Domain 2 Quiz: Asset Security

A FinTech Company X analyst discovers a spreadsheet containing applicants' full names, national IDs, and credit scores. The company has a four-tier classification scheme: Public, Internal, Confidential, and Restricted. Which classification BEST fits this dataset, and who is ultimately responsible for assigning that label?

• A. Internal — the IT Security team assigns labels based on sensitivity scans
• B. Confidential — the Data Custodian assigns labels when ingesting data into the DLP system
• C. Restricted — the Data Owner assigns the classification based on business impact and regulatory requirement
• D. Restricted — the Chief Privacy Officer mandates all PII be labeled by legal counsel

A government security agency classifies a document as "Secret." According to the U.S. government classification scheme, what is the correct ordering from lowest to highest classification level?

• A. Unclassified → Sensitive → Confidential → Secret → Top Secret
• B. Unclassified → Confidential → Secret → Top Secret
• C. Public → Internal → Confidential → Restricted → Top Secret
• D. Confidential → Sensitive → Secret → Top Secret → Compartmented

A fintech company publishes its quarterly earnings report on its investor relations website. Under a commercial classification policy, this information should be labeled as which of the following?

• A. Internal — only employees and regulators may read it
• B. Confidential — financial data always requires the highest protection
• C. Public — it is intentionally disclosed to all without restriction
• D. Restricted — regulatory filings carry legal sensitivity

A FinTech Company X data engineer proposes classifying all machine-learning training datasets as "Internal" to avoid administrative overhead. The training data includes anonymized borrower behavioral signals derived from Restricted PII. Which principle BEST explains why this proposal is problematic?

• A. Anonymized data cannot be re-identified, so Internal is actually too high a classification
• B. Classification must reflect the most sensitive element in a dataset, not the derived output alone
• C. ML training data should always be classified as Restricted per regulatory guidance
• D. Only the Data Custodian, not a data engineer, may propose classification changes

During a classification review, a manager asks whether the same classification label should apply to a database and a printed report derived from that database. What is the ISC² correct position?

• A. The printed report may carry a lower classification because physical documents are harder to exfiltrate at scale
• B. Classification follows the data, not the medium — both must bear the same label if they contain the same information
• C. Physical media is classified separately from digital media under a different policy framework
• D. Only the database needs classification; derived reports inherit protection from the access control list

Partner A's Vietnam operations store loan repayment histories for micro-finance customers. The legal team notes that Vietnam's Decree 13/2023 on personal data protection classifies certain financial data as "sensitive personal data." How should this regulatory designation affect Partner A's internal classification scheme?

• A. Regulatory designations are advisory only; Partner A's internal scheme takes precedence
• B. The internal classification must be at least as protective as the regulatory designation — regulatory requirements set the floor
• C. Partner A should adopt Decree 13/2023 terminology verbatim to avoid compliance gaps
• D. Financial data regulated under Decree 13/2023 is automatically classified as Top Secret under ISC² standards

A CISSP candidate is reviewing classification criteria. Which of the following is the PRIMARY criterion an organization should use when determining a classification label for a specific dataset?

• A. The storage cost of implementing controls at each classification tier
• B. The value, sensitivity, and potential damage to the organization if the data were disclosed, altered, or destroyed
• C. The number of users who need access — higher access volume justifies a lower classification
• D. The format of the data (structured vs. unstructured) because controls differ by format

FinTech Company X's eKYC Vendor team stores facial recognition templates for identity verification. A government agency requests access to these templates for law enforcement purposes. Before granting access, the Data Owner reviews the request. What classification consideration is MOST relevant?

• A. Biometric templates are always Unclassified because they are derived from public-facing interactions
• B. Biometric templates qualify as sensitive personal data under the PH DPA and likely Restricted under internal policy, restricting disclosure without legal authority
• C. Government requests automatically override internal classification and access controls
• D. The Data Custodian should make the access decision because they manage the storage system

An organization's classification policy states that data classified as "Confidential" must be encrypted at rest. A developer argues that a Confidential dataset stored on an encrypted disk partition is compliant, even though individual files are not encrypted. Is this interpretation correct?

• A. Yes — full-disk encryption satisfies file-level encryption requirements under any reasonable interpretation
• B. No — the policy specifies data-at-rest encryption; the Data Owner must clarify whether full-disk or file-level encryption satisfies the control
• C. No — only AES-256-CTR is acceptable for Confidential data under ISC² standards
• D. Yes — encryption at the partition level exceeds file-level encryption and therefore over-satisfies the policy

A financial institution uses a three-tier commercial classification: Public, Internal, and Confidential. A newly hired compliance officer proposes adding a fourth tier "Regulated" specifically for data subject to PCI-DSS and local banking regulations. What is the BEST reason to support or reject this proposal?

• A. Reject — four-tier schemes are more complex and increase misclassification risk
• B. Support — a dedicated tier for regulated data simplifies compliance mapping and makes regulatory controls explicit
• C. Reject — PCI-DSS mandates that card data must always be classified as Confidential, not in a separate tier
• D. Support — only adding tiers increases classification precision; there is no downside

A security manager receives a request to declassify a dataset that previously contained Restricted PII after the data has been anonymized. What process MUST occur before reclassification is approved?

• A. A DLP tool scan confirming no PII fields remain in the dataset
• B. A formal re-identification risk assessment reviewed and approved by the Data Owner
• C. An audit by the external privacy regulator confirming the anonymization is complete
• D. Reclassification is automatic once anonymization tools are applied — no further process is needed

In the U.S. government classification system, who has the authority to originally classify information as "Top Secret"?

• A. Any federal employee who determines the information meets the Top Secret criteria
• B. Only the President and Vice President of the United States
• C. Officials designated as Original Classification Authorities (OCAs) by the President or agency heads
• D. The Director of National Intelligence and the Secretary of Defense jointly

FinTech Company X maintains two separate data repositories: one for loan application data (Restricted) and one for marketing analytics (Internal). A data scientist wants to join these two datasets to build a churn prediction model. What classification should the resulting joined dataset receive?

• A. Internal — the marketing dataset dominates because it has more rows
• B. Restricted — the joined dataset inherits the highest classification of any source dataset
• C. Confidential — joining datasets creates a new category that is one tier below the highest
• D. The classification depends entirely on whether the join key is a PII field

A healthcare company's classification policy requires all "Sensitive" data to be labeled with a visible header/footer on printed documents. An employee prints a patient record but forgets to add the header. Who is PRIMARILY responsible for this policy violation?

• A. The IT team, for failing to configure the print system to add headers automatically
• B. The employee, for failing to follow the labeling policy when handling sensitive data
• C. The Data Custodian, for not enforcing technical controls that prevent unlabeled printing
• D. The Data Owner, for failing to communicate the policy clearly enough to users

An organization uses a mandatory access control (MAC) system where classification labels are enforced by the OS. A user with "Secret" clearance attempts to write a file containing Top Secret data to a Secret-labeled directory. What does the Bell-LaPadula model mandate in this scenario?

• A. Allow the write — the user's clearance covers Secret and the directory accepts Secret files
• B. Deny the write — writing TS data to a Secret directory would violate the "no write-down" rule
• C. Allow the write — the simple security property permits users to write at any level they can read
• D. Deny the read but allow the write — MAC only restricts reading, not writing

A fintech startup operating in the Philippines processes credit card numbers, CVVs, and expiry dates. The Chief Information Security Officer (CISO) wants to classify this data under the internal scheme. Under PCI-DSS, which elements are considered "Sensitive Authentication Data" (SAD) and may NEVER be stored after authorization, regardless of encryption?

• A. Primary Account Number (PAN), cardholder name, and expiry date
• B. CVV/CVC codes, PIN blocks, and full magnetic stripe data
• C. PAN and expiry date only — CVVs may be stored if encrypted
• D. All cardholder data must be deleted after authorization under PCI-DSS

A data governance team is designing classification criteria. Which of the following criteria would be LEAST appropriate as a primary classification driver?

• A. Regulatory obligations associated with the data type
• B. Competitive damage if the information were disclosed to a competitor
• C. The age of the data — older data is inherently less sensitive
• D. Privacy implications for individuals whose data is included

FinTech Company X's Platform B platform applies a 30-day soft-delete policy for customer records before permanent deletion. During this 30-day window, the data remains in the database flagged as "deleted." A legal hold is placed on an account on Day 25. What is the CORRECT action, and how does the classification of the data affect the hold decision?

• A. Delete the data immediately on Day 30 regardless of the legal hold — the retention schedule takes precedence
• B. Suspend the deletion process for all legal-hold records regardless of the 30-day schedule; classification does not affect the hold
• C. The legal hold overrides the retention schedule; the data's classification (Restricted, containing PII) requires additional access controls while under hold
• D. Notify the regulator and delete on Day 30 — legal holds only apply to financial records, not PII

A CISSP is reviewing a classification policy that allows business unit managers to reclassify data downward (e.g., from Confidential to Internal) without additional approval. What risk does this policy create, and what control would BEST mitigate it?

• A. No significant risk — managers closest to the data are best positioned to classify it accurately
• B. Risk of accidental downgrade; mitigate by requiring dual authorization from both the manager and the Data Steward for any downward reclassification
• C. Risk of systematic downgrade to reduce compliance burden; mitigate by requiring Data Owner approval and a documented re-identification or impact assessment for any downward reclassification
• D. Risk of regulatory breach; mitigate by prohibiting all downward reclassification permanently

A FinTech Company X security architect is mapping data flows in a microservices environment. An API endpoint receives Restricted customer PII, processes it, and returns only a tokenized ID to the calling service. The architect proposes classifying the API response (tokenized ID) as Internal. What consideration MOST threatens this classification decision?

• A. Tokens are random and cannot be linked to PII, so Internal is appropriate
• B. If the tokenization vault is compromised, the token becomes a surrogate for Restricted PII — the token's classification must reflect the de-tokenization risk
• C. API responses should always inherit the classification of the input data regardless of transformation
• D. Only the API's Data Owner can determine classification; the architect's proposal is advisory only

A FinTech Company X product manager decides that the borrower loan-application database should only be accessible to the Credit Risk and Compliance teams. The IT DBA team receives this directive and implements the access controls in the database management system. Which roles are correctly described here?

• A. Product manager = Data Custodian; DBA team = Data Owner
• B. Product manager = Data Owner; DBA team = Data Custodian
• C. Product manager = Data Steward; DBA team = Data Owner
• D. Product manager = Data User; DBA team = Data Steward

A Data Custodian at a bank notices that a critical customer database is not being backed up according to the schedule specified in the data protection policy. What is the MOST appropriate action for the Custodian to take?

• A. Independently determine a new backup schedule based on technical best practices and implement it
• B. Report the gap to the Data Owner and recommend corrective action, then implement the fix once authorized
• C. Escalate directly to the CISO and implement emergency backups without notifying the Data Owner
• D. Wait for the next scheduled audit — operational issues are outside the Custodian's scope

Under GDPR, an organization that determines the purposes and means of processing personal data is called the _____, while an organization that processes data on behalf of another entity is called the _____.

• A. Data Controller; Data Processor
• B. Data Owner; Data Custodian
• C. Data Steward; Data User
• D. Data Principal; Data Fiduciary

FinTech Company X contracts Card Processor to process card transaction data. FinTech Company X defines what data is collected and why; Card Processor only processes it according to a written agreement. Under GDPR and PH DPA frameworks, which entity bears ultimate accountability to the data subjects (cardholders) for this processing?

• A. Card Processor, because they perform the actual processing and have physical custody of transaction records
• B. FinTech Company X, as the Data Controller/Owner that determines purposes and means of processing
• C. Accountability is equally shared — both entities sign the DPA and are jointly liable
• D. The payment scheme (Visa/Mastercard), because they govern the card transaction rules

A Data Steward at a financial institution is asked to approve a data quality improvement project that will relabel 50,000 loan records with corrected income-bracket codes. What is WITHIN the Data Steward's authority to approve?

• A. Approving the reclassification of the dataset from Confidential to Internal to simplify the project
• B. Approving the data quality correction process itself, as data quality is the Steward's domain
• C. Approving a new access control policy granting the project team permanent access to the dataset
• D. Approving the deletion of all records that cannot be corrected, to maintain dataset integrity

An employee in the collections department accesses the customer loan repayment database daily to update payment statuses. In ISC² terminology, this employee's role with respect to this data is BEST described as:

• A. Data Owner — they update the data and therefore control it
• B. Data Custodian — they maintain the data on behalf of the organization
• C. Data User — they access and use the data within authorized parameters
• D. Data Steward — they ensure data quality by keeping records current

A CISSP exam scenario: The VP of Marketing owns the customer contact database. The database is hosted on servers managed by the IT Operations team. A data analyst needs read-only access to run campaign reports. Who should GRANT this access?

