nerdexam
Isaca

CDPSE · Question #182

What would be the BEST reason to include log generation in the design of a system from a privacy perspective?

The correct answer is B. Facilitate early detection of abuse or misuse of the data that a system processes.. Logging system operations related to personal data primarily serves a proactive privacy purpose by enabling early detection of unauthorized access or misuse before harm to data subjects escalates.

Privacy Architecture

Question

What would be the BEST reason to include log generation in the design of a system from a privacy perspective?

Options

  • AAllow to save the evidence of all operations carried out with the system.
  • BFacilitate early detection of abuse or misuse of the data that a system processes.
  • CFacilitate the recovery of information in case of system damage.
  • DInvestigate fraud after it has occurred.

How the community answered

(28 responses)
  • A
    18% (5)
  • B
    71% (20)
  • C
    4% (1)
  • D
    7% (2)

Why each option

Logging system operations related to personal data primarily serves a proactive privacy purpose by enabling early detection of unauthorized access or misuse before harm to data subjects escalates.

AAllow to save the evidence of all operations carried out with the system.

Saving evidence of all operations is a forensic and audit goal, which is reactive rather than the best privacy-oriented reason for including log generation in system design.

BFacilitate early detection of abuse or misuse of the data that a system processes.Correct

From a privacy-by-design perspective, logs allow organizations to detect anomalous access patterns, unauthorized queries, or data exfiltration attempts in near real-time, enabling timely intervention. This proactive detection capability directly protects data subjects and is the most privacy-centric justification for building logging into a system's design.

CFacilitate the recovery of information in case of system damage.

Facilitating recovery of information in case of system damage is a business continuity and availability concern, not a privacy rationale.

DInvestigate fraud after it has occurred.

Investigating fraud after it has occurred is a reactive security measure and does not represent the best privacy-oriented justification for proactive log generation.

Concept tested: Privacy by design - logging for proactive data misuse detection

Source: https://www.enisa.europa.eu/publications/privacy-and-data-protection-by-design

Topics

#Logging#Privacy Monitoring#System Design#Data Misuse Detection

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice