Professional Documents
Culture Documents
NAME
A. Security Engineer
1. The privacy professional or organization should include
in the privacy budget the costs to generate what?
B. PbD paradigm
2. Training Programs
C. HIPAA privacy officers, medical interdisciplinary readiness teams (MIRTs), senior executive staff, covered entity workforce, self assessment tool and risk analysis/management
3. Effective Metrics:
4. What are the phases of the privacy operational life cycle
D. i) Assess
ii) Protect
iii) Sustain
iv) Respond
F. Self-Certification
6. Tracking and benchmarking data protection indicators through Performance Measurement is important because...
G. Defines individual program needs and way to meet specific goals.
- Org Privacy Guidance
- Define Privacy
- Laws/Regs
- Technical Controls
- External Privacy Orgs
- Frameworks
- Privacy Enhancing Tech (PETs)
- Education/Awareness
- Program Assurance
7. Policies that govern the use and disclosure of health information about employees of the organization typically reside with whom?
8. Generally speaking, this may be described as any potential or actual compromise of personal information in a form that facilitates intentional or unintentional access by unauthorized third parties
H. Provide methods to inform the employee of the important aspects of privacy and the basic protections a non-privacy professional should know.
I. Allow an affected person the opportunity to protect themselves from identity theft or other harm
9. Developing organizational privacy policies, standards,
and/or guidelines involves:
J. Physical assets
13. These types of measurements use data recorded in a numerical-mathematical fashion
(evaluate) o Respond (support)
https://quizlet.com/236674660/test?answerTermSides=2&promptTermSides=6&questionCount=298&questionTypes=14&showImages=true 1/39
12/31/2019 Test: Cipm - Iapp | Quizlet
20. Privacy Objectives are typically broad-based. What is an example of a privacy objective?
21. Performing a gap analysis will...
R. (1) Enterprise Objectives
(2) Minimalism
(3) Simplicity of Procedure and Effective Training
(4) Adequacy of Infrastructure
(5) Information Security
(6) Authenticity and Accuracy of One's Own Records
(7) Retrievability
(8) Distribution Controls
(9) Auditability
(10) Consistency of Policies
(11) Enforcement
22. POLC / Sustain / Communicate / Targeted employee, management, and contractor training...
S. Mechanisms for protection of information and information
systems
23. This term relates to the protection of hardware, software, and data against physical threats, to reduce or prevent disruptions to operations and services and loss of assets
T. (1) Access
(2) Redress
(3) Correction
(4) Managing data integrity
34. Privacy is concerned with an individual's ability to control the use of personal information while information security focuses on what?
AC. it ensures proper data protections are in place within businesses and between employees, consumers, and customers.
39. The form of Redress that is offered to the complainant should be clearly defined in what?
AE. such as implementing systems that support role-based access, also support the larger purposes of the privacy program by specifically identifying and limiting who can access the personal information in a particular database.
40. Business Case (as a step in developing the Privacy
Policy Framework)
AF. BD
41. Policies imposing general obligations on employees may reside with whom?
AG. Progress toward a business objective or goal without overburdening the reader
42. Policies and procedures that dictate certain privacy and security requirements on employees as they relate to the technical infrastructure typically sit with whom?
AH. Information Security (IS)
AI. Subjective
43. This activity triggers the pre-notification process
AJ. Provide the assurances necessary to achieve the goals of physical and data security.
AL. (1) Understand key roles and responsibilities (ID key business stakeholders and establish incident response teams).
(2) Develop a privacy incident response plan
(3) Identify elements of the privacy incident response plan
(4) Integrate privacy incident response into business continuity planning
49. This function is more closely aligned to the privacy group than any other function.
50. This plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after a data breach
AM. "roughing out" the scope of a privacy program by flagging areas in an organization where personal information is likely to be collected, accessed or used (HR, finance, marketing, customer relationship management systems, IT)
51. This is needed to structure responsibilities with business goals
AO. (1) define and measure progress toward business goals and objectives
(2) Should be concise - large amounts of useless info are counterproductive
(3) Should be clear in the meaning of what is being measured
(4) rigorously defined
(5) credible and relevant
(6) objective and quantifiable
(7) associated with the baseline measurement per the organization standard metric
53. POLC/Assess/Processors and 3rd party vendor assessment includes:
54. An effective metric is a clear and concise metric that defines and measures what?
55. Education and Awareness: taxonomy
58. Ten foundational elements for privacy Business Case Development are:
AR. Define Privacy and Mission, Develop Privacy Strategy, Structure Privacy Team
59. What are the 4 Parts of the Privacy Operational Life Cycle
AS. Provide the MANDATORY GOVERNMENT POLICY and guidance based on the organization's location and industry.
60. POLC / Respond / Privacy Incidents/ Follow incident response process to ensure meeting jurisdictional, global, and
AT. 1. Develop Vision and Mission Statement Objectives 2. Define Privacy Program Scope 3. Identify Legal and Regulatory
64. The most time consuming task of a privacy professional was of a strategic nature, which was what?
AX. determine the capability of current privacy management to support each of the business and technical requirements
75. This is a structured readiness testing activity that simulates an emergency situation in an informal, stress-free setting
BG. Monitoring, auditing, and communication
BH. This key factor that lays the groundwork for the rest of the privacy program elements and is typically comprised of a short sentence or two that describe the purpose and ideas in less than 30 seconds.
76. POLC / Sustain / Audit
86. Privacy governance framework provides the methods to what?
BN. Confidentiality, Integrity, Availability, Accountability, Assurance
90. In the U.K., this regulation contains privacy rules for
definition of privacy for your org.