• A. The IT Operations team, because they manage the servers and the database
• B. The VP of Marketing (Data Owner), because access decisions are the Owner's responsibility
• C. The data analyst's direct manager, because they are accountable for the analyst's work
• D. The DBA, because they can technically provision the access quickly

A cloud provider hosts FinTech Company X's customer PII on behalf of FinTech Company X. The cloud provider's SRE team accesses the data briefly during a debugging session to resolve a production outage. In ISC² role terms, the cloud provider is acting as:

• A. Data Owner — they are in physical control of the infrastructure
• B. Data Custodian — they maintain the infrastructure under a contractual agreement
• C. Data User — they access the data to perform their job duties
• D. Data Processor — they process personal data under GDPR on behalf of FinTech Company X

A new regulation requires that all customer financial records be retained for 7 years. The Data Owner wants to shorten retention to 3 years to reduce storage costs. Who has final authority to resolve this conflict?

• A. The Data Owner, because they have ultimate authority over their data
• B. The Chief Information Officer, because storage cost is an IT budget issue
• C. Senior management or Legal/Compliance, because regulatory requirements supersede the Data Owner's discretion
• D. The Data Custodian, because they implement retention schedules and understand the technical implications

Partner E Lhuillier processes remittance data on behalf of FinTech Company X under a formal data processing agreement. Partner E's IT team accidentally deletes a batch of transaction records. Under the data processing agreement, who must Partner E notify FIRST?

• A. The National Privacy Commission (NPC) of the Philippines — regulators must be notified of any data incident
• B. The affected data subjects directly — they have a right to know their data was lost
• C. FinTech Company X as the Data Controller/Owner — the Processor notifies the Controller who then manages regulatory reporting
• D. Partner E's own legal team — internal notification precedes any external communication

A data governance framework lists the following responsibilities: "ensures data quality standards are met, maintains data dictionaries, resolves data definition disputes across business units." These responsibilities BEST describe which role?

• A. Data Owner
• B. Data Custodian
• C. Data Steward
• D. Data Protection Officer

A penetration tester is granted temporary read access to the production database to perform a security assessment. After the test, the Data Owner instructs the DBA to revoke the tester's access. The DBA delays this for three days due to a backlog. Who bears ACCOUNTABILITY for the access overstay?

• A. The penetration tester, for not voluntarily relinquishing access after the engagement ended
• B. The DBA (Custodian), for failing to implement the Owner's revocation instruction in a timely manner
• C. The Data Owner, because they are ultimately accountable for all access to their data
• D. Both the DBA and the Data Owner share equal accountability

Under GDPR, which of the following obligations falls on the Data Processor (ISC² Custodian) rather than the Data Controller (ISC² Owner)?

• A. Determining the lawful basis for processing personal data
• B. Responding to data subject access requests directly
• C. Implementing appropriate technical and organizational measures to secure processing activities
• D. Conducting Data Protection Impact Assessments (DPIAs) for high-risk processing

A CISSP is designing a data governance framework. She proposes that the Data Owner role should be assigned to the CISO because the CISO is responsible for security. A senior manager disagrees. Who is correct, and why?

• A. The CISSP is correct — the CISO's accountability for security makes them the logical Data Owner
• B. The senior manager is correct — the Data Owner should be the business manager who understands the business value and use of the data, not a security officer
• C. Both are wrong — Data Owners must be designated by the board of directors under corporate governance rules
• D. The senior manager is correct — the CISO can only be a Data Custodian because CISOs are technical roles

FinTech Company X's Partner A loan division generates operational reports from customer loan data. The report template is created by a data analyst, the underlying data is owned by the Credit Risk VP, and the reports are stored on a shared drive managed by IT. If the reports contain PII, who bears responsibility for ensuring the shared drive applies appropriate controls?

• A. The data analyst, because they created the report
• B. The Credit Risk VP (Data Owner), because the reports contain their data
• C. IT Operations (Custodian), because they manage the shared drive
• D. All three share equal responsibility under a collective ownership model

A merger between two fintech companies creates a data governance problem: both companies had separate Data Owners for identical customer segments. Post-merger, both legacy Owners claim authority over the merged customer database. What is the BEST resolution strategy from an ISC² governance perspective?

• A. Allow both Owners to retain authority and resolve conflicts through a joint committee
• B. Assign ownership to the more senior executive as a tiebreaker
• C. Senior management must designate a single Data Owner for the merged dataset, clearly defined in the updated data governance policy
• D. Temporarily assign ownership to the CISO until the merger integration is complete

A Data Owner approves a third-party vendor's access to customer PII for analytics purposes. The vendor sub-contracts a portion of the work to a sub-processor. The sub-processor suffers a breach. Under the Philippine Data Privacy Act (RA 10173), who bears liability to the data subjects?

• A. Only the sub-processor, because they caused the breach
• B. The vendor (Processor), because they chose the sub-processor
• C. FinTech Company X (Data Controller), because it is ultimately accountable to data subjects, though vendors share liability through the processing chain
• D. The sub-processor and vendor equally, but FinTech Company X is fully exempt because they did not directly cause the breach

A Data Protection Officer (DPO) under GDPR disagrees with a Data Controller's decision to proceed with a high-risk processing activity without a DPIA. What authority does the DPO have in this situation?

• A. The DPO can halt the processing unilaterally, as their compliance role grants veto power
• B. The DPO must advise, document their objection, and escalate to senior management — but cannot unilaterally block the processing
• C. The DPO should report directly to the supervisory authority (e.g., NPC or CNIL) without informing the Controller
• D. The DPO has no relevant authority — processing decisions belong exclusively to the Data Controller

FinTech Company X's eKYC Vendor system captures and stores biometric facial templates during loan applicant verification. The product team wants to repurpose these templates for a marketing personalization feature. From a data governance perspective, what must happen FIRST?

• A. The Data Custodian must confirm the database can technically support the new use case
• B. The Data Owner must assess whether the new purpose is compatible with the original consent given by applicants, and obtain new consent if required
• C. The DPO must approve the repurposing as biometric data falls under DPO jurisdiction
• D. A penetration test must be conducted on the marketing platform before biometric data is used

A CISSP candidate is told: "This person determines what data is collected, why it is processed, and who may access it. They accept accountability for any harm arising from misuse." This description applies to which role REGARDLESS of whether the organization uses ISC², GDPR, or Philippine DPA terminology?

