Dump

Question 1

One of the goals that is NOT a Privacy Program Manager role is to?

A. To identify their supply chain’s privacy risks.
B. To identify their organizations, employees, and patient’s risks.
C. To identify current state of policies, procedures, and any supporting documentation.
D. Promote consumer trust.

A. To identify their supply chain’s privacy risks.

Answer 1

The PPM’s goal is not to identify their supply chain’s privacy risks.
That would be a part of the Vendor Management program. Answer B and C are goals of the PPM. Answer D is a goal of the Privacy Program, which, ultimately, is an implied goal of the PPM. The best correct answer is A.

Question 2

Which of the following is NOT a reason organizations are becoming compliant with global privacy regulations?

A. Brand Name Protection
B. Reputation Protection
C. GDPR
D. U.S. Federal Privacy Law

Answer 2

D. U.S. Federal Privacy Law

The U.S. has yet to pass and implement a federal privacy law. Sectors within the U.S. have passed federal laws that implicate data privacy protections, however, there is not a U.S. wide federal privacy law to date.

Question 3

Privacy program managers are charged with the protection and appropriate use of?

A. Private Information
B. Personal Information
C. Public Information
D. Social Information

Answer 3

B. Personal Information

The term Private Information is rarely utilized, while Personal Information (PI)and Personally Identifiable Information (PII) are predominantly used. PPMS are groups not responsible for protecting either public information or social information. Do not read into the questions. Focus on the question as it is posed. If you imply or apply additional thoughts to the question, you may over think the question and choose the incorrect answer.

Question 4

Which of the following groups are NOT a priority group for the development of your privacy policies and procedures within your organization?

A. Human Resources
B. Legal
C. Business Development
D. External Audit

Answer 4

D. External Audit

An internal audit group would be a part of your priority group. All of the other groups are departments you should include.

Question 5

The privacy vision should align with?

A. Consumer Objectives
B. Business Objectives
C. Vendor Objectives
D. Contract Objectives

Answer 5

B. Business Objectives

Upon the request of the DPA, your organization must share the detailed record of processing with them. The other answers are also correct, however, the best, right answer is B. You will have questions like this on the exam.

Question 6

Your organization is implementing a new process that may collect consumer’s information. The process is complete and ready for a final review before being launched into production. During the review, it is determined that the new process lacks the ability to audit the privacy controls for regulatory compliance. What was not included in the design?

A. Proactive
B. Embedded privacy controls
C. Respect for users
D. Privacy by Design

D. Privacy by Design

Question 7

Upon request, a detailed record of processing must be shared with the?

A. Data Protection Officer
B. Data Protection Authority
C. Chief Information Officer
D. Chief Information Security Officer

Answer 7

B. Data Protection Authority

Upon the request of the DPA, your organization must share the detailed record of processing with them. The other answers are also correct, however, the best, right answer is B. You will have questions like this on the exam.

Question 8

Your medical staff has access to all EMRS. Each staff member is trained frequently on proper handling, access, and protecting of sensitive data. If one of your medical practitioners is unable to access an EMR, and is authorized to access it, which basic security principle has been applied?

A. Role-Based Access
B. Segregation of duties
C. Least privilege
D. Need-to-know access

Answer 8

B. Segregation of duties

Separation of duties is the concept of having more than one person required to complete a task. It is an administrative control used by organisations to prevent fraud, sabotage, theft, misuse of information, and other security compromises.

Question 9

While your organization is assessing a potential vendor, one statement within the vendor policy may require a review of?

A. Privacy Policy
B. Vendor Management
C. Location of data
D. Employees

Answer 9

C. Location of data

The vendor policy may stipulate that the procuring organization evaluate its processes for risk assessment, its risk profile, and categories of vendors based on risk. This may include evaluating the vendor’s internal policies; affiliations and memberships with other organizations; mandatory and nonmandatory certifications; location of data servers; and data storage, use, and transport.”

