CIPM

Question 1

Accountability

Answer 1

The implementation of appropriate technical and organizational measures to ensure and be able to demonstrate that the handling of personal data is performed in accordance with relevant law, an idea codified in the EU GDPR and other frameworks, including APEC’s Cross Border Privacy Rules. Traditionally, accountability has been a fair information practices principle, that due diligence and reasonable steps will be undertaken to ensure that personal information will be protected and handled consistently with relevant law and other fair use principles.

Question 2

Active Scanning Tools

Answer 2

DLP Network, storage, scans, and privacy tools can be used to identify security and privacy risks to personal information. They can also be used to monitor for compliance with internal policies and procedures, and block email or file transfers based on the data category and definition

Question 3

American Institute for Certified Public Accountants (AICPA)

Answer 3

A US professional organization of certified public accountants and co-creator of the WEbTrust seal program

Question 4

Anonymization

Answer 4

The process in which individually identifiable data is altered in such a way that it no longer can be related back to a given individual. Among many techniques, there are three primary ways that data is anonymized. Suppression, generalization, and noise addition

Question 5

APEC Privacy Principles

Answer 5

A set on non-binding principles adopted by the Asia-Pacific Economic Cooperative (APEC) that mirror the OECD Fair Information Privacy Practices. Seek to balance information privacy with business needs

Question 6

Assess

Answer 6

The first of four phases of the privacy operational cycle; provides the steps, checklists, and processes necessary to assess any gaps in a privacy program as compared to industry best practices, corporate privacy policies, applicable privacy laws. and objective-based privacy program frameworks

Question 7

Audit Life Cycle

Answer 7

High-level, five-phase audit approach. Steps include: Audit Planning, Audit Preparation, Conducting the Audit, Reporting, and Follow-up

Question 8

Behavioral Advertising

Answer 8

Advertising that is targeted at individuals based on the observation of their behavior over time

Question 9

Binding Corporate Rules

Answer 9

BCRs are an appropriate safeguard allowed by the GDPR to facilitate cross-border transfers of personal data between the various entities of a corporate group worldwide. Ensure the same high level of protection of personal data is compiled with by all members of the organization group by means of a single set of binding and enforceable rules

Question 10

Bureau of Competition

Answer 10

The US FTC Bureau of Competition enforces the nation’s antitrust laws, which form the foundation of our free market economy

Question 11

Bureau of Consumer Protection

Answer 11

US FTC Bureau of Consumer Protection stops unfair, deceptive, and fraudulent business practices by collecting complaints and conducting investigations, suing companies and people that break the law, developing rules to maintain a fair marketplace, and educating consumers and businesses about their rights and responsibilities

Question 12

Bureau of Economics

Answer 12

US FTC Bureau of Economics helps the FTC evaluate the economic impact of its actions by providing economic analysis for competition and consumer protection investigations and rulemakings, and analyzing the economic impact of government regulations on business and consumers

Question 13

Business case

Answer 13

The starting point for assessing the needs of the privacy organization, it defines the individual program needs and the ways to meet specific business goals, such as compliance with privacy laws or regulations, industry frameworks, customer requirements, and other considerations

Question 14

Business Continuity & Disaster Recovery Plan (BCDR)

Answer 14

A risk mitigation plan designed to prepare an organization for crises and to ensure critical business functions continue. The focus is to recover from a disaster when disruptions of any size are encountered

Question 15

Business Continuity Plan

Answer 15

Typically drafted and maintained by key stakeholders, spelling out departmental responsibilities and actions teams must take before, during, and after an event in order to help operations run smoothly. Eg: fire, flood, natural disaster, and terrorist attacks

Question 16

Canadian Institute of Chartered Accountants (CICA)

Answer 16

CICA, pursuant to the 2006 Protocol, is entrusted with the responsibility for providing strategic leadership, co-ordination of common critical function of strategic planning, protection of the public and ethics, education and qualifications, standard-setting, and communication

Question 17

Centralized Governance

Answer 17

Privacy governance model that leaves one team or person responsible for privacy-related affairs; all other persons or organizations will flow through this point

Question 18

Children’s Online Privacy Protection Act (COPPA) of 1998

Answer 18

US Federal law that applies to the operators of commercial websites and online services that are directed to children under the age of 13.

