Ch 4 - Principles of Information Mgmt Flashcards

1
Q

People with a “privacy fundamentalist” attitude towards privacy exhibit:

a. A strong desire to protect privacy
b. Low worries about privacy
c. Varying concern about privacy depending on context
d. None of the above

A

a. A strong desire to protect privacy

2
Q

People with a “privacy unconcerned” attitude towards privacy exhibit:

a. A strong desire to protect privacy
b. Varying concern about privacy depending on context
c. Low worries about privacy
d. None of the above

A

c. Low worries about privacy

3
Q

Which of the following is an attribute of a “privacy pragmatist”?

a. Level of concern is dependent on context
b. Willing to give up some privacy in exchange for benefits
c. Strong desire to protect privacy at any cost
d. Only a and b

A

d. Only a and b

4
Q

Which of the following was a major contributing factor to privacy concerns related to government surveillance?

a. President Obama’s 2012 White House Report
b. Edward Snowden’s 2013 WikiLeaks about the NSA
c. 2013 Privacy Report published by the Federal Trade Commission
d. Only a and b

A

b. Edward Snowden’s 2013 WikiLeaks about the NSA

5
Q

The role of a privacy professional includes:

a. Monitoring external environment for changes to regulations and laws
b. Alerting stakeholders to divergent perspectives within the industry and legal landscape
c. Identifying compliance challenges and designing policies to address ways to manage the risk
d. All of the above

A

d. All of the above

6
Q

Which of the following best describes an element of legal risk?

a. Administrative efficiency of the organization’s privacy program
b. Ability of the organization to receive a return on investment in information and related activities
c. Compliance with applicable state, federal and international laws concerning the use of personal information
d. All of the above

A

c. Compliance with applicable state, federal and international laws concerning the use of personal information

7
Q

Which of the following best describes an element of legal risk?

a. Compliance with contractual commitments, privacy promises and commitments to follow industry standards
b. Administrative efficiency of the organization’s privacy program
c. Ability of the organization to receive a return on investment in information and related activities
d. All of the above

A

a. Compliance with contractual commitments, privacy promises and commitments to follow industry standards

8
Q

Which of the following best describes an element of reputational risk?

a. Compliance with contractual commitments, privacy promises and commitments to follow industry standards
b. Protecting the trust of consumers regarding the organization’s commitment to following through on its privacy policies
c. Compliance with applicable state, federal and international laws concerning the use of personal information
d. All of the above

A

b. Protecting the trust of consumers regarding the organization’s commitment to following through on its privacy policies

9
Q

Which of the following best describes an element of operational risk?

a. Administrative efficiency of the organization’s privacy program
b. Ability of the organization to receive a return on investment in information and related activities
c. Compliance with applicable state, federal and international laws concerning the use of personal information
d. All of the above

A

a. Administrative efficiency of the organization’s privacy program

10
Q

Which of the following best describes an element of investment risk?

a. Administrative efficiency of the organization’s privacy program
b. Compliance with applicable state, federal and international laws concerning the use of personal information
c. Ability of the organization to receive a return on investment in information and related activities
d. All of the above

A

c. Ability of the organization to receive a return on investment in information and related activities

11
Q

A good information management program

a. Uses a holistic approach in assessing the risks and benefits of processing personal information
b. Helps develop policies for important activities
c. Informs activities and processes used to comply with policies
d. All of the above

A

d. All of the above

12
Q

Which of the following best describes the four basic steps for managing information?

a. Discover, analyze, build, and communicate
b. Discover, build, communicate, and evolve
c. Search, discover, communicate, and evolve
d. None of the above

A

b. Discover, build, communicate, and evolve

13
Q

Which of the following occurs during the Discover phase of information management?

a. Issue identification and self-assessment
b. Procedure development and verification
c. Full implementation
d. All of the above

A

a. Issue identification and self-assessment

14
Q

Which of the following occurs during the Discover phase of information management?

a. Issue identification
b. Self-assessment
c. Determination of best practices
d. All of the above