• A. Data Custodian / Data Processor / Personal Information Processor
• B. Data Steward / Data Quality Officer / Data Fiduciary
• C. Data Owner / Data Controller / Personal Information Controller
• D. Data User / Data Subject / Registered Individual

FinTech Company X's AES-256-CTR encryption protects customer PII stored in the core database server. A security auditor notes the encryption only applies when data is not being processed by the application server. Which data state is NOT protected by this control?

• A. Data at Rest — the database files on disk are unencrypted
• B. Data in Transit — the network path from database to application server is unencrypted
• C. Data in Use — data decrypted in application memory is exposed while being processed
• D. Data in Archive — backup tapes use a different encryption scheme

A FinTech Company X engineer is designing the security architecture for customer PII as it moves from the mobile app to the API gateway to the database. Which combination of controls BEST addresses all three data states?

• A. TLS 1.3 for transit; AES-256 for rest; access controls for in-use
• B. VPN for transit; BitLocker for rest; antivirus for in-use
• C. SSH tunneling for transit; RAID for rest; DLP for in-use
• D. PKI for transit; HSM for rest; IDS for in-use

Which of the following CORRECTLY lists the typical phases of the data security lifecycle in order?

• A. Create → Store → Use → Share → Archive → Destroy
• B. Collect → Process → Analyze → Report → Delete
• C. Input → Processing → Output → Storage → Archival
• D. Create → Classify → Use → Retain → Archive → Purge

Partner A sends daily loan repayment summaries from Vietnam to FinTech Company X's headquarters in Singapore via an SFTP connection. During transmission, an attacker performs a man-in-the-middle attack and intercepts the file. Which data state was exposed, and what control SHOULD have been in place?

• A. Data at Rest — the file was cached on the SFTP server; end-to-end encryption of stored files is needed
• B. Data in Use — the file was being parsed by the receiving application; memory protection is needed
• C. Data in Transit — TLS/SFTP with certificate validation and mutual authentication should have been enforced
• D. Data in Archive — the file was in a backup queue; archive encryption would have prevented the breach

FinTech Company X's Platform B platform implements a 30-day soft-delete before permanent deletion. During the soft-delete window, data is still in the database but flagged as "deleted." What lifecycle phase does this 30-day window BEST represent?

• A. Destroy — the data is logically deleted and no longer active
• B. Archive — the data is retained for a defined period before final disposition
• C. Use — the application still reads the soft-deleted records for compliance purposes
• D. Store — the data remains in primary storage with full at-rest protections applying

During the "Create" phase of the data lifecycle, which security activity is MOST critical from an ISC² perspective?

• A. Encrypting the data immediately upon creation using AES-256
• B. Assigning the appropriate classification label and notifying the Data Owner
• C. Backing up the data to ensure availability from the moment of creation
• D. Registering the data in the SIEM for immediate audit logging

A cloud-based analytics platform decrypts customer behavioral data, processes it for scoring, and then re-encrypts the output. During which phase is the data MOST vulnerable, and what emerging technology addresses this gap?

• A. Data at Rest — addressed by client-side encryption before upload
• B. Data in Transit — addressed by quantum-resistant cryptography
• C. Data in Use (during decryption and processing) — addressed by Homomorphic Encryption or Trusted Execution Environments (TEEs)
• D. Data in Archive — addressed by tape encryption with AES-256

A security policy states that Restricted data must be reviewed for continued necessity every 12 months. After review, data no longer needed for business or legal purposes must be destroyed. A department head ignores this policy for three years. What is the PRIMARY risk created by this inaction?

• A. Regulatory fines for retaining data longer than necessary — data minimization violations
• B. Increased storage costs — the main risk is financial, not privacy or security
• C. Breach of the backup SLA — retaining data past its lifecycle may cause backup system overloads
• D. Loss of data classification accuracy — old data inevitably becomes unclassified

During the "Share" phase of the data lifecycle, a FinTech Company X data engineer sends customer credit profiles to a partner credit bureau via API. What security control is MOST critical at this phase specifically?

• A. DLP (Data Loss Prevention) policies to prevent unauthorized sharing channels
• B. API encryption (TLS) only — the bureau handles security on its end
• C. A data sharing agreement defining purpose, scope, controls, and liability, combined with transport encryption
• D. Requiring the partner to sign an NDA before any data sharing begins

A laptop containing unencrypted Confidential salary data is stolen from an employee's car. The attacker removes the hard drive and connects it to another computer. Which data state is compromised, and what single control would have MOST effectively prevented this breach?

• A. Data in Transit — a VPN would have prevented the theft
• B. Data at Rest — full-disk encryption (e.g., BitLocker/FileVault) would have protected the drive when offline
• C. Data in Use — locking the screen would have prevented unauthorized access
• D. Data in Archive — the data should have been stored on a server, not locally

A data security lifecycle review identifies that a dataset classified as Restricted is being shared on an internal Slack channel without restriction. At which lifecycle phase did the control fail, and what is the BEST corrective action?

• A. Create phase — the data was misclassified initially; reclassify as Internal
• B. Share phase — implement DLP controls on collaboration tools and enforce data sharing policy training
• C. Store phase — move the data to an access-controlled repository and restrict the Slack channel
• D. Archive phase — move the dataset to a read-only archive to prevent further sharing

A FinTech Company X application processes loan scoring in real-time. Developers log all scoring inputs and outputs to a debug log for troubleshooting. The debug log is stored unencrypted on the application server. What risk does this create?

• A. The scoring algorithm is exposed, risking intellectual property theft
• B. Customer PII in the log is now data at rest without classification-appropriate controls, creating a data exposure risk
• C. Debug logs are transient and present no meaningful risk if stored temporarily
• D. The log creates a data-in-transit risk because it may be sent to monitoring systems

An organization moves from a 5-year data retention policy to a 3-year policy for customer transaction data. What must happen to data currently past the new 3-year threshold?

• A. It can remain indefinitely — changing future policy does not affect existing data
• B. It must be reviewed for legal hold or regulatory retention obligations before disposition
• C. It must be immediately deleted upon the policy change to minimize compliance risk
• D. It should be reclassified as Public since it is no longer actively retained

A database administrator uses column-level encryption (CLE) to protect the national_id column in the customer table. The remaining columns (name, address, phone) are stored in plaintext. Which statement BEST describes the security posture?