Question 19

Choice

Answer 19

In the context of consent, choice refers to the idea that consent must be freely given and that data subjects must have a genuine choice as to whether to provide personal data or not

Question 20

CIA Triad

Answer 20

AKA Security Triad; three common information security principles from the 1960’s: Confidentiality, Integrity, and Availability

Question 21

Collection Limitation

Answer 21

A Fair Information Practices principle - it is the principle stating there should be limits to the collection of personal data, that any such data should be obtained by lawful and fair means and, where appropriate, with knowledge or consent of the data subject

Question 22

Consent

Answer 22

Privacy requirement is one of the fair information practices. Individuals must be able to prevent the collection of their personal data, unless the disclosure is required by law.

Question 23

Affirmative/Explicit Consent

Answer 23

A requirement that an individual “signifies” his or her agreement with a data controller by some active communication between the parties

Question 24

Implicit Consent

Answer 24

Implied consent arises where consent may reasonably be inferred from the action or inaction of the individual

Question 25

Consumer Reporting Agency (CRA)

Answer 25

Any person or entity that complies or evaluates personal information for the purpose of furnishing consumer reports to third parties for a fee

Question 26

Current Baseline

Answer 26

“As-is” data privacy requirements; the current environment and any protections, policies, and procedures currently deployed

Question 27

Cyber Liability Insurance

Answer 27

Cyber Liability insurance may cover many breach-related expenses, including forensic investigations, outside counsel fees, crisis management services, public relations experts, breach notification, and call center costs

Question 28

Data Breach

Answer 28

The unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity or personal information maintained by a data collector

Question 29

Data Controller

Answer 29

The natural or legal person, public authority, agency, or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.

Question 30

Data Inventory

Answer 30

Aka record of authority, identifies personal data as it moves across various systems and thus how data is shared and organized, and its location. The data is then categorized by subject area, which identifies inconsistent data versions, enabling identification and mitigation of data disparities

Question 31

Data Life Cycle Management

Answer 31

Data Governance– policy-based approach to managing the flow of information through a life cycle from creation to final disposition.
Provides a holistic approach to the processes, roles, controls, and measures necessary to organize and maintain data, and has 11 elements
AKA Information Life Cycle Management

Question 32

11 Elements of DLCM (Or ILCM)

Answer 32

1. Enterprise Objectives
2. Minimalization
3. Simplicity of procedure and effective training
4. Adequacy of infrastructure
5. Information Security
6. Authenticity and accuracy of one’s own records
7. Retrievability
8. Distribution controls
9. Auditability
10. Consistency of policies
11. Enforcement

Question 33

Data Protection Authority

Answer 33

Independent public authorities that supervise the application of data protection laws in the EU.
Provide advice on data protection issues and field complaints from individuals alleging violations of the GDPR
Each EU member state has their own DPA

Question 34

Data Protection Impact Assessment

DPIA

Answer 34

The process by which companies can systematically assess and identify the privacy and data protection impacts of any products they offer and services they provide.
It enables them to identify the impact and take the appropriate actions to prevent or, at the very least, minimize the risk of those impacts

Question 35

Data Quality

Answer 35

A fair information practices principle, it is the principle that personal data should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and kept up-to-date.

Question 36

Quality of Data criteria (4)

Answer 36

The quality of data is judged by:

1. Does it meet the business needs?
2. Is it accurate?
3. Is it complete?
4. Is it recent?

Question 37

Decentralized Governance

Answer 37

governance model involving the delegations of decision-making authority down to the lower levels in an organization, away from and lower than a central authority.
There are fewer tiers in the organizational structure, wider span of control, and bottom-to-top flow of decision-making and ideas
Aka Local Governance

Question 38

Direct Marketing

Answer 38

When the seller directly contacts an individual, in contrast to marketing through mass media such as television or radio

Question 39

Do Not Track

Answer 39

A proposed regulatory policy, similar to the existing Do-Not-Call Registry in the US, which would allow consumers to opt out of web-usage tracking

Question 40

Electronic Communications Privacy Act of 1986

Answer 40

Collective name of the Electronic Communications Privacy and Stored Wire Electronic Communications Acts, which updated the Federal Wiretap Act of 1968.
ECPA, as amended, protects wire, oral, and electronic communications while those communications are being made, are in transit, and when they are stored on computers.
Applicable to email, telephone conversations, and data stored electronically.
The USA PATRIOT Act and subsequent federal enactments have clarified and updated ECPA in light of the ongoing development of modern communications technologies and methods, including easing restrictions on law enforcement access to stored communications in some cases

Question 41

EU Data Protection Directive

Answer 41

EU Data Protection Directive (95/45/EC) was replaced by the GDPR in 2018. The Directive was adopted in 1995, became effective in 1998, and was the first EU-wide legislation that protected individuals’ privacy and personal data use

