Page 360 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
B. Determining who has access to a system
C. Identifying appropriate use and protection of data
D. Applying security controls to a system
15. Within the context of the EU GDPR, what is a data processor?
A. The entity that processes personal data on behalf of the data
controller
B. The entity that controls processing of data
C. The computing system that processes data
D. The network that processes data
16. Your organization has a large database of customer data. To
comply with the EU GDPR, administrators plan to use
pseudonymization. Which of the following best describes
pseudonymization?
A. The process of replacing some data with another identifier
B. The process of removing all personal data
C. The process of encrypting data
D. The process of storing data
17. An organization is implementing a preselected baseline of security
controls, but finds that some of the controls aren’t relevant to their
needs. What should they do?
A. Implement all the controls anyway.
B. Identify another baseline.
C. Re-create a baseline.
D. Tailor the baseline to their needs.
Refer to the following scenario when answering questions 18 through
20.
An organization has a datacenter that processes highly sensitive
information and is staffed 24 hours a day. The datacenter includes