92. Generic privacy metrics should be developed to enable analyses of which processes?
BT. i) Internal Audit & Risk Management
ii) Information Tech & IT Operations/Development
iii) Information Security
iv) HR/Ethics
v) Legal/Contracts
vi) Process/3rd Party Vendors
vii) Marketing/Sales
viii) Government Relations
ix) Accounting/Finance
93. OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, what are five factors that should be considered in a data breach?
CB. Procurement
CC. Repeatable
CK. IT
CO. HR
CP. Confidentiality
Integrity
Availability
Accountability
Assurance
1. Metric Owner
A.
Five-Step Metric Life Cycle:
B.
Organizational privacy office guidance:
C.
This is a key factor that lays the groundwork for the rest of the privacy program elements and is comprised of a short
sentence or two that describes purpose and ideas in less than 30 seconds
D.
This person is the process owner, champion, advocate and evangelist responsible for management of the metric throughout
the metric life cycle
3. Qualitative measurements
A.
This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations
with which you must comply.
B.
As part of the incident-response planning process, this group will provide guidance regarding the detection, isolation,
removal, and preservation of affected systems.
C.
Per recent industry surveys, Chief Information Security Officers seem to prefer which type of measurements?
D.
This is a data pattern that shows trends in an upward or downward tendency, i.e., privacy breaches over time
4. Should document the principles, policies, and practices that influence privacy for the organization. Provide direction on org.
privacy practices, privacy roles and responsibilities, breach or incident documents, privacy ownership, assign stakeholders. They
should also provide formal procedures for receiving and resolving privacy-related inquiries and complaints from both internal
and external sources.
A.
POLC / Respond / Privacy Incidents
B.
This plan is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams
must take before, during, and after a data breach
C.
What is a Privacy Program Framework?
D.
Internal Policy, Written Policy:
5. creating or updating the company's vision and mission statement based on privacy best practice
A.
Strategic management of privacy starts by
B.
Performing a gap analysis will...
C.
Attributes of an effective Metric
D.
Strategic Management model
6. (1) Legal Compliance
(2) Incident Response Planning
(3) Incident Detection
(4) Incident Handling
(5) Follow incident response process to ensure meeting jurisdictional, global and business requirements
(6) Identify incident reduction techniques
(7) Incident metrics - quantify the costs of a privacy incident
A.
POLC / Assess / Risk assessment:
B.
POLC/ Sustain/ Communicate / Awareness
C.
POLC / Respond / Privacy Incidents
D.
POLC / Respond / Privacy Incidents / Incident Detection
7. Union Leadership
A.
After a breach occurs, the primary role for this stakeholder is to provide members with timely updates and instructions.
B.
An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental effect on the metric
or metric owner
C.
This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all relevant
aspects
D.
As it relates to ROI metrics, the second step is to define what
8. (1) Document current baseline of your privacy
(2) Processors and third party vendor assessment
(3) Physical Assessments
(4) Mergers, acquisitions, and divestitures
(5) Conduct analysis and assessments, as needed or as appropriate
A.
Need for Data Life Cycle Management (DLM)
B.
Organizational privacy office guidance:
C.
Privacy Operational Life Cycle (POLC): Assess
D.
Member of the privacy team who may be responsible for privacy program framework development, management and
reporting within an organization
13. Conduct a privacy workshop for your stakeholders to level the privacy playing field by defining privacy for the organization,
explaining the market expectations, answering questions, and reducing confusion.
A.
Privacy Assessment Approach (Key Areas)
B.
Privacy Workshop
C.
Metric - Owner
D.
What is CIA & AA
15. Provide taxonomies or privacy categorization guidelines that are not law or regulation based. (Eg. ISO, GAAP)
A.
Information technology cutting-edge or innovation solutions:
B.
External Privacy Organizations:
C.
Industry frameworks:
D.
Metric - Primary Audience
17. Value the organization places on privacy, Desired organizational objectives, Strategies to drive the tactics used to achieve the
intended outcomes, Clarification of roles and responsibilities
A.
Many organizations create this, comprised of the same stakeholders that were identified at the start of the privacy program
implementation process. Instrumental in making strategic decisions and driving such strategies and decisions through their
own organizations.
B.
A mission statement should include what five items?
C.
Privacy best practices
D.
Privacy Operational Life Cycle (POLC): Assess
18. (1) Type of data being outsourced
(2) Location of data
(3) Implication of cloud computing strategy
(4) Legal compliance
(5) Records retention
(6) Contractual requirements (incident response, etc.)
(7) Establish minimum standards for safeguarding information
A.
How do you develop the Privacy Program Framework?
B.
POLC Assess: 1. Document current baseline of your privacy
C.
POLC / Assess / Risk assessment:
D.
POLC / Respond / Privacy Incidents / Incident Detection
19. Evangelize the purpose and intent of that metric to the organization
A.
A metric owner must be able to do what?
B.
What are the steps of the Audit Life Cycle?
C.
Strategic management of privacy starts by
D.
Metric - Analyze
20. Understand and identify the legal and regulatory compliance challenges of the organization and identify the data impacted
A.
When defining your privacy program scope, you must first do what?
B.
Est. Current Baseline of PP, Data Quality:
C.
When positioning the privacy team, you should also consider the authority it will receive based on the what?
D.
Steps to Develop Privacy Policies, Standards, Guidelines (4)
23. (1) Understanding applicable national laws and regulations
(2) Understanding applicable local laws and regulations
(3) Understanding the penalties for noncompliance
(4) Understanding scope and authority of oversight agencies
(5) Understand the privacy implications of doing business in or with countries with inadequate or without privacy laws
(6) Maintain the ability to manage a global privacy function
(7) Maintain the ability to track multiple jurisdictions for changes in privacy law
(8) Understand international data sharing arrangements and agreements
A.
Effective Metrics:
B.
Ensuring continuous alignment to applicable laws and regulations to support the development of an organizational Privacy
Program Framework consists of:
C.
