CIPM – IAPP Flashcards

question

Proactive privacy management is accomplished through three tasks
answer

1) Define your organization’s privacy vision and privacy mission statements 2) Develop privacy strategy 3) Structure your privacy team
question

This is needed to structure responsibilities with business goals
answer

Strategic Management
question

Identifies alignment to organizational vision and defines the privacy leaders for an organization, along with the resources necessary to execute the vision.
answer

Strategic Management model
question

Member of the privacy team who may be responsible for privacy program framework development, management and reporting within an organization
answer

Privacy professional
question

Strategic management of privacy starts by
answer

creating or updating the company’s vision and mission statement based on privacy best practice
question

Privacy best practices
answer

1) Develop vision and mission statement objectives 2) Define privacy program scope 3) Identify legal and regulatory compliance challenges 4) Identify organizational personal information legal requirements
question

This key factor lays the groundwork for the rest of the privacy program elements and is typically comprised of a short sentence or two that describe the purpose and ideas in less than 30 seconds.
answer

Vision or mission statement
question

This explains what you do as an organization, not who you are; what the organization stands for and why what you do as an organization to protect personal information is done
answer

Mission Statement
question

What are the steps in the five step metric cycle
answer

Identify, Define, Select, Collect, Analyze
question

The first step in selecting the correct metrics starts with what?
answer

Identifying the intended metric audience
question

The primary audience for metrics may include
answer

Legal and privacy officers, senior leadership; CIO, CSO, PM, Information Systems Owner (ISO), Information Security Officer (ISO), Others considered users and managers
question

The secondary audience, those who may not have privacy as a primary task, includes whom?
answer

CFO, Training organizations, HR, IG, HIPAA security officials
question

The tertiary audiences may be considered, based on the organization’s specific or unique requirements such as who?
answer

External watchdog groups, Sponsors, Stockholders
question

The difference between metrics audiences is based on what?
answer

Level of interest, influence and responsibility to privacy within the business objectives, laws and regulations, or ownership
question

Specific to Healthcare metrics, audiences may include whom?
answer

HIPAA privacy officers, medical interdisciplinary readiness teams (MIRTs), senior executive staff, covered entity workforce, self-assessment tool and risk analysis/management
question

What is the second step in the metric life cycle?
answer

Define Reporting Procedures
question

A metric owner must be able to do what?
answer

Evangelize the purpose and intent of that metric to the organization
question

This person is the process owner, champion, advocate and evangelist responsible for management of the metric throughout the metric life cycle
answer

Metric Owner
question

As Six Sigma teaches, an effective metric owner must do what?
answer

1) Know what is critical about the metric, 2) Monitor process performance with the metric, 3) Make sure the process documentation is up to date, 4) Perform regular reviews, 5) Make sure that any improvements are incorporated and maintained in the process, 6) Advocate the metric to customers, partners and others, 7) Maintain training, documentation, and materials
question

As a general practice, who should not perform the data collection tasks or perform the measurements of the metric?
answer

Metric Owner
question

What is the third step in the metric life cycle
answer

Select Privacy Metrics
question

Selecting the correct privacy metric requires what?
answer

Full understanding of the business objectives and goals, along with a clear understanding of the primary business functions.
question

Prior to selecting metrics, the reader should first understand what?
answer

Attributes of an effective metric with metric taxonomy and how to limit improper metrics.
question

An effective metric is a clear and concise metric that defines and measures what?
answer

Progress toward a business objective or goal without overburdening the reader
question

Good metrics should not do what?
answer

Overburden the reader
question

A metric should be clear in the meaning of what is being measured and what else?
answer

1) Rigorously defined, 2) Credible and relevant, 3) Objective and quantifiable, 4) Associated with the baseline measurement per the organization standard metric taxonomy
question

If a standard metric taxonomy does not exist, privacy professionals can generate their own using the best practices from where?
answer

