CIPM Flashcards

1
Q

Accountability

A

The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU GDPR and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

2
Q

Active Scanning Tools

A

DLP network, storage, scanning, and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and to block email or file transfers based on the data category and definition.

3
Q

American Institute for Certified Public Accountants (AICPA)

A

A US professional organization of certified public accountants and co-creator of the WebTrust seal program.

4
Q

Anonymization

A

The process in which individually identifiable data is altered in such a way that it can no longer be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized: suppression, generalization, and noise addition.

5
Q

APEC Privacy Principles

A

A set of non-binding principles adopted by the Asia-Pacific Economic Cooperation (APEC) that mirror the OECD Fair Information Privacy Practices. They seek to balance information privacy with business needs.

6
Q

Assess

A

The first of four phases of the privacy operational cycle; provides the steps, checklists, and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws, and objective-based privacy program frameworks.

7
Q

Audit Life Cycle

A

High-level, five-phase audit approach. Steps include: Audit Planning, Audit Preparation, Conducting the Audit, Reporting, and Follow-up

8
Q

Behavioral Advertising

A

Advertising that is targeted at individuals based on the observation of their behavior over time

9
Q

Binding Corporate Rules

A

BCRs are an appropriate safeguard allowed by the GDPR to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. They ensure that the same high level of protection of personal data is complied with by all members of the corporate group by means of a single set of binding and enforceable rules.

10
Q

Bureau of Competition

A

The US FTC Bureau of Competition enforces the nation’s antitrust laws, which form the foundation of our free market economy

11
Q

Bureau of Consumer Protection

A

US FTC Bureau of Consumer Protection stops unfair, deceptive, and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities

12
Q

Bureau of Economics

A

US FTC Bureau of Economics helps the FTC evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on business and consumers

13
Q

Business case

A

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements, and other considerations

14
Q

Business Continuity & Disaster Recovery Plan (BCDR)

A

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered

15
Q

Business Continuity Plan

A

Typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after an event in order to help operations run smoothly, e.g., fire, flood, natural disaster, and terrorist attacks.

16
Q

Canadian Institute of Chartered Accountants (CICA)

A

CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical functions of strategic planning, protection of the public and ethics, education and qualifications, standard-setting, and communication.

17
Q

Centralized Governance

A

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point

18
Q

Children’s Online Privacy Protection Act (COPPA) of 1998

A

US Federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13.

19
Q

Choice

A

In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not

20
Q

CIA Triad

A

AKA Security Triad; three common information security principles dating from the 1960s: Confidentiality, Integrity, and Availability.

21
Q

Collection Limitation

A

A Fair Information Practices principle stating that there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

22
Q

Consent

A

A privacy requirement that is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law.

23
Q

Affirmative/Explicit Consent

A

A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties

24
Q

Implicit Consent

A

Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual

25
Q

Consumer Reporting Agency (CRA)

A

Any person or entity that compiles or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee.

26
Q

Current Baseline

A

“As-is” data privacy requirements; the current environment and any protections, policies, and procedures currently deployed

27
Q

Cyber Liability Insurance

A

Cyber Liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs

28
Q

Data Breach

A

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a data collector.

29
Q

Data Controller

A

The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

30
Q

Data Inventory

A

AKA record of authority; identifies personal data as it moves across various systems, and thus how data is shared and organized and where it is located. The data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities.

31
Q

Data Life Cycle Management

A

Data governance: a policy-based approach to managing the flow of information through a life cycle from creation to final disposition.
Provides a holistic approach to the processes, roles, controls, and measures necessary to organize and maintain data, and has 11 elements.
AKA Information Life Cycle Management

32
Q

11 Elements of DLCM (Or ILCM)

A
  1. Enterprise Objectives
  2. Minimalization
  3. Simplicity of procedure and effective training
  4. Adequacy of infrastructure
  5. Information Security
  6. Authenticity and accuracy of one’s own records
  7. Retrievability
  8. Distribution controls
  9. Auditability
  10. Consistency of policies
  11. Enforcement
33
Q

Data Protection Authority

A

Independent public authorities that supervise the application of data protection laws in the EU.
Provide advice on data protection issues and field complaints from individuals alleging violations of the GDPR
Each EU member state has their own DPA

34
Q

Data Protection Impact Assessment

DPIA

A

The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide.
It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimize the risk of those impacts

35
Q

Data Quality

A

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.