Identifies alignment to organizational vision and defines the privacy leaders for an organization, along with the resources
necessary to execute the vision.
D.
Merchants that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards must be in compliance
with what?
24. (1) Define what constitutes a privacy incident
(2) Identify reporting process
(3) Coordinate detection capabilities (w/ IT, Security, HR, Investigation team, Vendors)
A.
POLC / Respond / Privacy Incidents / Legal Compliance
B.
POLC / Sustain / Audit
C.
POLC / Sustain / Measure
D.
POLC / Respond / Privacy Incidents / Incident Detection
25. (1) Develop vision and mission statement objectives
(2) Define privacy program scope
(3) Identify legal and regulatory compliance challenges
(4) Identify organization personal information legal requirements
A.
Strategic management of privacy starts by creating or updating the organization vision and mission statement based on
privacy best practices that should include:
B.
One method that can be used as a baseline for assessing your privacy program...
C.
Strategic management of privacy starts by
D.
Strategic management
27. (1) Acquire knowledge on privacy approaches
(2) Evaluate the intended objective
(3) Gain executive sponsor approval for this Privacy Vision
A.
Elements of a Privacy Strategy?
B.
What are the seven foundational principles of PbD?
C.
How do you create a company's: Privacy Vision?
D.
Information technology cutting-edge or innovation solutions:
28. Faulty Assumptions, Selective Use, Well-chosen Average, Semi-attachment, Biased Sample, Intentional Deceit, Massaging the
Numbers, Overgeneralization
A.
The privacy professional must guard against improper conclusions such as these
B.
What are the three types of audit categories?
C.
This activity triggers the pre-notification process
D.
The Sustain phase of the privacy operational life cycle provides privacy management through what?
30. Personal data should be relevant to the purpose for which they are to be used, and, to the extent necessary for those purposes
should be accurate, complete, and kept up-to-date.
A.
Est. Current Baseline of PP, Data Quality:
B.
Steps to Developing a Privacy Strategy (5)
C.
Specific to Healthcare metrics, audiences may include whom?
D.
Est. Current Baseline of PP, Collection Limitation:
31. Promptly allocate funds and manpower needed to resolve the breach.
A.
One of the first and arguably most critical steps taken by the top executive is to what?
B.
An effective metric is a clear and concise metric that defines and measures what?
C.
CIA triad in addition to further advanced information security concepts are what?
D.
Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in what?
32. (1) Identify (metric audience)
(2) Define (the metric owner)
(3) Select (the specific privacy metric)
(4) Collect (the data for the metric - Who, what, how, when, etc)
(5) Analyze (statistical analysis, e.g., trend)
A.
To establish tort liability, a third-party plaintiff must show what?
B.
Metric - Audience
C.
Five-Step Metric Life Cycle:
D.
Questions to Ask When Determining Privacy Requirements (Legal)
33. Not all breaches require notification. There are various types of notification requirements to regulators and affected individuals.
Once it is concluded that an actual compromise of sensitive information has occurred, the pre-notification process is triggered.
Steps taken may vary depending on several factors, but the purpose is to confirm that the event does indeed constitute a
"reportable" breach.
A.
POLC / Sustain / Monitor
B.
POLC / Respond / Privacy Incidents
C.
Breaches
D.
Business Case
34. A data controller should be accountable for complying with measures which give effect to the principles stated above
(Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, and Individual
Participation).
A.
Est. Current Baseline of PP, Individual Participation:
B.
What are the steps of the Metric Life Cycle
C.
Est. Current Baseline of PP, Purpose Specification:
D.
Est. Current Baseline of PP, Accountability:
35. i) Ad Hoc - Procedures informal, incomplete, inconsistently applied (not written)
ii) Repeatable - Procedures exist, partially documented, don't cover all areas
iii) Defined - All documented, implemented, cover all relevant aspects
iv) Managed - Reviews conducted assess effectiveness of controls
v) Optimized - Regular reviews and feedback to ensure continuous improvements.
A.
4 keys to Response?
B.
11 element DLM model
C.
5 Maturity Levels of the AICPA/CICA Privacy Maturity Model?
D.
What are the steps of the Metric Life Cycle
36. Is not a standalone function. It is imperative that the privacy professional work closely with the IT, security, HR and legal
functions in order to take a coordinated approach to solutions.
A.
Privacy Function:
B.
Performance Measurement
C.
What is a Privacy Program Framework?
D.
POLC / Sustain / Audit
38. Key stakeholders, Execution timeline, Progress reporting and Response evaluation and modifications
A.
The primary focus when managing any privacy incident is always what?
B.
Generally, most well-conceived incident response plans account for and/or include which elements?
C.
According to Baker and McKenzie in their looking-ahead analysis of 2012, the goal of "achieving compliance" is steadily being
replaced with what?
D.
How do you develop the Privacy Program Framework?
39. (1) Map data inventories, flows, and classification
(2) Create "record of authority" of systems processing personal information within organization
(3) Map and document data flow in systems and applications
(4) Analyze and classify types and uses of data
A.
POLC/Assess/1.d. Data, systems, and process assessment involves:
B.
POLC / Respond / Privacy Incidents/ Follow incident response process to ensure meeting jurisdictional, global, and business
requirements by...
C.
Privacy Domain (third step in developing the Privacy Policy Framework)
D.
POLC / Respond / Privacy Incidents / Incident Handling
40. (1) Integrate privacy requirements and representations into functional areas across the organization
A.
Metric - Analyze
B.
Education and Awareness:
C.
POLC/ Sustain/ Communicate / Awareness
D.
POLC/ Sustain / Align
41. (1) Define Privacy Vision and Privacy Mission Statement
(2) Develop Privacy Strategy
(3) Structure Privacy Team
A.
