12/31/2019 Test: Cipm - Iapp | Quizlet

100 Matching questions

Questions

1. The privacy professional or organization should include in the privacy budget the costs to generate what?
2. Training Programs
3. Effective Metrics: workforce, self assessment tool and risk analysis/management
4. What are the phases of the privacy operational life cycle?
5. CIA triad in addition to further advanced information security concepts are what?
6. Tracking and benchmarking data protection indicators through Performance Measurement is important because...
7. Policies that govern the use and disclosure of health information about employees of the organization typically reside with whom?
8. Generally speaking, this may be described as any potential or actual compromise of personal information in a form that facilitates intentional or unintentional access by unauthorized third parties
9. Developing organizational privacy policies, standards, and/or guidelines involves:
10. Performance Measurement
11. The secondary audience includes those who may not have privacy as a primary task include
12. Objective metrics are more desirable than what type?
13. These types of measurements use data recorded within a numerical-mathematical fashion
14. Size is an example of what type of metric?
15. The fundamental principle that should govern a privacy incident is to what?
16. What is the first step when identifying Organizational Personal Information Legal Requirements?
17. Privacy best practices
18. POLC / Respond / Privacy Incidents / Legal Compliance
19. Define Privacy:
20. Privacy Objectives are typically broad-based. What is an example of a privacy objective?
21. Performing a gap analysis will...
22. POLC / Sustain / Communicate / Targeted employee, management, and contractor training...
23. This term relates to the protection of hardware, software, and data against physical threats, to reduce or prevent disruptions to operations and services and loss of assets
24. The Sustain phase of the privacy operational life cycle provides privacy management through what?
25. POLC / Sustain / Communicate / Awareness
26. This type of metric evolves with time
27. POLC / Respond / Information Requests
28. 4 keys to Response?
29. What are the steps of Strategic Management?
30. Major drivers impacting the increased need for privacy metrics include what?
31. This is a specific subset of information extrapolated from the larger data set, which leads to invalid/incorrect conclusions.
32. Metric taxonomies provide the following categories:
33. Technical Controls
34. Privacy is concerned with an individual's ability to control the use of personal information while information security focuses on what?
35. eof
36. 11 element DLM model
37. Vision or mission statement
38. Metrics structure
39. The form of Redress that is offered to the complainant should be clearly defined in what?
40. Business Case (as a step in developing the Privacy Policy Framework)
41. Policies imposing general obligations on employees may reside with whom?
42. Policies and procedures that dictate certain privacy and security requirements on employees as they relate to the technical infrastructure typically sit with whom?
43. This activity triggers the pre-notification process
44. What are the 3 high level security roles?
45. This ensures that privacy and security controls are aligned with an organization's tolerance for risk and its compliance with regulations and commitment to building a sustainable privacy-minded culture
46. Individual executives who lead and "own" the responsibility of the relevant activities are called what?
47. Privacy Program Framework is:
48. Assuming privacy incident notification is required, organizations generally have how long to notify the affected individuals?
49. This function is more closely aligned to the privacy group than any other function.
50. This plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after a data breach
51. This is needed to structure responsibilities with business goals
52. Privacy goals are specific and measurable. What is an example of a Privacy Goal?
53. POLC / Assess / Processors and 3rd party vendor assessment includes:
54. An effective metric is a clear and concise metric that defines and measures what?
55. Education and Awareness:
56. Program assurance or the governance structure:
57. What is the difference between positive & negative controls?
58. Ten foundational elements for privacy Business Case Development are:
59. What are the 4 Parts of the Privacy Operational Life Cycle?
60. POLC / Respond / Privacy Incidents / Follow incident response process to ensure meeting jurisdictional, global, and business requirements by...
61. There are only 2 forms of privacy control:
62. It is best practice to have the notice of a breach issued to the affected individuals by whom?
63. Need for Data Life Cycle Management (DLM)
64. The most time consuming task of a privacy professional was of a strategic nature, which was what?
65. Laws and regulations
66. Business Case
67. No matter the size of an organization, if the core business of the organization revolves around the processing of personal data...
68. When positioning the privacy team, you should also consider the authority it will receive based on the what?
69. Privacy professionals should always involve whom to review, define or establish technical security controls, including common security controls such as firewalls, malware anti-virus, and complex password requirements?
70. Privacy Assessment Approach (Key Areas)
71. This functional group traditionally functions independently to assess whether controls are in place to protect personal information and whether people are abiding by these controls
72. Because of their unique association with customers and the bond of trust built carefully over time, this group is often asked to notify key accounts when their data has been breached
73. Specific to Healthcare metrics, audiences may include whom?
74. Metric - Tertiary audience
75. This is a structured readiness testing activity that simulates an emergency situation in an informal, stress-free setting
76. POLC / Sustain / Audit
77. Policies that govern requirements that need to be imposed on providers of third-party services that implicate personal data typically sit with whom?
78. To establish tort liability, a third-party plaintiff must show what?
79. Steps to Develop Privacy Policies, Standards, Guidelines (4)
80. Types of Governance Models?
81. This is a form of internal audit that does not exempt an organization from fulfilling obligations under applicable laws or regulations
82. This strategy seeks solutions that do not violate any data privacy laws, exceed budgetary restrictions or contradict organization goals and objectives
83. What are the 7 foundation principles of Privacy by Design?
84. POLC / Respond / Privacy Incidents / Incident Response Planning
85. What is CIA & AA?
86. Privacy governance framework provides the methods to what?
87. Technical Controls:
88. Rationalizing requirements (as part of creating a data governance strategy) means...
89. In a 2011 survey of 400 IT executives, one-fifth indicated these events had made business continuity planning a much higher priority in recent years
90. In the U.K., this regulation contains privacy rules for any form of electronic marketing, in addition to a vast array of statutes, regulations and voluntary codes of practice that govern direct marketing activity.
91. CIA Triad
92. Generic privacy metrics should be developed to enable analyses of which processes?
93. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information: what are five factors that should be considered in a data breach?
94. What are the four steps in defining your organization's privacy vision and privacy mission statements?
95. This explains what you do as an organization, not who you are; what the organization stands for and why what you do as an organization to protect personal information is done
96. This PMM maturity level indicates procedures or processes exist; however, they are not fully documented and do not cover all relevant aspects
97. Define Privacy Program Scope
98. This conclusion is based on the occurrence of concurrent events without substantive evidence correlating the events
99. Business Resiliency Metrics
100. External Privacy Organizations:

