Certified Information Privacy Manager (C.I.P.M.) Exam Prep Test

Which best describes the disadvantages of a centralized privacy governance model?

• Streamlined processes and procedures

• Bottom-to-top flow of information

• Offers the resources of a larger, centralized organization

• Individual employees cannot make decisions

• Lack of centralized process can create duplication of efforts

• Decentralized decision-making provides less big-picture vision

Opting-in means an individual makes an active, affirmative indication of choice—for example, by checking a box to signal her desire to share her information with third parties. This choice should be clear and easy to execute. true or false?

• True

• False

Information security provides physical, technical and administrative controls to manage risk by reducing probable damage, loss, modification or unauthorized access to data. Controls can also be divided into several categories based on the control objective. Select all the elements which are technical controls.

• Fences

• Doors and locks

• Logins

• Virus software

• Firewalls

• Incident response processes

• Management oversight

• Security awareness and training

• Data handling policies

True or false? All incidents are breaches, but not all breaches are incidents.

• True

• False

True or false? When communicating about a breach, an organization should make internal announcements well in advance of external announcements.

• True

• False

Can you identify the five phases of a privacy program audit?

• Audit planning, audit preparation, audit, report and follow-up

• Audit planning, audit, analyze, report and follow-up

• Audit, audit analysis, audit review, report and evaluate

• Audit planning, audit preparation, audit, follow-up and renewal

Why does an organization need a privacy program? Identify the number 3 privacy team responsibility.

• Enhance marketplace reputation and brand

• Meet regulatory compliance obligations, including the GDPR

• Enable global operations and entry into new markets

• Safeguard data against attacks and threats

• Increase revenues from cross-selling and direct marketing

• Reduce scrutiny from privacy watchdog groups

• Provide a competitive differentiator

• Maintain or enhance the value of information assets

• Reduce risk of employee and consumer lawsuits

• Be a good corporate citizen

• Meet expectations of business clients and partners

• Meet consumer expectations/ enhance trust

A privacy policy is generally an internal document that is addressed to employees. Policies clearly state how personal information is going to be handled. When launching communications related to the privacy program, which of the following considerations should be made:

• What do you want the policy to achieve? Should it, for example, simply spread knowledge? Or should it attempt to change behavior?

• How can you work with the communications team?

• What existing communication modes—such as a company intranet—can you employ?

• Which functional areas most align with the privacy program? (For example, IT, security or HR)

• And how can you motivate employees and use metrics to help demonstrate the value of privacy?

• Who is the audience?

How do information security and privacy teams work in concert, so that their respective spends can complement each other? Check all that apply.

• Increased involvement of privacy personnel on information security teams

• Employing core privacy functions with an IT orientation to get a better handle on their data and the extent of their corporate risk

• Increased investment in privacy technology

• Increased use of privacy impact assessments and data inventory and classification

• Increased use of data retention policies

Information security provides physical, technical and administrative controls to manage risk by reducing probable damage, loss, modification or unauthorized access to data. Controls can also be divided into several categories based on the control objective. Select all the elements which are corrective controls.

• Firewalls

• Passwords

• Procedures

• Training

• Audits

• Security software

• Monitoring and logging

• Business continuity plans

• Back-up data restoration

• Updated policies

Privacy risks. In 2006, Daniel Solove authored an article entitled, “A Taxonomy of Privacy,” wherein he proposed a common taxonomy of privacy risk factors. Although many of these activities can pose risks to privacy, they also have many benefits. For an organization, the key is in ensuring that impacts to privacy are identified and minimized by an organization. Select each description that is an element of Information dissemination:

• Surveillance

• Interrogation

• Aggregation

• Insecurity

• Identification

• Secondary use

• Exclusion

• Intrusion

• Decisional interference

• Breach of confidentiality

• Disclosure

• Exposure

• Increased accessibility

• Blackmail

• Appropriation

• Distortion

A metric owner is a process owner, champion and advocate responsible for management of the metric throughout the metric lifecycle. This person should have privacy knowledge, training and experience—to limit possible errors interpreting privacy-related laws, regulations and practices. Select the metric owner responsibilities.

• Know what is critical about the metric: Ask why the output is important and how this metric fits into the business objectives.

• Monitor process performance with the metric.

• Keep process documentation up to date to ensure all audiences have a clear definition of the metric and how it should be used.

• Perform regular reviews. Determine if the metric is still required, capable to meet goals, and provides value to the organization.

• Ensure improvements are incorporated and maintained in the process.

Type response below

The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU General Data Protection Regulation and other frameworks, including APEC's Cross Border Privacy Rules. ________

DLP network, storage, scans and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block e-mail or file transfers based on the data category and definitions. ________

A U.S. professional organization of certified public accountants and co-creator of the WebTrust seal program. ________

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. ________

________ takes specific identifying values and makes them broader, such as changing a specific age (18) to an age range (18-24).

________ addition takes identifying values from a given data set and switches them with identifying values from another individual in that data set.

________ is the most basic version of anonymization and it simply removes some identifying values from data to reduce its identifiability.

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperative that mirror the OECD Fair Information Privacy Practices. Though based on OECD Guidelines, they seek to promote electronic commerce throughout the Asia-Pacific region by balancing information privacy with business needs. ________

The first of four phases of the privacy operational life cycle ________

High-level, five-phase audit approach. The steps include: Audit Planning; Audit Preparation; Conducting the Audit; Reporting; and Follow-up. ________

________ is targeted at individuals based on the observation of their behavior over time.

________ are appropriate safeguards allowed by the General Data Protection Regulation to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide.

The United States’ Federal Trade Commission’s ________ (BoC) enforces the nation's antitrust laws, which form the foundation of our free market economy. The antitrust laws promote the interests of consumers; they support unfettered markets and result in lower prices and more choices.

The United States’ Federal Trade Commission’s ________ (BoCP) stops unfair, deceptive and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities.

The United States’ Federal Trade Commission’s ________ (BoE) helps the FTC evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on businesses and consumers.

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements and other considerations. ________

BCDR or ________ is a risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered.

The ________ (BCP) is typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during and after an event in order to help operations run smoothly. Situations covered in a BCP often include fire, flood, natural disasters (tornadoes and hurricanes), and terrorist attack.

________ (COPPA) is a U.S. federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13. It also applies to general audience websites and online services that have actual knowledge that they are collecting personal information from children under the age of 13.

In the context of consent, ________ refers to the idea that consent must be freely given.

Three common information security principles from the 1960s. ________

The three common information security principles from the 1960s that comprise the CIA Triad also known as Information Security Triad: ________

A fair information practices principle, it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject. ________

This privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law. ________

A requirement that an individual "signifies" his or her agreement with a data controller by some active communication between the parties. ________

Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual. ________

Any person or entity that complies or evaluates personal information for the purpose of furnishing it to third parties for a fee. ________

“As-is” data privacy requirements; the current environment and any protections, policies, and procedures currently deployed. ________

Relatively new form of insurance protection that fills gaps typically not covered by General Commercial Liability plans. ________

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector. ________

The natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. ________

Also known as a record of authority, identifies personal data as it moves across various systems and thus how data is shared and organized, and its location. That data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities. ________

Also known as Information Life Cycle Management (ILM) or data governance, DLM is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition. It provides a holistic approach to the processes, roles, controls and measures necessary to organize and maintain data, and has 11 elements. ________

The idea that one should only collect and retain that personal data which is necessary. ________

Independent public authorities that supervise the application of data protection laws in the EU. ________