A

d. All of the above

15
Q

Which of the following occurs during the Build phase of information management?

a. Procedure development and verification
b. Determination of best practices
c. Education
d. All of the above

A

a. Procedure development and verification

16
Q

Which of the following occurs during the Build phase of information management?

a. Issue identification and self-assessment
b. Documentation
c. Full implementation
d. All of the above

A

c. Full implementation

17
Q

Which of the following occurs during the Communicate phase of information management?

a. Adaptation
b. Procedure development and verification
c. Documentation
d. All of the above

A

c. Documentation

18
Q

Which of the following occurs during the Communicate phase of information management?

a. Determination of best practices
b. Education
c. Full implementation
d. All of the above

A

b. Education

19
Q

Which of the following occurs during the Evolve phase of information management?

a. Affirmation
b. Monitoring
c. Adaptation
d. All of the above

A

d. All of the above

20
Q

A data inventory is required for businesses in some industries under:

a. Gramm-Leach-Bliley Act Privacy Rule
b. Gramm-Leach-Bliley Act Safeguards Rule
c. APEC Privacy Rule
d. None of the above

A

b. Gramm-Leach-Bliley Act Safeguards Rule

21
Q

An organized and documented data inventory:

a. Identifies reputational and legal risks
b. Helps mitigate penalties
c. Should be reviewed and updated on a regular basis
d. All of the above

A

d. All of the above

22
Q

Data classification:

a. Defines the level of protection needed for specific types of data based on its sensitivity
b. Identifies legal risks for data during a self-assessment
c. Determines which laws and regulations apply to the data flows occurring both internally and externally
d. All of the above

A

a. Defines the level of protection needed for specific types of data based on its sensitivity

23
Q

Holding all data in one system:

a. Is a best practice for ensuring ease of management
b. May help reduce duplicate entries
c. May increase the impact of a single data breach
d. None of the above

A

c. May increase the impact of a single data breach

24
Q

A documented well-organized data classification system helps an organization:

a. Respond to compliance audits for specific types of data
b. Respond more effectively to legal discovery requests
c. Efficiently use storage resources
d. All of the above

A

d. All of the above

25
Q

Documenting data flows should include:

a. How to respond to legal discovery requests
b. Mapping of systems, applications and processes for handling data
c. A plan for responding to a data breach
d. All of the above

A

b. Mapping of systems, applications and processes for handling data

26
Q

Which of the following is a primary consideration for addressing privacy risk in an organization as it relates to sensitive personal information?

a. Where, how, and how long the data is stored
b. Current laws for obtaining a search warrant
c. Number of team members in Human Resources
d. All of the above

A

a. Where, how, and how long the data is stored

27
Q

Which of the following is a primary consideration for addressing privacy risk in an organization as it relates to sensitive personal information?

a. How a customer’s marital status is documented
b. Determining how sensitive the information is
c. Current laws for authenticating a customer
d. All of the above

A

b. Determining how sensitive the information is

28
Q

Which of the following is a primary consideration for addressing privacy risk in an organization as it relates to sensitive personal information?

a. Whether or not the information should be encrypted
b. Whether or not the information will be transferred to other countries, and how it will be transferred
c. Data authorities who enforce the rules for the information
d. All of the above

A

d. All of the above

29
Q

Which of the following is a primary consideration for addressing privacy risk in an organization as it relates to sensitive personal information?

a. Documenting a customer’s marital status
b. Best practices for providing personal information to law enforcement
c. How the information is processed and the activities performed to maintain the processes
d. All of the above

A

c. How the information is processed and the activities performed to maintain the processes

30
Q

Which of the following is a primary consideration for addressing privacy risk in an organization as it relates to sensitive personal information?

a. Whether the use of the personal information is dependent upon other systems
b. Names of third parties processing data
c. Legal team’s knowledge in the area of privacy
d. All of the above

A

a. Whether the use of the personal information is dependent upon other systems

31
Q

A limited retention period:

a. Is not considered a best practice when storing large amounts of personal data
b. Increases reputational risk
c. Reduces the risk of data being breached
d. All of the above