NIST, NISTIR 7564, “Directions in Security Metrics Research”
question

A mission statement should include what five items?
answer

Value the organization places on privacy, Desired organizational objectives, Strategies to drive the tactics used to achieve the intended outcomes, Clarification of roles and responsibilities
question

Strategic Management assigns roles, sets expectations, grants powers and what?
answer

Verifies performance
question

This model identifies alignment to organization vision and defines the privacy leaders for an organization, along with the resources (people, policy, processes, and procedures) necessary to execute vision
answer

Strategic Management Model
question

This is a key factor that lays the groundwork for the rest of the privacy program elements and is comprised of a short sentence or two that describes purpose and ideas in less than 30 seconds
answer

Mission Statement
question

What are the four steps in defining your organization’s privacy vision and privacy mission statements
answer

1. Develop Vision and Mission Statement Objectives 2. Define Privacy Program Scope 3. Identify Legal and Regulatory Compliance Challenges 4. Identify Organizational Personal Information Legal Requirements
question

What are the steps of Strategic Management?
answer

Define Privacy and Mission, Develop Privacy Strategy, Structure Privacy Team
question

This is someone who understands the importance of privacy and will act as an advocate for you and for the program. Typically, they will have experience with the organization, the respect of their colleagues and access to or ownership of budget.
answer

Program Sponsor
question

This is an executive who acts as an advocate and sponsor to further foster privacy as a core organization concept
answer

Program Champion
question

Individual executives who lead and “own” the responsibility of the relevant activities are called what?
answer

Stakeholders
question

As a rule, privacy policies and procedures are created and enforced at what level?
answer

Functional
question

Policies imposing general obligations on employees may reside with whom?
answer

Ethics, legal and compliance
question

Policies and procedures that dictate certain privacy and security requirements on employees as they relate to the technical infrastructure typically sit with whom?
answer

IT
question

Policies that govern requirements that need to be imposed on providers of third-party services that implicate personal data typically sit with whom?
answer

Procurement
question

Policies that govern the use and disclosure of health information about employees of the organization typically reside with whom?
answer

HR
question

This approach collects the various data-protection requirements and rationalizes them where possible
answer

Pragmatic Approach
question

When defining your privacy program scope, you must first do what?
answer

Understand and identify the legal and regulatory compliance challenges of the organization and identify the data impacted
question

If your organization plans to do business within a jurisdiction that has inadequate or no data protection regulations, you should do what?
answer

Institute your organization’s requirements, policies and procedures instead of reducing them to the level of the country
question

When developing your global privacy strategy, it must be relevant to what?
answer

Markets, cultures, and geographical locations
question

According to Baker and McKenzie in their looking-ahead analysis of 2012, the goal of “achieving compliance” is steadily being replaced with what?
answer

A corporate need to “achieve and maintain compliance”
question

What are examples of certain types of organizations and entities known as “covered entities”
answer

Healthcare providers (hospitals, clinics, pharmacies) and health plans (medical plans, organization benefit plans) subject to HIPAA.
question

Merchants that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards must be in compliance with what?
answer

Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, not a law.
question

If you process personal information of any resident of a state that has adopted a breach notification law, understand that to the extent that non-encrypted data has been compromised, your compliance obligations may include notification to whom?
answer

The residents of the states, as well as government bodies or state attorney general offices.
question

What is the first step when identifying Organizational Personal Information Legal Requirements
answer

“Roughing out” the scope of a privacy program by flagging areas in an organization where personal information is likely to be collected, accessed or used (HR, finance, marketing, customer relationship management systems, IT)
question

In the U.K., this regulation contains privacy rules for any form of electronic marketing, in addition to a vast array of statutes, regulations and voluntary codes of practice that govern direct marketing activity.
answer

Privacy and Electronic Communications Regulations
question

Based on these three things, the privacy professional will need to determine the best methods, style and practices for working within the organization.
answer

Individual culture, politics and protocols of the organization
question

This function is more closely aligned to the privacy group than any other function.
answer

Information Security (IS)
question

This functional group adds processes and controls that support privacy principles. Creating processes to develop and test software and applications in a manner that does not require the use of production data decreases the chances that the data will be compromised and that individuals who have no business need will access it
answer