• A. CLE provides complete protection — since the most sensitive field is encrypted, the risk is acceptable
• B. CLE protects the national_id column at rest, but the other PII columns in plaintext create residual data-at-rest risk and may enable re-identification via aggregation
• C. CLE is ineffective because column encryption is always weaker than full-disk encryption
• D. The design is correct — encrypting only the highest-sensitivity field is the standard practice

FinTech Company X receives raw credit bureau data from an external provider. The data is ingested into the data lake, transformed by a data pipeline, and used by risk models. At the STORE phase, what is the MOST important security consideration beyond encryption?

• A. Compression ratio — higher compression reduces breach exposure by making files smaller
• B. Access control enforcement — who may read, write, or delete the data must align with the classification
• C. Network segmentation of the storage layer — stored data should be on a separate VLAN
• D. Backup frequency — data stored longer needs more frequent backups to ensure availability

FinTech Company X migrates its customer database from an on-premises server to a cloud provider. During the migration window, data exists simultaneously in both environments. What is the PRIMARY security risk during this transition phase?

• A. Data is in transit during migration — TLS must be used for all transfer connections
• B. Duplicate copies of Restricted data exist in two environments with potentially different access controls, increasing the attack surface
• C. The cloud provider becomes a Data Owner during the migration window
• D. Migration is a Create phase event — data must be reclassified upon arrival in the new environment

An employee pastes Restricted customer PII from a secure database into a Microsoft Teams message to share it with a colleague. Which data state transition is MOST concerning from a security perspective?

• A. The data moved from At Rest to In Use when the employee opened the database
• B. The data transitioned from a controlled In Use environment to an uncontrolled In Transit / Shared state via an unauthorized channel
• C. The data moved from In Transit to At Rest when it was stored in Teams' servers
• D. There is no concern if Teams uses end-to-end encryption — the data state transition is secure

During a security review, a CISSP discovers that FinTech Company X's Vietnam operations store Partner A micro-loan customer data on a SaaS CRM platform not listed in the approved vendor registry. The CRM vendor processes data under its own privacy policy. What is the MOST serious governance failure here?

• A. The CRM vendor has not signed a data processing agreement — FinTech Company X lacks contractual control over the data
• B. Using a SaaS CRM is inherently insecure — all data should be stored on-premises
• C. The CRM was not approved, so its security controls are unknown — the risk cannot be assessed without a vendor security review
• D. Vietnam's Decree 13/2023 prohibits storing personal data on foreign cloud platforms

A FinTech Company X data engineer proposes using a data lake as a "schema-on-read" repository where all ingested data is stored raw and classified later at query time. From an ISC² asset security perspective, what is the MOST critical concern with this approach?

• A. Schema-on-read lakes are technically inferior to schema-on-write databases for financial data
• B. Storing data without classification labels means appropriate access controls, encryption, and retention policies cannot be applied at ingestion — creating a "data swamp" governance risk
• C. Raw data cannot be encrypted — all data must be transformed before encryption can be applied
• D. Query-time classification is acceptable as long as the data lake has strong perimeter controls

FinTech Company X's risk model uses customer behavioral data that is 4 years old. A data scientist argues that old data is less risky and proposes removing encryption to improve query performance. The Data Owner must decide. What is the CORRECT ISC² position?

• A. Agree — data older than 3 years can be downgraded to Internal classification to reduce overhead
• B. Agree — encryption is only mandatory during the active business use period, not for historical data
• C. Disagree — the Data Owner must conduct a formal review before changing controls; age alone does not justify reducing protection
• D. Disagree — historical data must always be encrypted regardless of reclassification; ISC² mandates lifetime encryption of all PII

An organization wants to dispose of 200 HDDs containing Restricted customer PII. The security team proposes degaussing. Which statement about degaussing HDDs is CORRECT?

• A. Degaussing is ineffective on HDDs — only physical shredding achieves NIST SP 800-88 "Clear" level
• B. Degaussing destroys the magnetic field on HDD platters, rendering data unrecoverable and meeting NIST SP 800-88 "Purge" level for magnetic media
• C. Degaussing is equally effective on HDDs and SSDs because both use magnetic storage
• D. Degaussing only reaches "Clear" level — overwriting is required to reach "Purge" level for HDDs

FinTech Company X is retiring 50 NVMe SSDs from its Singapore data center that contained Restricted PII. The IT team proposes a 7-pass DoD overwrite. What is WRONG with this proposal?

• A. 7-pass overwrite is overkill — 1-pass is sufficient for SSDs per NIST SP 800-88
• B. Overwriting is unreliable on SSDs because wear-leveling algorithms may leave residual data in reserved cells not accessible to the OS
• C. DoD overwrite only works on HDDs — SSDs require degaussing to achieve Purge level
• D. NVMe SSDs cannot be overwritten — they must be encrypted before use and then the key destroyed

A CISSP uses the term "Cryptographic Erasure" (CE) to sanitize an SSD. What does this method entail, and what is its LIMITATION?

• A. CE overwrites all sectors with random cryptographic keys; limitation is that it voids the manufacturer warranty
• B. CE destroys the encryption key protecting data on a self-encrypting drive (SED); limitation is that data recovery remains theoretically possible if the key is later recovered
• C. CE applies a 256-bit AES key to overwrite each sector; limitation is that it takes 24+ hours for large drives
• D. CE erases the encryption key of a SED; limitation is that it only works if the drive was encrypted from the start — unencrypted data is not addressed

According to NIST SP 800-88, which sanitization method provides the HIGHEST assurance of data irretrievability for all media types?

• A. Clear — overwriting all user-addressable storage locations
• B. Purge — using targeted techniques such as secure erase or degaussing that make recovery infeasible with state-of-the-art techniques
• C. Destroy — physical or chemical destruction of the media so it cannot function as a storage device
• D. Archive — moving data to a secure cold storage facility under strict access control

A FinTech Company X employee reformats an HDD containing Confidential data and then donates the drive to a charity. Is this an acceptable sanitization method?

• A. Yes — formatting removes all file system pointers, making data effectively inaccessible
• B. No — formatting only removes file system metadata; the underlying data remains recoverable with common forensic tools
• C. Yes — if the format is a "full format" (not quick format), all sectors are overwritten and meet NIST Clear level
• D. It depends — if the charity signs an NDA, the residual data risk is transferred contractually

Partner A is decommissioning a cloud-based virtual machine that processed Restricted micro-loan applicant data. The underlying physical hardware is managed by the cloud provider. What is the MOST appropriate sanitization approach?