A

c. Reduces the risk of data being breached

32
Q

Determining the level of sensitivity of personal data being held is directly dependent on which of the following?

a. Retention policies
b. Data classification
c. State tort laws
d. All of the above

A

b. Data classification

33
Q

Which of the following are definitions used by federal agencies for entities considered ‘processors’ who process personal data on behalf of a controller?

a. Business associate
b. Service provider
c. Encryptor
d. Only a and b

A

d. Only a and b

34
Q

Which of the following best describes the FTC’s guidance in a 2012 report and 2015 update for making material retroactive changes to privacy policies?

a. Notify affected consumers, and allow 60 days for an opt-out
b. Notify affected consumers, and provide a mail-in opt-out notice
c. Obtain express affirmative consent (opt-in) prior to making the change
d. None of the above

A

c. Obtain express affirmative consent (opt-in) prior to making the change

35
Q

Situations that would require an express affirmative consent (opt-in), under the FTC’s guidance, prior to making the change include:

a. Sharing consumer information with a third party after committing at the time of collection not to share the data
b. Making material changes to privacy practices that differ from the practices outlined in the privacy notice given to consumers at the time of collection
c. Changing a third-party vendor for activities outlined in the privacy notice given to customers at the time of collection
d. Only a and b

A

d. Only a and b

36
Q

Which of the following best describes a situation that would warrant an organization offering ‘no consumer choice’ or ‘no option’ to a consumer in sharing personal information with a third party?

a. To process a transaction
b. To market its own products to the consumer
c. To respond to a legitimate legal request
d. All of the above

A

d. All of the above

37
Q

Which of the following is not generally a challenge in managing user preferences for opting in or out?

a. Mechanism for consumer to provide opt-in or out
b. Identifying the consumer who requested the opt-in or out
c. Linking a user’s interactions through multiple channels throughout the organization
d. Scope or how broadly the user preference will apply

A

b. Identifying the consumer who requested the opt-in or out

38
Q

Which of the following is not generally a challenge in managing user preferences for opting in or out?

a. Confirming the consumer’s opt-out or opt-in
b. Ensuring the time period for the opt-out or opt-in meets legal requirements
c. Linking a user’s interactions through multiple channels throughout the organization
d. Ensuring third-party vendors process PI according to user preferences expressed to the data controller

A

a. Confirming the consumer’s opt-out or opt-in

39
Q

The Judicial Redress Act of 2015 extends the right to civil action against a government agency to obtain access to covered records and rectification of incorrect records to:

a. U.S. citizens
b. Citizens of certain foreign countries
c. Citizens of certain regional economic organizations
d. Only b and c

A

d. Only b and c

40
Q

Which of the following provisions should be included in third party contracts to ensure an understanding of the data controller’s expectations for safeguarding consumer personal information?

a. Confidentiality provision
b. Indemnification clause
c. Arbitration clause
d. All of the above

A

a. Confidentiality provision

41
Q

Which of the following provisions should be included in third party contracts to ensure an understanding of the data controller’s expectations for safeguarding consumer personal information?

a. Agreement to settle disputes with a third party mediator
b. Agreement to indemnify data controller
c. Agreement to no further use of shared information
d. All of the above

A

c. Agreement to no further use of shared information

42
Q

Which of the following provisions should be included in third party contracts to ensure an understanding of the data controller’s expectations for safeguarding consumer personal information?

a. Agreement to require all subcontractors to follow their internal procedures
b. Agreement to require all subcontractors to attend specific privacy and security training
c. Agreement to require all subcontractors to follow privacy and security protection provisions
d. All of the above

A

c. Agreement to require all subcontractors to follow privacy and security protection provisions

43
Q

When a data processor uses subcontractors for collection, analysis, or other data management services, which of the following is not a recommended requirement of the subcontractor contract?

a. Follow privacy and security protection terms of the vendor’s contract
b. Indemnification from liability related to data breaches
c. Disclosure of transborder data flows
d. None of the above

