify the sources, destinations, transformations, and dependencies of the data, as well as the potential risks and controls associated with each step of the data lifecycle.