CIPM – IAPP Flashcards
question
Proactive privacy management is accomplished through three tasks
answer
1) Define your organization's privacy vision and privacy mission statements 2) Develop privacy strategy 3) Structure your privacy team
question
This is needed to structure responsibilities with business goals
answer
Strategic Management
question
Identifies alignment to organizational vision and defines the privacy leaders for an organization, along with the resources necessary to execute the vision.
answer
Strategic Management model
question
Member of the privacy team who may be responsible for privacy program framework development, management and reporting within an organization
answer
Privacy professional
question
Strategic management of privacy starts by
answer
creating or updating the company's vision and mission statement based on privacy best practice
question
Privacy best practices
answer
1) Develop vision and mission statement objectives 2) Define privacy program scope 3) Identify legal and regulatory compliance challenges 4) Identify organization personal information legal requirements
question
This key factor lays the groundwork for the rest of the privacy program elements and is typically comprised of a short sentence or two that describe the purpose and ideas in less than 30 seconds.
answer
Vision or mission statement
question
This explains what you do as an organization, not who you are; what the organization stands for and why what you do as an organization to protect personal information is done
answer
Mission Statement
question
What are the steps in the five step metric cycle
answer
Identify, Define, Select, Collect, Analyze
question
The first step in selecting the correct metrics starts with what?
answer
Identifying the intended metric audience
question
The primary audience for metrics may include
answer
Legal and privacy officers, senior leadership; CIO, CSO, PM, Information Systems Owner (ISO), Information Security Officer (ISO), Others considered users and managers
question
The secondary audience, those who may not have privacy as a primary task, includes whom?
answer
CFO, Training organizations, HR, IG, HIPAA security officials
question
The tertiary audiences may be considered, based on the organization's specific or unique requirements such as who?
answer
External watch dog groups, Sponsors, Stockholders
question
The difference between metrics audiences is based on what?
answer
Level of interest, influence and responsibility to privacy within the business objectives, laws and regulations, or ownership
question
Specific to Healthcare metrics, audiences may include whom?
answer
HIPAA privacy officers, medical interdisciplinary readiness teams (MIRTs), senior executive staff, covered entity workforce, self assessment tool and risk analysis/management
question
What is the second step in the metric life cycle?
answer
Define Reporting Procedures
question
A metric owner must be able to do what?
answer
Evangelize the purpose and intent of that metric to the organization
question
This person is the process owner, champion, advocate and evangelist responsible for management of the metric throughout the metric life cycle
answer
Metric Owner
question
As Six Sigma teaches, an effective metric owner must do what?
answer
1) Know what is critical about the metric, 2) Monitor process performance with the metric, 3) Make sure the process documentation is up to date, 4) Perform regular reviews, 5) Make sure that any improvements are incorporated and maintained in the process, 6) Advocate the metric to customers, partners and others, 7) Maintain training, documentation, and materials
question
As a general practice, who should not perform the data collection tasks or perform the measurements of the metric?
answer
Metric Owner
question
What is the third step in the metric life cycle?
answer
Select Privacy Metrics
question
Selecting the correct privacy metric requires what?
answer
Full understanding of the business objectives and goals, along with a clear understanding of the primary business functions.
question
Prior to selecting metrics, the reader should first understand what?
answer
Attributes of an effective metric with metric taxonomy and how to limit improper metrics.
question
An effective metric is a clear and concise metric that defines and measures what?
answer
Progress toward a business objective or goal without overburdening the reader
question
Good metrics should not do what?
answer
Overburden the reader
question
A metric should be clear in the meaning of what is being measured and what else?
answer
1) Rigorously defined, 2) Credible and relevant, 3) Objective and quantifiable, 4) Associated with the baseline measurement per the organization standard metric taxonomy
question
If a standard metric taxonomy does not exist, privacy professionals can generate their own using the best practices from where?
answer
NIST, NISTIR 7564, "Directions in Security Metrics Research"
question
A mission statement should include what five items?