Answer options

A. Security Engineer
B. PbD paradigm
C. HIPAA privacy officers, medical interdisciplinary readiness teams (MIRTs), senior executive staff, covered entity
D. i) Assess; ii) Protect; iii) Sustain; iv) Respond
E. (1) Preventing Harm; (2) Collection Limitations; (3) Accountability; (4) Monitoring and enforcement
F. Self-Certification
G. Defines individual program needs and way to meet specific goals: Org Privacy Guidance; Define Privacy; Laws/Regs; Technical Controls; External Privacy Orgs; Frameworks; Privacy Enhancing Tech (PETs); Education/Awareness; Program Assurance
H. Provide methods to inform the employee of the important aspects of privacy and the basic protections a non-privacy professional should know.
I. Allow an affected person the opportunity to protect themselves from identity theft or other harm
J. Physical assets
K. (1) Engage privacy team; (2) Review the facts; (3) Conduct analysis; (4) Determine actions (contain, communicate, etc.); (5) Execute; (6) Monitor
L. (1) Centralized; (2) Distributed; (3) Hybrid
M. Assess (measure); Protect (improve); Sustain (evaluate); Respond (support)
N. Confidentiality. Prevention of unauthorized disclosure of information. Integrity. Ensures information is protected from unauthorized or unintentional alteration, modification or deletion. Availability. Information is readily accessible to authorized users. +2 = Accountability, Assurance
O. 60 days
P. DLM allows for identification and timely address of possible issues stemming from conflict of laws and differences in compliance with local legislation. Also, helps to decrease amount of info.
Q. Stakeholders
R. (1) Enterprise Objectives; (2) Minimalism; (3) Simplicity of Procedure and Effective Training; (4) Adequacy of Infrastructure; (5) Information Security; (6) Authenticity and Accuracy of One's Own Records; (7) Retrievability; (8) Distribution Controls; (9) Auditability; (10) Consistency of Policies; (11) Enforcement
S. Mechanisms for protection of information and information systems
T. (1) Access; (2) Redress; (3) Correction; (4) Managing data integrity
U. Provide privacy notices to 100 percent of the customer base; number of privacy notices.
V. Taking a more pragmatic approach and collect the various data protection requirements and "rationalize" them where you can. Rationalizing means implementing a solution that materially addresses the various requirements of the majority of laws and regulations with which you must comply. * Must address high risk exceptions as part of this process too!
W. i) Proactive not Reactive; Preventative not Remedial; ii) Privacy as Default Setting; iii) Privacy Embedded into Design; iv) Full Functionality; v) End to End Security (Throughout Lifecycle); vi) Visibility and Transparency; vii) Respect for User Privacy
X. Your complaint response process and documented for resolution
Y. Dynamic measurements
Z. Selective Use
AA. Ethics, legal and compliance
AB. Serve as guardians or protectors against misuse, loss, or illegal practices.
AC. It ensures proper data protections are in place within businesses and between employees, consumers, and customers.
AD. (1) Organizational privacy office guidance; (2) Define privacy; (3) Laws and Regulations; (4) Technical Controls; (5) External Privacy Organizations; (6) Industry Frameworks; (7) Privacy Enhancing Technologies (PETs); (8) Information technology cutting-edge or innovation solutions; (9) Education and Awareness; (10) Program assurance or the governance
AE. Such as implementing systems that support role-based access, also support the larger purposes of the privacy program by specifically identifying and limiting who can access the personal information in a particular database.
AF. BD
AG. Progress toward a business objective or goal without overburdening the reader
AH. Information Security (IS)
AI. Subjective
AJ. Provide the assurances necessary to achieve the goals of physical and data security.
AK. Dealing with privacy policies should be based on clear policies and standards and have ongoing mechanisms and processes to educate and guide employees in implementation. Everyone who handles personal information needs to be trained in privacy policies and how to deploy them within their area to ensure compliance with all policy requirements. This applies to employees, management, contractors and other entities with which your organization might share personal information.
AL. (1) Understand key roles and responsibilities (ID key business stakeholders and establish incident response teams); (2) Develop a privacy incident response plan; (3) Identify elements of the privacy incident response plan; (4) Integrate privacy incident response into business continuity planning
AM. "Roughing out" the scope of a privacy program by flagging areas in an organization where personal information is likely to be collected, accessed or used (HR, finance, marketing, customer relationship management systems, IT)
AN. Governance model it follows
AO. (1) Define and measure progress toward business goals and objectives; (2) Should be concise - large amounts of useless info is counterproductive; (3) Should be clear in the meaning of what is being measured; (4) Rigorously defined; (5) Credible and relevant; (6) Objective and quantifiable; (7) Associated with the baseline measurement per the organization standard metric taxonomy
AP. Privacy Notice
AQ. ...having in place as thorough a Privacy Policy Framework as possible becomes all the more important and should be prioritized within the organization.
AR. Define Privacy and Mission, Develop Privacy Strategy, Structure Privacy Team
AS. Provide the MANDATORY GOVERNMENT POLICY and guidance based on the organization's location and industry.
AT. 1. Develop Vision and Mission Statement Objectives; 2. Define Privacy Program Scope; 3. Identify Legal and Regulatory Compliance Challenges; 4. Identify Organizational Personal Information Legal Requirements
AU. Quantitative measurements
AV. Direct
AW. i) Assessment of Business Case; ii) Gap Analysis; iii) Review & Monitor; iv) Communicate
AX. Determine the capability of current privacy management to support each of the business and technical requirements
AY. (1) Negative Controls - Enable privacy but constrain business (win/lose); (2) Positive Controls - Enable privacy and enable business objectives (win/win)
AZ. Mission Statement
BA. i) Executive; ii) Functional; iii) Corollary
BB. Strategic Management
BC. (1) Create awareness of the organization's privacy program; (2) Ensure policy flexibility in order to incorporate legislative/regulatory/market requirements; (3) Develop internal and external communication plans to ingrain organizational accountability; (4) Identify, catalog and maintain documents requiring updates as privacy requirements change
BD. (1) Privacy policies; (2) Operational privacy practices (e.g., standard operating instructions), such as (a) Data creation/usage/retention/disposal, (b) Access control, (c) Reporting incidents, (d) Key contacts
BE. Metrics
BF. (1) Evaluate processors and third party vendors, in-sourcing and outsourcing privacy risks: (a) Privacy and information security policies, (b) Access controls, (c) Where personal information is being held, (d) Who has access to personal information; (2) Understand and leverage the different types of relationships: (a) Internal audit, (b) Information security, (c) Physical security, (d) Data protection authority; (3) Risk Assessment; (4) Contractual Requirements; (5) Ongoing monitoring and auditing
BG. Monitoring, auditing, and communication
BH. This key factor lays the groundwork for the rest of the privacy program elements and is typically comprised of a short sentence or two that describe the purpose and ideas in less than 30 seconds.
BI. eof
BJ. Means of providing meaningful information on your privacy regime to key stakeholders; Generational change in the use of technology; Rapid advancements to technology; Catastrophes, such as data loss events, that drive tighter regulations, laws and standards; Current security and privacy solutions that are not designed to deal with the fast pace of emerging technologies or requirements; Privacy regulations becoming more stringent while privacy exceptions rise; Professionals embrace security and privacy as part of their job
BK. Internal audit group
BL. Positive - Enable privacy and business practices (win/win); Negative - Enable privacy but constrain business (win/lose)
BM. i) Identify & Understand Legal and Regulatory Compliance Challenges; ii) Identify the Data Impacted; Understand Global Perspective; Customize Approach; Be Aware of Laws, Regulations, Processes, Procedures; Monitor Legal Compliance Factors
BN. Confidentiality, Integrity, Availability, Accountability, Assurance
BO. Business Continuity Plan (BCP)
BP. (1) Align privacy operations to an internal and external compliance audit program; (2) Audit compliance with privacy policies and standards; (3) Audit data integrity and quality; (4) Communicate audit findings with stakeholders
BQ. As related to your program or organization. Use all available resources to determine the correct and appropriate definition of privacy for your org.
BR. (1) Assessment of Business Case; (2) Gap Analysis; (3) Review and monitor privacy program; (4) Communicate the framework
BS. That the organization owed to him or her a duty of care
BT. i) Internal Audit & Risk Management; ii) Information Tech & IT Operations/Development; iii) Information Security; iv) HR/Ethics; v) Legal/Contracts; vi) Process/3rd Party Vendors; vii) Marketing/Sales; viii) Government Relations; ix) Accounting/Finance
BU. Nature of the data elements breached, number of individuals affected, likelihood that the information is accessible and usable, likelihood the breach may lead to harm, the organization's ability to mitigate the risk of harm
BV. External watchdog groups; Sponsors; Stockholders
BW. Once breach investigators conclude that an actual compromise of sensitive information has occurred
BX. Collection (notice); Responses to data subject inquiries; Use; Retention; Disclosure to third parties; Incidents (breaches, complaints, inquiries); Employee training; Privacy Impact Assessment; Privacy risk indicators; Percent of organization functions represented by governance mechanisms
BY. Strictest Standard
BZ. (1) Objective / Subjective; (2) Quantitative / Qualitative; (3) Information Technology Metrics / Quantitative Measurement; (4) Static / Dynamic; (5) Absolute / Relative; (6) Direct / Indirect
CA. Advising the organization on privacy issues
CB. Procurement
CC. Repeatable
CD. Tools that facilitate decision making and accountability through collection, analysis, and reporting of data. They must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical.
CE. The organization that these individuals are likely to recognize from a prior or current relationship
CF. Natural disasters, security and terrorist threats
CG. Privacy incident
CH. 1) Identify organization PI legal requirements; 2) Develop V&M statement objectives; 3) Identify legal & regulatory compliance challenges; 4) Define privacy program scope*
CI. Faulty Assumptions
CJ. Mandate operational safeguards that include auditing.
CK. IT
CL. Ability to rapidly adapt and respond to business disruptions
CM. CFO, Training organizations, HR, IG, HIPAA security officials
CN. Table top exercise
CO. HR
CP. Confidentiality; Integrity; Availability; Accountability; Assurance
CQ. i) Information Requests; ii) Legal Compliance; iii) Incident Response Planning; iv) Incident Handling
CR. Privacy and Electronic Communications Regulations
CS. An implementation road-map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.
CT. The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness; gathering data and producing quantifiable output that describes performance.
CU. Assess, protect, sustain and respond to the positive and negative effects of all influencing factors
CV. Allows for the understanding of the role of privacy in the context of business requirements and identification of business benefits and risks.

https://quizlet.com/236674660/test?answerTermSides=2&promptTermSides=6&questionCount=298&questionTypes=14&showImages=true 1/39