Question 10

Your organization has secured funding for a new privacy training initiative. Which of the following may NOT be one of the training methods you would implement?

A. Classroom
B. Online
C. Workshops
D. Testing

Answer 10

D. Testing

Training may be delivered through dedicated classroom, instructor-led courses or online platform
“Once breach preparedness is integrated into the BCP, or if the company decides to have a standalone incident response plan, incident response training will likely be required. This training may take many forms, including workshops, seminars and online videos, but often includes tabletop exercises, a strategic mainstay of corporate trainers and business continuity planners.”

Question 11

The CFO and CHR of a healthcare organization are looking to you, the privacy program manager, to provide them with a performance measurement of the privacy program. Which of the following would you NOT utilize in creating that?

A. Tracking
B. Identifying
C. Defining
D. Analyzing

Answer 11

A. Tracking

Question 12

Who needs to appreciate the benefits and risks associated with the collection and use of personal information?

A. Privacy
B. Privacy Professional
C. Privacy Program Manager
D. Privacy Officer

B. Privacy Professional

Question 13

A California, U.S. based organization receives its first subject access request (SAR). The privacy program manager is alerted to receipt of the request in a timely fashion. What will the program manager reference, that was developed in the establishment of the privacy program, that will assist in determining where the SAR’s information resides?

A. Data Classification Policy
B. Privacy Program Scope
C. Regulatory Map
D. Data Inventory

D. Data Inventory

Question 14

The GDPR, the CCPA, GLBA and other privacy regulatory laws have different terminology and requirements as it relates to ‘reasonable security procedures and practices.” The word, “adequate” or “appropriate technical and organizational measures’ - this is the ‘security principle’. Where might you NOT reference for these types of controls and standards?

A. Internet Security’s Critical Security Controls
B. ISO/IEC 27002
C. NIST SP 800-53rev4
D. ISO/IEC 27006 D. ISO/IEC 27006

Answer 14

The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.

This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation

ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).

ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). … ISO/IEC 27006 lays out formal requirements for accredited organizations which certify other organizations compliant with ISO/IEC 27001

Question 15

An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Departments are following and adhering to processes and procedures for most functions. What level of maturity is the organization at?

A. Repeatable
B. Defined
С. Ad Hoc
D. Managed

Answer 15

B. Defined

Question 16

An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Generally, if your privacy program has recently been created where you are still evaluating and inventorying what the organization has and does not have in place for policies, processes and procedures, the privacy program maturity level is at this stage?

A. Repeatable
B. Defined
C. Ad Hoc
D. Managed

Answer 16

C. Ad Hoc

Question 17

Key stakeholders make decisions pertaining to the record of your organization’s privacy program. These decisions serves as the privacy program’s?

A. Governance
B. Risk Assessment
C. Due Care
D. Due Diligence

Answer 17

D. Due Diligence

Such documentation also helps support accountability requirements of the GDPR and serves as the privacy program’s due diligence in terms of which functions and individuals should be held accountable for privacy compliance.”

Question 18

Your customer’s information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to accuracy of information?

A. Availability
B. Confidentiality
C. Integrity
D. Accountability

Answer 18

C. Integrity

In the world of information security, integrity refers to the accuracy and completeness of data.

Question 19

As privacy laws and regulations continue to expand and change, complying and monitoring with those changes is critical for the organization’s privacy program success. What is one solution that provides organizations with updated changes, monitoring and auditing performances of their processes and procedures?

A. Internal Audit
B. Second-party Audit
C. Third-party Audit
D. Third-party Privacy Compliance Platform and Tools

D. Third-party Privacy Compliance Platform and Tools

Question 20

Prior to a new service or system being implemented, this type of action is required to be conducted?

A. Data Privacy Impact Assessment 
B. Privacy Impact Assessment 
C. Privacy Assessment 
D. Risk Assessment	
B. Privacy Impact Assessment

Question 21

Your organization has been alerted to a data breach within one of your vendors. During the DPA investigation, procurement has been summoned for questioning. What may be the topic of discussion?