Strategic Management is the first high level necessary task to implement proactive privacy management through the
following 3 subtasks:
B.
Strategic management
C.
Your first step when developing a Data-governance Strategy for Personal Information (Collection, Authorized Use, Access,
Security, Destruction)
D.
What are examples of certain types of organizations and entities known as "covered entities"
42. The residents of the states, as well as government bodies or state attorney general offices.
A.
The difference between metrics audiences is based on what?
B.
As it relates to ROI metrics, the first step is to identify and characterize the ROI metric to address what?
C.
In the U.K., this regulation contains privacy rules for any form of electronic marketing, in addition to a vast array of statutes,
regulations and voluntary codes of practice that govern direct marketing activity.
D.
If you process personal information of any resident of a state that has adopted a breach notification law, understand that to
the extent that non-encrypted data has been compromised, your compliance obligations may include notification to whom?
45. Managed
A.
This is an indicator used to measure the financial gain/loss (or value) of a project in relation to its cost
B.
Merchants that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards must be in compliance
with what?
C.
This PMM maturity level indicates that reviews are conducted to assess the effectiveness of the controls in place
D.
This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all relevant
aspects
47. Look to the strictest standard when seeking a solution; provided it does not violate any (1) data privacy laws (2) exceed
budgetary restrictions (3) contradict organization goals and objectives.
A.
Strictest Standard (another data governance strategy for personal information)
B.
POLC/Assess/1.d. Data, systems, and process assessment involves:
C.
CIA triad in addition to further advanced information security concepts are what?
D.
Second step of developing a Privacy Policy Framework?
48. Identification of the intended audience: WHO will use the data?
A.
Metric - Identification
B.
A breach will typically involve
C.
Five-Step Metric Life Cycle:
D.
Policies imposing general obligations on employees may reside with whom?
49. Identifies alignment to organizational vision and defines the privacy leaders for an organization, along with the resources
necessary to execute the vision.
A.
Metric - Collection
B.
Strategic Management model
C.
Performance Measurement
D.
Metric taxonomies provide what categories?
50. Metric owner must:
(1) Know what is critical about the metric. Why the output is important and understand how this metric fits into the business objectives.
(2) Monitor process performance with the metric. Predictors of performance and monitoring data compiled by other metric owners, processes, or dependencies (operation, strategic, or tactical).
(3) Make sure the process documentation is up to date.
(4) Perform regular reviews. Determine if the metric is still required, capable to meet goals, and provides value to the organization.
(5) Make sure that any improvements are incorporated and maintained in the process.
(6) Advocate the metric to customers, partners, and others.
(7) Maintain training, documentation, and materials.
A.
Metric - Tertiary audience
B.
Metric - Sigma Six
C.
Business Case
D.
Define Privacy:
52. Increased control over data, regulatory compliance (thereby minimizing business risk) and reduced costs (by eliminating
redundancies in data storage)
A.
Strategic management of privacy starts by
B.
Est. Current Baseline of PP, Accountability:
C.
POLC / Respond / Privacy Incidents
D.
Main benefits of DLM and ILM are what?
53. The purposes for which personal data are collected should be specified not later than at the time of data collection and the
subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as
are specified on each occasion of change of purpose.
A.
Est. Current Baseline of PP, Purpose Specification:
B.
Data-protection regulations typically include what items
C.
POLC / Respond / Privacy Incidents / Incident Detection
D.
Selecting the correct privacy metric requires what?
54. i) ID Stakeholders and Internal Partnerships
ii) Leverage Key Functions
iii) Create a Process for Interfacing
iv) Develop a Data Governance Strategy
v) *Conduct a Privacy Workshop
A.
Steps to Developing a Privacy Strategy (5)
B.
Steps to Develop Privacy Policies, Standards, Guidelines (4)
C.
What are the 3 high level security roles?
D.
Strategic management (3 subtasks)
56. Privacy Domain - determines the privacy elements, such as industry, privacy organizations and other data, that will provide the
necessary laws, standards, guidelines and other factors that should be evaluated.
A.
Privacy Framework benefits include:
B.
Privacy Domain (third step in developing the Privacy Policy Framework)
C.
Strictest Standard (another data governance strategy for personal information)
D.
Privacy Function:
59. Full understanding of the business objectives and goals, along with a clear understanding of the primary business functions.
A.
When defining your privacy program scope, you must first do what?
B.
Business Case (as a step in developing the Privacy Policy Framework)
C.
The primary audience for metrics may include
D.
Selecting the correct privacy metric requires what?
60. (1) Define organization's (a) Privacy Vision and (b) Privacy Mission Statement
(2) Develop Privacy Strategy
(3) Structure Privacy Team
A.
Strategic management (3 subtasks)
B.
POLC / Respond / Privacy Incidents
C.
Attributes of an effective Metric
D.
Strategic Management assigns roles, sets expectations grants powers and what?
61. The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness.
A.
POLC / Sustain / Communicate
B.
Types of Protection Models (4)
C.
Prior to selecting metrics, the reader should first understand what?
D.
Performance Measurement
62. DLM/ILM
A.
This is a policy-based approach to manage the flow of information through a life cycle from creation to final disposition
B.
These provide a common language between business, operational and technical managers to discuss the relevant information
(e.g., good, bad, or indifferent) related to assessing progress.
C.
This measurement completely excludes certain elements from the data population, thus providing only a partial set of data and
leading to false assumptions
D.
This ensures that privacy and security controls are aligned with an organization's tolerance for risk and its compliance with
regulations and commitment to building a sustainable privacy-minded culture
65. • Notice
• Choice
• Consent
• Purpose limitations
• Limits on retaining data
• Individual rights to access
• Correction and deletion of data
• Obligation to safeguard data
A.
What are the phases of the privacy operational life cycle
B.
Steps to Developing a Privacy Strategy (5)
C.
