CIPM Exam / Revised Questions and Answers /
A 2012 study revealed what groups were most often the cause for privacy incidents? - Insiders
and third parties
A breach will typically involve - Third party hacker who intentionally exploits vulnerabilities of the
customer system, Customer failure to properly operate, use or secure its systems, Lost or stolen
computer equipment, Misconduct of customer employees
A metric owner must be able to do what? - Evangelize the purpose and intent of that metric to
the organization
A metric should be clear in the meaning of what is being measured and what else? - 1) Rigorously
defined, 2) Credible and relevant, 3) Objective and quantifiable, 4) Associated with the baseline
measurement per the organization's standard metric taxonomy
A mission statement should include what five items? - Value the organization places on privacy,
Desired organizational objectives, Strategies to drive the tactics used to achieve the intended outcomes,
Clarification of roles and responsibilities
A well known self certification framework is what? - US-EU Safe Harbor
According to Baker and McKenzie in their looking-ahead analysis of 2012, the goal of "achieving
compliance" is steadily being replaced with what? - A corporate need to "achieve and maintain
compliance"
After a breach occurs, the primary role for this stakeholder is to provide members with timely updates
and instructions. - Union Leadership
An effective metric is a clear and concise metric that defines and measures what? - Progress
toward a business objective or goal without overburdening the reader
An ethical issue, this occurs when data is knowingly and purposely omitted that may have a detrimental
effect on the metric or metric owner - Intentional Deceit
As a basic business practice in the selection of metrics, the privacy professional should select how many
key privacy metrics that focus on the key organizational objectives - Three to five
As a general practice, who should not perform the data collection tasks or perform the measurements of
the metric? - Metric Owner
As a rule, privacy policies and procedures are created and enforced at what level? - Functional
As it relates to ROI metrics, the first step is to identify and characterize the ROI metric to address what? -
The specific risk that control or feature is supposed to mitigate
As it relates to ROI metrics, the second step is to define what - the value of the asset
As part of the incident-response planning process, this group will provide guidance regarding the
detection, isolation, removal, and preservation of affected systems. - Information Systems (IS)
As Six Sigma teaches, an effective metric owner must do what? - 1) Know what is critical about the
metric, 2) Monitor process performance with the metric, 3) Make sure the process documentation is up
to date, 4) Perform regular reviews, 5) Make sure that any improvements are incorporated and
maintained in the process, 6) Advocate the metric to customers, partners and others, 7) Maintain
training, documentation, and materials
Assuming privacy incident notification is required, organizations generally have how long to notify the
affected individuals - 60 days
Based on these three things, the privacy professional will need to determine the best methods, style and
practices for working within the organization. - Individual culture, politics and protocols of the
organization
Because of their unique association with customers and the bond of trust built carefully over time, this
group is often asked to notify key accounts when their data has been breached - BD
The CIA triad, in addition to further advanced information security concepts, consists of what? -
Confidentiality, Integrity, Availability, Accountability, Assurance
Combining of legal, compliance, internal audit and security functions: collaboration is assured, but what?
- functional independence is more challenging
Common reporting intervals in incident response plans include what? - Hourly, daily, weekly,
monthly
Data integrity issues are often the results of what? - Human failure or systemic error.
Data-protection regulations typically include what items - • Notice
• Choice
• Consent
• Purpose limitations
• Limits on retaining data
• Individual rights to access
• Correction and deletion of data
• Obligation to safeguard data
Executive leadership support for your governance model will have a direct impact on the level of success
when implementing your privacy strategies. What are the important steps to integrate into any model? -
• Involve senior leadership
• Involve stakeholders
• Develop internal partnerships
• Provide flexibility