A. Communications Language
B. Processor responsibilities
C. GDPR Compliance
D. Internal audit results

Answer 21

B. Processor responsibilities

Question 22

Your organization is capturing and documenting where and what information is flowing, both internally and externally. What is this type of exercise?

A. Regulatory Map
B. Legal Map
C. Data Inventory Map
D. Data Map

C. Data Inventory Map

Answers A and B are to determine regulatory and legal requirements that your organization is accountable to and for. Answer D is the process of matching fields from one database to another.

Question 23

Your organization is conducting processor assessments. Which privacy domain houses this action item?

A. Measure
B. Improve
C. Evaluate
D. Support A. Measure

Answer 23

Domains are: (A) Assess Measure, (B) Protect - Improve, (C) Sustain - Evaluate or (D) Respond - Support.

Question 24

HR is reviewing candidate’s resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work with Legal and HR on, as it relates to the background information gathered?

A. Data Retention
B. Data Policies
C. Information
D. Training A. Data Retention

Answer 24

Data retention, not only at the controller’s location, but also within the contract with the processor who is obtaining the background information. The controller must be explicit with what the processor will do with the information gathered on the individual once a decision has been executed on hiring or not hiring the candidate. Based on that decision, both the controller and processor must retain and then destroy the data that is no longer required for any business reason.

Question 25

Which of the following orders are the correct order as it relates to data incidents plans?

A. Planning, Preparing, Handling, Reporting
B. Planning, Investigating, Handling, Reporting
C. Preparing, Reporting, Investigating, Recovering
D. Preparing, Investigating, Recovering, Reporting A. Planning, Preparing, Handling, Reporting

Plan, Prepare, Roles and Responsibilities, Handling, Investigating, Reporting, and Recovery are the correct orders as it relates to data incidents.

Question 26

Your customer’s information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to access of information?

A. Availability
B. Confidentiality
C. Integrity
D. Accountability A. Availability

Availability is one of the information security triad’s (C,I,A). Answers B and C are the other two security triads. Accountability does apply here, however, the question is asking about information security and how it relates to access. Both availability and access ensure information is available to authorized users.

Question 27

Your customer’s information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to access of information?

A. Availability
B. Confidentiality
C. Integrity
D. Accountability A. Availability

Availability is one of the information security triad’s (C,I,A). Answers B and C are the other two security triads. Accountability does apply here, however, the question is asking about information security and how it relates to access. Both availability and access ensure information is available to authorized users.

Question 28

Your medical staff has access to all EMRS. Each staff member is trained frequently on proper handling, access, and protecting of sensitive data. If one of your medical practitioners accesses an EMR in which they did not and will not provide care to, which basic security principle has been violated?

A. Role-Based Access
B. Segregation of duties
C. Least privilege
D. Need-to-know access D. Need-to-know access

Need-to-know access is access to information or systems that are required to conduct and complete the responsibility of an authorized user. In this scenario, the medical practitioner is not and will not provide care to the patient, therefore, has no need-to-know to access the patient’s records.

Question 29

Your PIA identified a risk that you, as the privacy program manager, must address to bridge a gap within your privacy training and awareness program. You present the findings and the costs associated with the mitigating activity to your leadership. They reject your request. What should you have presented to your leadership to support your request?

A. Business Case
B. Return-on-Investment
C. Qualitative benefits
D. Annual loss expectancy (ALE) B. Return-on-Investment

Had an ROI and the savings (quantify vs qualitative) been presented along with the probable cost and impact that the risk may pose to the organization would have provided more strategic vision to the leadership vs. the bottom-line expenses. Answer A is incorrect, where the business case would have been created for the privacy program, which is already in place. Answer D would be utilized to quantify and support the ROI discussion.