Question 42

Gap Analysis

Answer 42

Performed to determine the capability of current privacy management to support each of the business and technical requirements uncovered during an audit or privacy assessment, is any exist; requires reviewing the capabilities of current systems, management tools, hardware, operating systems, administrator expertise, system locations, outsourced services and physical infrastructure

Question 43

Generally Accepted Privacy Principles

name the 10 principles

Answer 43

A framework promulgated by the AICPA in conjunction with the CICA. Ten principles:

1. Management
2. Notice
3. Choice and consent
4. Collection
5. Use and retention
6. Access
7. Disclosure to third parties
8. Security for privacy
9. Quality
10. Monitoring and enforcement

Question 44

Gramm-Leach-Bliley Act

Answer 44

AKA- Financial Services Modernization Act of 1999.
Re-organized the financial services regulation in the US and applies broadly to any company that is “significantly engaged” in financial activities in the US.

Question 45

Health Insurance Portability and Accountability Act

HIPAA

Answer 45

US law passed to create national standards for electronic healthcare transactions, among other purposes.
HIPAA requires the US DOHHS to promulgate regulations to protect the privacy and security of personal health information.
The basic rule is that patients have to opt in before their information can be shared with other organizations

Question 46

Hybrid Governance

Answer 46

Governance model that allows for a combination of centralized and local governance. Typically seen when a large organization assigns a main individual responsibility for privacy-related affairs, and the local entities then fulfill and support the policies and directives from the central governing body

Question 47

Individual Participation

4 rights

Answer 47

Fair Information practice principle - an individual should have the right:

1. to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has relating to them
2. to have data relating to them communicated to them within a reasonable time; at a charge. if any, that is not excessive; in a reasonable manner, and in a form that is readily intelligible to them
3. to be given reasons if a request made under subparagraphs 1 &2 is denied, and to be able to challenge such denial
4. to challenge data relating to them and if the challenge is successful, to have the data erased, rectified, completed, or amended

Question 48

Information Life Cycle

think purpose

Answer 48

The information life cycle recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion

Question 49

Information Life Cycle Management

Answer 49

A policy-based approach to managing the flow of information through a life cycle from creation to final disposition, providing a holistic approach to the process, roles, controls, and measures necessary to organize and maintain data and has 11 elements
AKA Data Life Cycle Management or data governance

Question 50

Information Security Practices

Answer 50

Provide management, technical and operational controls to reduce probable damage, loss, modification, or unauthorized data access

Question 51

Information Security Triad

Answer 51

AKA CIA Triad - consists of three common information security principles:
Confidentiality, Integrity, and Availability

Question 52

Internal Partners

Answer 52

Professionals and departments within an organization who have ownership of privacy activities, e.g., human resources, marketing, information technology

Question 53

Jurisdiction

Answer 53

The authority of a court to hear a particular case. Courts must have jurisdiction over both the parties to the dispute (personal jurisdiction) and the type of dispute (subject matter jurisdiction). The term is also used to denote the geographical area or subject-matter to which such authority applies

Question 54

Local Governance

Answer 54

Governance model involving the delegation of decision-making authority down to the lower levels in an organization, away from and lower than a central authority. There are fewer tiers in the organizational structure, wider spread span of control and bottom-to-top flow of decision-making and ideas
AKA Decentralized Governance

Question 55

Metric Life Cycle

5 steps

Answer 55

The processes and methods to sustain a metric to match the ever-changing needs of an organization. Consists of 5-step process:

1. Identification of the intended audience
2. Definition of data sources
3. Selection of privacy metrics
4. Collection and refinement of systems/application collection points
5. Analysis of the data/metrics to provide value to the organization and provide a feedback quality mechanism

Question 56

Metrics

Answer 56

Tools that facilitate decision-making and accountability through collection, analysis, and reporting of data.
Must be measurable, meaningful, clearly defined (with boundaries), indicate progress, and answer a specific question to be valuable and practical

Question 57

NIST

Answer 57

National Institute of Standards and Technology
An agency within the Department of Commerce that has the lead responsibility for the development and issuance of security standards and guidelines for the federal government, contractors, and the United States critical information infrastructure.
Published RMF - Risk Management Framework

Question 58

Negligence

Answer 58

An organization will be liable for damages if it breaches a legal duty to protect personal information and an individual is harmed by that breach