answer
Value the organization places on privacy, Desired organizational objectives, Strategies to drive the tactics used to achieve the intended outcomes, Clarification of roles and responsibilities
question
Strategic Management assigns roles, sets expectations, grants powers and what?
answer
Verifies performance
question
This model identifies alignment to organization vision and defines the privacy leaders for an organization, along with the resources (people, policy, processes, and procedures) necessary to execute the vision
answer
Strategic Management Model
question
This is a key factor that lays the groundwork for the rest of the privacy program elements and is comprised of a short sentence or two that describes purpose and ideas in less than 30 seconds
answer
Mission Statement
question
What are the four steps in defining your organization's privacy vision and privacy mission statements
answer
1. Develop Vision and Mission Statement Objectives 2. Define Privacy Program Scope 3. Identify Legal and Regulatory Compliance Challenges 4. Identify Organizational Personal Information Legal Requirements
question
What are the steps of Strategic Management?
answer
Define Privacy and Mission, Develop Privacy Strategy, Structure Privacy Team
question
This is someone who understands the importance of privacy and will act as an advocate for you and for the program. Typically, they will have experience with the organization, the respect of their colleagues and access to or ownership of budget.
answer
Program Sponsor
question
This is an executive who acts as an advocate and sponsor to further foster privacy as a core organization concept
answer
Program Champion
question
Individual executives who lead and "own" the responsibility of the relevant activities are called what?
answer
Stakeholders
question
As a rule, privacy policies and procedures are created and enforced at what level?
answer
Functional
question
Policies imposing general obligations on employees may reside with whom?
answer
Ethics, legal and compliance
question
Policies and procedures that dictate certain privacy and security requirements on employees as they relate to the technical infrastructure typically sit with whom?
answer
IT
question
Policies that govern requirements that need to be imposed on providers of third-party services that implicate personal data typically sit with whom?
answer
Procurement
question
Policies that govern the use and disclosure of health information about employees of the organization typically reside with whom?
answer
HR
question
This approach collects the various data-protection requirements and rationalizes them where possible
answer
Pragmatic Approach
question
When defining your privacy program scope, you must first do what?
answer
Understand and identify the legal and regulatory compliance challenges of the organization and identify the data impacted
question
If your organization plans to do business within a jurisdiction that has inadequate or no data protection regulations, you should do what?
answer
Institute your organization's requirements, policies and procedures instead of reducing them to the level of the country
question
When developing your global privacy strategy, it must be relevant to what?
answer
Markets, cultures, and geographical locations
question
According to Baker and McKenzie in their looking-ahead analysis of 2012, the goal of "achieving compliance" is steadily being replaced with what?
answer
A corporate need to "achieve and maintain compliance"
question
What are examples of certain types of organizations and entities known as "covered entities"
answer
Healthcare providers (hospitals, clinics, pharmacies) and health plans (medical plans, organization benefit plans) subject to HIPAA.
question
Merchants that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards must be in compliance with what?
answer
Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, not a law.
question
If you process personal information of any resident of a state that has adopted a breach notification law, understand that to the extent that non-encrypted data has been compromised, your compliance obligations may include notification to whom?
answer
The residents of the states, as well as government bodies or state attorney general offices.
question
What is the first step when identifying Organizational Personal Information Legal Requirements
answer
"roughing out" the scope of a privacy program by flagging areas in an organization where personal information is likely to be collected, accessed or used (HR, finance, marketing, customer relationship management systems, IT)
question
In the U.K., this regulation contains privacy rules for any form of electronic marketing, in addition to a vast array of statutes, regulations and voluntary codes of practice that govern direct marketing activity.
answer
Privacy and Electronic Communications Regulations
question
Based on these three things, the privacy professional will need to determine the best methods, style and practices for working within the organization.
answer
Individual culture, politics and protocols of the organization
question
This function is more closely aligned to the privacy group than any other function.