93 Multiple choice questions

1. Metric Owner
A. Five-Step Metric Life Cycle:
B. Organizational privacy office guidance:
C. This is a key factor that lays the groundwork for the rest of the privacy program elements and is comprised of a short sentence or two that describes purpose and ideas in less than 30 seconds
D. This person is the process owner, champion, advocate and evangelist responsible for management of the metric throughout the metric life cycle

2. Strategic Management Model
A. As a general practice, who should not perform the data collection tasks or perform the measurements of the metric?
B. Organizational privacy office guidance:
C. The secondary audience includes those who may not have privacy as a primary task include
D. This model identifies alignment to organization vision and defines the privacy leaders for an organization, along with the resources (people, policy, processes, and procedures) necessary to execute vision

3. Qualitative measurements
A. This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations with which you must comply.
B. As part of the incident-response planning process, this group will provide guidance regarding the detection, isolation, removal, and preservation of affected systems.
C. Per recent industry surveys, Chief Information Security Officers seem to prefer which type of measurements?
D. This is a data pattern that shows trends in an upwards or downward tendency, i.e., privacy breaches over time

4. Should document the principles, policies, and practices that influence privacy for the organization. Provide direction on org. privacy practices, privacy roles and responsibilities, breach or incident documents, privacy ownership, assign stakeholders. They should also provide formal procedures for receiving and resolving privacy-related inquiries and complaints from both internal and external sources.
A. POLC / Respond / Privacy Incidents
B. This plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after a data breach
C. What is a Privacy Program Framework?
D. Internal Policy, Written Policy:

5. Creating or updating the company's vision and mission statement based on privacy best practice
A. Strategic management of privacy starts by
B. Performing a gap analysis will...
C. Attributes of an effective Metric
D. Strategic Management model

6. (1) Legal Compliance; (2) Incident Response Planning; (3) Incident Detection; (4) Incident Handling; (5) Follow incident response process to ensure meeting jurisdictional, global and business requirements; (6) Identify incident reduction techniques; (7) Incident metrics - quantify the costs of a privacy incident
A. POLC / Assess / Risk assessment:
B. POLC / Sustain / Communicate / Awareness
C. POLC / Respond / Privacy Incidents
D. POLC / Respond / Privacy Incidents / Incident Detection

7. Union Leadership
A. After a breach occurs, the primary role for this stakeholder is to provide members with timely updates and instructions.
B. An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental effect on the metric or metric owner
C. This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all relevant aspects
D. As it relates to ROI metrics, the second step is to define what

8. (1) Document current baseline of your privacy; (2) Processors and third party vendor assessment; (3) Physical Assessments; (4) Mergers, acquisitions, and divestitures; (5) Conduct analysis and assessments, as needed or as appropriate
A. Need for Data Life Cycle Management (DLM)
B. Organizational privacy office guidance:
C. Privacy Operational Life Cycle (POLC): Assess
D. Member of the privacy team who may be responsible for privacy program framework development, management and reporting within an organization

9. Identify, Define, Select, Collect, Analyze
A. What is CIA & AA
B. What are the steps in the five step metric cycle
C. This is needed to structure responsibilities with business goals
D. When developing your global privacy strategy, it must be relevant to what?

10. Performance Measurement with Metrics Selection
A. This term relates to the protection of hardware, software, and data against physical threats, to reduce or prevent disruptions to operations and services and loss of assets
B. This process provides the means to evaluate business rhythms, technical systems and associated costs to the strategic business objectives and performance of the organization.
C. As part of the incident-response planning process, this group will provide guidance regarding the detection, isolation, removal, and preservation of affected systems.
D. This group's role during a data breach can be to work with management and PR teams to establish and maintain a positive, consistent message, during both the crisis and the post-breach notifications

11. Binding contractual obligations and reporting requirements
A. This is one method of enforcing security and accountability in how personal data is handled by third parties
B. The form of Redress that is offered to the complainant should be clearly defined in what?
C. These are two complementary processes that prepare an organization for crises and managing the business afterwards, thereby reducing risk.
D. This is an indicator used to measure the financial gain/loss (or value) of a project in relation to its cost

12. Functional independence is assured
A. Separation of legal, compliance, internal audit and security functions: collaboration is more challenging, but what?
B. Organizations with a global footprint often create a governance structure that is comprised of whom?
C. An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental effect on the metric or metric owner
D. As it relates to ROI metrics, the first step is to identify and characterize the ROI metric to address what?

13. Conduct a privacy workshop for your stakeholders to level the privacy playing field by defining privacy for the organization, explaining the market expectations, answering questions, and reducing confusion.
A. Privacy Assessment Approach (Key Areas)
B. Privacy Workshop
C. Metric - Owner
D. What is CIA & AA

14. Hourly, daily, weekly, monthly
A. Common reporting intervals in incident response plans include what?
B. The form of Redress that is offered to the complainant should be clearly defined in what?
C. Combining of legal, compliance, internal audit and security functions: collaboration is assured, but what?
D. This is needed to structure responsibilities with business goals

15. Provide taxonomies or privacy categorization guidelines that are not law or regulation based. (E.g. ISO, GAAP)
A. Information technology cutting-edge or innovation solutions:
B. External Privacy Organizations:
C. Industry frameworks:
D. Metric - Primary Audience

16. Information Systems (IS)
A. This is an implementation road map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization
B. One method that can be used as a baseline for assessing your privacy program...
C. What is the second step in the metric life cycle?
D. As part of the incident-response planning process, this group will provide guidance regarding the detection, isolation, removal, and preservation of affected systems.

17. Value the organization places on privacy, Desired organizational objectives, Strategies to drive the tactics used to achieve the intended outcomes, Clarification of roles and responsibilities
A. Many organizations create this, comprised of the same stakeholders that were identified at the start of the privacy program implementation process. Instrumental in making strategic decisions and driving such strategies and decisions through their own organizations.
B. A mission statement should include what five items?
C. Privacy best practices
D. Privacy Operational Life Cycle (POLC): Assess

18. (1) Type of data being outsourced; (2) Location of data; (3) Implication of cloud computing strategy; (4) Legal compliance; (5) Records retention; (6) Contractual requirements (incident response, etc.); (7) Establish minimum standards for safeguarding information
A. How do you develop the Privacy Program Framework?
B. POLC Assess: 1. Document current baseline of your privacy
C. POLC / Assess / Risk assessment:
D. POLC / Respond / Privacy Incidents / Incident Detection

19. Evangelize the purpose and intent of that metric to the organization
A. A metric owner must be able to do what?
B. What are the steps of the Audit Life Cycle?
C. Strategic management of privacy starts by
D. Metric - Analyze

20. Understand and identify the legal and regulatory compliance challenges of the organization and identify the data impacted
A. When defining your privacy program scope, you must first do what?
B. Est. Current Baseline of PP, Data Quality:
C. When positioning the privacy team, you should also consider the authority it will receive based on the what?
D. Steps to Develop Privacy Policies, Standards, Guidelines (4)

21. Privacy committee or council
A. Privacy best practices
B. This is an executive who acts as an advocate and sponsor to further foster privacy as a core organization concept
C. Many organizations create this, comprised of the same stakeholders that were identified at the start of the privacy program implementation process. Instrumental in making strategic decisions and driving such strategies and decisions through their own organizations.
D. POLC / Assess / Processors and 3rd party vendor assessment includes:

22. Business Resiliency


A.
These types of audits are typically Supplier Audits because they are used where an organization has to assure itself of the
ability of a potential or existing supplier or subcontractor to meet the requirements.
B.
This is the ability to rapidly adapt and respond to business disruptions and to maintain continuous business operations
C.
This function is more closely aligned to the privacy group than any other function.
D.
What is the difference between positive & negative controls?

23. (1) Understanding applicable national laws and regulations
(2) Understanding applicable local laws and regulations
(3) Understanding the penalties for noncompliance
(4) Understanding scope and authority of oversight agencies
(5) Understand the privacy implications of doing business in or with countries with inadequate or without privacy laws
(6) Maintain the ability to manage a global privacy function
(7) Maintain the ability to track multiple jurisdictions for changes in privacy law
(8) Understand international data sharing arrangements and agreements
A.
Effective Metrics:
B.
Ensuring continuous alignment to applicable laws and regulations to support the development of an organizational Privacy
Program Framework consists of:
C.
Identifies alignment to organizational vision and defines the privacy leaders for an organization, along with the resources
necessary to execute the vision.
D.
Merchants that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards must be in compliance
with what?