36
Q

Quality of Data criteria (4)

A

The quality of data is judged by:

  1. Does it meet the business needs?
  2. Is it accurate?
  3. Is it complete?
  4. Is it recent?
37
Q

Decentralized Governance

A

Governance model involving the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority.
There are fewer tiers in the organizational structure, a wider span of control, and a bottom-to-top flow of decision-making and ideas.
AKA Local Governance

38
Q

Direct Marketing

A

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio

39
Q

Do Not Track

A

A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the US, which would allow consumers to opt out of web-usage tracking

40
Q

Electronic Communications Privacy Act of 1986

A

Collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968.
ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers.
Applicable to email, telephone conversations, and data stored electronically.
The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases

41
Q

EU Data Protection Directive

A

EU Data Protection Directive (95/45/EC) was replaced by the GDPR in 2018. The Directive was adopted in 1995, became effective in 1998, and was the first EU-wide legislation that protected individuals’ privacy and personal data use

42
Q

Gap Analysis

A

Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit or privacy assessment, if any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services, and physical infrastructure.

43
Q

Generally Accepted Privacy Principles

name the 10 principles

A

A framework promulgated by the AICPA in conjunction with the CICA. Ten principles:

  1. Management
  2. Notice
  3. Choice and consent
  4. Collection
  5. Use and retention
  6. Access
  7. Disclosure to third parties
  8. Security for privacy
  9. Quality
  10. Monitoring and enforcement
44
Q

Gramm-Leach-Bliley Act

A

AKA- Financial Services Modernization Act of 1999.
Re-organized the financial services regulation in the US and applies broadly to any company that is “significantly engaged” in financial activities in the US.

45
Q

Health Insurance Portability and Accountability Act

HIPAA

A

US law passed to create national standards for electronic healthcare transactions, among other purposes.
HIPAA requires the US DOHHS to promulgate regulations to protect the privacy and security of personal health information.
The basic rule is that patients have to opt in before their information can be shared with other organizations

46
Q

Hybrid Governance

A

Governance model that allows for a combination of centralized and local governance. Typically seen when a large organization assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfill and support the policies and directives from the central governing body

47
Q

Individual Participation

4 rights

A

Fair Information practice principle - an individual should have the right:

  1. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to them
  2. to have data relating to them communicated to them within a reasonable time; at a charge, if any, that is not excessive; in a reasonable manner; and in a form that is readily intelligible to them
  3. to be given reasons if a request made under subparagraphs 1 and 2 is denied, and to be able to challenge such denial
  4. to challenge data relating to them and, if the challenge is successful, to have the data erased, rectified, completed, or amended
48
Q

Information Life Cycle

think purpose

A

The information life cycle recognizes that data has different value, and requires different approaches, as it moves through an organization from collection to deletion.

49
Q

Information Life Cycle Management

A

A policy-based approach to managing the flow of information through a life cycle from creation to final disposition, providing a holistic approach to the process, roles, controls, and measures necessary to organize and maintain data and has 11 elements
AKA Data Life Cycle Management or data governance

50
Q

Information Security Practices

A

Provide management, technical and operational controls to reduce probable damage, loss, modification, or unauthorized data access

51
Q

Information Security Triad

A

AKA CIA Triad - consists of three common information security principles:
Confidentiality, Integrity, and Availability

52
Q

Internal Partners

A

Professionals and departments within an organization who have ownership of privacy activities, e.g., human resources, marketing, information technology

53
Q

Jurisdiction

A

The authority of a court to hear a particular case. Courts must have jurisdiction over both the parties to the dispute (personal jurisdiction) and the type of dispute (subject matter jurisdiction). The term is also used to denote the geographical area or subject-matter to which such authority applies