answer
Information Security (IS)
question
This functional group adds processes and controls that support privacy principles. Creating processes to develop and test software and applications in a manner that does not require the use of production data decreases the chances that the data will be compromised and that individuals who have no business need will access the data
answer
Information Technology (IT)
question
This functional group traditionally functions independently to assess whether controls are in place to protect personal information and whether people are abiding by these controls
answer
Internal audit group
question
Many organizations create this, comprised of the same stakeholders that were identified at the start of the privacy program implementation process. Instrumental in making strategic decisions and driving such strategies and decisions through their own organizations.
answer
Privacy committee or council
question
Organizations with a global footprint often create a governance structure that is comprised of whom?
answer
Representatives from each geographic region and business function (i.e., HR) in which the organization has a presence to ensure that proposed privacy policies, processes, and solutions align with local laws.
question
Your first step when developing a Data-governance Strategy for Personal Information (Collection, Authorized Use, Access, Security, Destruction) is what?
answer
Take an inventory of relevant regulations that apply to your business. Once you determine which laws apply, you must design a manageable approach to handling and protecting personal information
question
This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations with which you must comply.
answer
Rationalization
question
Data-protection regulations typically include what items
answer
• Notice • Choice • Consent • Purpose limitations • Limits on retaining data • Individual rights to access • Correction and deletion of data • Obligation to safeguard data
question
Privacy professionals should always involve whom to review, define or establish technical security controls, including common security controls such as firewalls, malware anti-virus, and complex password requirements
answer
Security Engineer
question
This strategy seeks solutions that do not violate any data privacy laws, exceed budgetary restrictions or contradict organization goals and objectives
answer
Strictest Standard
question
When positioning the privacy team, you should also consider the authority it will receive based on what?
answer
Governance model it follows
question
Executive leadership support for your governance model will have a direct impact on the level of success when implementing your privacy strategies. What are the important steps to integrate into any model?
answer
o Involve senior leadership o Involve stakeholders o Develop internal partnerships o Provide flexibility o Leverage communications o Leverage collaboration
question
This type of governance fits well in organizations accustomed to single-channel functions (where direction flows from a single source) with planning and decision making completed by one group
answer
Centralized Governance
question
This type of governance delegates decision-making authority down to the lower levels in an organization; relatively away from and lower than a central authority
answer
Local or Decentralized
question
This is an implementation road map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization
answer
Privacy Program Framework
question
Privacy governance framework provides the methods to what?
answer
Assess, protect, sustain and respond to the positive and negative effects of all influencing factors
question
This process provides the means to evaluate business rhythms, technical systems and associated costs to the strategic business objectives and performance of the organization.
answer
Performance Measurement with Metrics Selection
question
This provides quantifiable output that is measurable, meaningful, answers specific questions and is clearly defined
answer
Metrics performance
question
Major drivers impacting the increased need for privacy metrics include what?
answer
Means of providing meaningful information on your privacy regime to key stakeholders, Generational change in the use of technology, Rapid advancements to technology, Catastrophes, such as data loss events, that drive tighter regulations, laws and standards, Current security and privacy solutions that are not designed to deal with the fast pace of emerging technologies or requirements, Privacy regulations becoming more stringent while privacy exceptions rise, Professionals embrace security and privacy as part of their job
question
Privacy Objectives are typically broad-based. What is an example of a privacy objective?
answer
Privacy Notice
question
Privacy goals are specific and measurable. What is an example of a Privacy Goal?
answer
Provide privacy notices to 100 percent of the customer base; number of privacy notices.
question
These provide a common language between business, operational and technical managers to discuss the relevant information (e.g., good, bad, or indifferent) related to assessing progress.
answer
Metrics
question
Generic privacy metrics should be developed to enable analyses of which processes?
answer
o Collection (notice) o Responses to data subject inquiries o Use o Retention o Disclosure to third parties o Incidents (breaches, complaints, inquiries) o Employee training o Privacy Impact Assessment o Privacy risk indicators o Percent of organization functions represented by governance mechanisms
question
What are the steps of the Metric Life Cycle?
