Dump Flashcards by Host Mom

One of the goals that is NOT a Privacy Program Manager role is to?

A. To identify their supply chain’s privacy risks.
B. To identify their organizations, employees, and patient’s risks.
C. To identify current state of policies, procedures, and any supporting documentation.
D. Promote consumer trust.

A. To identify their supply chain’s privacy risks.

The PPM’s goal is not to identify their supply chain’s privacy risks.
That would be a part of the Vendor Management program. Answer B and C are goals of the PPM. Answer D is a goal of the Privacy Program, which, ultimately, is an implied goal of the PPM. The best correct answer is A.

How well did you know this?

Not at all

Perfectly

Which of the following is NOT a reason organizations are becoming compliant with global privacy regulations?

A. Brand Name Protection
B. Reputation Protection
C. GDPR
D. U.S. Federal Privacy Law

D. U.S. Federal Privacy Law

The U.S. has yet to pass and implement a federal privacy law. Sectors within the U.S. have passed federal laws that implicate data privacy protections, however, there is not a U.S. wide federal privacy law to date.

How well did you know this?

Not at all

Perfectly

Privacy program managers are charged with the protection and appropriate use of?

A. Private Information
B. Personal Information
C. Public Information
D. Social Information

B. Personal Information

The term Private Information is rarely utilized, while Personal Information (PI)and Personally Identifiable Information (PII) are predominantly used. PPMS are groups not responsible for protecting either public information or social information. Do not read into the questions. Focus on the question as it is posed. If you imply or apply additional thoughts to the question, you may over think the question and choose the incorrect answer.

How well did you know this?

Not at all

Perfectly

Which of the following groups are NOT a priority group for the development of your privacy policies and procedures within your organization?

A. Human Resources
B. Legal
C. Business Development
D. External Audit

D. External Audit

An internal audit group would be a part of your priority group. All of the other groups are departments you should include.

How well did you know this?

Not at all

Perfectly

The privacy vision should align with?

A. Consumer Objectives
B. Business Objectives
C. Vendor Objectives
D. Contract Objectives

B. Business Objectives

Upon the request of the DPA, your organization must share the detailed record of processing with them. The other answers are also correct, however, the best, right answer is B. You will have questions like this on the exam.

How well did you know this?

Not at all

Perfectly

Your organization is implementing a new process that may collect consumer’s information. The process is complete and ready for a final review before being launched into production. During the review, it is determined that the new process lacks the ability to audit the privacy controls for regulatory compliance. What was not included in the design?

A. Proactive
B. Embedded privacy controls
C. Respect for users
D. Privacy by Design

D. Privacy by Design

How well did you know this?

Not at all

Perfectly

Upon request, a detailed record of processing must be shared with the?

A. Data Protection Officer
B. Data Protection Authority
C. Chief Information Officer
D. Chief Information Security Officer

B. Data Protection Authority

How well did you know this?

Not at all

Perfectly

A. Role-Based Access
B. Segregation of duties
C. Least privilege
D. Need-to-know access

B. Segregation of duties

Separation of duties is the concept of having more than one person required to complete a task. It is an administrative control used by organisations to prevent fraud, sabotage, theft, misuse of information, and other security compromises.

How well did you know this?

Not at all

Perfectly

While your organization is assessing a potential vendor, one statement within the vendor policy may require a review of?

A. Privacy Policy
B. Vendor Management
C. Location of data
D. Employees

C. Location of data

The vendor policy may stipulate that the procuring organization evaluate its processes for risk assessment, its risk profile, and categories of vendors based on risk. This may include evaluating the vendor’s internal policies; affiliations and memberships with other organizations; mandatory and nonmandatory certifications; location of data servers; and data storage, use, and transport.”

How well did you know this?

Not at all

Perfectly

Your organization has secured funding for a new privacy training initiative. Which of the following may NOT be one of the training methods you would implement?

A. Classroom
B. Online
C. Workshops
D. Testing

D. Testing

Training may be delivered through dedicated classroom, instructor-led courses or online platform
“Once breach preparedness is integrated into the BCP, or if the company decides to have a standalone incident response plan, incident response training will likely be required. This training may take many forms, including workshops, seminars and online videos, but often includes tabletop exercises, a strategic mainstay of corporate trainers and business continuity planners.”

How well did you know this?

Not at all

Perfectly

The CFO and CHR of a healthcare organization are looking to you, the privacy program manager, to provide them with a performance measurement of the privacy program. Which of the following would you NOT utilize in creating that?

A. Tracking
B. Identifying
C. Defining
D. Analyzing

A. Tracking

How well did you know this?

Not at all

Perfectly

Who needs to appreciate the benefits and risks associated with the collection and use of personal information?

A. Privacy
B. Privacy Professional
C. Privacy Program Manager
D. Privacy Officer

B. Privacy Professional

How well did you know this?

Not at all

Perfectly

A California, U.S. based organization receives its first subject access request (SAR). The privacy program manager is alerted to receipt of the request in a timely fashion. What will the program manager reference, that was developed in the establishment of the privacy program, that will assist in determining where the SAR’s information resides?

A. Data Classification Policy
B. Privacy Program Scope
C. Regulatory Map
D. Data Inventory

D. Data Inventory

How well did you know this?

Not at all

Perfectly

The GDPR, the CCPA, GLBA and other privacy regulatory laws have different terminology and requirements as it relates to ‘reasonable security procedures and practices.” The word, “adequate” or “appropriate technical and organizational measures’ - this is the ‘security principle’. Where might you NOT reference for these types of controls and standards?

A. Internet Security’s Critical Security Controls
B. ISO/IEC 27002
C. NIST SP 800-53rev4
D. ISO/IEC 27006 D. ISO/IEC 27006

The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.

This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).

ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). … ISO/IEC 27006 lays out formal requirements for accredited organizations which certify other organizations compliant with ISO/IEC 27001

How well did you know this?

Not at all

Perfectly

An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Departments are following and adhering to processes and procedures for most functions. What level of maturity is the organization at?

A. Repeatable
B. Defined
С. Ad Hoc
D. Managed

B. Defined

How well did you know this?

Not at all

Perfectly

An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Generally, if your privacy program has recently been created where you are still evaluating and inventorying what the organization has and does not have in place for policies, processes and procedures, the privacy program maturity level is at this stage?

A. Repeatable
B. Defined
C. Ad Hoc
D. Managed

C. Ad Hoc

How well did you know this?

Not at all

Perfectly

Key stakeholders make decisions pertaining to the record of your organization’s privacy program. These decisions serves as the privacy program’s?

