CIPM study questions and answers 2023
3 privacy team governance models - Answer- 1) Centralized 2) Distributed, Local, or Decentralized 3) Hybrid
3 steps to establish a privacy program - Answer- 1) business alignment 2) data governance strategy 3) plan inquiry/complaint handling strategy for customers and regulators
4 metric reporting resources - Answer- 1) process owner 2) champion 3) advocate 4) evangelist
5-step metric life cycle - Answer- 1) identify 2) define 3) select 4) collect 5) analyze
Centralized privacy team governance model: a) single channel function b) local entities fulfill c) fewer tiers d) lower level decisions - Answer- a) single channel function
Primary metrics audiences: a) Legal b) Sponsor c) CSO d) Sr Leadership - Answer- a) Legal c) CSO d) Sr Leadership
Secondary metrics audiences: a) IG b) Legal c) CFO d) Stockholders - Answer- a) IG c) CFO
Tertiary metrics audiences: a) ISO b) Training c) Sponsors d) Legal - Answer- c) Sponsors
3 data patterns for metrics reporting (T, C, I) - Answer- Time series - # of breaches over time; Cyclical component - weekly, monthly, yearly; Irregular component - absence or indication of data breaches
Metrics reporting resources (P, P, T) - Answer- People - primary, secondary, tertiary; Processes - benchmarks, add value; Technology - automated
5 privacy program maturity levels - Answer- Ad hoc - informal, incomplete; Repeatable - not fully documented; Defined - fully documented and implemented; Managed - reviews conducted; Optimized - regular review, ensures continuous improvement
Privacy program maturity models: Ad hoc a) ensure continuous improvement b) incomplete c) reviews conducted d) inconsistently applied - Answer- b) incomplete d) inconsistently applied
Privacy program maturity models: Managed a) reviews conducted b) not fully documented c) regular reviews d) implemented - Answer- a) reviews conducted
Privacy program maturity models: Repeatable a) regular reviews b) implemented c) incomplete d) not fully documented - Answer- d) not fully documented
Privacy program maturity models: Optimized a) ensure continuous improvement b) regular reviews c) incomplete d) fully documented - Answer- a) ensure continuous improvement b) regular reviews
Privacy program maturity models: Defined a) regular reviews b) incomplete c) reviews conducted d) implemented - Answer- d) implemented
Which privacy program maturity level is not fully documented? - Answer- Repeatable
Which privacy program maturity level has reviews conducted? - Answer- Managed
Which privacy program maturity level is fully documented and implemented? - Answer- Defined
What is the metrics ROI formula? - Answer- ROI = (benefits - costs) / costs
4 points of contact for privacy issues - Answer- 1) group email box 2) SharePoint site 3) phone number 4) web presence
Who makes up the privacy team for a small company? - Answer- DPO
Who makes up the privacy team for a large company? - Answer- 1) CPO 2) manager 3) analyst 4) business line privacy leaders 5) first responders 6) DPO
What is the goal of the privacy framework? - Answer- reduce privacy risk; protect against breaches; reduce financial or reputational harm; create competitive advantage
What are the 4 steps to develop a privacy framework? - Answer- 1) business case 2) gap analysis (data inventory) 3) review and monitor 4) communicate
What are the 3 ways to communicate the privacy framework to internal and external stakeholders? - Answer- 1) meetings 2) conference calls 3) education and awareness (newsletters, email, posters, e-learning, video conferences, web pages, voicemail broadcast)
What metric audience is external watchdog groups? a) primary b) secondary c) tertiary - Answer- c) tertiary
What metric audience is Inspectors General (IG)? a) primary b) secondary c) tertiary - Answer- b) secondary
What metric audience is program manager? a) primary b) secondary c) tertiary - Answer- a) primary
What metric audience is training? a) primary b) secondary c) tertiary - Answer- b) secondary
What metric audience is stockholders? a) primary b) secondary c) tertiary - Answer- c) tertiary
What metric audience is HR? a) primary b) secondary c) tertiary - Answer- b) secondary
What metric audience is legal and privacy officers? a) primary b) secondary c) tertiary - Answer- a) primary
What metric audience is HIPAA security officers? a) primary b) secondary c) tertiary - Answer- b) secondary
What metric audience is information systems officer? a) primary b) secondary c) tertiary - Answer- a) primary
What metric audience is chief security officer? a) primary b) secondary c) tertiary - Answer- a) primary
C-I-A triad +2 - Answer- Confidentiality - prevent disclosure; Integrity - information protected from modification or deletion; Availability - accessible to those authorized; + Accountability - ownership traceable; Assurance - 4 above objectives met
10 data inventory elements - Answer- 1 nature of repository 2 owner 3 location 4 volume of information 5 format 6 use 7 type of PI 8 where stored 9 where accessed 10 international transfers
PTA, PIA, DPIA - Answer- Privacy Threshold Analysis; Privacy Impact Assessment; Data Protection Impact Assessment
4 items to evaluate for processors and 3rd party vendor assessments - Answer- 1 privacy and info sec policies 2 access controls 3 where PI held 4 who has access to PI
Risk assessments for processors and 3rd party vendors should include 7 elements - Answer- 1 type of data outsourced 2 location 3 implication of cloud computing strategies 4 legal compliance 5 records retention 6 contractual requirements 7 minimum standards for safeguarding info
7 physical assessments for identifying operational risk - Answer- 1 data centers 2 physical access controls 3 document destruction 4 media sanitization 5 device forensics 6 fax machine security 7 imaging/copier hard drive security controls
5 factors for risk assessments for M&A and divestitures - Answer- 1 HIPAA 2 PCI (payment card industry) 3 country laws 4 marketing and other controls 5 new resources, technologies, and processes
Data life cycle - Answer- Create, Use, Archive, Delete
3 DLM governance elements - Answer- 1 decision rights and accountability 2 processes and standards 3 roles
3 high-level info sec roles from best practices - Answer- 1 executive - CIO, ISO, Compliance 2 functional - security engineer 3 corollary - physical security, privacy professional
7 PbD foundational principles - Answer- 1 Proactive 2 privacy by default 3 embedded 4 positive-sum, full functionality 5 end to end, full life cycle 6 visibility and transparency 7 respect for user
PbD: _________ through system development life cycle (SDLC); _________ establish privacy gates in standard process, development framework - Answer- integrate; establish
4 types of information requests to respond to - Answer- 1 access 2 redress/remedy 3 correction/rectification
School, course and subject
- Institution: CIPM
- Degree: CIPM
Document information
- Uploaded on: 28 June 2023
- Number of pages: 9
- Written in: 2022/2023
- Type: Exam
- Contains: Questions and answers