answer
o Identify the intended audience - Who will use the data o Define the data sources - Who is the data owner and how is that data accessed o Select privacy metrics - what metrics to use based on the audience, reporting resources and final selection of the best metric o Collect and refine systems/applications collection point - where will the data come from to finalize the metric collection report? When will the data be collected? Why is that data important? o Analyze the data/metrics to provide value to the organization and provide a feedback quality mechanism
question
This lists the metric characteristics that delineate boundaries between metric categories
answer
Metric taxonomy
question
Metric taxonomies provide what categories?
answer
Objective/Subjective, Quantitative/Qualitative, IT Metrics/Quantitative Measurement, Static/Dynamic, Absolute/Relative, Direct/Indirect
question
Objective metrics are more desirable than what type?
answer
Subjective
question
These measurements typically map to best practices
answer
Qualitative measurements
question
These types of measurements use data recorded in a numerical-mathematical fashion
answer
Quantitative measurements
question
Per recent industry surveys, Chief Information Security Officers seem to prefer which type of measurements?
answer
Qualitative measurements
question
This type of metric evolves with time
answer
Dynamic measurements
question
The distinction between direct and indirect metrics is based on what?
answer
The way a metric is measured
question
Size is an example of what type of metric
answer
Direct
question
Quality or complexity can only be measured how?
answer
Indirectly by extrapolation from other measured factors
question
The privacy professional must guard against improper conclusions such as these
answer
Faulty Assumptions, Selective Use, Well-chosen Average, Semi-attachment, Biased Sample, Intentional Deceit, Massaging the Numbers, Overgeneralization
question
This conclusion is based on the occurrence of concurrent events without substantive evidence correlating the events
answer
Faulty Assumptions
question
A specific subset of information is extrapolated from the larger data set, which leads to invalid/incorrect conclusions.
answer
Selective Use
question
Many times the mean is used for a metric, but it is sometimes more appropriate to use the median or mode rather than the true mean/average
answer
Well-chosen Average
question
When an individual is unable to prove their point, this may result in the exclusion of elements of a measurement when conveying results
answer
Semi-attachment
question
This measurement completely excludes certain elements from the data population, thus providing only a partial set of data and leading to false assumptions
answer
Biased Sample
question
An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental effect on the metric or metric owner
answer
Intentional Deceit
question
This is slightly adjusting measurements to provide the appearance of success or other-than-actual results, leading the reviewer to believe the metric is more successful than it actually may be
answer
Massaging the Numbers
question
This occurs when inferences are made concerning a general data population that lead to poor conclusions
answer
Over-generalizations
question
As a basic business practice in the selection of metrics, the privacy professional should select how many key privacy metrics that focus on the key organizational objectives?
answer
Three to five
question
This is a data pattern that shows trends with an upward or downward tendency, i.e., privacy breaches over time
answer
Time series
question
This is an indicator used to measure the financial gain/loss (or value) of a project in relation to its cost
answer
Return on Investment (ROI)
question
Return on Investment (ROI) is measured how?
answer
(Benefits - Costs) / Costs
question
Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in what?
answer
Physical assets, Personnel assets, IT assets, Operational assets
question
This term relates to the protection of hardware, software, and data against physical threats, to reduce or prevent disruptions to operations and services and loss of assets
answer
Physical assets
question
These are measures to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution and unavailability of an organization's logical and physical assets, as the result of action or inaction by insiders and known outsiders, like business partners
answer
Personnel assets
question
Inherent technical features that collectively protect the organizational infrastructure, achieving and sustaining confidentiality, integrity, availability, and accountability.
answer
IT assets
question
As it relates to ROI metrics, the first step is to identify and characterize the ROI metric to address what?
answer
The specific risk that control or feature is supposed to mitigate
question
As it relates to ROI metrics, the second step is to define what
answer
the value of the asset
question
This is the ability to rapidly adapt and respond to business disruptions and to maintain continuous business operations
answer
Business Resiliency
question
The privacy professional or organization should include in the privacy budget the costs to generate what?