A. Governance
B. Risk Assessment
C. Due Care
D. Due Diligence

D. Due Diligence

Such documentation also helps support accountability requirements of the GDPR and serves as the privacy program’s due diligence in terms of which functions and individuals should be held accountable for privacy compliance.”

How well did you know this?

Not at all

Perfectly

Your customer’s information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to accuracy of information?

A. Availability
B. Confidentiality
C. Integrity
D. Accountability

C. Integrity

In the world of information security, integrity refers to the accuracy and completeness of data.

How well did you know this?

Not at all

Perfectly

As privacy laws and regulations continue to expand and change, complying and monitoring with those changes is critical for the organization’s privacy program success. What is one solution that provides organizations with updated changes, monitoring and auditing performances of their processes and procedures?

A. Internal Audit
B. Second-party Audit
C. Third-party Audit
D. Third-party Privacy Compliance Platform and Tools

D. Third-party Privacy Compliance Platform and Tools

How well did you know this?

Not at all

Perfectly

Prior to a new service or system being implemented, this type of action is required to be conducted?

A. Data Privacy Impact Assessment 
B. Privacy Impact Assessment 
C. Privacy Assessment 
D. Risk Assessment	
B. Privacy Impact Assessment

How well did you know this?

Not at all

Perfectly

Your organization has been alerted to a data breach within one of your vendors. During the DPA investigation, procurement has been summoned for questioning. What may be the topic of discussion?

A. Communications Language
B. Processor responsibilities
C. GDPR Compliance
D. Internal audit results

B. Processor responsibilities

How well did you know this?

Not at all

Perfectly

Your organization is capturing and documenting where and what information is flowing, both internally and externally. What is this type of exercise?

A. Regulatory Map
B. Legal Map
C. Data Inventory Map
D. Data Map

C. Data Inventory Map

Answers A and B are to determine regulatory and legal requirements that your organization is accountable to and for. Answer D is the process of matching fields from one database to another.

How well did you know this?

Not at all

Perfectly

Your organization is conducting processor assessments. Which privacy domain houses this action item?

A. Measure
B. Improve
C. Evaluate
D. Support A. Measure

Domains are: (A) Assess Measure, (B) Protect - Improve, (C) Sustain - Evaluate or (D) Respond - Support.

How well did you know this?

Not at all

Perfectly

HR is reviewing candidate’s resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work with Legal and HR on, as it relates to the background information gathered?

A. Data Retention
B. Data Policies
C. Information
D. Training A. Data Retention

Data retention, not only at the controller’s location, but also within the contract with the processor who is obtaining the background information. The controller must be explicit with what the processor will do with the information gathered on the individual once a decision has been executed on hiring or not hiring the candidate. Based on that decision, both the controller and processor must retain and then destroy the data that is no longer required for any business reason.

How well did you know this?

Not at all

Perfectly

Which of the following orders are the correct order as it relates to data incidents plans? A. Planning, Preparing, Handling, Reporting B. Planning, Investigating, Handling, Reporting C. Preparing, Reporting, Investigating, Recovering D. Preparing, Investigating, Recovering, Reporting A. Planning, Preparing, Handling, Reporting Plan, Prepare, Roles and Responsibilities, Handling, Investigating, Reporting, and Recovery are the correct orders as it relates to data incidents.

Your customer's information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to access of information? A. Availability B. Confidentiality C. Integrity D. Accountability A. Availability Availability is one of the information security triad's (C,I,A). Answers B and C are the other two security triads. Accountability does apply here, however, the question is asking about information security and how it relates to access. Both availability and access ensure information is available to authorized users.

Your medical staff has access to all EMRS. Each staff member is trained frequently on proper handling, access, and protecting of sensitive data. If one of your medical practitioners accesses an EMR in which they did not and will not provide care to, which basic security principle has been violated? A. Role-Based Access B. Segregation of duties C. Least privilege D. Need-to-know access D. Need-to-know access Need-to-know access is access to information or systems that are required to conduct and complete the responsibility of an authorized user. In this scenario, the medical practitioner is not and will not provide care to the patient, therefore, has no need-to-know to access the patient's records.

Your PIA identified a risk that you, as the privacy program manager, must address to bridge a gap within your privacy training and awareness program. You present the findings and the costs associated with the mitigating activity to your leadership. They reject your request. What should you have presented to your leadership to support your request? A. Business Case B. Return-on-Investment C. Qualitative benefits D. Annual loss expectancy (ALE) B. Return-on-Investment Had an ROI and the savings (quantify vs qualitative) been presented along with the probable cost and impact that the risk may pose to the organization would have provided more strategic vision to the leadership vs. the bottom-line expenses. Answer A is incorrect, where the business case would have been created for the privacy program, which is already in place. Answer D would be utilized to quantify and support the ROI discussion.

A financial institution has completed their regulatory mapping exercise and determined and created their data retention policy. The institution has adopted two possible standards for destroying the data, which are degaussing and shredding. What is another way to destroy the data electronically? A. Melt B. Burn C. Erase D. Overwrite D. Overwrite Answer A and B are physical, not electronic destruction methods. Answer C is a synonym for degaussing.

Your organization has suffered a data breach. You have initiated the incident response plan and are preparing for an external communication. Your marketing and social media team is made aware that an employee has posted a statement onto their personal social media platform. What didn't the organization do, based on the information provided? A. Implement a training program B. Conduct training C. Coordinate both internal and external communications D. Notify customers C. Coordinate both internal and external communications Coordinating both internal and external communications and then communicating those messages in sync will alleviate employees from posting inaccurate and unauthorized internal communications externally without specific guidance and provided templates, and reduction of confusion of anyone reading the communication of the employee.

Your organization has accepted your proposed privacy vision. In order to continue developing your privacy program, which is your next step? A. Develop the privacy team B. Develop the privacy program strategy C. Develop the mission statement D. Develop the scope of the privacy program D. Develop the scope of the privacy program After you have created and received approval of the vision or mission statement (C.), you must determine the scope of the privacy program. Answer A and B are subsequent steps after the vision/mission statement and scope have been established.

After completing the framework, which step is NEXT in the development of the privacy program? A. Develop the privacy team B. Develop the privacy program strategy C. Develop the mission statement D. Develop the scope of the privacy program B. Develop the privacy program strategy Once the vision/mission statement, scope and framework are selected, the strategy is next.

Which of the following tactics are used to identify your privacy program scope? A. Identify where business data is collected B. Identify where data is collected C. Identity where personal information is collected D. Identify global data protection laws

C. Identity where personal information is collected "You must know what personal information is collected and processed and which privacy and data protection laws and regulations impact your organization."

