Exam (elaborations)

CIPM Exam Questions with Verified Answers (Graded A)

Pages
14
Grade
A+
Uploaded on
28-06-2023
Written in
2022/2023

Proactive privacy management is accomplished through three tasks
- Answer- 1) Define your organization's privacy vision and privacy mission statements 2) Develop privacy strategy 3) Structure your privacy team

This is needed to structure responsibilities with business goals
- Answer- Strategic Management

Identifies alignment to organizational vision and defines the privacy leaders for an organization, along with the resources necessary to execute the vision.
- Answer- Strategic Management model

Member of the privacy team who may be responsible for privacy program framework development, management and reporting within an organization
- Answer- Privacy professional

Strategic management of privacy starts by
- Answer- creating or updating the company's vision and mission statement based on privacy best practice

Privacy best practices
- Answer- 1) Develop vision and mission statement objectives 2) Define privacy program scope 3) Identify legal and regulatory compliance challenges 4) Identify organization personal information legal requirements

This key factor lays the groundwork for the rest of the privacy program elements and is typically comprised of a short sentence or two that describe the purpose and ideas in less than 30 seconds.
- Answer- Vision or mission statement

This explains what you do as an organization, not who you are; what the organization stands for and why what you do as an organization to protect personal information is done
- Answer- Mission Statement

What are the steps in the five-step metric cycle?
- Answer- Identify, Define, Select, Collect, Analyze

The first step in selecting the correct metrics starts by what?
- Answer- Identifying the intended metric audience

The primary audience for metrics may include
- Answer- Legal and privacy officers, senior leadership; CIO, CSO, PM, Information Systems Owner (ISO), Information Security Officer (ISO), others considered users and managers

The secondary audience includes those who may not have privacy as a primary task, including
- Answer- CFO, training organizations, HR, IG, HIPAA security officials

The tertiary audiences may be considered, based on the organization's specific or unique requirements, such as whom?
- Answer- External watchdog groups, sponsors, stockholders

The difference between metrics audiences is based on what?
- Answer- Level of interest, influence and responsibility to privacy within the business objectives, laws and regulations, or ownership

Specific to healthcare metrics, audiences may include whom?
- Answer- HIPAA privacy officers, medical interdisciplinary readiness teams (MIRTs), senior executive staff, covered entity workforce, self-assessment tool and risk analysis/management

What is the second step in the metric life cycle?
- Answer- Define Reporting Procedures

A metric owner must be able to do what?
- Answer- Evangelize the purpose and intent of that metric to the organization

This person is the process owner, champion, advocate and evangelist responsible for management of the metric throughout the metric life cycle
- Answer- Metric Owner

As Six Sigma teaches, an effective metric owner must do what?
- Answer- 1) Know what is critical about the metric, 2) Monitor process performance with the metric, 3) Make sure the process documentation is up to date, 4) Perform regular reviews, 5) Make sure that any improvements are incorporated and maintained in the process, 6) Advocate the metric to customers, partners and others, 7) Maintain training, documentation, and materials

As a general practice, who should not perform the data collection tasks or perform the measurements of the metric?
- Answer- Metric Owner

What is the third step in the metric life cycle?
- Answer- Select Privacy Metrics

Selecting the correct privacy metric requires what?
- Answer- Full understanding of the business objectives and goals, along with a clear understanding of the primary business functions.

Prior to selecting metrics, the reader should first understand what?
- Answer- Attributes of an effective metric with metric taxonomy and how to limit improper metrics.

An effective metric is a clear and concise metric that defines and measures what?
- Answer- Progress toward a business objective or goal without overburdening the reader

Good metrics should not do what?
- Answer- Overburden the reader

A metric should be clear in the meaning of what is being measured and what else?
- Answer- 1) Rigorously defined, 2) Credible and relevant, 3) Objective and quantifiable, 4) Associated with the baseline measurement per the organization standard metric taxonomy

If a standard metric taxonomy does not exist, privacy professionals can generate their own using the best practices from where?
- Answer- NIST, NISTIR 7564, "Directions in Security Metrics Research"

A mission statement should include what five items?
- Answer- Value the organization places on privacy, desired organizational objectives, strategies to drive the tactics used to achieve the intended outcomes, clarification of roles and responsibilities

Strategic Management assigns roles, sets expectations, grants powers and what?
- Answer- Verifies performance

This model identifies alignment to organization vision and defines the privacy leaders for an organization, along with the resources (people, policy, processes, and procedures) necessary to execute the vision
- Answer- Strategic Management Model

This is a key factor that lays the groundwork for the rest of the privacy program elements and is comprised of a short sentence or two that describes purpose and ideas in less than 30 seconds
- Answer- Mission Statement

What are the four steps in defining your organization's privacy vision and privacy mission statements?
- Answer- 1. Develop Vision and Mission Statement Objectives 2. Define Privacy Program Scope 3. Identify Legal and Regulatory Compliance Challenges 4. Identify Organizational Personal Information Legal Requirements

What are the steps of Strategic Management?
- Answer- Define Privacy and Mission, Develop Privacy Strategy, Structure Privacy Team

This is someone who understands the importance of privacy and will act as an advocate for you and for the program. Typically, they will have experience with the organization, the respect of their colleagues and access to or ownership of budget.
- Answer- Program Sponsor

This is an executive who acts as an advocate and sponsor to further foster privacy as a core organization concept
- Answer- Program Champion