Information Technology (IT)
question

This functional group traditionally functions independently to assess whether controls are in place to protect personal information and whether people are abiding by these controls
answer

Internal audit group
question

Many organizations create this, comprised of the same stakeholders that were identified at the start of the privacy program implementation process. Instrumental in making strategic decisions and driving such strategies and decisions through their own organizations.
answer

Privacy committee or council
question

Organizations with a global footprint often create a governance structure that is comprised of whom?
answer

Representatives from each geographic region and business function (i.e., HR) in which the organization has a presence, to ensure that proposed privacy policies, processes, and solutions align with local laws.
question

Your first step when developing a Data-governance Strategy for Personal Information (Collection, Authorized Use, Access, Security, Destruction) is what?
answer

Take an inventory of relevant regulations that apply to your business. Once you determine which laws apply, you must design a manageable approach to handling and protecting personal information
question

This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations with which you must comply.
answer

Rationalization
question

Data-protection regulations typically include what items?
answer

• Notice • Choice • Consent • Purpose limitations • Limits on retaining data • Individual rights to access • Correction and deletion of data • Obligation to safeguard data
question

Privacy professionals should always involve whom to review, define or establish technical security controls, including common security controls such as firewalls, malware anti-virus, and complex password requirements
answer

Security Engineer
question

This strategy seeks solutions that do not violate any data privacy laws, exceed budgetary restrictions or contradict organization goals and objectives
answer

Strictest Standard
question

When positioning the privacy team, you should also consider the authority it will receive based on what?
answer

Governance model it follows
question

Executive leadership support for your governance model will have a direct impact on the level of success when implementing your privacy strategies. What are the important steps to integrate into any model?
answer

o Involve senior leadership o Involve stakeholders o Develop internal partnerships o Provide flexibility o Leverage communications o Leverage collaboration
question

This type of governance fits well in organizations accustomed to utilizing single-channel functions (where direction flows from a single source), with planning and decision making completed by one group
answer

Centralized Governance
question

This type of governance delegates decision-making authority down to the lower levels in an organization; relatively away from and lower than a central authority
answer

Local or Decentralized
question

This is an implementation road map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization
answer

Privacy Program Framework
question

Privacy governance framework provides the methods to what?
answer

Assess, protect, sustain and respond to the positive and negative effects of all influencing factors
question

This process provides the means to evaluate business rhythms, technical systems and associated costs against the strategic business objectives and performance of the organization.
answer

Performance Measurement with Metrics Selection
question

This provides quantifiable output that is measurable, meaningful, answers specific questions and is clearly defined
answer

Metrics performance
question

Major drivers impacting the increased need for privacy metrics include what?
answer

Means of providing meaningful information on your privacy regime to key stakeholders; Generational change in the use of technology; Rapid advancements in technology; Catastrophes, such as data loss events, that drive tighter regulations, laws and standards; Current security and privacy solutions that are not designed to deal with the fast pace of emerging technologies or requirements; Privacy regulations becoming more stringent while privacy exceptions rise; Professionals embracing security and privacy as part of their job
question

Privacy Objectives are typically broad-based. What is an example of a privacy objective?
answer

Privacy Notice
question

Privacy goals are specific and measurable. What is an example of a Privacy Goal?
answer

Provide privacy notices to 100 percent of the customer base; number of privacy notices.
question

These provide a common language between business, operational and technical managers to discuss the relevant information (e.g., good, bad, or indifferent) related to assessing progress.
answer

Metrics
question

Generic privacy metrics should be developed to enable analyses of which processes?
answer

o Collection (notice) o Responses to data subject inquiries o Use o Retention o Disclosure to third parties o Incidents (breaches, complaints, inquiries) o Employee training o Privacy Impact Assessment o Privacy risk indicators o Percent of organization functions represented by governance mechanisms
question