Your organization has implemented information security practices. Which privacy domain houses this action item? A. Measure B. Improve C. Evaluate D. Support B. Improve Domains are: (A) Assess - Measure, (B) Protect Improve, (C) Sustain Evaluate or (D) Respond - Support.

Your workforce is one of the key contributors to causing a data incident. What is one of the FIRST things you need to determine to address this risk? A. Secure Funding B. Train the workforce C. Develop a business case D. Workforce behavioral review D. Workforce behavioral review The disconnect between expected behavior and actual behavior is large. The organization needs to determine what the current behaviors are and then determine what are the desired behaviors. Once that is complete, the business case would then be created (Answer C) and presented to leadership to secure funding for the training (Answer A) and then execute the training (Answer B.)

HR is reviewing candidate's resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work focus on, as it relates to the vendor gathering the background information requested? A. Procurement B. Vendor Assessment C. Information Risk D. Communications B. Vendor Assessment The organization, prior to signing any contracts with a particular vendor, must assess the prospective vendor based on the organization's standards and regulatory requirements that must be complied with by the processor.

Your organization is implementing a new process that may collect consumer's information. Throughout the SDLC process, it is also determined that the consumer's information may be shared or aggregated throughout the life cycle of the information. In order to determine if a privacy impact assessment (PIA) is needed, you must conduct a? A. Data Privacy Impact Assessment B. Information risk assessment C. Privacy-enabling technology D. Recovery The correct answer is D.

A DPIA is a tool which controllers provide proof and demonstrate compliance with data protection laws, which is not the correct answer here. PETS are utilized within the PbD model and not the correct answer here. An insurance company is informed by an agent that they may have compromised personal information of their clients. What information security controls will be potentially implemented? A. Preventative B. Detective C. Corrective D. Recovery C. Corrective Corrective controls contain and minimize an incident from causing further damage. Answers A, B are implemented prior to an incident, while Answer D is implemented after the incident has been contained.

A U.S. based financial institution is required to provide customers a privacy notice annually that provides clear notice of the customer's right with respects to opt-outs. What regulation requires this? A. GDPR B. LGDP C. PIPEDA D. GLBA D. GLBA Answers A, B, and C are all international regulations, not U.S.

The stakeholders of a genetic organization have developed and are presenting their business case for a privacy program update, to include protective controls ensuring both the information security and privacy programs are united and overlapping. As part of this presentation, the quantified annual loss expectancy for a particular privacy control is $120,000 for complete development, implementation and monitoring of the control. While presenting, the question was posed to the presenter, 'If the control is not implemented, what will be the cost to the organization?" The projected impact to the organization would be less than the actual control being implemented. What would this example be called? A. Qualitative model B. Single loss expectancy C. Return on investment (ROI) D. Acceptable risk C. Return on investment (ROI) ROI is (Benefits - Cost) / Cost. However, with this particular example, the risk is less than the actual proposed control and, depending on the difference between those costs (which was not provided deliberately), this may not be a good business case model to approve and implement if the ROI is not favorable, however, the question is only asking you what this example is called. Remember, do not add to the 'story' or question as you read it. Only read the answer (2x), call out the key words and determine what is being asked of you. Answer D could be the answer however, the actual question is not looking for that, but it looks and sounds good - a distracting answer. Answers A and B are incorrect.

An organization's privacy program maturity level is based on how established the program is functioning in multiple areas. The privacy program has been in place for multiple years and has been extremely successful in providing metrics and efficiencies for your organization. What level of maturity is the organization at? A. Repeatable B. Defined C. Ad Hoc D. Managed D. Managed Managed maturity levels consist of reviews that assessed the effectiveness of the controls implemented.

Your medical staff has access to all EMRS. Each staff member is trained frequently on proper handling, access, and protecting of sensitive data. If one of your medical practitioners accesses an EMR in which they are providing care to, which basic security principle has been followed? A. Role-Based Access B. Segregation of duties C. Least privilege D. Need-to-know access D. Need-to-know access Need-to-know access is access to information or systems that are required to conduct and complete the responsibility of an authorized user. In this scenario, the medical practitioner is authorized to access the patient's records.

As technology infrastructure is procured, implemented, and secured, which of the following security controls are most integrated with IT? A. Physical Security B. HR Security C. Ethics and Integrity D. Employees A. Physical Security Systems and computers are physically protected and managed by doors and locks, CCTVS, etc. Answer B is integrated into IT; however, the question is asking about technology infrastructure (i.e. Computers, mobile devices, applications, etc.), therefore, the 'most' integrated with IT would be answer A.

Principles and standards, laws, regulations and programs are two categories that a privacy framework may be designed from. What is another category that can be referenced to create a privacy framework? A. Privacy Program Management B. Privacy Program Strategy C. Privacy Program Vision D. Privacy by Default A. Privacy Program Management Answer B and C are the foundation of the privacy program, however, are not frameworks. Answer D is a tricky answer.

Privacy by design (PbD) would be a correct answer, however, 'default' is not the correct response. Within the U.S., which federal law addresses money laundering? A. U.S. Federal Financial Law B. Federal Trade Commission Act C. Fair and Accurate Credit Transactions Act D. Financial Modernization Act D. Financial Modernization Act Also known as the Gramm-Leach Bliley Act (GLBA) which requires financial institutions to explain how they share and protect their customer's private information.

Your organization must share personal information to a country outside of the EEA and EU. You individually tailor the contract to your company's needs and obtain the required supervisory authority's authorization. What type of cross-border transfer rule are you using? A. BCR B. SCC C. Codes of Conduct D. Ad hoc contractual clause D. Ad hoc contractual clause BCRS allow organizations to create an internal policy. SCCS (Article 46(c) and Codes of conduct (Article 40) are addressed with the GDPR with enforceable commitments.

A global organization located in numerous countries would be best to implement this type of governance model? A. Centralized B. Distributed C. Hybrid D. External B. Distributed Distributed delegates decision-making to the lowest levels within an organization allowing a bottom-to-top flow of decisions and monitoring.

If your leadership is not supporting nor funding your privacy program management, one way to gain their support is to share what a potential privacy breach would cost the organizations. This would be an example of? A. Metrics B. Quantitative Model C. Qualitative Model D. Return on Investment (ROI) B. Quantitative Model Showcasing exact costs (quantifiable numbers) generally assists privacy program managers in obtaining support and funding for their privacy program development.