answer
metrics
question
The most time-consuming task of a privacy professional was of a strategic nature, which was what?
answer
advising the organization on privacy issues
question
What are the phases of the privacy operational life cycle?
answer
o Assess (measure) o Protect (improve) o Sustain (evaluate) o Respond (support)
question
What are the PMM maturity levels?
answer
Ad hoc, Repeatable, Defined, Managed, Optimized
question
This PMM maturity level indicates procedures or processes are generally informal, incomplete, and inconsistently applied
answer
Ad hoc
question
This PMM maturity level indicates procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects
answer
Repeatable
question
This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all relevant aspects
answer
Defined
question
This PMM maturity level indicates that reviews are conducted to assess the effectiveness of the controls in place
answer
Managed
question
This PMM maturity level indicates that regular review and feedback is used to ensure continuous improvement towards optimization of the given process
answer
Optimized
question
What are the seven foundational principles of PbD?
answer
Proactive not Reactive-Preventative not Remedial; Privacy as the Default Setting; Privacy Embedded into Design; Full Functionality-Positive Sum not Zero-sum; End-to-End Security-Full Life Cycle Protection; Visibility and Transparency; Respect for User Privacy
question
This ensures that privacy and security controls are aligned with an organization's tolerance for risk and its compliance with regulations and commitment to building a sustainable privacy-minded culture
answer
PbD paradigm
question
One tool used to determine whether a PIA should be conducted is called what?
answer
Privacy Threshold Analysis (PTA)
question
These types of assessments further assist the privacy professional in the Protect phase
answer
PIA, risk assessments, security assessments
question
This is a policy-based approach to manage the flow of information through a life cycle from creation to final disposition
answer
DLM/ILM
question
Main drivers of DLM/ILM
answer
1. Enterprise data growth 2. Growth in unstructured data 3. Limitations in relational database management system performance 4. Information access and security concerns 5. Lack of effective methods for classifying data 6. Difficulty in assessing productivity of systems, applications and databases
question
Main benefits of DLM and ILM are what?
answer
Increased control over data, regulatory compliance (thereby minimizing business risk) and reduced costs (by eliminating redundancies in data storage)
question
In the EU, who retains legal liability for any harm associated with the collected data?
answer
Data Controller
question
OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, what are five factors that should be considered in a data breach?
answer
Nature of the data elements breached, number of individuals affected, likelihood that the information is accessible and usable, likelihood the breach may lead to harm, the organization's ability to mitigate the risk of harm
question
What does the Federal government guidance state when a breach poses little or no risk of harm?
answer
Notification could create unnecessary concern and confusion
question
To establish tort liability, a third-party plaintiff must show what?
answer
That the organization owed him or her a duty of care
question
A breach will typically involve
answer
Third party hacker who intentionally exploits vulnerabilities of the customer system, Customer failure to properly operate, use or secure its systems, Lost or stolen computer equipment, Misconduct of customer employees
question
As part of the incident-response planning process, this group will provide guidance regarding the detection, isolation, removal, and preservation of affected systems.
answer
Information Systems (IS)
question
One of this group's primary roles after a breach is to advise corporate privacy and executive teams on response notification requirements, in particular, who should be notified, how and when
answer
Legal
question
In the aftermath of a data breach, this group may serve as the organization's informational conduit, working closely with PR or corporate communications to inform and update employees about the incident
answer
HR
question
This group's role during a data breach can be to work with management and PR teams to establish and maintain a positive, consistent message, during both the crisis and the post-breach notifications
answer
Marketing
question
Because of their unique association with customers and the bond of trust built carefully over time, this group is often asked to notify key accounts when their data has been breached
answer
BD
question
When a data breach occurs, these stakeholders quickly assume their position on the front lines, preparing for the response to potential media inquiries and coordinating internal and external status updates
answer
Communications and PR
question
After a breach occurs, the primary role for this stakeholder is to provide members with timely updates and instructions.