What are the steps of the Metric Life Cycle
answer

o Identify the intended audience – Who will use the data o Define the data sources – Who is the data owner and how is that data accessed o Select privacy metrics – what metrics to use based on the audience, reporting resources and final selection of the best metric o Collect and refine systems/applications collection point – where will the data come from to finalize the metric collection report? When will the data be collected? Why is that data important? o Analyze the data/metrics to provide value to the organization and provide a feedback quality mechanism
question

This lists the metric characteristics that delineate boundaries between metric categories
answer

Metric taxonomy
question

Metric taxonomies provide what categories?
answer

Objective/Subjective, Quantitative/Qualitative, IT Metrics/Quantitative Measurement, Static/Dynamic, Absolute/Relative, Direct/Indirect
question

Objective metrics are more desirable than what type?
answer

Subjective
question

These measurements typically map to best practices
answer

Qualitative measurements
question

These types of measurements use data recorded in a numerical-mathematical fashion
answer

Quantitative measurements
question

Per recent industry surveys, Chief Information Security Officers seem to prefer which type of measurements?
answer

Qualitative measurements
question

This type of metric evolves with time
answer

Dynamic measurements
question

The distinction between direct and indirect metrics is based on what?
answer

The way a metric is measured
question

Size is an example of what type of metric
answer

Direct
question

Quality or complexity can only be measured how?
answer

Indirectly by extrapolation from other measured factors
question

The privacy professional must guard against improper conclusions such as these
answer

Faulty Assumptions, Selective Use, Well-chosen Average, Semi-attachment, Biased Sample, Intentional Deceit, Massaging the Numbers, Overgeneralization
question

This conclusion is based on the occurrence of concurrent events without substantive evidence correlating the events
answer

Faulty Assumptions
question

This is when a specific subset of information is extrapolated from the larger data set, which leads to invalid/incorrect conclusions.
answer

Selective Use
question

Many times the mean is used for a metric, but it is sometimes more appropriate to use the median or mode rather than the true mean/average
answer

Well-chosen Average
question

When an individual is unable to prove their point, this may result in the exclusion of elements of a measurement when conveying results
answer

Semi-attachment
question

This measurement completely excludes certain elements from the data population, thus reporting on a partial set of data and leading to false assumptions
answer

Biased Sample
question

An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental effect on the metric or metric owner
answer

Intentional Deceit
question

This is slightly adjusting measurements to provide the appearance of success or other-than-actual results, leading the reviewer to believe the metric is more successful than it actually may be
answer

Massaging the Numbers
question

This occurs when inferences are made concerning a general data population that leads to poor conclusions
answer

Over-generalizations
question

As a basic business practice in the selection of metrics, the privacy professional should select how many key privacy metrics, focused on the key organizational objectives?
answer

Three to five
question

This is a data pattern that shows trends in an upward or downward tendency, e.g., privacy breaches over time
answer

Time series
question

This is an indicator used to measure the financial gain/loss (or value) of a project in relation to its cost
answer

Return on Investment (ROI)
question

Return on Investment (ROI) is measured how?
answer

(Benefits – Costs) / Costs
question

Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in what?
answer

Physical assets, Personnel assets, IT assets, Operational assets
question

This term relates to the protection of hardware, software, and data against physical threats, to reduce or prevent disruptions to operations and services and loss of assets
answer

Physical assets
question

These are measures to reduce the likelihood and severity of accidental and intentional alteration, destruction, misappropriation, misuse, misconfiguration, unauthorized distribution and unavailability of an organization’s logical and physical assets, as the result of action or inaction by insiders and known outsiders, like business partners
answer

Personnel assets
question

Inherent technical features that collectively protect the organizational infrastructure, achieving and sustaining confidentiality, integrity, availability, and accountability.
answer

IT assets
question

As it relates to ROI metrics, the first step is to identify and characterize the ROI metric to address what?
answer

The specific risk that control or feature is supposed to mitigate
question

As it relates to ROI metrics, the second step is to define what
answer

the value of the asset
question

This is the ability to rapidly adapt and respond to business disruptions and to maintain continuous business operations
answer