What must an efficient and successful privacy program be built with? A. Data Map B. Regulatory Map C. Compliance Map D. Comprehensive View D. Comprehensive View Answers A and B are components of the comprehensive view within the organization. Each organization must know what data that collects and processes throughout the data's entire lifecycle.

Your organization completed the data inventory exercise. Who in your organization determines what classifications of information are arranged into those categories? ``` A. Chief Security Officer B. Chief Executive Officer C. Privacy Officer D. Human Resources C. Privacy Officer ``` The Privacy Officer and legal department review all regulatory and legal requirements of the organization and based on those applicable laws, will determine what classifications will be utilized within the organization. Answer A will overlay the appropriate physical, administrative and technical controls, based on those categories of data. Answer B and D are not the correct answers.

Your organization has implemented a privacy program and you are analyzing the data and metrics. What was your PREVIOUS step? A. Identification of audience B. Analysis C. Collection D. Selection C. Collection

The five-step metrics life cycle Is: A. Identification of intended audiences B. Definition of data sources C. Selection of privacy metrics D. collection and Refinement of systems/application collecting points E. Analysis of the data/metrics

Once the policies, procedures and security controls have been assessed on your potential cloud provider, whom within your organization should approve of this type of vendor? A. General Counsel B. Privacy Program Manager C. Chief Information Security Officer D. Chief Information Officer D. Chief Information Officer All listed answers may be involved with the business case development, screening criteria of the vendor and review of the vendor, however, since it is a technical vendor, a cloud provider, ultimately, the CIO should approve of the provider.

Your organization is acquiring another organization. A part of the privacy checkpoint, your organization's processes should consist of conducting a prior to the integration of the acquired organization's systems and processes. A. Divestiture B. Data inventory C. Regulatory map D. Risk Assessment D. Risk Assessment A risk assessment of the acquired organization's systems, processes, and technologies should be conducted prior to integrating systems to your organization's systems. This will identify potential risks and allow time to mitigate those while protecting and not introducing those new risks to your organization.

The privacy program manager is preparing their performance measurement presentation. They are looking at the value of the asset being measured, ensuring to capture the possible changes or factors that may impact that value. What other consideration should the PPM take into account as they develop the presentation? A. Return on investment B. Chief Financial Officer C. Alignment D. Integration A. Return on investment The PPM must ensure that the ROI is connected and justifies the implementation of that particular function. Answers C and D are not the correct terms for use in a performance measurement analysis.

An insurance company is informed by an agent that their computer screen is open, and they are certain that they had locked the screen and that they may have compromised personal information of their clients. What information security controls may be audited? A. Access Controls B. Asset Management C. Procurement D. Training A. Access Controls Access controls may be audited to see who accessed the computer, when, and what was accessed.

You are making a purchase on an e-commerce website and you receive a notice in the middle of the page that articulates what the organization does to protect your information. You have not yet provided any personal information. What is this called? A. Opt-Out B. Opt-In C. Just-in-time-notice D. Privacy Policy C. Just-in-time-notice The notice is provided to the customer before any information is collected and articulates how that information will be protected along with the consumer's choices and rights. It is an external statement. A privacy policy is an internal communication.

An organization's privacy program maturity level is based on how established the program is functioning in multiple areas. Regular audits, assessments, guidance and communications are gathered to review and improve the overall privacy program. What level of maturity is the organization at? A. Repeatable B. Defined C. Optimized D. Managed

C. Optimized Optimized level provides reviews, communications and improvements for the program.

Your customer's information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to accountability? A. Availability B. Confidentiality C. Integrity D. Accountability D. Accountability Answers A, B and C are the information security triads. Accountability falls in both privacy and information security requiring data owners, controllers, and processors to protect the data adequately.

It is Monday morning and you are starting a new role. You log into your corporate email account and find an email from HR. As you read through the email, you see that you are required to complete specific privacy training. What type of control is this? A. Special Handling B. Data Classification C. Technical D. Role-Based Access D. Role-Based Access You are starting a new role; you are being required to complete 'specific' privacy training. Answer A, B, and C will support Role- Based Access controls, but are not the correct answers here.

HR is reviewing candidate's resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work with HR on, as it relates to the background information gathered? A. Contracts B. Procurement C. Marketing D. Data A. Contracts Contracts and explicit requirements of processors that gather background information on behalf of the hiring organization. Answer B and C are not correct. Answer D, based on the actual question, is a distracting answer and the incorrect answer.

Your organization has suffered a data breach. Your organization has implemented their incident response plan. Which privacy domain houses this action item? A. Measure В. Improve C. Evaluate D. Support D. Support Domains are: (A) Assess - Measure, (B) Protect - Improve, (C) Sustain Evaluate or (D) Respond - Support.

Your privacy program needs to monitor changes, organizational compliance, but it doesn't need to integrate with? A. Legal changes B. Cultural changes C. Technological changes D. Employee changes D. Employee changes Although employee changes are important to understand and take into consideration, as it relates to the privacy program, employee changes are not a priority. Cultural changes (answer B) are a priority to take into consideration as a whole, but not the individual employee changes.

Your organization has implemented a privacy program and you are preparing to present metrics captured. What was your INITIAL step in this process? A. Identification of audience B. Analysis C. Collection D. Selection A. Identification of audience The five-step metrics life cycle Is: A. Identification of intended audiences B. Definition of data sources C. Selection of privacy metrics D. collection and Refinement of systems/application collecting points E. Analysis of the data/metrics

Your organization has implemented a privacy program and you are defining your data sources. What is your NEXT step? A. Identification of audience B. Analysis C. Collection D. Selection D. Selection The five-step metrics life cycle Is: A. Identification of intended audiences B. Definition of data sources C. Selection of privacy metrics D. collection and Refinement of systems/application collecting points E. Analysis of the data/metrics

An insurance company is informed by an agent that they may have compromised personal information of their clients. What is this called when the agent thinks the information has been compromised? A. Incident Detection B. Incident Handling C. Incident Response Plan D. Employee Training A. Incident Detection The presumption of this question, which you will see similar questions on your exam, states that an agent has informed the organization that they may have an incident. They detected something and notified me. This also implies that the organization has already trained (Answer D) the employee on the IRP (Answer C) which is a part of the handling of the incident (Answer B). Understanding Incident Response is critical.

When your organization has purchased cyber liability insurance, and suffered a data breach, your incident response plan is then followed and one of the first calls would be to? A. Forensic Firm B. Data Protection Authority C. CSO D. Breach Coach

A. Forensic Firm A Forensic Firm is an outside legal firm/counsel that will assist in triaging and providing the organization with legal guidance vs. in-house legal team providing 'business' guidance and also which provides the organization with privileged rights.

