Question 23
Domain 2: Privacy Risk Management
A company wants a consistent way to rank privacy issues so engineering, legal, and product teams compare risks using the same language. What should the privacy technologist recommend?
Correct answer: B
Explanation
A privacy risk model gives teams a shared framework for comparing issues using the same criteria. It should evaluate “likelihood,” “impact,” and “types of harm,” because those factors define how serious a privacy risk is and let engineering, legal, and product speak the same language.
Why each option is right or wrong
A. Let each team label issues however it prefers
Incorrect. Team-specific labels are exactly the ad hoc judgment the company wants to replace; without shared criteria, engineering, legal, and product cannot compare risks consistently.
B. Adopt a privacy risk model that evaluates likelihood, impact, and types of harm
A privacy risk model is the appropriate control when the goal is to standardize how different functions compare issues, because it provides a common scoring structure rather than ad hoc judgment. In practice, the model should assess likelihood, impact, and the types of harm involved so the organization can rank risks consistently across teams; this aligns with the risk-based approach used in privacy programs and with NIST Privacy Framework risk analysis concepts, which focus on the probability and magnitude of adverse consequences.
C. Track only whether a control exists
Incorrect. Knowing that a control exists says nothing about the likelihood, impact, or type of harm of an issue, so it gives teams no basis for ranking risks.
D. Wait until an incident occurs and then assign severity
Incorrect. Assigning severity only after an incident is reactive; a risk model is meant to rank issues before harm occurs so teams can prioritize consistently.