Business Resiliency
question

The privacy professional or organization should include in the privacy budget the costs to generate what?
answer

metrics
question

The most time-consuming task of a privacy professional was of a strategic nature, which was what?
answer

advising the organization on privacy issues
question

What are the phases of the privacy operational life cycle
answer

o Assess (measure) o Protect (improve) o Sustain (evaluate) o Respond (support)
question

What are the PMM maturity levels?
answer

Ad hoc, Repeatable, Defined, Managed, Optimized
question

This PMM maturity level indicates procedures or processes are generally informal, incomplete, and inconsistently applied
answer

Ad hoc
question

This PMM maturity level indicates procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects
answer

Repeatable
question

This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all relevant aspects
answer

Defined
question

This PMM maturity level indicates that reviews are conducted to assess the effectiveness of the controls in place
answer

Managed
question

This PMM maturity level indicates that regular review and feedback is used to ensure continuous improvement towards optimization of the given process
answer

Optimized
question

What are the seven foundational principles of PbD?
answer

Proactive not Reactive: Preventative not Remedial; Privacy as the Default Setting; Privacy Embedded into Design; Full Functionality: Positive-Sum not Zero-Sum; End-to-End Security: Full Life Cycle Protection; Visibility and Transparency; Respect for User Privacy
question

This ensures that privacy and security controls are aligned with an organization’s tolerance for risk and its compliance with regulations and commitment to building a sustainable privacy-minded culture
answer

PbD paradigm
question

One tool used to determine whether a PIA should be conducted is called what?
answer

Privacy Threshold Analysis (PTA)
question

These types of assessments further assist the privacy professional in the Protect phase
answer

PIA, risk assessments, security assessments
question

This is a policy-based approach to manage the flow of information through a life cycle from creation to final disposition
answer

DLM/ILM
question

Main drivers of DLM/ILM
answer

1. Enterprise data growth 2. Growth in unstructured data 3. Limitations in relational database management system performance 4. Information access and security concerns 5. Lack of effective methods for classifying data 6. Difficulty in assessing productivity of systems, applications and databases
question

Main benefits of DLM and ILM are what?
answer

Increased control over data, regulatory compliance (thereby minimizing business risk) and reduced costs (by eliminating redundancies in data storage)
question

In the EU, who retains legal liability for any harm associated with the collected data?
answer

Data Controller
question

According to OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, what are the five factors that should be considered in a data breach?
answer

Nature of the data elements breached, number of individuals affected, likelihood that the information is accessible and usable, likelihood the breach may lead to harm, the organization’s ability to mitigate the risk of harm
question

What does the Federal government guidance state when a breach poses little or no risk of harm?
answer

Notification could create unnecessary concern and confusion
question

To establish tort liability, a third-party plaintiff must show what?
answer

That the organization owed him or her a duty of care
question

A breach will typically involve
answer

Third party hacker who intentionally exploits vulnerabilities of the customer system, Customer failure to properly operate, use or secure its systems, Lost or stolen computer equipment, Misconduct of customer employees
question

As part of the incident-response planning process, this group will provide guidance regarding the detection, isolation, removal, and preservation of affected systems.
answer

Information Systems (IS)
question

One of this group’s primary roles after a breach is to advise corporate privacy and executive teams on response notification requirements, in particular, who should be notified, how and when
answer

Legal
question

In the aftermath of a data breach, this group may serve as the organization’s informational conduit, working closely with PR or corporate communications to inform and update employees about the incident
answer

HR
question

This group’s role during a data breach can be to work with management and PR teams to establish and maintain a positive, consistent message, during both the crisis and the post-breach notifications
answer

Marketing
question

Because of their unique association with customers and the bond of trust built carefully over time, this group is often asked to notify key accounts when their data has been breached
answer

BD
question

When a data breach occurs, these stakeholders quickly assume their position on the front lines, preparing for the response to potential media inquiries and coordinating internal and external status updates
answer

