CIPP/US- CHAPTER #3 ASSESSMENT
EXAM QUESTIONS WITH CORRECT
ANSWERS
Legal, Reputational, Operational, and Investment Risks - Answer-The four risks
associated with using PI Improperly
Four basic steps of information management - Answer-1. Discover- Issue identification
and self assessment and determination of best practices
2. Build- Procedure development and verification; full implementation
3. Communicate- Documentation and Education
4. Evolve- Affirmation and monitoring; adaptation
Data Classification - Answer-After a data inventory has been performed, companies
should make efforts to perform this function to properly classify data according to its
level of sensitivity. The different levels should define the clearance of individuals who
can access or handle that data, as well as the baseline level of protection that is
appropriate for that data.
Performing this function helps organizations address compliance audits for a particular
type of data, respond to legal discovery requests without producing more information
than necessary, and use storage resources in a cost-effective manner.
Common categories include: confidential, proprietary, sensitive, restricted, and public
Document Data Flows - Answer-Once data has been inventoried and classified,
organizations should make efforts to perform this function to assist in identifying areas
for compliance attention. An organizational chart can be useful to map and document
the systems, applications and processes handling data.
Determine Data Accountability - Answer-Organizations should perform this function due
to the significant responsibility they have to assure compliance with privacy laws and
policies. The following questions should be asked:
- Where, how and for what length of time is the data stored?
- How sensitive is the information?
- Should the information be encrypted?
- Will the information be transferred to or from other countries, and if so, how will it be
transferred?
- Who determines the rules that apply to the information?
- How is the information to be processed, and how will these processes be maintained?
- Is the use of such data dependent upon other systems?