nerdexam
Isaca

CDPSE · Question #220

When configuring information systems for the communication and transport of personal data, an organization should:

The correct answer is B. review configuration settings for compliance.. Reviewing configuration settings for compliance (B) is correct because organizations handling personal data must actively verify that system settings align with applicable privacy regulations (e.g., GDPR, HIPAA) and security standards - default or permissive configurations freque

Privacy Architecture

Question

When configuring information systems for the communication and transport of personal data, an organization should:

Options

  • Aadopt the default vendor specifications.
  • Breview configuration settings for compliance.
  • Cimplement the least restrictive mode.
  • Denable essential capabilities only.

How the community answered

(22 responses)
  • A
    18% (4)
  • B
    68% (15)
  • C
    5% (1)
  • D
    9% (2)

Explanation

Reviewing configuration settings for compliance (B) is correct because organizations handling personal data must actively verify that system settings align with applicable privacy regulations (e.g., GDPR, HIPAA) and security standards - default or permissive configurations frequently expose data to unnecessary risk.

Why the distractors fail:

  • A is wrong because vendor defaults are designed for broad usability, not regulatory compliance; they often leave unnecessary features enabled and security controls loosened.
  • C is the opposite of sound data protection practice - least restrictive means maximum exposure, violating the principle of least privilege.
  • D sounds close but is subtly wrong: "essential capabilities only" describes a hardening approach (like disabling unused features), but the question asks what an organization should do when configuring systems - the primary obligation is compliance review, not just capability reduction.

Memory tip: Think "configure = comply." Any time personal data moves through a system, your first obligation is to measure the configuration against a compliance standard - not to trust defaults, not to open access, and not to simply strip features without verifying against requirements.

Topics

#Data Transport Security#Configuration Compliance Review#Personal Data Protection#Privacy Controls

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice