CIPM Flashcards

Exam preparation

1
Q

What 2 things does DLM (Data Lifecycle Management) Establish?

A
  1. Data Handling Policy
  2. Employee Roles and Responsibilities.
2
Q
  1. What's the manner in which breaches occur?
  2. What percent does each account for?
A
  1. Negligent Insider 34%
  2. Outsourcing data to a third party 19%
  3. Malicious insider 16%
  4. Systems “glitch” 11%
  5. Cyber attack 7%
  6. Failure to shred documents 6%
3
Q

What are the three types of audits?

A
  • 1st Party - Internal
  • 2nd Party - Supplier / Contractor
  • 3rd Party - External.
4
Q

What is a business case?

A

Defines a business need and describes a way to meet that goal.

5
Q

How does a complaint handling procedure differ from a privacy question procedure?

A

It is more formal (required by some data protection laws) and should include:

  • Centralized intake
  • Escalation process
  • Management from intake to resolution
  • Flexibility to:
    • Involve stakeholders as needed
    • Function between teams for privacy complaints embedded in ethics complaints.
6
Q

What should a company do with regard to letter-drops (notifications by mail)?

A

Front-load the work:

  • Establish a secure data channel
  • Create literature in advance
  • Obtain content approvals
  • Send logo & signature files to the printer before an incident occurs
  • Supply return address to the printer.
7
Q

With regard to improper use of metrics, what are:

  • Biased sample
  • Intentional deceit
A
  • Measurement excluding relevant elements of data; cherry-picking to get the desired result.
  • As the name suggests, the intent is to deceive.
8
Q

What’s the role of Union leadership in breach planning and response?

A

Planning - Represent union members' interests; plan to speak on behalf of members.

Response - Work with other members of the response team regarding communication channels in their control, for example union social media, web, intranet, etc.

Contact workers on member rolls, if appropriate.

9
Q

With regard to data integrity, what's human error versus systemic error?

A

H: miskeyed input.

Systemic: database fields mismatched.

10
Q

What are the requirements of PCI-DSS?

A
  • Firewall
    • Default Settings allowed
    • Protect cardholder data
    • Encrypt transmission
    • Antivirus
    • Secure systems and apps.
  • Access control
    • Unique IDs
    • Physical access restricted
    • Monitor and track access
    • Test security of system
    • Info sec policy.
11
Q

What is the president's or CEO's role in breach planning and response?

A

Planning -

  • Oversee breach control
  • Bears responsibility in a breach incident.

Response -

  • Set tone for company & employees
  • Allocates human and financial resources
  • Makes public statement & coordinates PR.
12
Q

Why should an organization or privacy professional use a privacy framework? (4 reasons)

A
  • Reduce Risk
  • Avoid data loss
  • Sustain organization market value and reputation
  • Comply with laws, regulations and standards.
13
Q

What’s a privacy workshop?

A

Meeting where the privacy professional and stakeholders are informed about legal & market expectations on privacy, questions are answered, and the baseline for privacy knowledge is set.

14
Q

What are the four elements of a privacy response plan?

A
  • Key stakeholders - Assemble those responsible for the plan's design & implementation.
  • Execution timeline - The plan's execution schedule.
  • Progress reporting - Determine who will need to know what and facilitate it.
  • Response evaluation - Lessons learned from incidents are documented and incorporated.
15
Q

How should a company recover from the bad press or reputational damage following a breach?

A

Marketing, internal or external consultants, and public relations.

16
Q

What are operational privacy practices?

A
  • Standard operating instructions & related training for specific contents involving handling personal data.
  • Personal data collection, use, retention & disposal.
  • Data handling, e.g. encryption.
  • Reporting incidents.
  • Department-specific handling procedures.
17
Q

What's an audit and why conduct one?

A

Systemic & independent examination to determine whether personal data processing adheres to data policy & procedures:

  • Demonstrates compliance
  • Shows gaps
  • Determines whether privacy controls are correctly managed
  • Demonstrates the functioning of privacy programs, et alia.
18
Q

What does a DLP scanning tool do?

A

Looks through unstructured or structured files to identify personal data and assist in setting security controls.

19
Q

What’s APEC and how is it relevant to privacy?

A

Asia-Pacific Economic Cooperation.

Has a framework to enable safe data transfers, meant to benefit consumers, business & government.

20
Q

What is the ISTPA?

A

The International Security, Trust and Privacy Alliance is an organization focused on creating actionable frameworks for a business implementing data protection policies.

21
Q

What are the metric taxonomies and where do they come from?

A

NIST IR 7564

  • Objective / Subjective
  • Quantitative / Qualitative
  • IT metrics / Quantitative measurement
  • Static / Dynamic
  • Absolute / Relative (absolute is not dependent on others)
  • Direct / Indirect (size = direct, complexity = indirect)
22
Q

What framework did the U.S. publish in 2012?

A

Consumer Bill of Rights, a White House publication.

23
Q

What’s the AICPA/CICA framework?

What application do they use?

A
  1. GAPP - Generally Accepted Privacy Principles.
  2. WebTrust applications to have accountants certified to conduct privacy evaluations, like the Canadian PIA, based on multinational privacy laws.
24
Q

What should an organisation do to limit liabilities for 3rd party vendors?

A
  1. Vendor Vetting / due diligence
  2. Contract provisions to address privacy concerns.
  3. Monitoring & auditing once vendor is engaged.
25
Q

What are the elements of the metric lifecycle?

A
  • IDENTIFY intended audience
  • DEFINE data sources, data owners, data access
  • SELECT the actual metrics based on audience and sources.
  • COLLECT the data: how, who, when, where, what, why.
  • ANALYZE metrics/data ROI.
26
Q

What are the following self-regulatory standards?

  • PCI DSS
  • NAI
  • DMA
  • CARU
A
  1. Payment Card Industry Data Security Standard
  2. Network Advertising Initiative (online ads)
  3. Digital Marketing Association (interactive marketing)
  4. Children's Advertising Review Unit (ads to under-12s).
27
Q

What's Australia's information privacy law and who enforces it?

A

Australian Privacy Principles (APP)

28
Q

What 2 things should employees be taught regarding breaches?

A
  1. How to detect
  2. How to report and escalate.