Who, within your organization, would the privacy program manager NOT work with to better understand the organization's privacy needs? A. CPO B. DPO C. DPA D. General Counsel

C. DPA The DPA will not provide the PPM with privacy insights within their organization. They may provide templates and guidance on how to learn of those, however. The other answers are primary functional leaders that would provide great insight to the privacy needs of your organization.

Of the following, which is a privacy framework that may be used for your privacy program management framework? A. ENISA B. EFCC C. CNIL D. DPA

C. CNIL

This regulation offers organizations a new framework for data protection? A. GDPR B. LGDP С. PIPEDA D. APPI

A. GDPR GDPR also requires organizations to be accountable with global impacts. LGDP is the newly approved Brazilian General Data Protection Law. PIPEDA applies to Canada and APPI applies to Japan's Act on Protection of Personal Information.

As you assess your prospective vendors, what is one topic that is NOT a priority for you to assess? A. Financial B. Geographic Location(s) C. Privacy Framework D. Data Inventory D. Data Inventory Yes, you need a data inventory and will add to it once you add vendors to your vendor management portfolio, but as a prospective vendor, you do not need to focus on that, yet.

You are making a purchase on an e-commerce website and a banner at the bottom of the page appears before you can provide your billing and shipping information. This banner articulates what the organization does to protect your information. What is this called? A. Opt-Out B. Opt-In C. Privacy Notice D. Privacy Policy C. Privacy Notice The statement is a promise to the consumer on what information is collected, how it will be protected, and the consumer's choices and rights. It is an external statement. A privacy policy is an internal communication.

What is measured via metrics associated with confidentiality, unavailability, and projected business impact assessments for downtime within an organization's business objectives? A. Accountability B. Data Privacy C. Data Protection D. Business Resiliency D. Business Resiliency The BIA will provide quantitative values and expenses if unavailable and will drive the DR and BCP to protect and defend your business operations if an outage was to be realized, which is business resiliency. Answers A, B, and C are all incorrect.

A California, U.S. based organization receives its first subject access request (SAR). The privacy program manager is alerted to receipt of the request in a timely fashion. What is the FIRST step of the organization upon receipt of the SAR? A. Verify Identity of Requestor B. Review BIPA C. Regulatory Map D. Data Inventory A. Verify Identity of Requestor Verification of the requestor is required prior to any next steps, to ensure personal data is protected, and that the confidentiality, integrity and availability are protected. Any data subject-access requests made by unauthorized persons and the SAR is provided to that unauthorized person, will result in a breach.

Which of the following are NOT privacy matters to consider? A. Geographical location B. Global Privacy Regulations C. Cross-border data sharing D. Competitor's Privacy Strategy D. Competitor's Privacy Strategy Although it would be nice to know what your competitors are doing, it is not a priority for your privacy program to focus on. The other three answers are and should be taken into consideration.

What is developed to guide your organization in disseminating and adoption for your privacy program? A. Developing the privacy vision B. Developing the privacy strategy C. Developing the privacy framework D. Developing the privacy structure B. Developing the privacy strategy The vision won't guide your organizations' communications or your leadership's adoption for the PPM. Answers C and D are possible answers but won't be a driver for adoption for your PPM.

Within your organization, who is responsible for protecting personal information that is captured and processed? A. Consumer B. Vendor C. Patient D. Workforce D. Workforce The key words are, "Within your organization", which then nullifies the Consumer, Vendor, and Patient answers.

Your organization is capturing and documenting where and what information is flowing, both internally and externally. What does the end product assist your organization with? A. Identifies vendors B. Identifies regulatory requirements C. Identifies classification D. Identifies personal information use D. Identifies personal information use A data inventory will identify the source, types and uses of personal information. Answer A and B could be an answer, but not with the limited information provided. Answer C would be a by-product of the identification of the personal use information.

Your organization, a covered entity within the U.S., has suffered a data breach within your archived information. What policy will be looked at to determine whether or not your organization has complied with that policy? A. Acceptable Use B. BYOD C. Incident Response Plan D. Retention D. Retention The key word in the question is 'archived', meaning stored and leading to the review of your retention of information.

Your organization is structuring your privacy team. Which privacy domain houses this action item? A. Measure B. Improve C. Privacy Program Framework D. Developing a Privacy Program D. Developing a Privacy Program When your organization is developing the privacy program, they will create the company vision, establish a data governance model, establish a privacy program, structure the privacy team and communicate, both internally and externally pertaining to their accountability.

Under what U.S. law requires government agencies to conduct a privacy impact assessment? A. FISMA В. FACTA C. E-Commerce Act D. E-Government Act D. E-Government Act The key word is 'government'. If you caught that, you answered the question correctly.

An insurance company is informed by an agent that they may have compromised personal information of their clients. What is this called? A. Data Breach B. Privacy Incident C. Cyber Security D. Incident Response Framework B. Privacy Incident The key word is 'may' have compromised. It has not been confirmed or validated, so, at this point, it is unknown if it is a data breach. Remember, you can have an incident without a data breach, but you cannot have a data breach without an incident.

Who is responsible for monitoring, improving, reporting and communicating the criticality of a particular metric? A. Privacy Manager B. Privacy Owner C. Communications Leader D. Metric owner D. Metric owner

They must be able to communicate the value and purpose of the metric to the organization. An international manufacturing company is implementing their privacy program. While they are in that process, they are conducting self-assessments, developing procedures, communicating and monitoring the program. What type of management is this called? A. Information Security Management System B. Risk Management C. Centralized Management D. Information Management D. Information Management Answer A is a security management system. Answer B is incorrect. Answer C is a governance model. Information management consists of discovering, building, communicating, and growth.

Your organization has suffered a data breach. You have initiated the incident response plan and are preparing for an external communication. Which or who would be best to communicate that message externally? A. HR B. Ethics and Integrity C. Marketing Dept. D. CEO D. CEO Answer A is the voice to the employees, internally. Answer B is not correct. Answer C may work with the PR/Communications group on the message; however, Answer D is best and recommended to communicate externally.

In order for you to assess a cloud provider, you must understand their? A. Privacy B. Mission Statement C. Notice D. Policies D. Policies Their mission statement (answer B) is something to view and will support their policies, which will help you assess the cloud provider. Answer A and C are not relevant to this particular question.

Which one of the following is NOT one of the most common causes of a data breach? A. Malicious Actors B. Human Error C. System Glitches D. Vendors D. Vendors The top three causes are answers A, B, and C. Vendors are up there, but not the most common cause.