• A. Request the cloud provider to physically shred the host server's drives
• B. Terminate the VM — cloud providers guarantee data erasure upon VM termination per their SLA
• C. Use Cryptographic Erasure by deleting all encryption keys used for the VM's storage volumes, then confirm via provider's data destruction certificate
• D. Overwrite the VM's virtual disk with zeros before termination to achieve NIST Clear level

A FinTech Company X compliance officer is developing a data retention schedule. What is the PRIMARY factor that should drive the minimum retention period for customer financial records?

• A. The cost of storage — longer retention is only justified if storage is inexpensive
• B. The classification level — Restricted data must be retained for at least 5 years regardless of regulation
• C. Applicable regulatory and legal requirements — these set the mandatory floor for retention
• D. Business value — data should be retained as long as the analytics team finds it useful

A legal team issues a litigation hold for all communications related to a disputed loan. An automated data retention system deletes the relevant emails three days later as per the 90-day email policy. The deletion was not intentional. What legal concept describes this situation, and what is the likely consequence?

• A. Data minimization — the deletion was compliant with data minimization principles and creates no liability
• B. Spoliation — the negligent destruction of evidence subject to a legal hold can result in adverse inference instructions or sanctions
• C. Data breach — automated deletion of PII is a reportable privacy incident under RA 10173
• D. Chain of custody failure — the court will demand re-creation of the deleted emails

FinTech Company X receives a government subpoena for customer transaction records. The records include data from accounts that have already been soft-deleted under the Platform B 30-day policy. Can FinTech Company X comply with the subpoena by responding that the data was deleted per policy?

• A. Yes — if the data was deleted before the subpoena was received, FinTech Company X has no obligation to produce it
• B. It depends on whether the deletion occurred before or after FinTech Company X reasonably anticipated the legal demand, and whether the data is within the 30-day soft-delete window and recoverable
• C. No — all deleted data must be restored and produced regardless of when it was deleted
• D. Yes — soft-deleted data is legally considered destroyed and is not producible under any circumstance

An organization uses a "Clear" sanitization method (single-pass overwrite) on HDDs containing Confidential data before re-deploying them internally. Under NIST SP 800-88, is this appropriate?

• A. No — Clear is only appropriate for Public data; Confidential data requires Purge
• B. Yes — Clear is appropriate when media is being reused within the same organization or released to a trusted party at the same classification level
• C. No — all redeployment scenarios require Purge-level sanitization regardless of data sensitivity
• D. Yes — as long as the new user does not have access to forensic tools, Clear is sufficient for any redeployment

FinTech Company X uses a third-party e-waste vendor to destroy decommissioned HDDs. What control MOST reduces the risk that the vendor improperly disposes of data?

• A. Requiring the vendor to sign an NDA prohibiting them from disclosing customer data
• B. Performing on-site degaussing before the drives are handed to the vendor, and obtaining a Certificate of Destruction
• C. Selecting a vendor with a good reputation and verifying their ISO 9001 certification
• D. Auditing the vendor annually — the audit will deter improper disposal between visits

An organization's data retention policy specifies that employee HR records must be retained for 7 years after employment ends, while customer transaction records must be kept for 5 years. An employee is also a former customer. How long must their combined record be retained?

• A. 5 years — the shorter retention period takes precedence to minimize risk
• B. 7 years — the longer retention obligation applies to the combined record
• C. Records must be separated and each component retained per its applicable policy
• D. 6 years — average of the two retention periods as a compromise

A legal hold is placed on all FinTech Company X emails related to a disputed transaction. The IT team implements the hold in the email archiving system. Two weeks later, an employee manually deletes the emails from their local client, unaware of the hold. What should the CISO prioritize IMMEDIATELY?

• A. Terminate the employee for violating the legal hold policy
• B. Check if the email archive captured the messages before local deletion, restore from archive, and notify legal counsel of the incident
• C. File an emergency data recovery request with the email vendor and conduct a forensic investigation
• D. Notify the opposing party in the dispute that evidence was inadvertently destroyed

FinTech Company X uses self-encrypting NVMe drives (SEDs) with AES-256 hardware encryption enabled from deployment. Upon decommission, the team performs Cryptographic Erasure by destroying the media encryption key (MEK). A forensic auditor challenges the method, saying recovery might still be possible. What is the CORRECT assessment?

• A. The auditor is correct — hardware encryption can be bypassed by manufacturer backdoors, so physical destruction is required
• B. The auditor is correct — the MEK may be backed up in firmware, so destroying the software key does not guarantee erasure
• C. CE on a properly implemented SED meets NIST SP 800-88 Purge level — the encrypted data is computationally unrecoverable without the MEK, which has been destroyed
• D. The auditor is correct — CE only meets Clear level, not Purge, and the drive must be overwritten after CE for Purge level

An organization uses tape backups for disaster recovery. The tapes contain a mix of Restricted and Internal data. The tapes are 10 years old and are being retired. What is the MOST appropriate sanitization method for tape media?

• A. Degaussing — magnetic tape is erased by a strong magnetic field, meeting NIST Purge level
• B. Overwriting the tape with zeros using the backup software — this meets NIST Clear level
• C. Physical shredding — tape cannot be reliably overwritten, so destruction is the only option
• D. Leaving the tapes in a secured vault — stored data poses no risk if physically protected

FinTech Company X processes PH DPA-subject personal data of Filipino customers. A customer exercises their "right to erasure" (right to be forgotten). However, the customer's loan account is still active and subject to a BSP (Bangko Sentral ng Pilipinas) mandatory 5-year retention requirement. How should the Data Owner respond?

• A. Immediately erase all data — the customer's right to erasure is absolute under RA 10173
• B. Deny the request entirely and refer the customer to BSP if they disagree
• C. Partially comply — erase data not subject to regulatory retention, restrict access to retained data, and inform the customer of the legal basis for continued retention
• D. Erase data after the 5-year BSP retention period expires, without notifying the customer until that time

A data governance review finds that FinTech Company X retains customer data "indefinitely" for analytics purposes. The DPO warns this violates the storage limitation principle. Under GDPR/RA 10173, which exception, if any, legitimately allows indefinite retention?

• A. Business necessity — if the analytics team needs the data, retention is justified indefinitely
• B. Anonymization — if data is irreversibly anonymized, it no longer constitutes personal data and the storage limitation principle does not apply
• C. Consent — if customers consented to analytics use, data may be retained forever
• D. Data minimization — the DPO is incorrect; retention schedules are advisory, not mandatory

A CISSP at FinTech Company X is designing the e-discovery process. Which of the following best describes the correct order of steps in an e-discovery response?