Data-protection regulations typically include what items
D.
First step of developing a Privacy Policy Framework?
66. Process owner, champion, advocate and evangelist responsible for management of the metric throughout the metric life cycle
A.
Metric - Owner
B.
An effective metric is a clear and concise metric that defines and measures what?
C.
Strategic management (3 subtasks)
D.
Technical Controls:
67. Implementation roadmap that provides structure or checklists to guide privacy professionals through management and
prompts for details to determine privacy relevant decisions.
A.
What are the 7 foundation principles of Privacy by Design?
B.
Steps to Developing a Privacy Strategy (5)
C.
What is the third step in the metric life cycle
D.
What is a Privacy Program Framework?
68. o Identify the intended audience - Who will use the data
o Define the data sources - Who is the data owner and how is that data accessed
o Select privacy metrics - what metrics to use based on the audience, reporting resources and final selection of the best metric
o Collect and refine systems/applications collection point - where will the data come from to finalize the metric collection report? When will the data be collected? Why is that data important?
o Analyze the data/metrics to provide value to the organization and provide a feedback quality mechanism
A.
What are the steps of the Metric Life Cycle
B.
Est. Current Baseline of PP, Individual Participation:
C.
Privacy Program activities usually consist of:
D.
What is the second step in the metric life cycle?
69. Third party hacker who intentionally exploits vulnerabilities of the customer system, Customer failure to properly operate, use
or secure its systems, Lost or stolen computer equipment, Misconduct of customer employees
A.
A breach will typically involve
B.
The secondary audience includes those who may not have privacy as a primary task include
C.
This functional group adds processes and controls that support privacy principles. It creates processes to develop and test
software and applications in a manner that does not require the use of production data, which decreases the chances that the
data will be compromised and that individuals who have no business need will access the data
D.
Privacy professional
71. IT assets
A.
When an individual is unable to prove their point, this may result in the exclusion of elements of a measurement when
conveying results
B.
This is a data pattern that shows trends in an upward or downward tendency, e.g., privacy breaches over time
C.
Inherent technical features that collectively protect the organizational infrastructure, achieving and sustaining confidentiality,
integrity, availability, and accountability.
D.
These are measures to reduce the likelihood and severity of accidental and intentional alteration, destruction,
misappropriation, misuse, misconfiguration, unauthorized distribution and unavailability of an organization's logical and
physical assets, as the result of action or inaction by insiders and known outsiders, like business partners
73. (1) The value the organization places on privacy
(2) Desired organizational objectives
(3) Strategies to drive the tactics used to achieve the intended outcomes
(4) Clarification of roles and responsibilities
A.
The fundamental principle that should govern a privacy incident is to what?
B.
The privacy statement should indicate:
C.
Metric - Identification
D.
The secondary audience includes those who may not have privacy as a primary task include
75. Level of interest, influence and responsibility to privacy within the business objectives, laws and regulations, or ownership
A.
The difference between metrics audiences is based on what?
B.
POLC / Respond / Privacy Incidents / Incident Handling
C.
Selecting the correct privacy metric requires what?
D.
How do you develop the Privacy Program Framework?
76. Healthcare providers (hospitals, clinics, pharmacies) and health plans (medical plans, organization benefit plans) subject to
HIPAA.
A.
What are examples of certain types of organizations and entities known as "covered entities"
B.
What are the 3 high level security roles?
C.
What are the three types of audit categories?
D.
What is the difference between positive & negative controls?
82. Legal and privacy officers, senior leadership; CIO, CSO, PM, Information Systems Owner (ISO), Information Security Officer
(ISO), Others considered users and managers
A.
Data-protection regulations typically include what items
B.
What is the difference between positive & negative controls?
C.
The primary audience for metrics may include
D.
One method that can be used as a baseline for assessing your privacy program...
86. Collection and refinement of systems/application collection points: WHERE will the data come from to finalize the metric
collection report? WHEN will the data be collected? WHY is that data important?
A.
Metric - Collection
B.
POLC / Sustain / Audit
C.
Performance Measurement
D.
Metric - Owner
87. APEC Privacy - regional data transfers
PIPEDA (Canada) & AIPP (Australian)
OECD
Privacy by Design
US Government
A.
Performance Measurement
B.
Metric - Owner
C.
Education and Awareness:
D.
Popular Frameworks (6)
89. Definition of data sources: WHO is the data owner and HOW is that data accessed?
A.
Privacy professionals should always involve whom to review, define or establish technical security controls, including
common security controls such as firewalls, anti-malware/anti-virus software, and complex password requirements
B.
Metric - Definition
C.
The fundamental principle that should govern a privacy incident is to what?
D.
This is someone who understands the importance of privacy and will act as an advocate for you and for the program.
Typically, they will have experience with the organization, the respect of their colleagues and access to or ownership of
budget.
90. (1) Faulty Assumptions
(2) Selective Use
(3) The Well-chosen Average
(4) Semi-attachment
(5) Biased Sample
(6) Intentional Deceit
(7) Massaging the Numbers
(8) Over-generalization
A.
Performance Measurement
B.
Metric - Collection
C.
Technical Controls:
D.
Metrics - Improper
91. Functional
A.
As a rule, privacy policies and procedures are created and enforced at a what level?
B.
Key aspects of Internal Policy include:
C.
A breach will typically involve
D.
Metric - Definition
92. Rationalization
A.
This ensures that privacy and security controls are aligned with an organization's tolerance for risk, its compliance with
regulations and its commitment to building a sustainable privacy-minded culture
B.
Many times the mean is used for a metric, but it is sometimes more appropriate to use the median or mode rather than the
true mean/average
C.
This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations
with which you must comply.
D.
These provide a common language between business, operational and technical managers to discuss the relevant information
(e.g., good, bad, or indifferent) related to assessing progress.