Question 59

Non-public information

Answer 59

Defined by GLBA as personally identifiable financial information (i) provided by a consumer to a financial institution, (ii) resulting from a transaction or service performed for the consumer, or (iii) otherwise obtained by the financial institution. Excluded from the definition are (i) publicly available information and (ii) any consumer list that is derived without using personally identifiable financial information

Question 60

Openness

Answer 60

A fair information practices principle. There should be a general policy of openness about developments, practices, and policies with respect to personal data.
Means should be readily available to establish the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller

Question 61

Opt-in

Answer 61

One of two central components of choice. It means an individual makes an active affirmative indication of choice, i.e., checking a box signaling a desire to share his or her information with third parties

Question 62

Opt-out

Answer 62

One of two central concepts of choice. It means an individual’s lack of action implies that a choice has been made, i.e., unless an individual checks or unchecks a box, their information will be shared with third parties

Question 63

Organization for Economic Cooperation and Development

Answer 63

An international organization that promotes policies designed to achieve the highest sustainable economic growth, employment and a rising standard of living in both member and non-member countries, while contributing to the world economy
AKA OECD

Question 64

PCI Data Security Standard

Answer 64

A self-regulatory system that provides an enforceable security standard for payment card data. The rules were drafted by the Payment Card Industry Security Standards Council, which built on previous rules written by the various credit card companies

Question 65

Performance Measurement

think measuring

Answer 65

The process of formulating or selecting metrics to evaluate implementation, efficiency or effectiveness; gathering data and producing quantifiable output that describes performance

Question 66

Personal data

Answer 66

The predominant term for personal information in the EU, defined broadly in the GDPR as any information relating to an identified or identifiable natural person

Question 67

Personal information

Answer 67

A synonym for “personal data”
It is a term with particular meaning under the CCPA, which defines it as information that identifies, relates to, describes, is caple of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer

Question 68

Personal Information Protection and Electronic Documents Act

2 goals

Answer 68

A Canadian act with two goals:
1. to instill trust in electronic commerce and private sector transactions for citizens
2. to establish a level playing field where the same marketplace rules apply to all businesses
PIPEDA

Question 69

Platform for Privacy Preferences

Answer 69

A machine-readable language that helps to express a website’s data management practices in an automated fashion
P3P

Question 70

Privacy by Design

Answer 70

Generally regarded as a synonym for Data Protection by Design
PbD as a specific term was first outlined in a framework in the mid-1990’s by then-Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian, with 7 foundational principles

Question 71

PbD Principles

Answer 71

1. Proactive no reactive; preventive not remedial
2. Privacy as the default setting
3. Privacy embedded into the design
4. Full functionality – positive-sum, not zero-sum
5. End-to-end security – full lifecycle protection
6. Visibility and transparency – keep it open
7. Respect for user privacy – keep it user-centric

Question 72

Privacy Champion

Answer 72

An executive who serves as the privacy program sponsor and acts as an advocate to further foster privacy as a core organization concept

Question 73

Privacy Impact Assessment

Answer 73

PIA
An analysis of how information is handled:
(i) to ensure handling conforms to applicable legal, regulatory and policy requirements regarding privacy
(ii) to determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system
(iii) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks

Question 74

Privacy Maturity Model

Answer 74

Provides a standardized reference for companies to use in assessing the level of maturity of their privacy programs

Question 75

Privacy Operational Life Cycle

Answer 75

Focused on refining and improving privacy processes, this model continuously monitors and improves the privacy program, with the added benefits of a life cycle approach to measure (assess), improve (protect), evaluate (sustain), and support (respond), and then start again

Question 76

Privacy Program Framework

Answer 76

An implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization

Question 77

Privacy Threshold Analysis

Answer 77

One tool used to determine whether a PIA should be conducted

PTA

Question 78

πrivacy-Enhancing Technologies

Answer 78

Privacy technology standards developed solely to be used for the transmission, storage and use of privacy data.
Examples: Platform for Privacy Preferences (P3P) and Enterprise Privacy Authorization Language (EPAL)

Question 79

Private Right of Action

Answer 79

Unless otherwise restricted by law, any individual that is harmed by violation of the law can file a lawsuit against the violator

Question 80

Protect

Answer 80

The second of four phases of the privacy operational life cycle. It provides the data life cycle, information security practices and PbD principles to “protect” personal information