The information security group utilizes a systematic approach to manage information risks relating to people, processes, and technologies. What is the name of this approach? A. Privacy Framework B. Information Security C. Information Privacy Management System D. Information Security Management System D. Information Security Management System ISO/IEC 27000 Information Security Management System (ISMS) series provides an overview and guidance to what and how to implement an ISMS.

These guidelines apply to all media and address marketing plans? A. Network Advertising Initiative (NAI) B. VeriSign C. PCI DSS D. DMA Guidelines for Ethical Business Practices D. DMA Guidelines for Ethical Business Practices NAI is an industry trade group that develops self-regulatory standards for online advertising. VeriSign enables the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains. PCI DSS is the information security standard for organizations that handle branded credit cards from the major card schemes.

Privacy programs and their leadership may fall under multiple areas within organizations. They may fall under Legal, HR, IT, Risk, or other areas. As your organization determines which area it may report to, the organization should take all of the following into consideration, except: A. Organizational structure B. Roles and responsibilities C. Evaluation D. Vendor Management D. Vendor Management All of the other answers should be taken into consideration as the organization determines where the program and its leaders will fall under.

What is the value of a privacy workshop for an organization's stakeholders? A. A workshop ensures compliance to policies at all levels of an organization. B. A workshop ensures all stakeholders commit resources to the privacy program. C. A workshop ensures common baseline understanding of the risks and challenges. D. A workshop allows the privacy professional to create a single policy across the organization. C. A workshop ensures common baseline understanding of the risks and challenges.

All of the following are factors in determining whether an organization can craft a common solution to the privacy requirements of multiple jurisdictions except: A. effective date of most restrictive law B. implementation complexity C. legal regulations D. cost A. effective date of most restrictive law

What are non-governmental organizations that advocate for privacy protection known as? A. external privacy organizations B. privacy policy review boards C. privacy trade associations D. political Action Committees or PACs A. external privacy organizations

John is the Data Protection Officer for a fashion retailer based in Europe. He has recently trained the staff on the concept of Privacy by Design. Staff now know to seek his advice early in the planning of any new initiatives that involve the collection of personal data. John has been asked to provide advice on a proposal for a new online business for enthusiasts of designer fashion, called "DesignersYou Love."This will be a web-based service through which subscribers can access insider news on their favorite designers, receive discounts on clothing, have the opportunity to meet designers at fashion shows and be able to book tickets and enter competitions. In order to sign up for "DesignersYou Love," individuals must complete an online form.The data being collected includes the mandatory provision of name, email address, payment card information, favorite designers, clothing size, and annual clothing expenditures. After reviewing the form, John grows concerned that the company might be collecting excessive information. The business intends to use this data for the following purposes: • To provide subscribers with access to information on the site • To collect payment and manage subscriptions • To analyse subscriber use of the site (using browsing history, subscription information and cookies) • To perform profiling for the purpose of sending relevant offers to customers The website and the associated database of subscribers will be hosted by a U.S. technology company called HostPro Ltd. Its servers are located in the U.S., but it wishes to use subcontractors who have their own servers.The company intends to use a payment card processor they already have a relationship with to manage subscription payments. How might John first explore his concerns regarding excessive data collection? A. Perform a third-party audit. B. Monitor complaints from subscribers. C. Ask the data protection supervisory authority for guidance. D. Ask the business sponsor for the rationale for each data field collected. D. Ask the business sponsor for the rationale for each data field collected.

John is the Data Protection Officer for a fashion retailer based in Europe. He has recently trained the staff on the concept of Privacy by Design. Staff now know to seek his advice early in the planning of any new initiatives that involve the collection of personal data. John has been asked to provide advice on a proposal for a new online business for enthusiasts of designer fashion, called "DesignersYou Love."This will be a web-based service through which subscribers can access insider news on their favorite designers, receive discounts on clothing, have the opportunity to meet designers at fashion shows and be able to book tickets and enter competitions. In order to sign up for "DesignersYou Love," individuals must complete an online form.The databeing collected includes the mandatory provision of name, email address, payment card information, favorite designers, clothing size, and annual clothing expenditures. After reviewing the form, John grows concerned that the company might be collecting excessive information. The business intends to use this data for the following purposes: • To provide subscribers with access to information on the site • To collect payment and manage subscriptions • To analyse subscriber use of the site (using browsing history, subscription information and cookies) • To perform profiling for the purpose of sending relevant offers to customers The website and the associated database of subscribers will be hosted by a U.S. technology company called HostPro Ltd. Its servers are located in the U.S., but it wishes to use subcontractors who have their own servers.The company intends to use a payment card processor they already have a relationship with to manage subscription payments. What vendor management process should John invoke first? A. Conduct a security walkthrough of vendor work sites. B. Assess the vendors' ability to protect personal data. C. Require ongoing monitoring of the vendors' processes. D. Review the supplier contract and weigh against vendor performance. B. Assess the vendors' ability to protect personal data.

Which descriptor best describes the general attitude an organization should exhibit regarding its practices and policies for data protection? A. security B. openness C. adaptation D. education B. openness

According to the Treaty of Lisbon, the majority of EU legislation cannot be adopted without the approval of which two European Institutions? A. European Council and European Parliament. B. European Commission and European Parliament. C. European Parliament and Council of the European Union. D. European Commission and the Court of Justice of the European Union. C. European Parliament and Council of the European Union.

In addition to GDPR compliance, what benefit does pseudonymizing data offer data controllers? A. It ensures that it is impossible to re-identify the data. B. It eliminates the responsibility to report data breaches. C. It allows for further use of the data for research purposes. D. It eliminates the need for a policy specifying subject access rights. C. It allows for further use of the data for research purposes.

When would a data subject have the right to require the erasure of his or her data without undue delay? A. When erasure is in the public interest. B. When the controller is a public authority. C. When the processing is carried out by automated means. D. When the data is no longer necessary for its original purpose. D. When the data is no longer necessary for its original purpose.

When should stakeholders in privacy framework development be identified? A. after the privacy team has established its agenda B. during the data inventory C. during the review of written policies D. during the business case development process D. during the business case development process

Where should an organization's procedures for resolving consumer complaints about privacy protection be found? A. in written policies regarding privacy B. in the emergency response plan C. in memoranda from the CEO D. in the minutes of corporate or organizational board meetings A. in written policies regarding privacy

Who is considered a primary audience for metrics data? A. chief financial officers B. information security officers C. stockholders D. external regulatory bodies B. information security officers

What does an effective performance measurement indicator do? A. It stays the same through different business cycles. B. It insures against data loss. C. It identifies important corporate resources. D. It provides data on effectiveness. D. It provides data on effectiveness.

