CDPSE · Question #220
When configuring information systems for the communication and transport of personal data, an organization should:
The correct answer is B. review configuration settings for compliance.. Reviewing configuration settings for compliance (B) is correct because organizations handling personal data must actively verify that system settings align with applicable privacy regulations (e.g., GDPR, HIPAA) and security standards - default or permissive configurations freque
Question
When configuring information systems for the communication and transport of personal data, an organization should:
Options
- Aadopt the default vendor specifications.
- Breview configuration settings for compliance.
- Cimplement the least restrictive mode.
- Denable essential capabilities only.
How the community answered
(22 responses)- A18% (4)
- B68% (15)
- C5% (1)
- D9% (2)
Explanation
Reviewing configuration settings for compliance (B) is correct because organizations handling personal data must actively verify that system settings align with applicable privacy regulations (e.g., GDPR, HIPAA) and security standards - default or permissive configurations frequently expose data to unnecessary risk.
Why the distractors fail:
- A is wrong because vendor defaults are designed for broad usability, not regulatory compliance; they often leave unnecessary features enabled and security controls loosened.
- C is the opposite of sound data protection practice - least restrictive means maximum exposure, violating the principle of least privilege.
- D sounds close but is subtly wrong: "essential capabilities only" describes a hardening approach (like disabling unused features), but the question asks what an organization should do when configuring systems - the primary obligation is compliance review, not just capability reduction.
Memory tip: Think "configure = comply." Any time personal data moves through a system, your first obligation is to measure the configuration against a compliance standard - not to trust defaults, not to open access, and not to simply strip features without verifying against requirements.
Topics
Community Discussion
No community discussion yet for this question.