answer
Union Leadership
question
One of the first and arguably most critical steps taken by the top executive is to what?
answer
Promptly allocate funds and manpower needed to resolve the breach.
question
This plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after a data breach
answer
Business Continuity Plan (BCP)
question
In a 2011 survey of 400 IT executives, one-fifth indicated these events had made business continuity planning a much higher priority in recent years?
answer
Natural disasters, security and terrorist threats
question
This is a structured readiness testing activity that simulates an emergency situation in an informal, stress-free setting
answer
Tabletop exercise
question
Generally speaking, this may be described as any potential or actual compromise of personal information in a form that facilitates intentional or unintentional access by unauthorized third parties
answer
Privacy incident
question
A 2012 study revealed what groups were most often the cause for privacy incidents?
answer
Insiders and third parties
question
This is the internal process of employees alerting supervisors about a security-related incident, who in turn report the details to a predefined list of experts
answer
Escalation
question
This is the process of informing affected individuals that their personal data has been breached
answer
Notification
question
Assuming privacy incident notification is required, organizations generally have how long to notify the affected individuals
answer
60 days
question
This is one method of enforcing security and accountability in how personal data is handled by third parties
answer
Binding contractual obligations and reporting requirements
question
This activity triggers the pre-notification process
answer
Once breach investigators conclude that an actual compromise of sensitive information has occurred
question
Generally, most well-conceived incident response plans account for and/or include which elements?
answer
Key stakeholders, Execution timeline, Progress reporting and Response evaluation and modifications
question
Common reporting intervals in incident response plans include what?
answer
Hourly, daily, weekly, monthly
question
Reporting resources can be found with the technical and business characteristics of an organization that include
answer
People, Processes, Technology
question
These are two complementary processes that prepare an organization for crises and for managing the business afterwards, thereby reducing risk.
answer
Business Continuity and Disaster Recovery Planning (BCDR)
question
Privacy is concerned with an individual's ability to control the use of personal information while information security focuses on what?
answer
Mechanisms for protection of information and information systems
question
The CIA triad, in addition to further advanced information security concepts, consists of what?
answer
Confidentiality, Integrity, Availability, Accountability, Assurance
question
Separation of legal, compliance, internal audit and security functions: collaboration is more challenging, but what?
answer
functional independence is assured
question
Combining of legal, compliance, internal audit and security functions: collaboration is assured, but what?
answer
functional independence is more challenging
question
What are the steps of the Audit Life Cycle?
answer
Planning, Preparation, Audit, Report, Follow-up
question
What are the three types of audit categories?
answer
First party/internal audit, Second-party audits, Third-party/external audits
question
These audits are a form of "self-evaluation"
answer
First-party/internal audits
question
These types of audits are typically Supplier Audits because they are used where an organization has to assure itself of the ability of a potential or existing supplier or subcontractor to meet the requirements.
answer
Second-party audits
question
This is a form of internal audit that does not exempt an organization from fulfilling obligations under applicable laws or regulations
answer
Self-Certification
question
A well known self certification framework is what?
answer
US-EU Safe Harbor
question
The Sustain phase of the privacy operational life cycle provides privacy management through what?
answer
Monitoring, auditing, and communication
question
The Respond phase of the privacy operational life cycle includes which principles?
answer
Information requests, legal compliance, incident response planning and incident handling
question
The form of Redress that is offered to the complainant should be clearly defined in what?
answer
Your complaint response process and documented for resolution
question
Data integrity issues are often the results of what?
answer
Human failure or systemic error.
question
The fundamental principle that should govern a privacy incident is to what?
answer
Allow an affected person the opportunity to protect themselves from identity theft or other harm
question
The primary focus when managing any privacy incident is always what?
answer
Harm prevention and/or minimization
question
It is best practice to have the notice of a breach issued to the affected individuals by whom?
answer
The organization that these individuals are likely to recognize from a prior or current relationship