Proactive privacy management is accomplished through three tasks correct answers 1) Define
your organization's privacy vision and privacy mission statements 2) Develop a privacy
strategy 3) Structure your privacy team
This is needed to align responsibilities with business goals correct answers Strategic
Management
Identifies alignment to organizational vision and defines the privacy leaders for an
organization, along with the resources necessary to execute the vision. correct answers
Strategic Management model
Member of the privacy team who may be responsible for privacy program framework
development, management and reporting within an organization correct answers Privacy
professional
Strategic management of privacy starts by correct answers creating or updating the
company's vision and mission statement based on privacy best practice
Privacy best practices correct answers 1) Develop vision and mission statement objectives 2)
Define the privacy program scope 3) Identify legal and regulatory compliance challenges 4)
Identify the organization's legal requirements for personal information
This key factor lays the groundwork for the rest of the privacy program elements and
typically consists of a short sentence or two that describe the purpose and ideas in less than
30 seconds. correct answers Vision or mission statement
This explains what you do as an organization, not who you are: what the organization stands
for, and why what the organization does to protect personal information is done correct
answers Mission Statement
What are the steps in the five step metric cycle correct answers Identify, Define, Select,
Collect, Analyze
The first step in selecting the correct metrics is what? correct answers Identifying
the intended metric audience
The primary audience for metrics may include correct answers Legal and privacy officers,
senior leadership; CIO, CSO, PM, Information Systems Owner (ISO), Information Security
Officer (ISO), and others considered users and managers
The secondary audience, those who may not have privacy as a primary task, includes whom?
correct answers CFO, training organizations, HR, IG, HIPAA security officials
The tertiary audiences may be considered, based on the organization's specific or unique
requirements, and include whom? correct answers External watchdog groups, sponsors,
stockholders
The difference between metrics audiences is based on what? correct answers Level of
interest, influence and responsibility for privacy within the business objectives, laws and
regulations, or ownership
Specific to healthcare metrics, audiences may include whom? correct answers HIPAA
privacy officers, medical interdisciplinary readiness teams (MIRTs), senior executive staff,
covered entity workforce, self-assessment tool and risk analysis/management
What is the second step in the metric life cycle? correct answers Define Reporting Procedures
A metric owner must be able to do what? correct answers Evangelize the purpose and intent
of that metric to the organization
This person is the process owner, champion, advocate and evangelist responsible for
management of the metric throughout the metric life cycle correct answers Metric Owner
As Six Sigma teaches, an effective metric owner must do what? correct answers 1) Know
what is critical about the metric, 2) Monitor process performance with the metric, 3) Make
sure the process documentation is up to date, 4) Perform regular reviews, 5) Make sure that
any improvements are incorporated and maintained in the process, 6) Advocate the metric to
customers, partners and others, 7) Maintain training, documentation, and materials
As a general practice, who should not perform the data collection tasks or perform the
measurements of the metric? correct answers Metric Owner
What is the third step in the metric life cycle? correct answers Select Privacy Metrics
Selecting the correct privacy metric requires what? correct answers Full understanding of the
business objectives and goals, along with a clear understanding of the primary business
functions.
Prior to selecting metrics, the reader should first understand what? correct answers The attributes
of an effective metric, the metric taxonomy, and how to limit improper metrics.
An effective metric is a clear and concise metric that defines and measures what? correct
answers Progress toward a business objective or goal without overburdening the reader
Good metrics should not do what? correct answers Overburden the reader
A metric should be clear in the meaning of what is being measured and what else? correct
answers 1) Rigorously defined, 2) Credible and relevant, 3) Objective and quantifiable, 4)
Associated with the baseline measurement per the organization's standard metric taxonomy
If a standard metric taxonomy does not exist, privacy professionals can generate their own
using the best practices from where? correct answers NIST's NISTIR 7564, "Directions in
Security Metrics Research"
A mission statement should include what five items? correct answers Value the organization
places on privacy, Desired organizational objectives, Strategies to drive the tactics used to
achieve the intended outcomes, Clarification of roles and responsibilities