What is one characteristic of an effective metric? A. set by regulation B. externally defined C. measurable D. changeable C. measurable

What is business resiliency? A. how quickly a business accomplishes a merger B. how well a business responds to and adapts after a disaster C. how successful a business's auditing process is D. how well a business rewards and retains its employees B. how well a business responds to and adapts after a disaster

The Privacy Program Operational Life Cycle include the following except: ``` A. Protecting B. Operating C. Sustaining D. Assessing E. Responding ``` B. Operating

Which one is an example of a standard with focus on the technical controls of a system to provide data security. A. The payment card industry data security standard (PCI DSS) B. N/A C. ISO/IEC 27000 series D. NIST-800 C. ISO/IEC 27000 series

The payment card industry data security standard provides twelve security control requirements in six categories that apply to the financial industry. Which one is not includes in Categories? A. Protect cardholder data B. Implement strong access control measures C. Build and maintain a secure network D. Protect Only the bank data D. Protect Only the bank data Strategic management of privacy starts by what based on privacy best practices

A. Developing and implementing a Privacy Maturity Model B. Notice all the stockholders C. Recruiting the Chief Privacy Management D. creating or updating the organization vision and mission statement a

The metric lifecycle contains five stages but does not include: ``` A. identification B. definition C. audit D. collection and refinement E. selection ``` C. audit

In the privacy operational life cycle which one phase provides the data life cycle, information security practices and Privacy by Design principles to "protect" personal information: ``` A. Sustain B. Respond C. Protect D. Governance E. Assess ``` C. Protect

Which term is used to describe a member of the privacy team who may be responsible for privacy program framework development, management and reporting within an organization. ``` A. Chief Executive Officer B. first-tiger C. data protection officer D. Privacy professional E. First responders ``` D. Privacy professional

Which domain provides a solid foundation for the governance of a privacy program and defines how the privacy program may be developed, measured and improved A. Privacy Program Governance B. N/A C. Privacy Program Operational Life Cycle A. Privacy Program Governance

Privacy by design consists of some foundational principles. Which one is not include: A. Privacy embedded into design B. Reactive, Not Proactive; Remedial, Not preventative C. Privacy as the default setting D. Respect for user privacy B. Reactive, Not Proactive; Remedial, Not preventative

In the Privacy Government the Metrics must be: ``` A. clearly defined B. N/A C. meaningful D. indicate progress and answer a specific question E. measurable ``` B. N/A

In the privacy operational life cycle which one phase include the respond principles of information requests, legal compliance, incident-response planning and incident handling. ``` A. Respond B. Governance C. Protect D. Assess E. Sustain ``` A. Respond

Risk can be tracked based on pre-defined severity categories such as those provided in the: A. N/A B. NIST-800 C. The payment card industry data security standard (PCI DSS) D. ISO/IEC 27000 series A. N/A

About the Data Protection Act of 1998 defines which term give a description of the: A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organization's data protection policies and procedures. A. refinement B. collection C. identification D. audits D. audits

Which one ensures the confidentiality, integrity, availability and privacy of data in all forms of media: A. incident management B. Digital forensics C. Data security D. Physical / environmental security C. Data security

According to IAPP which is not a main type of governance model? A. Centralized B. Hybrid C. National D. Distributed C. National

During the Data Inventory, which Element map for the Purpose "How is the information being used?" A. The volume of information in this repository B. Location of the repository C. The format of the information D. The use of the information A. The volume of information in this repository

Which term is the main focus on social networking and the new internet web cookie policy: A. Enterprise Privacy Authorization Language (EPAL) B. eGov 2.0 C. Platform for Privacy Preferences (P3P) B. eGov 2.0

Which maturity levels regular review and feedback are used to ensure continuous improvement towards optimization of the given process ``` A. Managed B. Optimized C. Alliance D. Repeatable E. Defined F. Ad hoc ```

B. Optimized

As with all life cycle models, which phase is the entry point or exit point to privacy program operational management. ``` A. The protect phase B. The sustain phase C. The assess phase D. no entry or no exit point but instead a continuous cycle E. The respond phase ``` C. The assess phase

Companies use a code of practice by a group of companies as industry bodies, this Privacy Protect Model May be: A. Self-Regulated Model B. Comprehensive Laws C. Sectoral D. Co-Regulatory Model A. Self-Regulated Model

Examples of existing privacy enhancing technologies are: ``` A. N/A B. Communication anonymizers C. Enhanced privacy ID (EPID) D. Access to personal data E. Shared bogus online accounts ``` A. N/A

According to Asia-Pacific Economic Cooperation (APEC), which term is an important tool in encouraging the development of appropriate information privacy protections and ensuring the free flow of information A. Incident Planning B. privacy mission statements C. Privacy framework D. Privacy by Design C. Privacy framework

Which maturity levels reviews are conducted to assess the effectiveness of the controls in place ``` A. Optimized B. Ad hoc C. Alliance D. Managed E. Defined F. Repeatable ```

D. Managed

Which term is an implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization. A. Incident Planning B. Privacy program framework C. Privacy by Design D. privacy mission statements B. Privacy program framework

In the Privacy Filed the term PETS stand for: A. Privacy-enhancing technologies (PETs) A. Privacy-enhancing technologies (PETs)

Enactment of laws that specifically address a particular industry sector, this Privacy Protect Model may be: A. Sectoral Laws B. Self-Regulated Model C. Co-Regulatory Model D. Comprehensive Laws A. Sectoral Laws

Advantages of using external auditors include: A. Lending credibility to internal audit program B. Learning curve about the organization C. Identifying weakness of internal controls D. Providing a level of unbiased, expert recommendations A. Lending credibility to internal audit program

Auditing Privacy include five phase approach except: ``` A. Rebuild B. Conduct Audit C. Audit Planning D. Follow-up E. Audit Preparation A. Rebuild ```

Set up a dedicated e-mail address for all privacy enquiries, both internal and external, which the privacy team can monitoring of contact A. N/A B. I know it B. I know it

Govern the collection, use and dissemination in public and private sectors with an official oversight enforcement agency, this Privacy Protect Model may be: ``` A. Self-Regulated Model B. Sectoral Laws C. Co-Regulatory Model D. Comprehensive Laws D. Comprehensive Laws ```