A

b. Indemnification from liability related to data breaches

44
Q

Under the APEC Principles, when an organization is establishing its guidelines related to access requests, which of the following should individuals be able to do?

a. Obtain a response as to whether or not the organization has their personal information
b. Obtain the personal information the organization has about them within a reasonable time, at no or minimal charge, in a reasonable manner, and in a form that’s easy to understand
c. Challenge the information held about them and have inaccuracies corrected
d. All of the above

A

d. All of the above

45
Q

Which of the following provisions should be included in third party contracts to ensure an understanding of the data controller’s expectations for safeguarding consumer personal information?

a. Notification of arbitration
b. Notification of data breach
c. Notification of merger
d. All of the above

A

b. Notification of data breach

46
Q

Which of the following information security provisions should be included in third party contracts, as applicable?

a. Specific security controls
b. Employee background checks
c. Audit rights
d. All of the above

A

d. All of the above

47
Q

Which of the following provisions should be included in third party contracts to ensure an understanding of the data controller’s expectations for safeguarding consumer personal information?

a. Information security provisions
b. Indemnification provisions
c. Arbitration provisions
d. All of the above

A

a. Information security provisions

48
Q

When evaluating vendors for processing data, which of the following is the least important consideration as part of the evaluation?

a. Reputation
b. Financial condition and insurance
c. Name and address of CEO
d. Information security controls

A

c. Name and address of CEO

49
Q

Which of the following information security provisions should be included in third party contracts, as applicable?

a. Encryption of data
b. Network security
c. Access controls
d. All of the above

A

d. All of the above

50
Q

When evaluating vendors for processing data, which of the following is the least important consideration as part of the evaluation?

a. Disposal of information
b. Number of employees
c. Employee training
d. Vendor incident response

A

b. Number of employees

51
Q

Fines for violations to the privacy requirements of the GDPR can be significant because they are based on:

a. A percentage of the company’s revenues worldwide
b. A percentage of the company’s revenues in the immediate vicinity of the breach
c. The rate determined by the country in which the company is based
d. None of the above

A

a. A percentage of the company’s revenues worldwide

52
Q

Which of the following was an important factor in the European Court of Justice striking down the U.S.-EU Safe Harbor program in the case of Schrems v. Data Protection Commission?

a. Weaknesses identified in the GLBA privacy notice provisions
b. Inability of involved countries to reach consensus on individual privacy rights
c. 2013 Snowden disclosures
d. None of the above

A

c. 2013 Snowden disclosures

53
Q

Important provisions added to the GDPR within the past few years include:

a. Security breach notification
b. Updated requirements for processors
c. Designated data protection officers
d. All of the above

A

d. All of the above

54
Q

Which of the following replaced the U.S.-EU Safe Harbor program?

a. Binding Corporate Rules
b. Privacy Shield Framework
c. Standard Contract Clauses
d. All of the above

A

b. Privacy Shield Framework

55
Q

Which of the following provisions are outlined in the EU-U.S. Privacy Shield agreement for U.S. companies importing personal data from the EU?

a. Commitments by U.S. companies and U.S. authorities
b. Rules for mergers and acquisitions
c. Three factor encryption requirements
d. Only a and c

A

a. Commitments by U.S. companies and U.S. authorities

56
Q

Which of the following provisions are outlined in the EU-U.S. Privacy Shield agreement for U.S. companies importing personal data from the EU?

a. Private right of action by other international companies
b. Detailed explanations of U.S. laws
c. Three factor encryption requirements
d. All of the above

A

b. Detailed explanations of U.S. laws

57
Q

Important provisions added to the GDPR within the past few years include:

a. Increased accountability
b. International transfer rules
c. Sanctions of up to 4% of revenues
d. All of the above

A

d. All of the above

58
Q

Which of the following agencies is involved in ensuring that law enforcement access complies with the appropriate safeguards and oversight mechanisms of the EU-U.S. Privacy Shield framework?

a. U.S. State Department
b. U.S. Department of Commerce
c. U.S. Federal Trade Commission
d. None of the above