54
Q

Local Governance

A

Governance model involving the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, a wider span of control, and a bottom-to-top flow of decision-making and ideas.
AKA Decentralized Governance

55
Q

Metric Life Cycle

5 steps

A

The processes and methods to sustain a metric to match the ever-changing needs of an organization. Consists of 5-step process:

  1. Identification of the intended audience
  2. Definition of data sources
  3. Selection of privacy metrics
  4. Collection and refinement of systems/application collection points
  5. Analysis of the data/metrics to provide value to the organization and provide a feedback quality mechanism
56
Q

Metrics

A

Tools that facilitate decision-making and accountability through collection, analysis, and reporting of data.
Must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical

57
Q

NIST

A

National Institute of Standards and Technology
An agency within the Department of Commerce that has the lead responsibility for the development and issuance of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure.
Published RMF - Risk Management Framework

58
Q

Negligence

A

An organization will be liable for damages if it breaches a legal duty to protect personal information and an individual is harmed by that breach

59
Q

Non-public information

A

Defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. Excluded from the definition are (i) publicly available information and (ii) any consumer list that is derived without using personally identifiable financial information

60
Q

Openness

A

A fair information practices principle. There should be a general policy of openness about developments, practices, and policies with respect to personal data.
Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

61
Q

Opt-in

A

One of two central components of choice. It means an individual makes an active affirmative indication of choice, i.e., checking a box signaling a desire to share his or her information with third parties

62
Q

Opt-out

A

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made, i.e., unless an individual checks or unchecks a box, their information will be shared with third parties

63
Q

Organization for Economic Cooperation and Development

A

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy
AKA OECD

64
Q

PCI Data Security Standard

A

A self-regulatory system that provides an enforceable security standard for payment card data. The rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies

65
Q

Performance Measurement

think measuring

A

The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness; gathering data and producing quantifiable output that describes performance

66
Q

Personal data

A

The predominant term for personal information in the EU, defined broadly in the GDPR as any information relating to an identified or identifiable natural person

67
Q

Personal information

A

A synonym for “personal data”
It is a term with particular meaning under the CCPA, which defines it as information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.

68
Q

Personal Information Protection and Electronic Documents Act

2 goals

A

A Canadian act with two goals:
1. to instill trust in electronic commerce and private sector transactions for citizens
2. to establish a level playing field where the same marketplace rules apply to all businesses
PIPEDA

69
Q

Platform for Privacy Preferences

A

A machine-readable language that helps to express a website’s data management practices in an automated fashion
P3P

70
Q

Privacy by Design

A

Generally regarded as a synonym for Data Protection by Design
PbD as a specific term was first outlined in a framework in the mid-1990s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with 7 foundational principles.

71
Q

PbD Principles

A
  1. Proactive not reactive; preventive not remedial
  2. Privacy as the default setting
  3. Privacy embedded into the design
  4. Full functionality – positive-sum, not zero-sum
  5. End-to-end security – full lifecycle protection
  6. Visibility and transparency – keep it open
  7. Respect for user privacy – keep it user-centric
72
Q

Privacy Champion

A

An executive who serves as the privacy program sponsor and acts as an advocate to further foster privacy as a core organization concept

73
Q

Privacy Impact Assessment

A

PIA
An analysis of how information is handled:
(i) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
(ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system
(iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks

74
Q

Privacy Maturity Model

A

Provides a standardized reference for companies to use in assessing the level of maturity of their privacy programs

75
Q

Privacy Operational Life Cycle

A

Focused on refining and improving privacy processes, this model continuously monitors and improves the privacy program, with the added benefits of a life cycle approach to measure (assess), improve (protect), evaluate (sustain), and support (respond), and then start again

76
Q

Privacy Program Framework

A

An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization

77
Q

Privacy Threshold Analysis

A

One tool used to determine whether a PIA should be conducted

PTA

78
Q

Privacy-Enhancing Technologies

A

Privacy technology standards developed solely to be used for the transmission, storage and use of privacy data.
Examples: Platform for Privacy Preferences (P3P) and Enterprise Privacy Authorization Language (EPAL)

79
Q

Private Right of Action

A

Unless otherwise restricted by law, any individual that is harmed by violation of the law can file a lawsuit against the violator

80
Q

Protect

A

The second of four phases of the privacy operational life cycle. It provides the data life cycle, information security practices and PbD principles to “protect” personal information

81
Q

Protected Health Information

A

Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by HIPAA or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present, or future physical or mental condition, provision of healthcare or payment for healthcare to that individual

82
Q

Pseudonymous Data

A

Data points which are not directly associated with a specific individual. The identity of the person is not known, but multiple appearances of that person can be linked together. Uses an ID rather than PII to identify data as coming from the same source. IP addresses, GUIDs, and ticket numbers are examples of pseudonymous values.

83
Q

Purpose Limitation

A

A fair information practices principle, part of the original OECD Guidelines, and a piece of many privacy and data protection regulations, this is the principle that the purposes for which personal data are collected should be specified no later than at the time of data collection, and that the subsequent use of that personal data is limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified to the individual on each occasion of change of purpose, or for which there is a further legal basis that would not require notification.
AKA principle of finality

84
Q

Qualified Protective Order

A

Requires that the parties are prohibited from using or disclosing protected health information for any purpose other than the litigation and that the PHI will be returned or destroyed at the end of the litigation
Associated with HIPAA and PHI
QPO

85
Q

Respond

A

The fourth of four phases of the privacy operational life cycle. It includes the respond principle of information requests, legal compliance, incident-response planning, and incident-response handling. The “Respond” phase aims to reduce organizational risk and bolster compliance to regulations

86
Q

Retention

A

Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose

87
Q

Return on Investment

A

An indicator used to measure the financial gain/loss (or “value”) of a project in relation to its cost. Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in assets

88
Q

Right Not to be Subject to Fully Automated Decisions

A

Under Article 15 of the Data Protection Directive, individuals are entitled to object to being subject to fully automated decisions. The right, however, does not allow an individual to object to automated processing that then leads to a human decision

89
Q

Security Safeguards

A

A fair information practices principle, it is the principle that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data

90
Q

Social Engineering

A

A general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability.

91
Q

Stakeholder

A

Individual executives within an organization who lead and “own” the responsibility of privacy activities

92
Q

Strategic Management

A

The first high-level task necessary to implement proactive privacy management, through three subtasks:

  1. Define your organization’s privacy vision and privacy mission statement
  2. Develop privacy strategy
  3. Structure your privacy team
93
Q

Substitute Notice

A

Most legislation recognizes that data breach notifications involving thousands of impacted data subjects could place an undue financial burden on the organization and therefore allows substitute notification methods.

94
Q

Sustain

A

The third of four phases in the Privacy Operational Life Cycle.
It provides privacy management through the monitoring, auditing, and communication aspects of the management framework

95
Q

Unfair trade practices

A

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid

96
Q

US-CERT

A

A partnership between the Department of Homeland Security and the public and private sectors intended to coordinate the response to security threats from the Internet.
As such, it releases information about current security issues, vulnerabilities and exploits via the National Cyber Alert System and works with software vendors to create patches for security vulnerabilities

97
Q

US-CERT IT Security Essential Body of Knowledge

14

A

Fourteen generic information security practice competency areas, including:

  1. Digital Security
  2. Digital Forensics
  3. Enterprise Continuity
  4. Incident Management
  5. IT Security and Training Awareness
  6. IT Systems Operation and Maintenance
  7. Network and Telecommunications Security
  8. Personnel Security
  9. Physical and Environmental Security
  10. Procurement
  11. Regulatory and Standards Compliance
  12. Security Risk Management
  13. Strategic Security Management
  14. System and Application Security
98
Q

Vendor Management

A

Assessment of a third-party vendor for the vendor’s privacy and information security policies and access controls, where the personal information will be held, and who has access to it. Privacy/security questionnaires, privacy impact assessments, and other checklists can be used to assess this risk.

99
Q

Video Surveillance

A

Recordings that do not have sound

Associated law: FISA

100
Q

WebTrust

A

Created by the AICPA and the CICA. It is a self-regulating seal program which licenses qualifying certified public accountants