Question 81

Protected Health Information

Answer 81

Any individually identifiable health information transmitted or maintained in any form or medium that is held by an entity covered by HIPAA or its business associate; identifies the individual or offers a reasonable basis for identification; is created or received by a covered entity or an employer; and relates to a past, present, or future physical or mental condition, provision of healthcare or payment for healthcare to that individual

Question 82

Pseudonymous Data

Answer 82

Data points which are not directly associated with a specific individual. The identity of the person is not known but multiple appearances of that person can be linked together. Uses an ID rather than PII to identify data as coming from the same source. IP address, GUID, and ticket numbers as pseudonymous values

Question 83

Purpose Limitation

Answer 83

A fair information practices principle, part of the original OECD Guidelines, and a piece of many privacy and data protection regulations, this is the principle that the purposes for which personal data are collected should be specified no later than at the time of data collection and the subsequent use of that personal data is limited to the fulfillment of those purposes or such others as are not incompatible with those purpose and as are specified to the individual on each occasion of change or purpose, or for which there is a further legal basis that would not require notification
AKA principle of finality

Question 84

Qualified Protective Order

Answer 84

Requires that the parties are prohibited from using or disclosing protected health information for any purpose other than the litigation and that the PHI will be returned or destroyed at the end of the litigation
Associated with HIPAA and PHI
QPO

Question 85

Respond

Answer 85

The fourth of four phases of the privacy operational life cycle. It includes the respond principle of information requests, legal compliance, incident-response planning, and incident-response handling. The “Respond” phase aims to reduce organizational risk and bolster compliance to regulations

Question 86

Retention

Answer 86

Within the information life cycle, the concept that organizations should retain personal information only as long as necessary to fulfill the stated purpose

Question 87

Return on Investment

Answer 87

An indicator used to measure the financial gain/loss (or “value”) of a project in relation to its cost. Privacy ROI defines metrics to measure the effectiveness of investments to protect investments in assets

Question 88

Right Not to be Subject to Fully Automated Decisions

Answer 88

Under Article 15 of the Data Protection Directive, individuals are entitled to object to being subject to fully automated decisions. The right, however, does not allow an individual to object to automated processing that then leads to a human decision

Question 89

Security Safeguards

Answer 89

A fair information practices principle, it is the principle that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification, or disclosure of data

Question 90

Social Engineering

Answer 90

a general term for how attackers can try to persuade a user to provide information or create some other sort of security vulnerability

Question 91

Stakeholder

Answer 91

Individual executives within an organization who lead and “own” the responsibility of privacy activities

Question 92

Strategic Management

Answer 92

The first high-level task necessary to implementing proactive privacy management through three subtasks:

1. Define your organizations’ privacy vision and privacy mission statement
2. Develop privacy strategy
3. Structure your privacy team

Question 93

Substitute Notice

Answer 93

Most legislation recognized that data breach notifications involving thousands of impacted data subjects could place an undue financial burden on the organization and therefore allow substitute notification methods.

Question 94

Sustain

Answer 94

The third of four phases in the Privacy Operational Life Cycle.
It provides privacy management through the monitoring, auditing, and communication aspects of the management framework

Question 95

Unfair trade practices

Answer 95

Commercial conduct that intentionally causes substantial injury, without offsetting benefits, and that consumers cannot reasonably avoid

Question 96

US-CERT

Answer 96

A partnership between the Department of Homeland Security and the public and private sectors intended to coordinate the response to security threats from the Internet.
As such, it releases information about current security issues, vulnerabilities and exploits via the National Cyber Alert System and works with software vendors to create patches for security vulnerabilities

Question 97

US-CERT IT Security Essential Body of Knowledge

14

Answer 97

Fourteen generic information security practice competency areas, including:

1. Digital Security
2. Digital Forensics
3. Enterprise Continuity
4. Incident Management
5. IT Security and Training Awareness
6. IT Systems Operation and Maintenance
7. Network and Telecommunications Security
8. Personnel Security
9. Physical and Environmental Security
10. Procurement
11. Regulatory and Standards Compliance
12. Security Risk Management
13. Strategic Security Management
14. System and Application Security

Question 98

Vendor Management

Answer 98

Assessment of a third-party vendor for the vendor’s privacy and information security policies, access controls. where the personal information will be held and who has access to it. Privacy/security questionnaires, privacy impact assessments, and other checklists can be used to assess this risk

Question 99

Video Surveillance

Answer 99

Recordings that do not have sound

Associated law: FISA

Question 100

WebTrust

Answer 100

Created by the AICPA and the CICA. It is a self-regulating seal program which licenses qualifying certified public accountants