Exam CISSP topic 1 question 480 discussion

The FIRST action an organization should take to establish a privacy program to ensure that personally identifiable information (PII) is properly protected is to appoint a senior official to oversee the privacy program (Option A). The senior official should have the authority to implement and manage the privacy program across the organization. This person should have a clear understanding of the importance of privacy and the relevant laws and regulations that apply to the organization's operations. Appointing a senior official to oversee the privacy program demonstrates the organization's commitment to protecting personal information, and provides clear leadership and accountability for the privacy program.

C, Developing a cohesive strategic plan will also encompass appointing a leader.

Going with A. Thats more inline with senior management buy-in. Which is a MUST.

ANSWER: C. Develop a strategic organizational privacy plan. This link also has first step as develop a plan - no mention of appointing a CPO https://www.linkedin.com/pulse/six-steps-developing-robust-privacy-program/

ANSWER: C. Develop a strategic organizational privacy plan. There is no mention of appointing a senior official in the NIST publication; it only talks about creating a privacy plan and the safeguards for privacy. https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-122.pdf#page=24&zoom=100,92,96 It does make sense to appoint someone to be the privacy officer, but if I can't find that in the documentation, I"m not using that answer on the test.

Answer A) Appoint a senior official to oversee the privacy program. my reasoning is based on "which came first, the chicken or egg" You need someone to lead and develop the program....if not, how are you going to come up with a strategy

A. Appoint a senior official to oversee the privacy program. The first action an organization should take when establishing a privacy program is to appoint a senior official, such as a Chief Privacy Officer (CPO) or Data Protection Officer (DPO), to oversee the program. This individual will be responsible for ensuring that privacy policies and procedures are developed, implemented, and enforced throughout the organization. They play a crucial role in championing privacy initiatives, monitoring compliance with privacy laws and regulations, and acting as a point of contact for privacy-related matters. Once this senior official is in place, they can then proceed with allocating resources, developing a strategic plan, and monitoring privacy laws and policy changes as part of the broader privacy program.

This is what I found in NIST 800-122: To establish a comprehensive privacy program that addresses the range of privacy issues that organizations may face, organizations should take steps to establish policies and procedures that address all of the Fair Information Practices. Nothing mentioned about opt. A. Going with C.

Why the answer is not C but A?

Determining the session timeout requirement for an application based on its specific requirements is the best approach because it ensures that the timeout setting will be appropriate for the application's particular security and usability needs.