nerdexam
Isaca

CDPSE · Question #388

An assessment of an organization's cloud infrastructure has determined that for some services, the metadata of some transactions is transmitted through different jurisdictions. Which of the following

The correct answer is D. Assess the risk associated with the metadata being transmitted.. When cross-jurisdictional metadata transmission is discovered, the organization must first assess the associated risk before taking any corrective or escalation actions.

Data Life Cycle

Question

An assessment of an organization's cloud infrastructure has determined that for some services, the metadata of some transactions is transmitted through different jurisdictions. Which of the following should be done FIRST?

Options

  • AAssess the mitigating controls in place to protect metadata.
  • BInvoke the privacy incident response plan.
  • CReview the organization's risk appetite and tolerance.
  • DAssess the risk associated with the metadata being transmitted.

How the community answered

(48 responses)
  • A
    4% (2)
  • B
    8% (4)
  • C
    4% (2)
  • D
    83% (40)

Why each option

When cross-jurisdictional metadata transmission is discovered, the organization must first assess the associated risk before taking any corrective or escalation actions.

AAssess the mitigating controls in place to protect metadata.

Assessing mitigating controls is a step that occurs after the risk itself has been identified and quantified, as controls must be evaluated against a known risk level.

BInvoke the privacy incident response plan.

Invoking the incident response plan is premature without first confirming through a risk assessment that a privacy incident or regulatory violation has actually occurred.

CReview the organization's risk appetite and tolerance.

Reviewing risk appetite and tolerance is a governance activity that follows risk assessment, as appetite can only be meaningfully compared against a quantified or qualified risk.

DAssess the risk associated with the metadata being transmitted.Correct

Risk assessment is the necessary first step because the organization cannot determine the appropriate response without understanding the nature and severity of the risk posed by cross-jurisdictional metadata transmission. The assessment determines whether applicable data protection laws in the involved jurisdictions restrict such transfers, what the potential harm to data subjects is, and what mitigating factors exist. All subsequent actions - including reviewing controls, notifying authorities, or invoking incident response - depend on the findings of this initial risk assessment.

Concept tested: Risk assessment priority before action on data transfer discovery

Source: https://www.edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en

Topics

#Privacy Risk Assessment#Cross-border Data Transfers#Cloud Privacy#Metadata Protection

Community Discussion

No community discussion yet for this question.

Full CDPSE Practice