The PMM uses five maturity levels below except: ``` A. Managed B. Optimized C. Ad hoc D. Repeatable E. Defined F. Alliance ```

F. Alliance

The Online Privacy Alliance (OPA), TRUSTe, BBBOnline, and WebTrust are examples of the following type of model A. Self-Regulated Model B. Comprehensive Laws C. Sectoral Laws D. Co-Regulatory Model A. Self-Regulated Model

As an example, a well-known self-certification program is the A. U.S.-EU Safe Harbor Framework A. U.S.-EU Safe Harbor Framework

A privacy __________ is generally an internal document that is addressed to employees. It clearly states how personal information is going to be handled. A. N/A B. policy C. notice B. policy

During the Data Inventory, which Element map for the Purpose "In which country/countries is the data stored?" ``` A. The format of the information B. The use of the information C. Where the data is stored D. The volume of information in this repository C. Where the data is stored ```

A __________ is generally an external communication of the privacy policies to the customers about how their personal data is being handled. A. policy B. notice C. N/A B. notice

Which phase of the Privacy Operational Life Cycle model provides the framework for the privacy professional to evaluate the current processes, procedures, management, and practices for privacy management in the organization and apply best practices to them. A. The assess phase B. The respond phase C. The sustain phase D. The protect phase A. The assess phase

Which the following is the standardized term that refers to specific methods that act in accordance with the laws of data protection, it allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by services or applications A. Privacy-Enhancing Technologies (PET) A. Privacy-Enhancing Technologies (PET) Privacy Metrics are sometimes used poorly or improperly or contain faulty assumptions. The privacy professional must guard against: A. Selective Use B. Massaging the Numbers C. SMART Methodology D. Faulty Assumptions C. SMART Methodology

Notification of a data breach to individuals is A. always desirable B. N/A C. not always desirable C. not always desirable

This privacy operational life cycle ensures the the organization is prepared to assess, protect, sustain and respond within the context of the ever-changing privacy demands of the world. A. privacy operational life cycle A. privacy operational life cycle

Which maturity levels procedures or processes are generally informal, incomplete and inconsistently applied ``` A. Alliance B. Ad hoc C. Managed D. Defined E. Optimized F. Repeatable ```

B. Ad hoc

The Certified Information Privacy Manager (CIPM) program, expands the privacy professional's knowledge to include the __________ of privacy. A. "how" B. "what" C. N/A A. "how"

Disadvantages of using external auditors include A. providing a level of unbiased, expert recommendations B. Learning curve about the organization C. Confidentiality D. Cost budget E. Time or schedule A. providing a level of unbiased, expert recommendations

During the Data Inventory, which Element map for the Purpose "how much data is actually in the repository?" A. The format of the information B. Location of the repository C. The use of the information D. The volume of information in this repository The volume of information in this repository

Will assist the privacy professional with best practices in generic terms to identify, define, select, collect and analyze metrics specific to privacy A. Incident Planning B. Performance Measurement C. Develop and Implement a Framework D. Strategy Management B. Performance Measurement

The Metric Life Cycle which one sometimes takes the most time of all five steps due the large amount of data collected on automated systems; A. select privacy metrics B. Define Reporting Resources C. analyze the data D. Identify the Intended Audience C. analyze the data

Is a machine-readable language that helps to express a website's data management practices in an automated fashion. A. Liberty Alliance and SAML B. Enterprise Privacy Authorization Language (EPAL) C. Extensible Access Control Markup Language (XACML) D. Platform for Privacy Preferences (P3P) D. Platform for Privacy Preferences (P3P)

According to IAPP, A privacy mission statement describes the purpose and ideas in just a few sentences. It should be read in less than: A. 30 seconds B. 30 minutes C. 30 words D. N/A A. 30 seconds

Which one is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition? A. Data life cycle management (DLM) B. Privacy Maturity Model (PMM) C. Data leakage prevention (DLP) D. Privacy Impact Assessment (PIA) A. Data life cycle management (DLM)

Which term provide an automated means for organizations to identify, document and manage their existing risks and controls. A. Protect B. Sustain C. notice D. Dashboards D. Dashboards

Privacy Program Governance include but except: A. Strategic management B. Developing and implementing a Privacy Maturity Model C. Performance measurement D. Developing and implementing a framework D. Developing and implementing a framework

Websites collecting information from Children under the age of thirteen are required to comply with: A. the Gramm-Leach-Biley Act (GLBA) B. the Health Insurance Portability and Accountability Act of 1996 C. Children's Online Privacy Protection Act (COPPA) D. the Payment Card Industry Data Security Standard C. Children's Online Privacy Protection Act (COPPA)

Which one is the starting point for assessing the needs of the privacy organization. A. review and monitor B. gap analysis C. communicate the framework D. business case D. business case

There are many Privacy Frameworks. Examples include but except: A. PCI DSS B. The Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines C. Privacy by Design D. The APEC Privacy Framework A. PCI DSS

Which maturity levels assures Procedures and processes are fully documented and implemented and cover all relevant aspects ``` A. Ad hoc B. Managed C. Optimized D. Defined E. Alliance F. Repeatable ```

D. Defined

The following may be a A. privacy vision and privacy mission statements B. Chief Financial Officer's job C. Incident Public Notice D. Roadmap of information security A. privacy vision and privacy mission statements

Privacy ROI defines metrics by: A. ROI = (Costs - Benefits)/Costs B. ROI = (Benefits + Costs)/Benefits C. ROI = (Benefits - Costs)/Costs D. ROI = (Benefits + Costs)/Costs C. ROI = (Benefits - Costs)/Costs

Which term is Define privacy technology standards developed solely to be used for the transmission, storage and use of privacy data Privacy-enhancing technologies (PETs) A. Privacy-enhancing technologies (PETs)

Which privacy model can be more easily integrated in organizations that utilize single-channel functions with planning and decision making occurring centrally A. hybrid model B. Local or Decentralized model C. centralized model C. centralized model

When we talk about select privacy metrics use the SMART methodology. Every letter in the SMART includes all of the below except: ``` A. Specific and/or simple B. Manageable C. Auditability D. Timely E. Relevant/results-oriented ``` C. Auditability

In the privacy operational life cycle which one phase provides privacy management through the monitoring, auditing and communication aspects of the management framework ``` A. Protect B. Governance C. Sustain D. Respond E. Assess ``` C. Sustain

Which privacy model shows fewer tiers in the organizational structure, wider span of control, and a bottom-to-top flow of decision making and flow of ideas. A. N/A B. hybrid model C. centralized model D. Local or Decentralized model D. Local or Decentralized model