93. Analyze the data/metric to provide value to the organization and provide a feedback quality mechanism
A.
Information technology cutting-edge or innovation solutions:
B.
A metric owner must be able to do what?
C.
Effective Metrics:
D.
Metric - Analyze
99 True/False questions
1. (1) Understanding key roles and responsibilities
(2) Develop a communications plan to notify executive management → POLC / Respond / Information Requests
True
False
2. Markets, cultures, and geographical locations → Privacy governance framework provides the methods to what?
True
False
3. Define Reporting Procedures → What is the second step in the metric life cycle?
True
False
4. Optimized → This PMM maturity level indicates that regular review and feedback is used to ensure continuous improvement
towards optimization of the given process
True
False
5. Proactive not Reactive-Preventative not Remedial; Privacy as the Default Setting; Privacy Embedded into Design; Full
Functionality-Positive Sum not Zero-sum; End-to-End Security-Full Life Cycle Protection; Visibility and Transparency; Respect
for User Privacy → What are the seven foundational principles of PbD?
True
False
6. Human failure or systemic error. → Data integrity issues are often the results of what?
True
False
7. the value of the asset → As it relates to ROI metrics, the second step is to define what
True
False
8. Information Technology (IT) → This functional group adds processes and controls that support privacy principles. It creates
processes to develop and test software and applications in a manner that does not require the use of production data
decreases the chances that the data will be compromised and that individuals who have no business need will access the data
True
False
9. Consider how valuable, sensitive, or confidential the personal information is and what damage or distress could be caused to
individuals if there was a security breach. → One method that can be used as a baseline for assessing your privacy program...
True
False
10. Representatives from each geographic region and business function (e.g., HR) in which the organization has a presence to
ensure that proposed privacy policies, processes, and solutions align with local laws. → Strictest Standard (another data
governance strategy for personal information)
True
False
11. Conducting a data inventory reveals where personal data resides, which will identify the data as it moves across various systems
and thus how data is shared and organized and its locations. That data is then categorized by subject area, which identifies
inconsistent data versions, enabling identification and mitigation of data disparities. The data inventory offers a good starting
point for the privacy team to prioritize resources, efforts, risk assessments and current policy in response to
incidents. → Business Case
True
False
12. 1) Rigorously defined, 2) Credible and relevant, 3) Objective and quantifiable, and 4) Associated with the baseline
measurement per the organization standard metric taxonomy. → POLC / Sustain / Communicate / Targeted employee,
management, and contractor training...
True
False
13. Semi-attachment → When an individual is unable to prove their point, this may result in the exclusion of elements of a
measurement when conveying results
True
False
14. Selection of privacy metrics: WHAT metrics to use based on the audience, reporting resources, and final selection of the best
metric? → Metric - Tertiary audience
True
False
15. There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and,
where appropriate, with the knowledge or consent of the data subject. → Second step of developing a Privacy Policy
Framework?
True
False
16. Legal → This type of governance fits well in organizations that utilize single-channel functions (where direction flows from a
single source) with planning and decision making completed by one group
True
False
17. Indirectly by extrapolation from other measured factors → What are the three types of audit categories?
True
False
18. Privacy professional → Member of the privacy team who may be responsible for privacy program framework development,
management and reporting within an organization
True
False
19. 1) Define your organization's privacy vision and privacy mission statements 2) Develop privacy strategy 3) Structure your
privacy team → A metric should be clear in the meaning of what is being measured and what else?
True
False
21. There should be a general policy of openness about developments, practices, and policies with respect to personal data.
Means should be readily available to establish the existence and nature of personal data, and the main purpose of their use, as
well as the identity and usual residence of the data controller. → Est. Current Baseline of PP, Openness:
True
False
22. Well-chosen Average → Many times the mean is used for a metric, but it is sometimes more appropriate to use the median or
mode rather than the true mean/average
True
False
23. o Involve senior leadership
o Involve stakeholders
o Develop internal partnerships
o Provide flexibility
o Leverage communications
o Leverage collaboration → Executive leadership support for your governance model will have a direct impact on the level of
success when implementing your privacy strategies. What are the important steps to integrate into any model?
True
False
25. i) Enterprise Objectives
ii) Minimalism
iii) Simplicity of Procedures & Training
iv) Adequacy of Infrastructure
v) Information Security
vi) Authenticity and Accuracy of Records
vii) Retrievability
viii) Distribution Controls
ix) Auditability
x) Consistency of Policies
xi) Enforcement → 11 Principles of the Data Life Cycle Management Model
True
False
26. Vision or mission statement → This key factor that lays the groundwork for the rest of the privacy program elements and is
typically comprised of a short sentence or two that describe the purpose and ideas in less than 30 seconds.
True
False
27. Pragmatic Approach → This is the process of informing affected individuals that their personal data has been breached
True
False
29. If developed, offers the best starting point. This should be the first step, regardless of the program maturity. → The fundamental
principle that should govern a privacy incident is to what?