A

c. U.S. Federal Trade Commission

59
Q

GDPR provisions include:

a. Individual’s right to be forgotten
b. Individual’s right to data portability
c. Business’s implementation of data protection by design as a default
d. All of the above

A

d. All of the above

60
Q

Which of the following agencies is involved in ensuring that requests related to national security purposes comply with the appropriate safeguards and oversight mechanisms of the EU-U.S. Privacy Shield framework?

a. U.S. Department of Justice
b. Office of the Director of National Intelligence
c. U.S. Department of Commerce
d. a and b

A

d. a and b

61
Q

Which of the following is the most commonly used mechanism for transfers of personal data between the EU and the U.S.?

a. Company policies and procedures
b. EU-U.S. Privacy Shield Framework
c. Standard Contract Clauses (SCCs)
d. None of the above

A

c. Standard Contract Clauses (SCCs)

62
Q

Which of the following are lawful bases for transfers of personal information between the EU and the United States?

a. Binding Corporate Rules (BCRs)
b. Standard Contract Clauses (SCCs)
c. Privacy Shield Framework
d. All of the above

A

d. All of the above

63
Q

Which of the following best describes the SCC mechanism for transfers of personal data between the EU and the U.S.?

a. U.S. company agrees contractually to comply with EU law and submit to the authority of an EU privacy supervisory agency
b. Formally adopted framework between the U.S. and the EU
c. Data protection policies based on data protection principles to ensure appropriate safeguards are met
d. None of the above

A

a. U.S. company agrees contractually to comply with EU law and submit to the authority of an EU privacy supervisory agency

64
Q

Which of the following best describes a provision of the BCR mechanism for transfers of personal data between the EU and the U.S.?

a. Corporate rules for multinational corporations making transfers of personal information between the EU and U.S.
b. Required to be approved by the data protection authority in each EU Member State involved in the transfers
c. Must satisfy EU standards for data protection
d. All of the above

A

d. All of the above

65
Q

Which of the following is an APEC Principle for data subject rights used as a baseline for determining when access requests should be granted?

a. Charge the data subject for any data provided to them at the price that makes the best profit for the data controller
b. Determine whether it is profitable for the controller to make changes requested by the data subject
c. Obtain confirmation from the data controller they hold personal information of the data subject
d. All of the above

A

c. Obtain confirmation from the data controller they hold personal information of the data subject

66
Q

Which of the following is an APEC Principle for data subject rights that organizations should use as a baseline for granting access requests?

a. Communicate with the data subject within a reasonable time
b. Provide information to the data subject at a reasonable charge, if any
c. Provide information to the data subject in a reasonable manner and in a form that is easily understandable
d. All of the above

A

d. All of the above

67
Q

In Schrems v. Data Protection Commission, what was the primary reason the European Court of Justice struck down the Safe Harbor program?

a. Facebook was not following strict encryption rules for cross-border data transfers
b. The 2013 Snowden disclosures invalidated the privacy practices of the U.S.
c. Data transfer rules were non-existent
d. None of the above

A

b. The 2013 Snowden disclosures invalidated the privacy practices of the U.S.

68
Q

As an APEC Principle for data subject rights used as a baseline for granting access requests, individuals should be able to challenge the information and have it corrected or deleted, except when:

a. The burden or expense would be unreasonable or disproportionate to the risks to the individual’s privacy
b. The information should not be disclosed due to legal or security reasons or to protect confidential information
c. The information privacy of other individuals would be violated
d. All of the above

A

d. All of the above

69
Q

What was the premise of Schrems II as it relates to information privacy of cross-border data flows?

a. Facebook is engaging in inadequate encryption methods
b. Personal data from the EU is at risk for hackers during its transfer to the U.S.
c. Binding contractual clauses and Privacy Shield do not provide adequate protection from U.S. government surveillance practices
d. None of the above

A

c. Binding contractual clauses and Privacy Shield do not provide adequate protection from U.S. government surveillance practices

70
Q

An information management program should effectively address:

a. Legal risk
b. Reputational risk
c. Meet the organization’s goals
d. All of the above

A

d. All of the above