Dump Flashcards
Which of the following is NOT a goal of the Privacy Program Manager (PPM)?
A. Identify the supply chain's privacy risks.
B. Identify the organization's, employees' and patients' risks.
C. Identify the current state of policies, procedures and any supporting documentation.
D. Promote consumer trust.
A. Identify the supply chain's privacy risks.
Identifying supply-chain privacy risks is not a PPM goal; it belongs to the vendor management program.
Answers B and C are PPM goals. Answer D is a goal of the privacy program as a whole and therefore an implied goal of the PPM. The best answer is A.
Which of the following is NOT a reason organizations are becoming compliant with global privacy regulations?
A. Brand Name Protection
B. Reputation Protection
C. GDPR
D. U.S. Federal Privacy Law
D. U.S. Federal Privacy Law
The U.S. has yet to pass a comprehensive federal privacy law. Sector-specific federal laws in the U.S. carry data privacy protections, but there is no U.S.-wide federal privacy law to date.
Privacy program managers are charged with the protection and appropriate use of?
A. Private Information
B. Personal Information
C. Public Information
D. Social Information
B. Personal Information
The term "private information" is rarely used; "personal information" (PI) and "personally identifiable information" (PII) are the predominant terms. PPMs are not responsible for protecting public information or social information. Do not read into the question: focus on it as posed. If you add your own assumptions you may overthink the question and choose the incorrect answer.
Which of the following groups are NOT a priority group for the development of your privacy policies and procedures within your organization?
A. Human Resources
B. Legal
C. Business Development
D. External Audit
D. External Audit
An internal audit group would be part of your priority group; all of the other listed groups are departments you should include.
The privacy vision should align with?
A. Consumer Objectives
B. Business Objectives
C. Vendor Objectives
D. Contract Objectives
B. Business Objectives
The privacy vision, like the mission statement and scope that follow it, must align with the organization's business objectives. Consumer, vendor and contract objectives are inputs the vision may reflect, but the best answer is B. You will have questions like this on the exam.
Your organization is implementing a new process that may collect consumer’s information. The process is complete and ready for a final review before being launched into production. During the review, it is determined that the new process lacks the ability to audit the privacy controls for regulatory compliance. What was not included in the design?
A. Proactive
B. Embedded privacy controls
C. Respect for users
D. Privacy by Design
D. Privacy by Design
Upon request, a detailed record of processing must be shared with the?
A. Data Protection Officer
B. Data Protection Authority
C. Chief Information Officer
D. Chief Information Security Officer
B. Data Protection Authority
Upon the request of the DPA, your organization must share the detailed record of processing with them. The other answers are also correct, however, the best, right answer is B. You will have questions like this on the exam.
Your medical staff has access to all EMRs. Each staff member is trained frequently on proper handling, access and protection of sensitive data. If one of your medical practitioners is authorized to access an EMR but is unable to access it, which basic security principle has been applied?
A. Role-Based Access
B. Segregation of duties
C. Least privilege
D. Need-to-know access
B. Segregation of duties
Separation of duties is the concept of requiring more than one person to complete a task. It is an administrative control used by organizations to prevent fraud, sabotage, theft, misuse of information and other security compromises.
While your organization is assessing a potential vendor, one statement within the vendor policy may require a review of?
A. Privacy Policy
B. Vendor Management
C. Location of data
D. Employees
C. Location of data
The vendor policy may stipulate that the procuring organization evaluate its processes for risk assessment, its risk profile, and its categories of vendors based on risk. This may include evaluating the vendor's internal policies; affiliations and memberships with other organizations; mandatory and non-mandatory certifications; location of data servers; and data storage, use and transport.
Your organization has secured funding for a new privacy training initiative. Which of the following may NOT be one of the training methods you would implement?
A. Classroom
B. Online
C. Workshops
D. Testing
D. Testing
Training may be delivered through dedicated classroom, instructor-led courses or an online platform.
“Once breach preparedness is integrated into the BCP, or if the company decides to have a standalone incident response plan, incident response training will likely be required. This training may take many forms, including workshops, seminars and online videos, but often includes tabletop exercises, a strategic mainstay of corporate trainers and business continuity planners.”
The CFO and CHR of a healthcare organization are looking to you, the privacy program manager, to provide them with a performance measurement of the privacy program. Which of the following would you NOT utilize in creating that?
A. Tracking
B. Identifying
C. Defining
D. Analyzing
A. Tracking
Who needs to appreciate the benefits and risks associated with the collection and use of personal information?
A. Privacy
B. Privacy Professional
C. Privacy Program Manager
D. Privacy Officer
B. Privacy Professional
A California, U.S. based organization receives its first subject access request (SAR). The privacy program manager is alerted to receipt of the request in a timely fashion. What will the program manager reference, that was developed in the establishment of the privacy program, that will assist in determining where the SAR’s information resides?
A. Data Classification Policy
B. Privacy Program Scope
C. Regulatory Map
D. Data Inventory
D. Data Inventory
The GDPR, the CCPA, GLBA and other privacy laws use different terminology and requirements for "reasonable security procedures and practices." The words "adequate" or "appropriate technical and organizational measures" express the security principle. Which of the following would you NOT reference for these types of controls and standards?
A. Center for Internet Security (CIS) Critical Security Controls
B. ISO/IEC 27002
C. NIST SP 800-53 Rev. 4
D. ISO/IEC 27006
D. ISO/IEC 27006
The CIS Controls (formerly known as the Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today's most pervasive and dangerous attacks.
NIST SP 800-53 provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image and reputation), organizational assets, individuals, other organizations and the Nation.
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).
ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It lays out formal requirements for accredited bodies that certify other organizations as compliant with ISO/IEC 27001; it is a standard for certification bodies, not a catalog of controls.
An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Departments are following and adhering to processes and procedures for most functions. What level of maturity is the organization at?
A. Repeatable
B. Defined
C. Ad Hoc
D. Managed
B. Defined
An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Generally, if your privacy program has recently been created where you are still evaluating and inventorying what the organization has and does not have in place for policies, processes and procedures, the privacy program maturity level is at this stage?
A. Repeatable
B. Defined
C. Ad Hoc
D. Managed
C. Ad Hoc
Key stakeholders make decisions pertaining to the record of your organization’s privacy program. These decisions serves as the privacy program’s?
A. Governance
B. Risk Assessment
C. Due Care
D. Due Diligence
D. Due Diligence
Such documentation supports the accountability requirements of the GDPR and serves as the privacy program's due diligence record of which functions and individuals are held accountable for privacy compliance.
Your customer’s information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to accuracy of information?
A. Availability
B. Confidentiality
C. Integrity
D. Accountability
C. Integrity
In the world of information security, integrity refers to the accuracy and completeness of data.
As privacy laws and regulations continue to expand and change, complying and monitoring with those changes is critical for the organization’s privacy program success. What is one solution that provides organizations with updated changes, monitoring and auditing performances of their processes and procedures?
A. Internal Audit
B. Second-party Audit
C. Third-party Audit
D. Third-party Privacy Compliance Platform and Tools
D. Third-party Privacy Compliance Platform and Tools
Prior to a new service or system being implemented, this type of action is required to be conducted?
A. Data Privacy Impact Assessment
B. Privacy Impact Assessment
C. Privacy Assessment
D. Risk Assessment
B. Privacy Impact Assessment
Your organization has been alerted to a data breach within one of your vendors. During the DPA investigation, procurement has been summoned for questioning. What may be the topic of discussion?
A. Communications Language
B. Processor responsibilities
C. GDPR Compliance
D. Internal audit results
B. Processor responsibilities
Your organization is capturing and documenting where and what information is flowing, both internally and externally. What is this type of exercise?
A. Regulatory Map
B. Legal Map
C. Data Inventory Map
D. Data Map
C. Data Inventory Map
Answers A and B are used to determine the regulatory and legal requirements your organization is accountable to. Answer D is the process of matching fields from one database to another.
Your organization is conducting processor assessments. Which privacy domain houses this action item?
A. Measure
B. Improve
C. Evaluate
D. Support
A. Measure
The domains are: (A) Assess - Measure, (B) Protect - Improve, (C) Sustain - Evaluate, (D) Respond - Support.
HR is reviewing candidate’s resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work with Legal and HR on, as it relates to the background information gathered?
A. Data Retention
B. Data Policies
C. Information
D. Training
A. Data Retention
Data retention must be addressed not only at the controller but also in the contract with the processor that obtains the background information. The controller must be explicit about what the processor will do with the information gathered on the individual once a hiring decision has been made. Based on that decision, both the controller and the processor must retain, and then destroy, data that is no longer required for any business reason.
Which of the following is the correct order of the phases of a data incident plan?
A. Planning, Preparing, Handling, Reporting
B. Planning, Investigating, Handling, Reporting
C. Preparing, Reporting, Investigating, Recovering
D. Preparing, Investigating, Recovering, Reporting
A. Planning, Preparing, Handling, Reporting
Plan, prepare, assign roles and responsibilities, handle, investigate, report and recover is the correct order for data incidents.
Your customer’s information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to access of information?
A. Availability
B. Confidentiality
C. Integrity
D. Accountability
A. Availability
Availability is one element of the information security triad (confidentiality, integrity, availability); answers B and C are the other two. Accountability does apply here, but the question asks about information security as it relates to access. Availability ensures information is accessible to authorized users when they need it.
Your medical staff has access to all EMRs. Each staff member is trained frequently on proper handling, access and protection of sensitive data. If one of your medical practitioners accesses an EMR for a patient they did not and will not provide care to, which basic security principle has been violated?
A. Role-Based Access
B. Segregation of duties
C. Least privilege
D. Need-to-know access
D. Need-to-know access
Need-to-know access is access to information or systems that are required to conduct and complete the responsibility of an authorized user. In this scenario, the medical practitioner is not and will not provide care to the patient, therefore, has no need-to-know to access the patient’s records.
Your PIA identified a risk that you, as the privacy program manager, must address to bridge a gap within your privacy training and awareness program. You present the findings and the costs associated with the mitigating activity to your leadership. They reject your request. What should you have presented to your leadership to support your request?
A. Business Case
B. Return-on-Investment
C. Qualitative benefits
D. Annual loss expectancy (ALE)
B. Return-on-Investment
Had an ROI and the quantified savings (quantitative, not qualitative) been presented alongside the probable cost and impact of the risk to the organization, leadership would have seen the strategic picture rather than only the bottom-line expense. Answer A is incorrect: the business case was created for the privacy program, which is already in place. Answer D would be used to quantify and support the ROI discussion.
A financial institution has completed their regulatory mapping exercise and determined and created their data retention policy. The institution has adopted two possible standards for destroying the data, which are degaussing and shredding. What is another way to destroy the data electronically?
A. Melt
B. Burn
C. Erase
D. Overwrite
D. Overwrite
Answers A and B are physical, not electronic, destruction methods. Answer C is not a distinct electronic destruction standard: a plain erase or delete usually removes only the reference to the data and leaves the data itself recoverable, whereas overwriting (and degaussing, for magnetic media) destroys the data.
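Added example, not from the flashcards: the difference between a plain delete and an overwrite, shown on a constructed file. `overwrite_in_place` replaces every byte with random data and fsyncs before the file is unlinked; `still_contains` reads the file back so you can confirm the original record is gone. The record text, file and function names are assumptions for the example.

```python
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # overwrite in 64 KiB chunks so large files are not loaded into memory


def still_contains(path: str, needle: bytes) -> bool:
    """Read the file back and report whether the original content is still there."""
    with open(path, "rb") as fh:
        return needle in fh.read()


def overwrite_in_place(path: str, passes: int = 1) -> int:
    """Replace every byte of the file with random data, flushed to stable storage.

    Returns the number of bytes overwritten per pass. This is the electronic
    'overwrite' method from the card; it destroys data only where the file
    system writes back to the same blocks (see the caveat below the block).
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # do not trust the OS page cache to reach disk
    return size


def sanitize(path: str, passes: int = 1) -> int:
    """Overwrite first, then unlink. A bare unlink only drops the directory entry."""
    size = overwrite_in_place(path, passes)
    os.unlink(path)
    return size


def demo() -> tuple:
    """Constructed scenario: a file holding one customer record is sanitized.

    Returns (contains_before, contains_after_overwrite, exists_after_sanitize).
    """
    needle = b"ACCT 4485-9921 Jane Example"  # constructed sample record, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"customer export v1\n" + needle + b"\n")
    before = still_contains(path, needle)
    overwrite_in_place(path)
    after = still_contains(path, needle)
    sanitize(path)  # second pass, then remove the file
    return before, after, os.path.exists(path)
```

Caveat for the practitioner: on SSDs (wear-leveling remaps blocks), copy-on-write or journaling file systems, and anything with snapshots or backups, an in-place overwrite does not reach every copy of the data. NIST SP 800-88 treats cryptographic erase or the drive's own sanitize command as the purge method for such media; a file-level overwrite is only a clear-level control.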
Your organization has suffered a data breach. You have initiated the incident response plan and are preparing for an external communication. Your marketing and social media team is made aware that an employee has posted a statement onto their personal social media platform. What didn’t the organization do, based on the information provided?
A. Implement a training program
B. Conduct training
C. Coordinate both internal and external communications
D. Notify customers
C. Coordinate both internal and external communications
Coordinating internal and external communications, and then releasing them in sync with specific guidance and templates, keeps employees from posting inaccurate or unauthorized internal information externally and reduces confusion for anyone reading the employee's post.
Your organization has accepted your proposed privacy vision. In order to continue developing your privacy program, which is your next step?
A. Develop the privacy team
B. Develop the privacy program strategy
C. Develop the mission statement
D. Develop the scope of the privacy program
D. Develop the scope of the privacy program
After you have created and received approval of the vision or mission statement (C.), you must determine the scope of the privacy program. Answer A and B are subsequent steps after the vision/mission statement and scope have been established.
After completing the framework, which step is NEXT in the development of the privacy program?
A. Develop the privacy team
B. Develop the privacy program strategy
C. Develop the mission statement
D. Develop the scope of the privacy program
B. Develop the privacy program strategy
Once the vision/mission statement, scope and framework are selected, the strategy is next.
Which of the following tactics are used to identify your privacy program scope?
A. Identify where business data is collected
B. Identify where data is collected
C. Identity where personal information is collected
D. Identify global data protection laws
C. Identity where personal information is collected
“You must know what personal information is collected and processed and which privacy and data protection laws and regulations impact your organization.”
Your organization has implemented information security practices. Which privacy domain houses this action item?
A. Measure
B. Improve
C. Evaluate
D. Support
B. Improve
The domains are: (A) Assess - Measure, (B) Protect - Improve, (C) Sustain - Evaluate, (D) Respond - Support.
Your workforce is one of the key contributors to causing a data incident. What is one of the FIRST things you need to determine to address this risk?
A. Secure Funding
B. Train the workforce
C. Develop a business case
D. Workforce behavioral review
D. Workforce behavioral review
The gap between expected and actual behavior is large. The organization first needs to determine current behaviors and then define the desired behaviors. Once that is complete, the business case is created (answer C) and presented to leadership to secure funding (answer A), and the training is then executed (answer B).
HR is reviewing candidate’s resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work focus on, as it relates to the vendor gathering the background information requested?
A. Procurement
B. Vendor Assessment
C. Information Risk
D. Communications
B. Vendor Assessment
The organization, prior to signing any contracts with a particular vendor, must assess the prospective vendor based on the organization’s standards and regulatory requirements that must be complied with by the processor.
Your organization is implementing a new process that may collect consumer’s information. Throughout the SDLC process, it is also determined that the consumer’s information may be shared or aggregated throughout the life cycle of the information. In order to determine if a privacy impact assessment (PIA) is needed, you must conduct a?
A. Data Privacy Impact Assessment
B. Information risk assessment
C. Privacy-enabling technology
D. Recovery
The correct answer is D.
A DPIA is a tool by which controllers provide proof of and demonstrate compliance with data protection laws, so it is not the correct answer here. PETs are used within the PbD model and are not the correct answer here.
An insurance company is informed by an agent that they may have compromised personal information of their clients. What information security controls will be potentially implemented?
A. Preventative
B. Detective
C. Corrective
D. Recovery
C. Corrective
Corrective controls contain an incident and keep it from causing further damage. Answers A and B are implemented before an incident, while answer D is implemented after the incident has been contained.
A U.S.-based financial institution is required to provide customers an annual privacy notice that gives clear notice of the customer's rights with respect to opt-outs. What regulation requires this?
A. GDPR
B. LGPD
C. PIPEDA
D. GLBA
D. GLBA
Answers A, B and C are non-U.S. regulations.
The stakeholders of a genetic organization have developed and are presenting their business case for a privacy program update, to include protective controls ensuring both the information security and privacy programs are united and overlapping. As part of this presentation, the quantified annual loss expectancy for a particular privacy control is $120,000 for complete development, implementation and monitoring of the control. While presenting, the question was posed to the presenter, ‘If the control is not implemented, what will be the cost to the organization?” The projected impact to the organization would be less than the actual control being implemented. What would this example be called?
A. Qualitative model
B. Single loss expectancy
C. Return on investment (ROI)
D. Acceptable risk
C. Return on investment (ROI)
ROI is (Benefits - Cost) / Cost. In this example the projected impact of the risk is less than the cost of the proposed control, and depending on the difference between those figures (deliberately not provided) this may not be a business case worth approving if the ROI is unfavorable; the question, however, only asks what the example is called. Remember not to add to the story: read the question twice, pick out the key words and determine what is actually being asked. Answer D looks and sounds plausible but is a distractor; the question is not asking for it. Answers A and B are incorrect.
An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. The privacy program has been in place for multiple years and has been extremely successful in providing metrics and efficiencies for your organization. What level of maturity is the organization at?
A. Repeatable
B. Defined
C. Ad Hoc
D. Managed
D. Managed
The managed maturity level includes reviews that assess the effectiveness of the implemented controls.
Your medical staff has access to all EMRs. Each staff member is trained frequently on proper handling, access and protection of sensitive data. If one of your medical practitioners accesses an EMR for a patient they are providing care to, which basic security principle has been followed?
A. Role-Based Access
B. Segregation of duties
C. Least privilege
D. Need-to-know access
D. Need-to-know access
Need-to-know access is access to information or systems that are required to conduct and complete the responsibility of an authorized user. In this scenario, the medical practitioner is authorized to access the patient’s records.
As technology infrastructure is procured, implemented, and secured, which of the following security controls are most integrated with IT?
A. Physical Security
B. HR Security
C. Ethics and Integrity
D. Employees
A. Physical Security
Systems and computers are physically protected and managed with doors and locks, CCTV and similar measures. Answer B is also integrated with IT; however, the question asks about technology infrastructure (computers, mobile devices, applications, etc.), so the control most integrated with IT is answer A.
Principles and standards, laws, regulations and programs are two categories that a privacy framework may be designed from. What is another category that can be referenced to create a privacy framework?
A. Privacy Program Management
B. Privacy Program Strategy
C. Privacy Program Vision
D. Privacy by Default
A. Privacy Program Management
Answers B and C are foundations of the privacy program but are not frameworks. Answer D is a tricky distractor: privacy by design (PbD) would be a correct answer, but 'privacy by default' is not.
Within the U.S., which federal law addresses money laundering?
A. U.S. Federal Financial Law
B. Federal Trade Commission Act
C. Fair and Accurate Credit Transactions Act
D. Financial Modernization Act
D. Financial Modernization Act
Also known as the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to explain how they share and protect their customers' private information.
Your organization must share personal information to a country outside of the EEA and EU. You individually tailor the contract to your company’s needs and obtain the required supervisory authority’s authorization. What type of cross-border transfer rule are you using?
A. BCR
B. SCC
C. Codes of Conduct
D. Ad hoc contractual clause
D. Ad hoc contractual clause
BCRs allow a corporate group to adopt an internal policy for its own transfers. SCCs (Article 46(2)(c)) and codes of conduct (Article 40) are GDPR transfer mechanisms with enforceable commitments that do not need case-by-case approval; an ad hoc clause tailored to your own contract requires the supervisory authority's authorization (Article 46(3)(a)).
A global organization located in numerous countries would be best to implement this type of governance model?
A. Centralized
B. Distributed
C. Hybrid
D. External
B. Distributed
A distributed model delegates decision-making to the lowest levels within an organization, allowing a bottom-up flow of decisions and monitoring.
If your leadership is not supporting nor funding your privacy program management, one way to gain their support is to share what a potential privacy breach would cost the organizations. This would be an example of?
A. Metrics
B. Quantitative Model
C. Qualitative Model
D. Return on Investment (ROI)
B. Quantitative Model
Showing exact, quantifiable costs generally helps privacy program managers obtain support and funding for their privacy program development.
What must an efficient and successful privacy program be built with?
A. Data Map
B. Regulatory Map
C. Compliance Map
D. Comprehensive View
D. Comprehensive View
Answers A and B are components of the comprehensive view within the organization. Each organization must know what data it collects and processes throughout the data's entire lifecycle.
Your organization completed the data inventory exercise. Who in your organization determines what classifications of information are arranged into those categories?
A. Chief Security Officer
B. Chief Executive Officer
C. Privacy Officer
D. Human Resources
C. Privacy Officer
The Privacy Officer and legal department review all regulatory and legal requirements of the organization and based on those applicable laws, will determine what classifications will be utilized within the organization. Answer A will overlay the appropriate physical, administrative and technical controls, based on those categories of data. Answer B and D are not the correct answers.
Your organization has implemented a privacy program and you are analyzing the data and metrics. What was your PREVIOUS step?
A. Identification of audience
B. Analysis
C. Collection
D. Selection
C. Collection
The five-step metrics life cycle is: (1) identification of intended audiences, (2) definition of data sources, (3) selection of privacy metrics, (4) collection and refinement of system/application collection points, (5) analysis of the data/metrics.
Once the policies, procedures and security controls have been assessed on your potential cloud provider, whom within your organization should approve of this type of vendor?
A. General Counsel
B. Privacy Program Manager
C. Chief Information Security Officer
D. Chief Information Officer
D. Chief Information Officer
All of the listed roles may be involved in developing the business case, setting the vendor screening criteria and reviewing the vendor; however, since a cloud provider is a technical vendor, the CIO should ultimately approve the provider.
Your organization is acquiring another organization. As part of the privacy checkpoint, your organization's processes should include conducting a ____ prior to the integration of the acquired organization's systems and processes.
A. Divestiture
B. Data inventory
C. Regulatory map
D. Risk Assessment
D. Risk Assessment
A risk assessment of the acquired organization’s systems, processes, and technologies should be conducted prior to integrating systems to your organization’s systems. This will identify potential risks and allow time to mitigate those while protecting and not introducing those new risks to your organization.
The privacy program manager is preparing their performance measurement presentation. They are looking at the value of the asset being measured, ensuring to capture the possible changes or factors that may impact that value. What other consideration should the PPM take into account as they develop the presentation?
A. Return on investment
B. Chief Financial Officer
C. Alignment
D. Integration
A. Return on investment
The PPM must ensure that the ROI is tied to, and justifies, the implementation of that particular function. Answers C and D are not the correct terms for a performance measurement analysis.
An insurance company is informed by an agent that their computer screen is open, and they are certain that they had locked the screen and that they may have compromised personal information of their clients. What information security controls may be audited?
A. Access Controls
B. Asset Management
C. Procurement
D. Training
A. Access Controls
Access controls may be audited to see who accessed the computer, when, and what was accessed.
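Added example, not from the flashcards, tying together the EMR need-to-know cards above and this access-control audit card: the practitioner role grants the capability to open clinical records at all, a treatment-relationship check narrows that to need-to-know, and every decision is logged so an audit can answer who tried to access which record and with what outcome. The user names, record ids and care-team table are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data for the example; names and record ids are hypothetical.
ROLES = {
    "dr_lee": "practitioner",
    "nurse_kim": "practitioner",
    "dr_patel": "practitioner",
    "billing_01": "billing",
}

# Patient record -> practitioners with an active treatment relationship.
CARE_TEAM = {
    "EMR-1001": {"dr_lee", "nurse_kim"},
    "EMR-1002": {"dr_patel"},
}


@dataclass
class AuditEvent:
    when: str
    user: str
    record: str
    decision: str  # "allow" or "deny"
    reason: str


AUDIT_LOG: list[AuditEvent] = []


def can_access(user: str, record: str) -> tuple[bool, str]:
    """Two-layer decision: role-based access first, need-to-know second."""
    # Role-based access: only the practitioner role may open clinical records at all.
    if ROLES.get(user) != "practitioner":
        return False, "role not permitted"
    # Need-to-know: an authorized practitioner is still limited to patients they treat.
    if user not in CARE_TEAM.get(record, set()):
        return False, "no treatment relationship"
    return True, "care team member"


def access_record(user: str, record: str) -> bool:
    """Enforce the decision and record it, whether allowed or denied."""
    allowed, reason = can_access(user, record)
    AUDIT_LOG.append(AuditEvent(
        when=datetime.now(timezone.utc).isoformat(),
        user=user,
        record=record,
        decision="allow" if allowed else "deny",
        reason=reason,
    ))
    return allowed


def who_accessed(record: str) -> list[tuple[str, str, str]]:
    """Audit query from the card: who tried to open this record, and with what outcome."""
    return [(e.user, e.decision, e.reason) for e in AUDIT_LOG if e.record == record]


def denied_attempts(user: str) -> int:
    """Denied attempts by one user: a simple signal for the access-control review."""
    return sum(1 for e in AUDIT_LOG if e.user == user and e.decision == "deny")
```

Denied attempts are logged as deliberately as allowed ones: the audit described in the card is only possible if the log records who asked, not just who succeeded. In a real EMR the care-team table would come from the scheduling or admission system rather than a hard-coded dictionary.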
You are making a purchase on an e-commerce website and you receive a notice in the middle of the page that articulates what the organization does to protect your information. You have not yet provided any personal information. What is this called?
A. Opt-Out
B. Opt-In
C. Just-in-time-notice
D. Privacy Policy
C. Just-in-time-notice
The notice is provided to the customer before any information is collected and explains how that information will be protected, along with the consumer's choices and rights. It is an external statement, whereas a privacy policy is an internal communication.
An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Regular audits, assessments, guidance and communications are gathered to review and improve the overall privacy program. What level of maturity is the organization at?
A. Repeatable
B. Defined
C. Optimized
D. Managed
C. Optimized
Optimized level provides reviews, communications and improvements for the program.
Your customer’s information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to accountability?
A. Availability
B. Confidentiality
C. Integrity
D. Accountability
D. Accountability
Answers A, B and C are the elements of the information security triad. Accountability falls under both privacy and information security, requiring data owners, controllers and processors to protect the data adequately.
It is Monday morning and you are starting a new role. You log into your corporate email account and find an email from HR. As you read through the email, you see that you are required to complete specific privacy training. What type of control is this?
A. Special Handling
B. Data Classification
C. Technical
D. Role-Based Access
D. Role-Based Access
You are starting a new role and are required to complete role-specific privacy training. Answers A, B and C support role-based access controls but are not the correct answers here.
HR is reviewing candidate’s resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work with HR on, as it relates to the background information gathered?
A. Contracts
B. Procurement
C. Marketing
D. Data
A. Contracts
Contracts set the explicit requirements for processors that gather background information on behalf of the hiring organization. Answers B and C are not correct. Answer D, given the actual question, is a distractor and incorrect.
Your organization has suffered a data breach. Your organization has implemented their incident response plan. Which privacy domain houses this action item?
A. Measure
B. Improve
C. Evaluate
D. Support
D. Support
The domains are: (A) Assess - Measure, (B) Protect - Improve, (C) Sustain - Evaluate, (D) Respond - Support.
Your privacy program needs to monitor changes, organizational compliance, but it doesn’t need to integrate with?
A. Legal changes
B. Cultural changes
C. Technological changes
D. Employee changes
D. Employee changes
Although employee changes are important to understand and take into consideration, they are not a priority for the privacy program. Cultural changes (answer B) are a priority to consider as a whole, but not individual employee changes.
Your organization has implemented a privacy program and you are preparing to present metrics captured. What was your INITIAL step in this process?
A. Identification of audience
B. Analysis
C. Collection
D. Selection
A. Identification of audience
The five-step metrics life cycle is: (1) identification of intended audiences, (2) definition of data sources, (3) selection of privacy metrics, (4) collection and refinement of system/application collection points, (5) analysis of the data/metrics.
Your organization has implemented a privacy program and you are defining your data sources. What is your NEXT step?
A. Identification of audience
B. Analysis
C. Collection
D. Selection
D. Selection
The five-step metrics life cycle is: (1) identification of intended audiences, (2) definition of data sources, (3) selection of privacy metrics, (4) collection and refinement of system/application collection points, (5) analysis of the data/metrics.
An insurance company is informed by an agent that they may have compromised personal information of their clients. What is this called when the agent thinks the information has been compromised?
A. Incident Detection
B. Incident Handling
C. Incident Response Plan
D. Employee Training
A. Incident Detection
The premise of this question (you will see similar questions on the exam) is that an agent has informed the organization that they may have an incident: they detected something and notified the organization. This also implies that the organization has already trained (answer D) the employee on the IRP (answer C), which is part of handling the incident (answer B). Understanding incident response is critical.