True
False
30. Includes:
Legal and privacy officers
Senior leadership; chief information officer
Chief security officer
Program managers
Information system owner
Information security officer → Metric - Primary Audience
True
False
31. (1) Collection Limitation
(2) Data Quality
(3) Purpose Specification
(4) Use Limitation
(5) Security Safeguards
(6) Openness
(7) Individual Participation
(8) Accountability → Examples of Compliance Metrics
True
False
32. Individual culture, politics and protocols of the organization → This model identifies alignment to organization vision and
defines the privacy leaders for an organization, along with the resources (people, policy, processes, and procedures)
necessary to execute vision
True
False
33. Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access,
destruction, use, modification or disclosure of data. → POLC/Assess/1.d. Data, systems, and process assessment involves:
True
False
34. 1. Enterprise data growth
2. Growth in unstructured data
3. Limitations in relational database management system performance
4. Information access and security concerns
5. Lack of effective methods for classifying data
6. Difficulty in assessing productivity of systems, applications and databases → Main drivers of DLM/ILM
True
False
35. i) Sectoral (US)
ii) Comprehensive (EU, Canada, Russia)
iii) Co-Regulatory (Australia)
iv) Self Regulated (US, Japan, Singapore) → Types of Protection Models (4)
True
False
36. E.g., Privacy Office or Privacy Officer. This contact can also serve as the liaison to information security, legal and human
resources. → Internal Policy, Designated Point of Contact:
True
False
37. PIA, risk assessments, security assessments → These type of assessments further assist the privacy professional in the Protect
phase
True
False
38. Assessment of the Business Case for the current (or forthcoming) privacy program or privacy requirements for privacy policies,
standards, and/or guidelines. → Est. Current Baseline of PP, Security Safeguards:
True
False
39. Member of the privacy team who may be responsible for privacy program framework development, management and
reporting within an organization → This person is the process owner, champion, advocate and evangelist responsible for
management of the metric throughout the metric life cycle
True
False
40. Taking an inventory of relevant regulations that apply to your business. → Third and final step of developing a Privacy Policy
Framework?
True
False
41. (1) Collection (notice)
(2) Responses to data subject inquiries
(3) Use
(4) Retention
(5) Disclosure to third parties
(6) Incidents (breaches, complaints, inquiries)
(7) Employees trained
(8) PIA metrics
(9) Privacy risk indicators
(10) % of company functions represented by governance mechanisms → Examples of Compliance Metrics
True
False
42. Define privacy technology standards developed solely to be used for the transmission, storage and use of privacy data. → Est.
Current Baseline of PP, Openness:
True
False
43. Verifies performance → This occurs when inferences are made concerning a general data population that leads to poor
conclusions
True
False
44. Provides the methods to assess, protect, sustain, and respond to the positive and negative effects of all influencing factors.
This master plan, or framework, thereby provides reusable procedures and checklists that outline the operational life cycle
courses of action, research, and subject matter expertise, constituting a "best practice" approach to an idea, thought or subject.
Like maps, frameworks provide inquiry topics and direction (e.g., problem definition, purpose, literature review, methodology,
data collection and analysis) to ensure quality through repeatable steps throughout program management, thereby reducing
errors or gaps in knowledge or experience. → Privacy Assessment Approach (Key Areas)
True
False
45. Take an inventory of relevant regulations that apply to your business. Once you determine which laws apply, you must design a
manageable approach to handling and protecting personal information → The difference between metrics audiences is based
on what?
True
False
46. Is the first high level task necessary to implement proactive privacy management. → Strategic Management assigns roles, sets
expectations, grants powers and what?
True
False
47. While stakeholders at all levels should be involved in the selection and management of any metric to ensure buy-in and a
sense of ownership, ISOs are seen as a primary audience for metrics data because they have a higher level of interest,
influence, and responsibility to privacy within the business objectives, laws and regulations, or ownership. → ISOs (Information
System Owner or Information Security Officer)
True
False
48. Business Continuity and Disaster Recovery Planning (BCDR) → These type of assessments further assist the privacy professional
in the Protect phase
True
False
49. Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, not a law. → If a standard metric
taxonomy does not exist, privacy professionals can generate their own using the best practices from where?
True
False
50. 1) Know what is critical about the metric,
2) Monitor process performance with the metric,
3) Make sure the process documentation is up to date,
4) Perform regular reviews,
5) Make sure that any improvements are incorporated and maintained in the process,
6) Advocate the metric to customers, partners and others, and
7) Maintain training, documentation, and materials. → What are the four steps in defining your organization's privacy vision and
privacy mission statements
True
False
51. - Who collects, uses, maintains Personal Information
- What are the types of Personal Information
- What are the legal requirements for the PI
- Where is the PI stored
- How is the PI collected
- Why is the PI collected → Individual executives who lead and "own" the responsibility of the relevant activities are called what?
True
False
52. Centralized Governance → This term relates to the protection of hardware, software, and data against physical threats, to
reduce or prevent disruptions to operations and services and loss of assets
True
False
53. Clear and concise metric that defines and measures progress toward a business objective or goal without overburdening the
reader → Strategic management (3 subtasks)
True
False
54. (1) Define program scope and charter
(2) Identify the sources, types, and uses of Personal Information (PI) within the org. and the applicable laws
(3) Develop a Privacy Strategy → How do you create a company's: Privacy Vision?
True
False
55. (1) a formal written policy and (2) designated points of contact → Key aspects of Internal Policy include:
True
False
56. Defined → This PMM maturity level indicates procedures or processes are fully documented and implemented and cover all
relevant aspects
True
False
57. Personal data should not be disclosed, made available or otherwise used for purposes other than those specified, except with
the consent of the data subject or by the authority of law. → Est. Current Baseline of PP, Use Limitation:
True
False
58. Reduce risk; avoid incident of data loss; sustain organization market value and reputation and provide measurement in
compliance to laws, regulations, and standards. → Privacy Framework benefits include:
True
False
59. (a) Education and awareness
(b) Monitoring and responding to regulatory environment
(c) Internal policy compliance
(d) Data, systems and process assessment
(e) Risk assessment
(f) Incident response
(g) Remediation
(h) Determine desired state and perform gap analysis against an accepted standard or law
(i) Program assurance, including audits → POLC Assess: 1. Document current baseline of your privacy
True
False
60. Over-generalizations → This is the process of informing affected individuals that their personal data has been breached
True
False
61. (1) Develop organizational privacy policies, standards, and/or guidelines
(2) Define Privacy Program activities → How do you develop the Privacy Program Framework?
