Certified Information Security Manager (CISM) — Question 508
Which of the following should be done FIRST when establishing security measures for personal data stored and processed on a human resources management system?
Answer options
- A. Conduct a vulnerability assessment.
- B. Move the system into a separate network.
- C. Conduct a privacy impact assessment (PIA).
- D. Evaluate data encryption technologies.
Correct answer: C
Explanation
The correct answer is C. A privacy impact assessment (PIA) is the first step because it establishes what personal data the HR system collects, stores and processes, why it is processed, who can access it, where it flows, and what the privacy and regulatory risks to the data subjects are. Those findings determine which safeguards are required and how strong they must be. Options A, B and D are all protective measures that may well be applied to the system, but each is a control selected on the basis of identified risk: a vulnerability assessment tests the system's technical weaknesses, network segregation limits exposure, and encryption protects data at rest or in transit. Choosing any of them before the PIA risks spending effort on controls that do not address the actual privacy risks, or missing risks that none of them mitigate.