• A. Collect → Identify → Preserve → Process → Review → Produce
• B. Identify → Preserve → Collect → Process → Review → Produce
• C. Preserve → Identify → Collect → Review → Process → Produce
• D. Identify → Collect → Process → Preserve → Review → Produce

A FinTech Company X security manager must choose a sanitization method for 300 flash drives (USB) containing Restricted data before repurposing them for a different department. Which method meets NIST SP 800-88 Purge level for flash media?

• A. Full-format via operating system — this overwrites all sectors
• B. ATA Secure Erase or the vendor's built-in Sanitize command
• C. Degaussing — strong magnetic field destroys flash memory cells
• D. Storing them in a secure cabinet for 6 months before reuse

FinTech Company X's Vietnam operations manager tells a security auditor: "We keep all customer data for 10 years regardless of purpose because storage is cheap." Vietnam's Decree 13/2023 requires personal data to be retained only as long as necessary for its processing purpose. What is the PRIMARY violation, and what should be implemented?

• A. No violation — organizational retention policies are self-determined and Decree 13/2023 is advisory
• B. Violation of the storage limitation principle — purpose-based retention schedules with defined periods per data type must be implemented
• C. Minor violation — the 10-year policy needs to be documented formally to be compliant
• D. Violation of data minimization — less data should be collected at source to avoid long-term retention

A data scientist replaces customer names and national IDs in a loan dataset with randomly generated codes. A mapping table linking codes to real identities is kept in a separate secured database. What technique is described, and what is its KEY risk?

• A. Anonymization — risk is that the coding algorithm may be reverse-engineered
• B. Pseudonymization — risk is that re-identification is possible if the mapping table is compromised
• C. Tokenization — risk is that payment card industry rules may prohibit this approach
• D. Encryption — risk is key management complexity at scale

FinTech Company X's Card Processor card tokenization replaces the 16-digit PAN with a surrogate token for use in transactions. The token vault is hosted by Card Processor. Under GDPR/PH DPA, does the token (stored by FinTech Company X) constitute personal data?

• A. No — tokens are random strings with no inherent meaning; they are not personal data
• B. Yes — because FinTech Company X has a contractual relationship with Card Processor that enables de-tokenization, the token is effectively linkable to an individual and may constitute personal data in context
• C. No — PCI-DSS classifies tokens as non-PCI data, which by extension means they are not personal data under privacy laws
• D. Yes — all data related to financial services is automatically classified as personal data under RA 10173

What is the FUNDAMENTAL difference between anonymization and pseudonymization from a GDPR compliance perspective?

• A. Anonymization uses AES-256; pseudonymization uses SHA-256 hashing
• B. Anonymized data is no longer subject to GDPR because re-identification is not reasonably possible; pseudonymized data remains personal data because re-identification is possible with additional information
• C. Pseudonymization provides stronger protection than anonymization because the mapping table can be secured
• D. Both are equivalent under GDPR — neither technique affects the classification of data as personal

Privacy by Design (PbD) was developed by Ann Cavoukian and is embedded in GDPR Article 25. Which of the following BEST describes the "Privacy as the Default" principle of PbD?

• A. Privacy controls should be available as an opt-in feature that power users can activate
• B. The most privacy-protective settings should be the default — individuals should not have to take action to protect their privacy
• C. Privacy features should be the default only for sensitive data categories such as health and biometric data
• D. Default settings should balance privacy and functionality — the organization decides the appropriate default based on business needs

A FinTech Company X product manager wants to build a loan eligibility feature. A privacy engineer proposes using Privacy by Design from the beginning. Which of the following is a PbD principle being applied?

• A. Collecting all possible customer data fields first, then filtering to what is needed during post-processing
• B. Building consent management and data minimization into the feature's requirements before any code is written
• C. Adding a privacy policy link to the UI after the feature is built and tested
• D. Requesting a privacy audit annually after deployment to identify issues retroactively

A DLP system at FinTech Company X triggers an alert when an employee emails a file containing 20+ national ID numbers to an external address. The security analyst must decide on the BEST response. What action should be taken FIRST?

• A. Block the email and terminate the employee immediately for policy violation
• B. Allow the email to send — DLP alerts are informational and do not justify blocking business email
• C. Block the outbound email pending review; investigate whether the transmission was authorized, and escalate based on findings
• D. Quarantine the email, notify the recipient's domain that a potential breach occurred, and file an NPC report

Under the Philippine Data Privacy Act (Republic Act 10173), which of the following is classified as "sensitive personal information" requiring heightened protection?

• A. Full name, email address, and home address
• B. Race, ethnic origin, health information, biometric data, and commission of offenses
• C. Professional title, employer name, and work address
• D. Date of birth, marital status, and educational background

A data analyst at FinTech Company X publishes a public research report using a dataset that has been k-anonymized (k=5) from the original customer database. A researcher later demonstrates that specific individuals can be re-identified using publicly available social media data combined with the quasi-identifiers in the report. What attack technique is described?

• A. Inference attack — deriving sensitive attributes from public model outputs
• B. Linkage attack — re-identifying individuals by joining the anonymized dataset with external data sources
• C. Aggregation attack — combining multiple low-sensitivity data points to derive high-sensitivity conclusions
• D. Replay attack — reusing a prior session token to access the database

FinTech Company X deploys a DLP solution to prevent PII exfiltration. The DLP is configured to scan outbound emails. A user circumvents DLP by encoding the national ID as Base64 before attaching it. What does this expose about the DLP implementation?

• A. The DLP system needs more memory to handle Base64 decoding in real-time
• B. Content-aware DLP must include encoding/obfuscation detection to prevent trivial bypass techniques
• C. DLP systems cannot inspect encrypted files — users should be banned from encrypting attachments
• D. Base64 is itself encryption; the organization should deploy an encryption key management system to address this gap

A GDPR data subject submits a Subject Access Request (SAR) to FinTech Company X asking for "all personal data you hold about me." FinTech Company X holds: loan application data, behavioral scoring inputs, eKYC Vendor biometric templates, and internal fraud risk scores. Which of these MUST be disclosed under GDPR Article 15?

• A. All four categories must be disclosed in full with no exceptions
• B. Loan application data and behavioral scoring inputs must be disclosed; biometric templates may be withheld for security reasons; fraud scores are exempt as internally derived data
• C. All four must generally be disclosed; however, fraud scores may be withheld under the prevention of crime exemption if disclosure would prejudice fraud detection, and biometric templates may be withheld under proportionality
• D. Only the loan application data must be disclosed — scoring and biometric data are proprietary and exempt

FinTech Company X processes biometric data (facial templates from eKYC Vendor) for identity verification in the Philippines. Under RA 10173, what is the MINIMUM lawful basis required for processing sensitive personal information like biometric data?