24. (1) Define what constitutes a privacy incident
(2) Identify reporting process
(3) Coordinate detection capabilities (with IT, Security, HR, Investigation team, Vendors)
A.
POLC / Respond / Privacy Incidents / Legal Compliance
B.
POLC / Sustain / Audit
C.
POLC / Sustain / Measure
D.
POLC / Respond / Privacy Incidents / Incident Detection

25. (1) Develop vision and mission statement objectives
(2) Define privacy program scope
(3) Identify legal and regulatory compliance challenges
(4) Identify organization personal information legal requirements
A.
Strategic management of privacy starts by creating or updating the organization vision and mission statement based on
privacy best practices that should include:
B.
One method that can be used as a baseline for assessing your privacy program...
C.
Strategic management of privacy starts by
D.
Strategic management

26. The way a metric is measured


A.
What is the second step in the metric life cycle?
B.
The distinction between direct and indirect metrics is based on what?
C.
These types of assessments further assist the privacy professional in the Protect phase
D.
One tool used to determine whether a PIA should be conducted is called what?

27. (1) Acquire knowledge on privacy approaches
(2) Evaluate the intended objective
(3) Gain executive sponsor approval for this Privacy Vision
A.
Elements of a Privacy Strategy?
B.
What are the seven foundational principles of PbD?
C.
How do you create a company's: Privacy Vision?
D.
Information technology cutting-edge or innovation solutions:

28. Faulty Assumptions, Selective Use, Well-chosen Average, Semi-attachment, Biased Sample, Intentional Deceit, Massaging the
Numbers, Overgeneralization
A.
The privacy professional must guard against improper conclusions such as these
B.
What are the three types of audit categories?
C.
This activity triggers the pre-notification process
D.
The Sustain phase of the privacy operational life cycle provides privacy management through what?

29. functional independence is more challenging


A.
These are two complementary processes that prepare an organization for crises and managing the business afterwards,
thereby reducing risk.
B.
This occurs when inferences are made concerning a general data population that leads to poor conclusions
C.
Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in what?
D.
Combining of legal, compliance, internal audit and security functions: collaboration is assured, but what?

30. Personal data should be relevant to the purpose for which they are to be used, and, to the extent necessary for those purposes
should be accurate, complete, and kept up-to-date.
A.
Est. Current Baseline of PP, Data Quality:
B.
Steps to Developing a Privacy Strategy (5)
C.
Specific to Healthcare metrics, audiences may include whom?
D.
Est. Current Baseline of PP, Collection Limitation:

31. Promptly allocate funds and manpower needed to resolve the breach.
A.
One of the first and arguably most critical steps taken by the top executive is to what?
B.
An effective metric is a clear and concise metric that defines and measures what?
C.
CIA triad in addition to further advanced information security concepts are what?
D.
Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in what?

32. (1) Identify (metric audience)
(2) Define (the metric owner)
(3) Select (the specific privacy metric)
(4) Collect (the data for the metric - who, what, how, when, etc.)
(5) Analyze (statistical analysis, e.g., trend)
A.
To establish tort liability, a third-party plaintiff must show what?
B.
Metric - Audience
C.
Five-Step Metric Life Cycle:
D.
Questions to Ask When Determining Privacy Requirements (Legal)

33. Not all breaches require notification. There are various types of notification requirements to regulators and affected individuals.
Once it is concluded that an actual compromise of sensitive information has occurred, the pre-notification process is triggered.
Steps taken may vary depending on several factors, but the purpose is to confirm that the event does indeed constitute a
"reportable" breach.
A.
POLC / Sustain / Monitor
B.
POLC / Respond / Privacy Incidents
C.
Breaches
D.
Business Case

34. A data controller should be accountable for complying with measures which give effect to the principles stated above
(Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, and Individual
Participation).
A.
Est. Current Baseline of PP, Individual Participation:
B.
What are the steps of the Metric Life Cycle
C.
Est. Current Baseline of PP, Purpose Specification:
D.
Est. Current Baseline of PP, Accountability:

35. i) Ad Hoc - Procedures informal, incomplete, inconsistently applied (not written)
ii) Repeatable - Procedures exist, partially documented, don't cover all areas
iii) Defined - All documented, implemented, cover all relevant aspects
iv) Managed - Reviews conducted to assess effectiveness of controls
v) Optimized - Regular reviews and feedback to ensure continuous improvements.
A.
4 keys to Response?
B.
11 element DLM model
C.
5 Maturity Levels of the AICPA/CICA Privacy Maturity Model?
D.
What are the steps of the Metric Life Cycle

36. Is not a standalone function. It is imperative that the privacy professional work closely with the IT, security, HR and legal
functions in order to take a coordinated approach to solutions.
A.
Privacy Function:
B.
Performance Measurement
C.
What is a Privacy Program Framework?
D.
POLC / Sustain / Audit

37. Privacy Threshold Analysis (PTA)


A.
These types of measurements use data recorded in a numerical-mathematical fashion
B.
A 2012 study revealed what groups were most often the cause for privacy incidents?
C.
One tool used to determine whether a PIA should be conducted is called what?
D.
These types of assessments further assist the privacy professional in the Protect phase

38. Key stakeholders, Execution timeline, Progress reporting and Response evaluation and modifications
A.
The primary focus when managing any privacy incident is always what?
B.
Generally, most well-conceived incident response plans account for and/or include which elements?
C.
According to Baker and McKenzie in their looking-ahead analysis of 2012, the goal of "achieving compliance" is steadily being
replaced with what?
D.
How do you develop the Privacy Program Framework?

39. (1) Map data inventories, flows, and classification
(2) Create "record of authority" of systems processing personal information within organization
(3) Map and document data flow in systems and applications
(4) Analyze and classify types and uses of data
A.
POLC/Assess/1.d. Data, systems, and process assessment involves:
B.
POLC / Respond / Privacy Incidents/ Follow incident response process to ensure meeting jurisdictional, global, and business
requirements by...
C.
Privacy Domain (third step in developing the Privacy Policy Framework)
D.
POLC / Respond / Privacy Incidents / Incident Handling

40. (1) Integrate privacy requirements and representations into functional areas across the organization
A.
Metric - Analyze
B.
Education and Awareness:
C.
POLC/ Sustain/ Communicate / Awareness
D.
POLC/ Sustain / Align

41. (1) Define Privacy Vision and Privacy Mission Statement
(2) Develop Privacy Strategy
(3) Structure Privacy Team
A.
Strategic Management is the first high level necessary task to implement proactive privacy management through the
following 3 subtasks:
B.
Strategic management
C.
Your first step when developing a Data-governance Strategy for Personal Information (Collection, Authorized Use, Access,
Security, Destruction)
D.
What are examples of certain types of organizations and entities known as "covered entities"

42. The residents of the states, as well as government bodies or state attorney general offices.
A.
The difference between metrics audiences is based on what?
B.
As it relates to ROI metrics, the first step is to identify and characterize the ROI metric to address what?
C.
In the U.K., this regulation contains privacy rules for any form of electronic marketing, in addition to a vast array of statutes,
regulations and voluntary codes of practice that govern direct marketing activity.
D.
If you process personal information of any resident of a state that has adopted a breach notification law, understand that to
the extent that non-encrypted data has been compromised, your compliance obligations may include notification to whom?

43. Local or Decentralized


A.
This is a key factor that lays the groundwork for the rest of the privacy program elements and is comprised of a short
sentence or two that describes purpose and ideas in less than 30 seconds
B.
This measurement completely excludes certain elements from the data population, thus providing only a partial set of data and
leading to false assumptions
C.
This type of metric evolves with time
D.
This type of governance delegates decision-making authority down to the lower levels in an organization; relatively away
from and lower than a central authority

44. Three to five


A.
These provide a common language between business, operational and technical managers to discuss the relevant information
(e.g., good, bad, or indifferent) related to assessing progress.
B.
In a 2011 survey of 400 IT executives, one-fifth indicated these events had made business continuity planning a much higher
priority in recent years?
C.
As a basic business practice in the selection of metrics, the privacy professional should select how many key privacy metrics
that focus on the key organizational objectives
D.
This occurs when a specific subset of information is extrapolated from the larger data set, which leads to invalid/incorrect conclusions.