Individual executives who lead and "own" the responsibility of the relevant activities are called what?
- Answer- Stakeholders

As a rule, privacy policies and procedures are created and enforced at what level?
- Answer- Functional

Policies imposing general obligations on employees may reside with whom?
- Answer- Ethics, legal and compliance

Policies and procedures that dictate certain privacy and security requirements on employees as they relate to the technical infrastructure typically sit with whom?
- Answer- IT

Policies that govern requirements that need to be imposed on providers of third-party services that implicate personal data typically sit with whom?
- Answer- Procurement

Policies that govern the use and disclosure of health information about employees of the organization typically reside with whom?
- Answer- HR

This approach collects the various data-protection requirements and rationalizes them where possible
- Answer- Pragmatic Approach

When defining your privacy program scope, you must first do what?
- Answer- Understand and identify the legal and regulatory compliance challenges of the organization and identify the data impacted

If your organization plans to do business within a jurisdiction that has inadequate or no data protection regulations, you should do what?
- Answer- Institute your organization's requirements, policies and procedures instead of reducing them to the level of the country

When developing your global privacy strategy, it must be relevant to what?
- Answer- Markets, cultures, and geographical locations

According to Baker and McKenzie in their looking-ahead analysis of 2012, the goal of "achieving compliance" is steadily being replaced with what?
- Answer- A corporate need to "achieve and maintain compliance"

What are examples of certain types of organizations and entities known as "covered entities"?
- Answer- Healthcare providers (hospitals, clinics, pharmacies) and health plans (medical plans, organization benefit plans) subject to HIPAA.

Merchants that handle cardholder information for debit, credit, prepaid, e-purse, ATM and POS cards must be in compliance with what?
- Answer- Payment Card Industry Data Security Standard (PCI DSS), which is a global standard, not a law.

If you process personal information of any resident of a state that has adopted a breach notification law, understand that to the extent that non-encrypted data has been compromised, your compliance obligations may include notification to whom?
- Answer- The residents of the states, as well as government bodies or state attorney general offices.

What is the first step when identifying Organizational Personal Information Legal Requirements?
- Answer- "Roughing out" the scope of a privacy program by flagging areas in an organization where personal information is likely to be collected, accessed or used (HR, finance, marketing, customer relationship management systems, IT)

In the U.K., this regulation contains privacy rules for any form of electronic marketing, in addition to a vast array of statutes, regulations and voluntary codes of practice that govern direct marketing activity.
- Answer- Privacy and Electronic Communications Regulations

Based on these three things, the privacy professional will need to determine the best methods, style and practices for working within the organization.
- Answer- Individual culture, politics and protocols of the organization

This function is more closely aligned to the privacy group than any other function.
- Answer- Information Security (IS)

This functional group adds processes and controls that support privacy principles. Creating processes to develop and test software and applications in a manner that does not require the use of production data decreases the chances that the data will be compromised and that individuals who have no business need will access the data.
- Answer- Information Technology (IT)

This functional group traditionally functions independently to assess whether controls are in place to protect personal information and whether people are abiding by these controls
- Answer- Internal audit group

Many organizations create this, comprised of the same stakeholders that were identified at the start of the privacy program implementation process. It is instrumental in making strategic decisions and driving such strategies and decisions through their own organizations.
- Answer- Privacy committee or council

Organizations with a global footprint often create a governance structure that is comprised of whom?
- Answer- Representatives from each geographic region and business function (i.e., HR) in which the organization has a presence, to ensure that proposed privacy policies, processes, and solutions align with local laws.

Your first step when developing a data-governance strategy for personal information (collection, authorized use, access, security, destruction)
- Answer- Take an inventory of relevant regulations that apply to your business. Once you determine which laws apply, you must design a manageable approach to handling and protecting personal information

This means implementing a solution that materially addresses the various requirements of the majority of laws or regulations with which you must comply.
- Answer- Rationalization

Data-protection regulations typically include what items?
- Answer- Notice; Choice; Consent; Purpose limitations; Limits on retaining data; Individual rights to access; Correction and deletion of data; Obligation to safeguard data

Privacy professionals should always involve whom to review, define or establish technical security controls, including common security controls such as firewalls, malware anti-virus, and complex password requirements?
- Answer- Security Engineer

This strategy seeks solutions that do not violate any data privacy laws, exceed budgetary restrictions or contradict organization goals and objectives
- Answer- Strictest Standard

When positioning the privacy team, you should also consider the authority it will receive based on what?
- Answer- Governance model it follows

Executive leadership support for your governance model will have a direct impact on the level of success when implementing your privacy strategies. What are the important steps to integrate into any model?
- Answer- Involve senior leadership; Involve stakeholders; Develop internal partnerships; Provide flexibility; Leverage communications; Leverage collaboration

This type of governance fits well in organizations used to utilizing single-channel functions (where direction flows from a single source), with planning and decision making completed by one group
- Answer- Centralized Governance

This type of governance delegates decision-making authority down to the lower levels in an organization; relatively away from and lower than a central authority
- Answer- Local or Decentralized

This is an implementation road map that provides the structure or checklists (document privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization
- Answer- Privacy Program Framework

Privacy governance framework provides the methods to what?
- Answer- Access, protect, sustain and respond to the positive and negativ

Institution
CIPM
Course
CIPM
Seller
millyphilip, West Virginia University