• A. Legitimate interest — biometric verification is in the organization's interest and implicitly consented to by loan applicants
• B. Explicit written consent of the data subject, OR processing is necessary for a purpose authorized by law
• C. A Privacy Impact Assessment (PIA) submitted to the NPC — approval grants lawful processing authority
• D. Registration with the NPC as a personal information controller — registration constitutes lawful basis

Vietnam's Decree 13/2023 on Personal Data Protection requires a Data Protection Impact Assessment (DPIA) for high-risk processing. FinTech Company X's Partner A operations plan to process sensitive financial data of 500,000 customers using automated profiling for loan eligibility. Does this processing require a DPIA under Decree 13/2023, and what factors determine this?

• A. No — DPIAs are only required for government agencies processing Vietnamese citizen data
• B. Yes — large-scale processing of sensitive financial data using automated profiling is high-risk and requires a DPIA
• C. Only if Partner A is incorporated in Vietnam — foreign-incorporated entities are not subject to Decree 13/2023
• D. No — DPIAs are a GDPR requirement only; Decree 13/2023 does not mandate DPIAs

FinTech Company X transfers customer behavioral data from Vietnam to Singapore for processing by the central data science team. Vietnam's Decree 13/2023 restricts cross-border personal data transfers. What is the MOST appropriate mechanism to legitimize this transfer?

• A. Anonymizing the data before transfer — anonymized data is not subject to cross-border transfer restrictions
• B. Obtaining approval from Vietnam's Ministry of Public Security for the cross-border transfer, or establishing that Singapore has adequate data protection standards
• C. Encrypting the data in transit with TLS 1.3 — encrypted data transfer satisfies cross-border transfer requirements
• D. Including a clause in employee contracts that consent to data transfer to Singapore — employee consent satisfies the requirement

Under GDPR, a data subject exercises their "right to data portability" and requests their loan application data in a machine-readable format. FinTech Company X's legacy system only exports data in a proprietary binary format. What obligation does GDPR Article 20 impose?

• A. GDPR allows any format the controller chooses — the requirement is to provide the data, not a specific format
• B. The data must be provided in a "structured, commonly used and machine-readable format" (e.g., JSON or CSV) — proprietary binary formats do not fulfill this requirement
• C. The right to portability only applies to data actively provided by the data subject — profiling or derived data is excluded
• D. Portability requests must be fulfilled within 90 days — there is no format requirement under Article 20

A FinTech Company X data analyst builds a credit scoring model trained on historical loan data. A civil society group argues the model is discriminatory against a protected ethnic group based on correlated behavioral signals. Under fairness and privacy frameworks, what is the MOST relevant concept, and what should the Data Owner do?

• A. Model bias is a product liability issue, not a privacy issue — refer to the legal department only
• B. The model uses legitimate business correlations; bias claims do not require a governance response
• C. Algorithmic fairness and anti-discrimination principles intersect with privacy law — the Data Owner should commission a fairness audit and, if discrimination is found, retrain or constrain the model
• D. The model should be immediately disabled pending full regulatory review before retraining

FinTech Company X suffers a data breach exposing 50,000 customer records containing national IDs and credit scores. Under the Philippine Data Privacy Act (RA 10173), what are the notification timelines and recipients?

• A. Notify the NPC within 72 hours; notify affected individuals within 7 days of confirmation of breach
• B. Notify the NPC within 72 hours of discovery; notify affected individuals as soon as practicable but within 5 days of confirming the breach
• C. No mandatory timeline — notification is required only "without undue delay" at the organization's discretion
• D. Notify affected individuals within 24 hours; notify the NPC within 30 days of breach discovery

FinTech Company X's eKYC Vendor facial recognition system processes biometric data in real time. The security team wants to apply the principle of data minimization. Which design choice BEST embodies this principle?

• A. Store the raw facial image and the derived biometric template — raw images provide a fallback for re-processing
• B. Store only the biometric template needed for comparison; delete the raw facial image immediately after template extraction
• C. Store all biometric data in encrypted form — encryption satisfies data minimization requirements
• D. Retain biometric data for 7 years to ensure availability for future model retraining

A senior manager at FinTech Company X argues: "We don't need a formal privacy program — we have strong encryption and access controls. Security is privacy." A CISSP must correct this misconception. What is the BEST response?

• A. The manager is correct — encryption and access controls together constitute a complete privacy program
• B. Security is a necessary but insufficient condition for privacy. Privacy additionally requires purpose limitation, consent management, data subject rights fulfillment, transparency, and retention governance — technical controls alone cannot satisfy these obligations
• C. Privacy programs are only required for organizations over a certain size — small teams can rely on security controls
• D. Privacy is a subset of security — a mature security program automatically satisfies all privacy obligations

FinTech Company X's new mobile app collects device location data continuously, even when the app is running in the background. The privacy engineer warns this violates data minimization. The product manager argues location data improves fraud detection and customer experience. What is the ISC²-aligned resolution?

• A. Collection of location data is legitimate because fraud detection is a compelling business interest that overrides minimization
• B. A Data Protection Impact Assessment (DPIA) must be conducted to assess the proportionality of continuous collection versus the privacy intrusion; collection should be limited to what is necessary and proportionate to the fraud detection purpose
• C. The privacy engineer should be overruled — product decisions are the product manager's authority, not the privacy team's
• D. Collect all location data initially and then delete what is not used after 30 days — this satisfies minimization retrospectively

A CISSP sitting the exam is asked: "An organization collects customer PII for loan origination. The same data is later used for marketing analytics without additional consent. Under both GDPR and PH DPA principles, which concept is violated, and what is the MINIMUM remediation?" This is Q100 — the capstone question integrating D2 principles.

• A. Purpose limitation is violated. Minimum remediation: obtain fresh explicit consent for marketing analytics, OR establish an alternative lawful basis, AND conduct a compatibility assessment if relying on legitimate interest
• B. Data minimization is violated. Remediation: delete excess data collected beyond what the loan origination purpose requires
• C. Storage limitation is violated. Remediation: establish a defined retention period for marketing analytics data separate from loan origination data
• D. Integrity and confidentiality is violated. Remediation: encrypt marketing analytics datasets to the same standard as loan origination data