45. Managed
A.
This is an indicator used to measure the financial gain/loss (or value) of a project in relation to its cost
B.
Merchants that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards must be in compliance
with what?
C.
This PMM maturity level indicates that reviews are conducted to assess the effectiveness of the controls in place
D.
This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all relevant
aspects

46. Biased Sample


A.
Policies that govern requirements that need to be imposed on providers of third-party services that implicate personal data
typically sit with whom?
B.
This PMM maturity level indicates that regular review and feedback is used to ensure continuous improvement towards
optimization of the given process
C.
This measurement completely excludes certain elements from the data population, thus providing only a partial set of data and
leading to false assumptions
D.
An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental effect on the metric
or metric owner

47. Look to the strictest standard when seeking a solution, provided it does not (1) violate any data privacy laws, (2) exceed
budgetary restrictions, or (3) contradict organization goals and objectives.
A.
Strictest Standard (another data governance strategy for personal information)
B.
POLC/Assess/1.d. Data, systems, and process assessment involves:
C.
CIA triad in addition to further advanced information security concepts are what?
D.
Second step of developing a Privacy Policy Framework?

48. Identification of the intended audience: WHO will use the data?
A.
Metric - Identification
B.
A breach will typically involve
C.
Five-Step Metric Life Cycle:
D.
Policies imposing general obligations on employees may reside with whom?

49. Identifies alignment to organizational vision and defines the privacy leaders for an organization, along with the resources
necessary to execute the vision.
A.
Metric - Collection
B.
Strategic Management model
C.
Performance Measurement
D.
Metric taxonomies provide what categories?

50. Metric owner must:
(1) Know what is critical about the metric: why the output is important and how this metric fits into the business objectives.
(2) Monitor process performance with the metric: predictors of performance and monitoring data compiled by other metric owners, processes, or dependencies (operational, strategic, or tactical).
(3) Make sure the process documentation is up to date.
(4) Perform regular reviews. Determine if the metric is still required, capable of meeting goals, and provides value to the organization.
(5) Make sure that any improvements are incorporated and maintained in the process.
(6) Advocate the metric to customers, partners, and others.
(7) Maintain training, documentation, and materials.
A.
Metric - Tertiary audience
B.
Metric - Sigma Six
C.
Business Case
D.
Define Privacy:

51. People, Processes, Technology


A.
Combining of legal, compliance, internal audit and security functions: collaboration is assured, but what?
B.
Reporting resources can be found with the technical and business characteristics of an organization that include
C.
As it relates to ROI metrics, the first step is to identify and characterize the ROI metric to address what?
D.
This is an indicator used to measure the financial gain/loss (or value) of a project in relation to its cost

52. Increased control over data, regulatory compliance (thereby minimizing business risk) and reduced costs (by eliminating
redundancies in data storage)
A.
Strategic management of privacy starts by
B.
Est. Current Baseline of PP, Accountability:
C.
POLC / Respond / Privacy Incidents
D.
Main benefits of DLM and ILM are what?

53. The purposes for which personal data are collected should be specified not later than at the time of data collection and the
subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as
are specified on each occasion of change of purpose.
A.
Est. Current Baseline of PP, Purpose Specification:
B.
Data-protection regulations typically include what items
C.
POLC / Respond / Privacy Incidents / Incident Detection
D.
Selecting the correct privacy metric requires what?

54. i) ID Stakeholders and Internal Partnerships
ii) Leverage Key Functions
iii) Create a Process for Interfacing
iv) Develop a Data Governance Strategy
v) *Conduct a Privacy Workshop
A.
Steps to Developing a Privacy Strategy (5)
B.
Steps to Develop Privacy Policies, Standards, Guidelines (4)
C.
What are the 3 high level security roles?
D.
Strategic management (3 subtasks)

55. Insiders and third parties


A.
As it relates to ROI metrics, the second step is to define what
B.
A 2012 study revealed what groups were most often the cause for privacy incidents?
C.
What is the second step in the metric life cycle?
D.
The first step in selecting the correct metrics starts by what?

56. Privacy Domain - determines the privacy elements, such as industry, privacy organizations and other data, that will provide the
necessary laws, standards, guidelines and other factors that should be evaluated.
A.
Privacy Framework benefits include:
B.
Privacy Domain (third step in developing the Privacy Policy Framework)
C.
Strictest Standard (another data governance strategy for personal information)
D.
Privacy Function:

57. A corporate need to "achieve and maintain compliance"


A.
According to Baker and McKenzie in their looking-ahead analysis of 2012, the goal of "achieving compliance" is steadily being
replaced with what?
B.
Policies that govern requirements that need to be imposed on providers of third-party services that implicate personal data
typically sit with whom?
C.
What are the 4 Parts of the Privacy Operational Life Cycle
D.
This type of governance fits well in organizations accustomed to single-channel functions (where direction flows from a single
source) with planning and decision making completed by one group

58. Metrics performance


A.
This provides quantifiable output that is measurable, meaningful, answers specific questions and is clearly defined
B.
These types of measurements use data recorded in a numerical-mathematical fashion
C.
This ensures that privacy and security controls are aligned with an organization's tolerance for risk and its compliance with
regulations and commitment to building a sustainable privacy-minded culture
D.
The Sustain phase of the privacy operational life cycle provides privacy management through what?

59. Full understanding of the business objectives and goals, along with a clear understanding of the primary business functions.
A.
When defining your privacy program scope, you must first do what?
B.
Business Case (as a step in developing the Privacy Policy Framework)
C.
The primary audience for metrics may include
D.
Selecting the correct privacy metric requires what?

60. (1) Define organization's (a) Privacy Vision and (b) Privacy Mission Statement
(2) Develop Privacy Strategy
(3) Structure Privacy Team
A.
Strategic management (3 subtasks)
B.
POLC / Respond / Privacy Incidents
C.
Attributes of an effective Metric
D.
Strategic Management assigns roles, sets expectations grants powers and what?

61. The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness.
A.
POLC / Sustain / Communicate
B.
Types of Protection Models (4)
C.
Prior to selecting metrics, the reader should first understand what?
D.
Performance Measurement

62. DLM/ILM
A.
This is a policy-based approach to manage the flow of information through a life cycle from creation to final disposition
B.
These provide a common language between business, operational and technical managers to discuss the relevant information
(e.g., good, bad, or indifferent) related to assessing progress.
C.
This measurement completely excludes certain elements from the data population, thus providing only a partial set of data and
leading to false assumptions
D.
This ensures that privacy and security controls are aligned with an organization's tolerance for risk and its compliance with
regulations and commitment to building a sustainable privacy-minded culture

63. Objective/Subjective, Quantitative/Qualitative, IT Metrics/Quantitative Measurement, Static/Dynamic, Absolute/Relative, Direct/Indirect
A.
Metric taxonomies provide what categories?
B.
Strategic management of privacy starts by
C.
How do you create a company's: Privacy Vision?
D.
Selecting the correct privacy metric requires what?

64. Program Champion


A.
Internal Policy, Designated Point of Contact:
B.
Organizational privacy office guidance:
C.
This is an executive who acts as an advocate and sponsor to further foster privacy as a core organization concept
D.
This functional group traditionally functions independently to assess whether controls are in place to protect personal
information and whether people are abiding by these controls

65. • Notice
• Choice
• Consent
• Purpose limitations
• Limits on retaining data
• Individual rights to access
• Correction and deletion of data
• Obligation to safeguard data
A.
What are the phases of the privacy operational life cycle
B.
Steps to Developing a Privacy Strategy (5)
C.
Data-protection regulations typically include what items
D.
First step of developing a Privacy Policy Framework?

66. Process owner, champion, advocate and evangelist responsible for management of the metric throughout the metric life cycle
A.
Metric - Owner
B.
An effective metric is a clear and concise metric that defines and measures what?
C.
Strategic management (3 subtasks)
D.
Technical Controls:

67. Implementation roadmap that provides structure or checklists to guide privacy professionals through management and
prompts for details to determine privacy relevant decisions.
A.
What are the 7 foundation principles of Privacy by Design?
B.
Steps to Developing a Privacy Strategy (5)
C.
What is the third step in the metric life cycle
D.
What is a Privacy Program Framework?

68. o Identify the intended audience - who will use the data
o Define the data sources - who is the data owner and how is that data accessed
o Select privacy metrics - what metrics to use based on the audience, reporting resources and final selection of the best metric
o Collect and refine systems/applications collection point - where will the data come from to finalize the metric collection report? When will the data be collected? Why is that data important?
o Analyze the data/metrics to provide value to the organization and provide a feedback quality mechanism
A.
What are the steps of the Metric Life Cycle
B.
Est. Current Baseline of PP, Individual Participation:
C.
Privacy Program activities usually consist of:
D.
What is the second step in the metric life cycle?

