CIPM Flashcards
Exam preparation
What 2 things does DLM (Data Lifecycle Management) Establish?
- Data Handling Policy
- Employee Roles and Responsibilities.
How do breaches occur, and what percentage does each cause account for?
- Negligent Insider 34%
- Outsourcing data to a third party 19%
- Malicious insider 16%
- Systems “glitch” 11%
- Cyber attack 7%
- Failure to shred documents 6%
What are the three types of audits?
- 1st Party - Internal
- 2nd Party - Supplier / Contractor
- 3rd Party - External.
What is a business case?
Defines a business need and describes a way to meet that goal.
How does a complaint handling procedure differ from a privacy question procedure?
It is more formal (required by some data protection laws) and should include:
- Centralized intake
- Escalation process
- Mgmt from intake to resolution
- Flexibility to:
- Involve stakeholders as needed
- Function between teams for privacy complaints embedded in ethics complaints.
What should a company do with regard to letter-drops (notifications by mail)?
Front load the work:
- Establish Secure data channel
- Create literature in advance
- Obtain content approvals
- Send logo and signature files to the printer before an incident occurs
- Supply return address to printer.
With regard to improper use of metrics, what are a biased sample and intentional deceit?
- Biased sample - measurement that excludes relevant elements of the data, cherry-picking to get the desired result.
- Intentional deceit - as the name suggests, the intent is to deceive.
What's the role of union leadership in breach planning and response?
Planning - represent union members' interests; plan to speak on behalf of members.
Response - work with other members of the response team on the communication channels under their control, for example union social media, web, intranet etc.
Contact workers on the member rolls, if appropriate.
With regard to data integrity, what is human error versus systemic error?
Human: - Miskeyed input
Systemic: - Database fields mismatched.
What are the 12 requirements of PCI DSS?
- Install and maintain a firewall configuration
- Do not use vendor-supplied defaults for passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain an information security policy.
What is the president's or CEO's role in breach planning and response?
Planning -
- Oversee breach control
- Bears responsibility in a breach incident.
Response -
- Set tone for company & employees
- Allocates human and financial resources
- Makes public statement & coordinates PR.
Why should an organization or privacy professional use a privacy framework? (4 reasons)
- Reduce Risk
- Avoid data loss
- Sustain organization market value and reputation
- Comply with laws, regulations and standards.
What's a privacy workshop?
A meeting where the privacy professional and stakeholders are informed about legal and market expectations on privacy, questions are answered, and a baseline of privacy knowledge is set.
What are the four elements of a privacy response plan?
- Key stakeholders - assemble those responsible for the plan's design and implementation.
- Execution timeline - the plan's execution schedule.
- Progress reporting - determine who will need to know what, and facilitate it.
- Response evaluation - lessons learned from incidents are documented and incorporated.
How should a company recover from the bad press or reputational damage following a breach?
Use marketing, internal or external consultants, and public relations.
What are operational privacy practices?
- Standard operating instructions and related training for specific contexts involving handling personal data.
- Personal data collection, use, retention and disposal.
- Data handling, e.g. encryption
- Reporting incidents
- Department specific handling procedures.
What's an audit and why conduct one?
A systematic and independent examination to determine whether personal data processing adheres to data policy and procedures. It:
- Demonstrates compliance
- Shows gaps
- Determines whether privacy controls are correctly managed
- Demonstrates the functioning of privacy programs, among other things.
What does a DLP scanning tool do?
It looks through unstructured or structured files to identify personal data and assists in setting security controls.
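The card above describes what a DLP scanner does without showing the mechanics. As an added example (not from the flashcard set or from any DLP product), the following Python scans a set of in-memory "files" for three common personal-data classes, uses a Luhn check so that random digit runs are not reported as card numbers, redacts the matched values so the report itself does not leak data, and maps each data class to a suggested control. The sample documents, the detector patterns and the control suggestions are all constructed for illustration; the card number is the well-known 4111... test value and the SSN is fake.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample documents standing in for files found on a file share.
# Every value here is made up for the example (test card number, fake SSN).
SAMPLE_FILES = {
    "notes.txt": "Call Jane at jane.doe@example.com about the refund to card 4111 1111 1111 1111.",
    "build.log": "Artifact id 1234-5678-9012-3456 is not a card number: it fails Luhn.",
    "hr.csv": "name,ssn\nBob,123-45-6789\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Detector name -> (regex, optional validator that rejects false positives).
DETECTORS = {
    "card": (re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
             lambda v: luhn_ok(re.sub(r"[ -]", "", v))),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
}

# Illustrative control suggestions per data class (assumed, not from a standard).
SUGGESTED_CONTROL = {
    "card": "bring into PCI DSS scope: encrypt at rest, restrict access",
    "ssn": "restrict to HR, encrypt, apply retention schedule",
    "email": "review purpose of collection, limit sharing",
}


@dataclass
class Finding:
    file: str
    kind: str
    masked: str  # redacted value, so the report itself does not leak data
    offset: int


def mask(value: str) -> str:
    """Keep only the last four characters of a matched value."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_text(filename: str, text: str) -> list[Finding]:
    """Run every detector over one document; return findings ordered by position."""
    findings = []
    for kind, (pattern, validate) in DETECTORS.items():
        for m in pattern.finditer(text):
            value = m.group(0)
            if validate is not None and not validate(value):
                continue  # e.g. a 16-digit build id that fails the Luhn check
            findings.append(Finding(filename, kind, mask(value), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def scan_files(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan a name -> contents mapping; a real tool would walk a directory or share."""
    return {name: scan_text(name, text) for name, text in files.items()}


def recommend(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each file that has findings to the controls its data classes call for."""
    out = {}
    for name, findings in scan_files(files).items():
        kinds = sorted({f.kind for f in findings})
        if kinds:
            out[name] = [SUGGESTED_CONTROL[k] for k in kinds]
    return out


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLE_FILES).items():
        for f in findings:
            print(f"{f.file}: {f.kind} at {f.offset}: {f.masked}")
    for name, controls in recommend(SAMPLE_FILES).items():
        print(f"{name}: {'; '.join(controls)}")
```

Two design points carry over to real tools: a validator behind each pattern (here Luhn) keeps the false-positive rate down so that the findings are actionable, and the report stores only masked values, because a DLP inventory that contains the raw card numbers is itself a new copy of cardholder data that has to be protected.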
What's APEC and how is it relevant to privacy?
Asia-Pacific Economic Cooperation.
It has a privacy framework intended to enable safe cross-border data transfers, meant to benefit consumers, business and government.
What is the ISTPA?
The International Security, Trust and Privacy Alliance is an organization focused on creating actionable frameworks for a business implementing data protection policies.
What are the metric taxonomies and where do they come from?
NIST IR 7564
- Objective / subjective
- Quantitative / qualitative
- IT metrics / quantitative measurement
- Static / dynamic
- Absolute / relative (an absolute metric is not dependent on others)
- Direct / indirect (size = direct, complexity = indirect)
What framework did the U.S. publish in 2012?
The Consumer Privacy Bill of Rights, a White House publication.
What's the AICPA/CICA framework, and what application do they use?
- GAPP - Generally Accepted Privacy Principles.
- WebTrust - application that lets certified accountants conduct privacy evaluations (like a Canadian PIA) based on multinational privacy laws.
What should an organisation do to limit liabilities for 3rd party vendors?
- Vendor Vetting / due diligence
- Contract provisions to address privacy concerns.
- Monitoring & auditing once vendor is engaged.
What are the elements of the metric lifecycle?
- IDENTIFY intended audience
- DEFINE data sources, data owners, data access
- SELECT the actual metrics based on audience and sources.
- COLLECT the data: how, who, when, where, what, why.
- ANALYZE the metrics/data and their ROI.
What are the following self-regulatory standards?
- PCI DSS - Payment Card Industry Data Security Standard
- NAI - Network Advertising Initiative (online ads)
- DMA - Direct Marketing Association (interactive marketing)
- CARU - Children's Advertising Review Unit (ads directed at children under 12)
What's Australia's information privacy law and who enforces it?
The Privacy Act 1988, which contains the Australian Privacy Principles (APPs); it is enforced by the Office of the Australian Information Commissioner (OAIC).
What 2 things should employees be taught regarding breaches?
- How to detect
- How to report and escalate.