True
False
62. Review and Monitor the program and Communicate the Privacy Policy Framework. → Third and final step of developing a
Privacy Policy Framework?
True
False
63. US-EU Safe Harbor → What is the third step in the metric life cycle
True
False
64. Escalation → This is the internal process of employees alerting supervisors about a security-related incident, who in turn report
the details to a predefined list of experts
True
False
65. Notification → This is the process of informing affected individuals that their personal data has been breached
True
False
66. Harm prevention and/or minimization → The tertiary audiences may be considered, based on the organization's specific or
unique requirements such as who?
True
False
69. (1) Quantify the costs of technical controls
(2) Manage data retention with respect to the organization's policies
(3) Define the methods for physical and electronic data destruction
(4) Define the roles and responsibilities for managing the sharing and disclosure of data for internal and external use → POLC / Sustain / Align
True
False
70. (1) Education and awareness
(2) Monitoring and responding to the regulatory environment
(3) Internal policy compliance
(4) Data inventories, data flows, and classification
(5) Risk assessment (Privacy Impact Assessments, etc.)
(6) Incident response and process, including jurisdictional regulations
(7) Remediation
(8) Program assurance, including audits → Structuring the Privacy Team involves:
True
False
71. (1) Awareness (2) Targeted employee, management, and contractor training → POLC / Sustain / Communicate
True
False
72. (1) Identifying and Establishing the appropriate Governance Model for your organization (usually based on size)
(2) Responsibilities and reporting structure for Governance Model and Organization
(3) Designate a point of contact for Privacy Issues
(4) Establish/endorse the measurement of professional competency → POLC / Sustain / Measure
True
False
73. (1) Data life cycle (creation to deletion) (2) Information Security Practices (3) Privacy by Design → POLC / Protect
True
False
74. Communications and PR → This is the process of informing affected individuals that their personal data has been breached
True
False
75. i) Centralized ii) Local/Decentralized iii) Hybrid → What are the 3 high level security roles?
True
False
76. Attributes of an effective metric with metric taxonomy and how to limit improper metrics. → What enables you to create a
data-governance strategy for your organization?
True
False
77. Ad hoc, Repeatable, Defined, Managed, Optimized → What are the PMM maturity levels?
True
False
78. (1) Environment (e.g., systems, applications) monitoring
(2) Monitor compliance with established privacy policies
(3) Monitor regulatory and legislative changes
(4) Compliance monitoring (e.g., collection, use, and retention) - can be done by: Internal Audits, Self-Regulation, Retention
Strategy, or Exit Strategy → POLC / Sustain / Monitor
True
False
79. Information requests, legal compliance, incident response planning and incident handling → The Respond phase of the privacy
operational life cycle includes which principles?
True
False
80. External watchdog groups, Sponsors, Stockholders → The tertiary audiences may be considered, based on the organization's
specific or unique requirements such as who?
True
False
81. A gap analysis of the information collected for the Business Case, ensuring there are no gaps or holes in the current or
developing privacy program. → Selecting the correct privacy metric requires what?
True
False
82. Institute your organization's requirements, policies and procedures instead of reducing them to the level of the
country → Individual executives who lead and "own" the responsibility of the relevant activities are called what?
True
False
83. (1) Communicating the Framework to internal and external stakeholders
(2) Ensuring continuous alignment to applicable laws and regulations to support the development of an organizational Privacy
Program Framework → Implementing the Privacy Policy Framework consists of:
True
False
84. 1) Identify organization PI legal requirements, 2) Develop V&M statement objectives, 3) Identify legal & regulatory compliance
challenges, and 4) Define privacy program scope → Privacy best practices
True
False
85. Select Privacy Metrics → What is the third step in the metric life cycle
True
False
86. Massaging the Numbers → This is slightly adjusting measurements to provide the appearance of success or other-than-actual
results, leading the reviewer to believe the metric is more successful than it actually may be
True
False
87. Marketing → This strategy seeks solutions that do not violate any data privacy laws, exceed budgetary restrictions or
contradict organization goals and objectives
True
False
89. Intentional Deceit → An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental
effect on the metric or metric owner
True
False
90. Involve the use of newer or unregulated technology, such as social networking and the new Internet web cookie policy for
eGov 2.0 → Selecting the correct privacy metric requires what?
True
False
91. (1) Business Alignment
(2) Develop a data governance strategy for personal information (collection, authorized use, access, and destruction)
(3) Plan inquiry/complaint handling procedures (customers, regulators, etc.) → Elements of a Privacy Strategy?
True
False
92. The specific risk that control or feature is supposed to mitigate → This is a data pattern that shows trends in an upward or
downward tendency, e.g., privacy breaches over time
True
False
93. Program Sponsor → This is someone who understands the importance of privacy and will act as an advocate for you and for
the program. Typically, they will have experience with the organization, the respect of their colleagues and access to or
ownership of budget.
True
False
94. Metric taxonomy → This lists the metric characteristics that delineate boundaries between metric categories
True
False
95. Primary, secondary, and tertiary stakeholders who obtain value from a metric → Metric - Audience
True
False
96. NIST, NISTIR 7564, "Directions in Security Metrics Research" → If a standard metric taxonomy does not exist, privacy
professionals can generate their own using the best practices from where?
True
False
97. An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data
controller has data relating to him; (b) to have communicated to him, data relating to him within a reasonable time; at a charge,
if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to him; (c) to be given reasons if a
request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) challenge data
relating to him and, if the challenge is successful, to have the data erased, rectified, completed, or amended. → What are the
steps of the Metric Life Cycle
True
False
98. Notification could create unnecessary concern and confusion → What does the Federal government guidance state when a
breach poses little or no risk of harm?
True
False
99. Ad hoc → This approach collects the various data-protection requirements and rationalizes them where possible
True
False