69. Third party hacker who intentionally exploits vulnerabilities of the customer system, Customer failure to properly operate, use
or secure its systems, Lost or stolen computer equipment, Misconduct of customer employees
A.
A breach will typically involve
B.
The secondary audience includes those who may not have privacy as a primary task, such as whom?
C.
This functional group adds processes and controls that support privacy principles. It creates processes to develop and test
software and applications in a manner that does not require the use of production data, which decreases the chances that the
data will be compromised and that individuals who have no business need will access the data
D.
Privacy professional

70. (Benefits - Costs) / Costs


A.
Metric taxonomies provide what categories?
B.
Program assurance or the governance structure:
C.
Quality or complexity can only be measured how?
D.
Return on Investment (ROI) is measured how

71. IT assets
A.
When an individual is unable to provide their point, this may result in the exclusion of elements of a measurement when
conveying results
B.
This is a data pattern that shows trends in an upward or downward tendency, e.g., privacy breaches over time
C.
Inherent technical features that collectively protect the organizational infrastructure, achieving and sustaining confidentiality,
integrity, availability, and accountability.
D.
These are measures to reduce the likelihood and severity of accidental and intentional alteration, destruction,
misappropriation, misuse, misconfiguration, unauthorized distribution and unavailability of an organization's logical and
physical assets, as the result of action or inaction by insiders and known outsiders, like business partners

72. Overburden the reader


A.
Good metrics should not do what?
B.
POLC / Assess / Risk assessment:
C.
What are the steps of the Audit Life Cycle?
D.
What are the steps in the five step metric cycle

73. (1) The value the organization places on privacy
(2) Desired organizational objectives
(3) Strategies to drive the tactics used to achieve the intended outcomes
(4) Clarification of roles and responsibilities
A.
The fundamental principle that should govern a privacy incident is to what?
B.
The privacy statement should indicate:
C.
Metric - Identification
D.
The secondary audience includes those who may not have privacy as a primary task, such as whom?

74. Physical assets, Personnel assets, IT assets, Operational assets


A.
The Respond phase of the privacy operational life cycle includes which principles?
B.
Developing organizational privacy policies, standards, and/or guidelines involves:
C.
Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in what?
D.
As part of the incident-response planning process, this group will provide guidance regarding the detection, isolation,
removal, and preservation of affected systems.

75. Level of interest, influence and responsibility to privacy within the business objectives, laws and regulations, or ownership
A.
The difference between metrics audiences is based on what?
B.
POLC / Respond / Privacy Incidents / Incident Handling
C.
Selecting the correct privacy metric requires what?
D.
How do you develop the Privacy Program Framework?

76. Healthcare providers (hospitals, clinics, pharmacies) and health plans (medical plans, organization benefit plans) subject to
HIPAA.
A.
What are examples of certain types of organizations and entities known as "covered entities"
B.
What are the 3 high level security roles?
C.
What are the three types of audit categories?
D.
What is the difference between positive & negative controls?

77. Second-party audits


A.
This is slightly adjusting measurements to provide the appearance of success or other-than-actual results, leading the
reviewer to believe the metric is more successful than it actually may be
B.
These types of audits are typically Supplier Audits because they are used where an organization has to assure itself of the
ability of a potential or existing supplier or subcontractor to meet the requirements.
C.
This lists the metric characteristics that delineate boundaries between metric categories
D.
This is a key factor that lays the groundwork for the rest of the privacy program elements and is comprised of a short
sentence or two that describes purpose and ideas in less than 30 seconds

78. (1) Measure
(2) Align
(3) Audit
(4) Communicate
(5) Monitor


A.
What is CIA & AA
B.
Metric - Owner
C.
POLC / Sustain
D.
Metric - Selection

79. Return on Investment (ROI)


A.
This occurs when inferences are made concerning a general data population that leads to poor conclusions
B.
This is an indicator used to measure the financial gain/loss (or value) of a project in relation to its cost
C.
This strategy seeks solutions that do not violate any data privacy laws, exceed budgetary restrictions or contradict
organization goals and objectives
D.
This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations
with which you must comply.

80. Planning, Preparation, Audit, Report, Follow-up


A.
These are two complementary processes that prepare an organization for crises and managing the business afterwards,
thereby reducing risk.
B.
Program assurance or the governance structure:
C.
What are the steps of the Audit Life Cycle?
D.
Data integrity issues are often the results of what?

81. First party/internal audit, Second-party audits, Third-party/external audits


A.
What are the three types of audit categories?
B.
The Respond phase of the privacy operational life cycle includes which principles?
C.
Program assurance or the governance structure:
D.
What is CIA & AA

82. Legal and privacy officers, senior leadership; CIO, CSO, PM, Information Systems Owner (ISO), Information Security Officer
(ISO), Others considered users and managers
A.
Data-protection regulations typically include what items
B.
What is the difference between positive & negative controls?
C.
The primary audience for metrics may include
D.
One method that can be used as a baseline for assessing your privacy program...

83. Identifying the intended metric audience


A.
Third and final step of developing a Privacy Policy Framework?
B.
These types of assessments further assist the privacy professional in the Protect phase
C.
Data integrity issues are often the results of what?
D.
The first step in selecting the correct metrics starts with what?

84. Privacy Program Framework


A.
This is an implementation road map that provides the structure or checklists (document privacy procedures and processes) to
guide the privacy professional through privacy management and prompts them for the details to determine all privacy-
relevant decisions for the organization
B.
This approach collects the various data-protection requirements and rationalizes them where possible
C.
These types of audits are typically Supplier Audits because they are used where an organization has to assure itself of the
ability of a potential or existing supplier or subcontractor to meet the requirements.
D.
This is the process of informing affected individuals that their personal data has been breached

85. Time series


A.
This provides quantifiable output that is measurable, meaningful, answers specific questions and is clearly defined
B.
This approach collects the various data-protection requirements and rationalizes them where possible
C.
This is a data pattern that shows trends in an upward or downward tendency, i.e., privacy breaches over time
D.
This is a form of internal audit that does not exempt an organization from fulfilling obligations under applicable laws or
regulations


86. Collection and refinement of systems/application collection points: WHERE will the data come from to finalize the metric
collection report? WHEN will the data be collected? WHY is that data important?
A.
Metric - Collection
B.
POLC / Sustain / Audit
C.
Performance Measurement
D.
Metric - Owner

87. APEC Privacy - regional data transfers; PIPEDA (Canada) & AIPP (Australian); OECD; Privacy by Design; US Government
A.
Performance Measurement
B.
Metric - Owner
C.
Education and Awareness:
D.
Popular Frameworks (6)

88. Data Controller


A.
Metric - Definition
B.
Five-Step Metric Life Cycle:
C.
This person is the process owner, champion, advocate and evangelist responsible for management of the metric throughout
the metric life cycle
D.
In the EU, who retains legal liability for any harm associated with the collected data?

89. Definition of data sources: WHO is the data owner and HOW is that data accessed?
A.
Privacy professionals should always involve whom to review, define or establish technical security controls, including
common security controls such as firewalls, malware anti-virus, and complex password requirements
B.
Metric - Definition
C.
The fundamental principle that should govern a privacy incident is to what?
D.
This is someone who understands the importance of privacy and will act as an advocate for you and for the program.
Typically, they will have experience with the organization, the respect of their colleagues and access to or ownership of
budget.

90. (1) Faulty Assumptions; (2) Selective Use; (3) The Well-chosen Average; (4) Semi-attachment; (5) Biased Sample; (6) Intentional Deceit; (7) Massaging the Numbers; (8) Over-generalization
A.
Performance Measurement
B.
Metric - Collection
C.
Technical Controls:
D.
Metrics - Improper


91. Functional
A.
As a rule, privacy policies and procedures are created and enforced at what level?
B.
Key aspects of Internal Policy include:
C.
A breach will typically involve
D.
Metric - Definition

92. Rationalization
A.
This ensures that privacy and security controls are aligned with an organization's tolerance for risk, its compliance with
regulations and its commitment to building a sustainable privacy-minded culture
B.
Many times the mean is used for a metric, but it is sometimes more appropriate to use the median or mode rather than the
true mean/average
C.
This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations
with which you must comply.
D.
These provide a common language between business, operational and technical managers to discuss the relevant information
(e.g., good, bad, or indifferent) related to assessing progress.