Communications and PR
question

After a breach occurs, the primary role for this stakeholder is to provide members with timely updates and instructions.
answer

Union Leadership
question

One of the first and arguably most critical steps taken by the top executive is to what?
answer

Promptly allocate funds and manpower needed to resolve the breach.
question

This plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after a data breach
answer

Business Continuity Plan (BCP)
question

In a 2011 survey of 400 IT executives, one-fifth indicated these events had made business continuity planning a much higher priority in recent years?
answer

Natural disasters, security and terrorist threats
question

This is a structured readiness testing activity that simulates an emergency situation in an informal, stress-free setting
answer

Tabletop exercise
question

Generally speaking, this may be described as any potential or actual compromise of personal information in a form that facilitates intentional or unintentional access by unauthorized third parties
answer

Privacy incident
question

A 2012 study revealed what groups were most often the cause for privacy incidents?
answer

Insiders and third parties
question

This is the internal process of employees alerting supervisors about a security-related incident, who in turn report the details to a predefined list of experts
answer

Escalation
question

This is the process of informing affected individuals that their personal data has been breached
answer

Notification
question

Assuming privacy incident notification is required, organizations generally have how long to notify the affected individuals
answer

60 days
question

This is one method of enforcing security and accountability in how personal data is handled by third parties
answer

Binding contractual obligations and reporting requirements
question

This activity triggers the pre-notification process
answer

Once breach investigators conclude that an actual compromise of sensitive information has occurred
question

Generally, most well-conceived incident response plans account for and/or include which elements?
answer

Key stakeholders, Execution timeline, Progress reporting and Response evaluation and modifications
question

Common reporting intervals in incident response plans include what?
answer

Hourly, daily, weekly, monthly
question

Reporting resources can be found with the technical and business characteristics of an organization that include
answer

People, Processes, Technology
question

These are two complementary processes that prepare an organization for crises and for managing the business afterwards, thereby reducing risk.
answer

Business Continuity and Disaster Recovery Planning (BCDR)
question

Privacy is concerned with an individual’s ability to control the use of personal information while information security focuses on what?
answer

Mechanisms for protection of information and information systems
question

The CIA triad, in addition to further advanced information security concepts, consists of what?
answer

Confidentiality, Integrity, Availability, Accountability, Assurance
question

Separation of legal, compliance, internal audit and security functions: collaboration is more challenging, but what?
answer

functional independence is assured
question

Combining of legal, compliance, internal audit and security functions: collaboration is assured, but what?
answer

functional independence is more challenging
question

What are the steps of the Audit Life Cycle?
answer

Planning, Preparation, Audit, Report, Follow-up
question

What are the three types of audit categories?
answer

First party/internal audit, Second-party audits, Third-party/external audits
question

These audits are a form of “self-evaluation”
answer

First-party/internal audits
question

These types of audits are typically Supplier Audits because they are used where an organization has to assure itself of the ability of a potential or existing supplier or subcontractor to meet the requirements.
answer

Second-party audits
question

This is a form of internal audit that does not exempt an organization from fulfilling obligations under applicable laws or regulations
answer

Self-Certification
question

A well-known self-certification framework is what?
answer

US-EU Safe Harbor
question

The Sustain phase of the privacy operational life cycle provides privacy management through what?
answer

Monitoring, auditing, and communication
question

The Respond phase of the privacy operational life cycle includes which principles?
answer

Information requests, legal compliance, incident response planning and incident handling
question

The form of Redress that is offered to the complainant should be clearly defined in what?
answer

Your complaint response process and documented for resolution
question

Data integrity issues are often the result of what?
answer

Human failure or systemic error.
question

The fundamental principle that should govern a privacy incident is to what?
answer

Allow an affected person the opportunity to protect themselves from identity theft or other harm
question

The primary focus when managing any privacy incident is always what?
answer

Harm prevention and/or minimization
question

It is best practice to have the notice of a breach issued to the affected individuals by whom?
answer

The organization that these individuals are likely to recognize from a prior or current relationship