93. Analyze the data/metric to provide value to the organization and provide a feedback quality mechanism
A.
Information technology cutting-edge or innovation solutions:
B.
A metric owner must be able to do what?
C.
Effective Metrics:
D.
Metric - Analyze

99 True/False questions

1. (1) Understanding key roles and responsibilities; (2) Develop a communications plan to notify executive
management → POLC / Respond / Information Requests

True

False

2. Markets, cultures, and geographical locations → Privacy governance framework provides the methods to what?

True

False

3. Define Reporting Procedures → What is the second step in the metric life cycle?

True

False

4. Optimized → This PMM maturity level indicates that regular review and feedback is used to ensure continuous improvement
towards optimization of the given process

True

False


5. Proactive not Reactive-Preventative not Remedial; Privacy as the Default Setting; Privacy Embedded into Design; Full
Functionality-Positive Sum not Zero-sum; End-to-End Security-Full Life Cycle Protection; Visibility and Transparency; Respect
for User Privacy → What are the seven foundational principles of PbD?

True

False

6. Human failure or systemic error. → Data integrity issues are often the results of what?

True

False

7. the value of the asset → As it relates to ROI metrics, the second step is to define what

True

False

8. Information Technology (IT) → This functional group adds processes and controls that support privacy principles. It creates
processes to develop and test software and applications in a manner that does not require the use of production data, which
decreases the chances that the data will be compromised and that individuals who have no business need will access the data

True

False

9. Consider how valuable, sensitive, or confidential the personal information is and what damage or distress could be caused to
individuals if there was a security breach. → One method that can be used as a baseline for assessing your privacy program...

True

False

10. Representatives from each geographic region and business function (i.e., HR) in which the organization has a presence to
ensure that proposed privacy policies, processes, and solutions align with local laws. → Strictest Standard (another data
governance strategy for personal information)

True

False

11. Conducting a data inventory reveals where personal data resides, which will identify the data as it moves across various systems
and thus how data is shared and organized and its locations. That data is then categorized by subject area, which identifies
inconsistent data versions, enabling identification and mitigation of data disparities. The data inventory offers a good starting
point for the privacy team to prioritize resources, efforts, risk assessments and current policy in response to
incidents. → Business Case

True

False

12. 1) Rigorously defined, 2) Credible and relevant, 3) Objective and quantifiable, and 4) Associated with the baseline
measurement per the organization standard metric taxonomy. → POLC / Sustain / Communicate / Targeted employee,
management, and contractor training...

True

False


13. Semi-attachment → When an individual is unable to prove their point, this may result in the exclusion of elements of a
measurement when conveying results

True

False

14. Selection of privacy metrics: WHAT metrics to use based on the audience, reporting resources, and final selection of the best
metric? → Metric - Tertiary audience

True

False

15. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and,
where appropriate, with the knowledge or consent of the data subject. → Second step of developing a Privacy Policy
Framework?

True

False

16. Legal → This type of governance fits well in organizations used to utilize single-channel functions (where direction flows from a
single source) with planning and decision making completed by one group

True

False

17. Indirectly by extrapolation from other measured factors → What are the three types of audit categories?

True

False

18. Privacy professional → Member of the privacy team who may be responsible for privacy program framework development,
management and reporting within an organization

True

False

19. 1) Define your organization's privacy vision and privacy mission statements 2) Develop privacy strategy 3) Structure your
privacy team → A metric should be clear in the meaning of what is being measured and what else?

True

False

20. Chief Financial Officer; Training organizations; Human resources; Inspectors general; HIPAA security officials → Metric -
Secondary audience

True

False


21. There should be a general policy of openness about developments, practices, and policies with respect to personal data.
Means should be readily available to establish the existence and nature of personal data, and the main purpose of their use, as
well as the identity and usual residence of the data controller. → Est. Current Baseline of PP, Openness:

True

False

22. Well-chosen Average → Many times the mean is used for a metric, but it is sometimes more appropriate to use the median or
mode rather than the true mean/average

True

False

23. Involve senior leadership; Involve stakeholders; Develop internal partnerships; Provide flexibility; Leverage communications;
Leverage collaboration → Executive leadership support for your governance model will have
a direct impact on the level of success when implementing your privacy strategies. What are the important steps to integrate
into any model?

True

False

24. First-party/internal audits → These audits are a form of "self-evaluation"

True

False

25. i) Enterprise Objectives; ii) Minimalism; iii) Simplicity of Procedures & Training; iv) Adequacy of Infrastructure; v) Information
Security; vi) Authenticity and Accuracy of Records; vii) Retrievability; viii) Distribution Controls; ix) Auditability; x)
Consistency of Policies; xi) Enforcement → 11 Principles of the Data Life Cycle Management Model

True

False

26. Vision or mission statement → This key factor that lays the groundwork for the rest of the privacy program elements and is
typically comprised of a short sentence or two that describe the purpose and ideas in less than 30 seconds.

True

False

27. Pragmatic Approach → This is the process of informing affected individuals that their personal data has been breached

True

False

28. i) Monitor; ii) Audit; iii) Communicate → Industry frameworks:

True

False


29. If developed, offers the best starting point. This should be the first step, regardless of the program maturity. → The fundamental
principle that should govern a privacy incident is to what?

True

False

30. Includes: Legal and privacy officers; Senior leadership; Chief information officer; Chief security officer; Program
managers; Information system owner; Information security officer → Metric - Primary Audience

True

False

31. (1) Collection Limitation; (2) Data Quality; (3) Purpose Specification; (4) Use Limitation; (5) Security Safeguards; (6)
Openness; (7) Individual Participation; (8) Accountability → Examples of Compliance Metrics

True

False

32. Individual culture, politics and protocols of the organization → This model identifies alignment to organization vision and
defines the privacy leaders for an organization, along with the resources (people, policy, processes, and procedures)
necessary to execute vision

True

False

33. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access,
destruction, use, modification or disclosure of data. → POLC/Assess/1.d. Data, systems, and process assessment involves:

True

False

34. 1. Enterprise data growth; 2. Growth in unstructured data; 3. Limitations in relational database management system
performance; 4. Information access and security concerns; 5. Lack of effective methods for classifying data; 6. Difficulty
in assessing productivity of systems, applications and databases → Main drivers of DLM/ILM

True

False

35. i) Sectoral (US); ii) Comprehensive (EU, Canada, Russia); iii) Co-Regulatory (Australia); iv) Self Regulated (US, Japan,
Singapore) → Types of Protection Models (4)

True

False

36. E.g., Privacy Office or Privacy Officer. This contact can also serve as the liaison to information security, legal and human
resources. → Internal Policy, Designated Point of Contact:

True

False


37. PIA, risk assessments, security assessments → These types of assessments further assist the privacy professional in the Protect
phase

True

False

38. Assessment of the Business Case for the current (or forthcoming) privacy program or privacy requirements for privacy policies,
standards, and/or guidelines. → Est. Current Baseline of PP, Security Safeguards:

True

False

39. Member of the privacy team who may be responsible for privacy program framework development, management and
reporting within an organization → This person is the process owner, champion, advocate and evangelist responsible for
management of the metric throughout the metric life cycle

True

False

40. Taking an inventory of relevant regulations that apply to your business. → Third and final step of developing a Privacy Policy
Framework?

True

False

41. (1) Collection (notice); (2) Responses to data subject inquiries; (3) Use; (4) Retention; (5) Disclosure to third parties; (6)
Incidents (breaches, complaints, inquiries); (7) Employees trained; (8) PIA metrics; (9) Privacy risk indicators; (10) % of
company functions represented by governance mechanisms → Examples of Compliance Metrics

True

False

42. Define privacy technology standards developed solely to be used for the transmission, storage and use of privacy data. → Est.
Current Baseline of PP, Openness:

True

False

43. Verifies performance → This occurs when inferences are made concerning a general data population that leads to poor
conclusions

True

False

44. Provides the methods to access, protect, sustain, and respond to the positive and negative effects of all influencing factors.
This master plan, or framework, thereby provides reusable procedures and checklists that outline the operational life cycle
courses of action, research, and subject matter expertise, constituting a "best practice" approach to an idea, thought or subject.
Like maps, frameworks provide inquiry topics and direction (e.g., problem definition, purpose, literature review, methodology,
data collection and analysis) to ensure quality through repeatable steps throughout program management, thereby reducing
errors or gaps in knowledge or experience. → Privacy Assessment Approach (Key Areas)

True

False

45. Take an inventory of relevant regulations that apply to your business. Once you determine which laws apply, you must design a
manageable approach to handling and protecting personal information → The difference between metrics audiences is based
on what?

True

False

46. Is the first high level task necessary to implement proactive privacy management. → Strategic Management assigns roles, sets
expectations, grants powers and what?

True

False

47. While stakeholders at all levels should be involved in the selection and management of any metric to ensure buy-in and a
sense of ownership, ISOs are seen as a primary audience for metrics data because they have a higher level of interest,
influence, and responsibility to privacy with the business objectives, laws and regulations, or ownership. → ISOs (Information
Security Owner or Information Security Officer)

True

False

48. Business Continuity and Disaster Recovery Planning (BCDR) → These types of assessments further assist the privacy professional
in the Protect phase

True

False

49. Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, not a law. → If a standard metric
taxonomy does not exist, privacy professionals can generate their own using the best practices from where?

True

False

50. 1) Know what is critical about the metric, 2) Monitor process performance with the metric, 3) Make sure the process
documentation is up to date, 4) Perform regular reviews, 5) Make sure that any improvements are incorporated and
maintained in the process, 6) Advocate the metric to customers, partners and others, and 7) Maintain training,
documentation, and materials. → What are the four steps in defining your organization's privacy vision and privacy mission
statements

True

False

51. Who collects, uses, maintains Personal Information; What are the types of Personal Information; What are the legal
requirements for the PI; Where is the PI stored; How is the PI collected; Why is the PI collected → Individual executives
who lead and "own" the responsibility of the relevant activities are called what?

True

False


52. Centralized Governance → This term relates to the protection of hardware, software, and data against physical threats, to
reduce or prevent disruptions to operations and services and loss of assets

True

False

53. Clear and concise metric that defines and measures progress toward a business objective or goal without overburdening the
reader → Strategic management (3 subtasks)

True

False

54. (1) Define program scope and charter; (2) Identify the sources, types, and uses of Personal Information (PI) within the org.
and the applicable laws; (3) Develop a Privacy Strategy → How do you create a company's: Privacy Vision?

True

False

55. (1) a formal written policy and (2) designated points of contact → Key aspects of Internal Policy include:

True

False

56. Defined → This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all
relevant aspects

True

False

57. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with
the consent of the data subject or by the authority of law. → Est. Current Baseline of PP, Use Limitation:

True

False

58. Reduce risk; avoid incident of data loss; sustain organization market value and reputation and provide measurement in
compliance to laws, regulations, and standards. → Privacy Framework benefits include:

True

False

59. (a) Education and awareness; (b) Monitoring and responding to regulatory environment; (c) Internal policy compliance; (d)
Data, systems and process assessment; (e) Risk assessment; (f) Incident response; (g) Remediation; (h) Determine desired
state and perform gap analysis against an accepted standard or law; (i) Program assurance, including audits → POLC Assess: 1.
Document current baseline of your privacy

True

False

60. Over-generalizations → This is the process of informing affected individuals that their personal data has been breached

True

False


61. (1) Develop organizational privacy policies, standards, and/or guidelines; (2) Define Privacy Program activities → How do
you develop the Privacy Program Framework?

True

False

62. Review and Monitor the program and Communicate the Privacy Policy Framework. → Third and final step of developing a
Privacy Policy Framework?

True

False

63. US-EU Safe Harbor → What is the third step in the metric life cycle

True

False

64. Escalation → This is the internal process of employees alerting supervisors about a security-related incident, who in turn report
the details to a predefined list of experts

True

False

65. Notification → This is the process of informing affected individuals that their personal data has been breached

True

False

66. Harm prevention and/or minimization → The tertiary audiences may be considered, based on the organization's specific or
unique requirements such as who?

True

False

67. (1) Information Requests; (2) Privacy Incidents → POLC / Respond

True

False

68. 3 - 5 → # of Metrics a Privacy Professional should select?

True

False

69. (1) Quantify the costs of technical controls; (2) Manage data retention with respect to the organization's policies; (3)
Define the methods for physical and electronic data destruction; (4) Define the roles and responsibilities for managing the
sharing and disclosure of data for internal and external use → POLC / Sustain / Align

True

False


70. (1) Education and awareness; (2) Monitoring and responding to the regulatory environment; (3) Internal policy
compliance; (4) Data inventories, data flows, and classification; (5) Risk assessment (Privacy Impact Assessments,
etc.); (6) Incident response and process, including jurisdictional regulations; (7) Remediation; (8) Program
assurance, including audits → Structuring the Privacy Team involves:

True

False

71. (1) Awareness; (2) Targeted employee, management, and contractor training → POLC / Sustain / Communicate

True

False

72. (1) Identifying and Establishing the appropriate Governance Model for your organization (usually based on size); (2)
Responsibilities and reporting structure for Governance Model and Organization; (3) Designate a point of contact for
Privacy Issues; (4) Establish/endorse the measurement of professional competency → POLC / Sustain / Measure

True

False

73. (1) Data life cycle (creation to deletion); (2) Information Security Practices; (3) Privacy by Design → POLC / Protect

True

False

74. Communications and PR → This is the process of informing affected individuals that their personal data has been breached

True

False

75. i) Centralized; ii) Local/Decentralized; iii) Hybrid → What are the 3 high level security roles?

True

False

76. Attributes of an effective metric with metric taxonomy and how to limit improper metrics. → What enables you to create a
data-governance strategy for your organization?

True

False

77. Ad hoc, Repeatable, Defined, Managed, Optimized → What are the PMM maturity levels?

True

False

78. (1) Environment (e.g., systems, applications) monitoring; (2) Monitor compliance with established privacy policies; (3)
Monitor regulatory and legislative changes; (4) Compliance monitoring (e.g., collection, use, and retention) - can be done
by: Internal Audits, Self-Regulation, Retention Strategy, or Exit Strategy → POLC / Sustain / Monitor

True

False


79. Information requests, legal compliance, incident response planning and incident handling → The Respond phase of the privacy
operational life cycle includes which principles?

True

False

80. External watchdog groups, Sponsors, Stockholders → The tertiary audiences may be considered, based on the organization's
specific or unique requirements such as who?

True

False

81. A gap analysis of the information collected for the Business Case, ensuring there are no gaps or holes in the current or
developing privacy program. → Selecting the correct privacy metric requires what?

True

False

82. Institute your organization's requirements, policies and procedures instead of reducing them to the level of the
country → Individual executives who lead and "own" the responsibility of the relevant activities are called what?

True

False

83. (1) Communicating the Framework to internal and external stakeholders; (2) Ensuring continuous alignment to applicable
laws and regulations to support the development of an organizational Privacy Program Framework → Implementing the
Privacy Policy Framework consists of:

True

False

84. 1) Identify organization PI legal requirements, 2) Develop V&M statement objectives, 3) Identify legal & regulatory compliance
challenges, and 4) Define privacy program scope → Privacy best practices

True

False

85. Select Privacy Metrics → What is the third step in the metric life cycle

True

False

86. Massaging the Numbers → This is slightly adjusting measurements to provide the appearance of success or other-than-actual
results, leading the reviewer to believe the metric is more successful than it actually may be

True

False

87. Marketing → This strategy seeks solutions that do not violate any data privacy laws, exceed budgetary restrictions or
contradict organization goals and objectives

True

False


88. Personnel assets → These audits are a form of "self-evaluation"

True

False

89. Intentional Deceit → An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental
effect on the metric or metric owner

True

False

90. Involve the use of newer or unregulated technology, such as social networking and the new Internet web cookie policy for
eGov 2.0 → Selecting the correct privacy metric requires what?

True

False

91. (1) Business Alignment; (2) Develop a data governance strategy for personal information (collection, authorized use,
access, and destruction); (3) Plan inquiry/complaint handling procedures (customers, regulators, etc.) → Elements of a
Privacy Strategy?

True

False

92. The specific risk that a control or feature is supposed to mitigate → This is a data pattern that shows trends in an upward or
downward tendency, i.e., privacy breaches over time

True

False

93. Program Sponsor → This is someone who understands the importance of privacy and will act as an advocate for you and for
the program. Typically, they will have experience with the organization, the respect of their colleagues and access to or
ownership of budget.

True

False

94. Metric taxonomy → This lists the metric characteristics that delineate boundaries between metric categories

True

False

95. Primary, secondary, and tertiary stakeholders who obtain value from a metric → Metric - Audience

True

False

96. NIST, NISTIR 7564, "Directions in Security Metrics Research" → If a standard metric taxonomy does not exist, privacy
professionals can generate their own using the best practices from where?

True

False


97. An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data
controller has data relating to him; (b) to have communicated to him, data relating to him within a reasonable time; at a charge,
if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; (c) to be given reasons if a
request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data
relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended. → What are the
steps of the Metric Life Cycle

True

False

98. Notification could create unnecessary concern and confusion → What does the Federal government guidance state when a
breach poses little or no risk of harm?

True

False

99. Ad hoc → This approach collects the various data-protection requirements and rationalizes them where possible

True

False