Question 30

A financial institution has completed their regulatory mapping exercise and determined and created their data retention policy. The institution has adopted two possible standards for destroying the data, which are degaussing and shredding. What is another way to destroy the data electronically?

A. Melt
B. Burn
C. Erase
D. Overwrite D. Overwrite

Answer A and B are physical, not electronic destruction methods. Answer C is a synonym for degaussing.

Question 31

Your organization has suffered a data breach. You have initiated the incident response plan and are preparing for an external communication. Your marketing and social media team is made aware that an employee has posted a statement onto their personal social media platform. What didn’t the organization do, based on the information provided?

A. Implement a training program
B. Conduct training
C. Coordinate both internal and external communications
D. Notify customers C. Coordinate both internal and external communications

Coordinating both internal and external communications and then communicating those messages in sync will alleviate employees from posting inaccurate and unauthorized internal communications externally without specific guidance and provided templates, and reduction of confusion of anyone reading the communication of the employee.

Question 32

Your organization has accepted your proposed privacy vision. In order to continue developing your privacy program, which is your next step?

A. Develop the privacy team
B. Develop the privacy program strategy
C. Develop the mission statement
D. Develop the scope of the privacy program

D. Develop the scope of the privacy program

After you have created and received approval of the vision or mission statement (C.), you must determine the scope of the privacy program. Answer A and B are subsequent steps after the vision/mission statement and scope have been established.

Question 33

After completing the framework, which step is NEXT in the development of the privacy program?

A. Develop the privacy team
B. Develop the privacy program strategy
C. Develop the mission statement
D. Develop the scope of the privacy program

B. Develop the privacy program strategy

Once the vision/mission statement, scope and framework are selected, the strategy is next.

Question 34

Which of the following tactics are used to identify your privacy program scope?

A. Identify where business data is collected
B. Identify where data is collected
C. Identity where personal information is collected
D. Identify global data protection laws

Answer 34

C. Identity where personal information is collected

“You must know what personal information is collected and processed and which privacy and data protection laws and regulations impact your organization.”

Question 35

Your organization has implemented information security practices. Which privacy domain houses this action item?

A. Measure
B. Improve
C. Evaluate
D. Support B. Improve

Domains are: (A) Assess - Measure, (B) Protect Improve, (C) Sustain Evaluate or (D) Respond - Support.

Question 36

Your workforce is one of the key contributors to causing a data incident. What is one of the FIRST things you need to determine to address this risk?

A. Secure Funding
B. Train the workforce
C. Develop a business case
D. Workforce behavioral review D. Workforce behavioral review

The disconnect between expected behavior and actual behavior is large. The organization needs to determine what the current behaviors are and then determine what are the desired behaviors. Once that is complete, the business case would then be created (Answer C) and presented to leadership to secure funding for the training (Answer A) and then execute the training (Answer B.)

Question 37

HR is reviewing candidate’s resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work focus on, as it relates to the vendor gathering the background information requested?

A. Procurement
B. Vendor Assessment
C. Information Risk
D. Communications B. Vendor Assessment

The organization, prior to signing any contracts with a particular vendor, must assess the prospective vendor based on the organization’s standards and regulatory requirements that must be complied with by the processor.

Question 38

Your organization is implementing a new process that may collect consumer’s information. Throughout the SDLC process, it is also determined that the consumer’s information may be shared or aggregated throughout the life cycle of the information. In order to determine if a privacy impact assessment (PIA) is needed, you must conduct a?

A. Data Privacy Impact Assessment
B. Information risk assessment
C. Privacy-enabling technology
D. Recovery The correct answer is D.

Question 39

A DPIA is a tool which controllers provide proof and demonstrate compliance with data protection laws, which is not the correct answer here. PETS are utilized within the PbD model and not the correct answer here.

An insurance company is informed by an agent that they may have compromised personal information of their clients. What information security controls will be potentially implemented?

A. Preventative
B. Detective
C. Corrective
D. Recovery C. Corrective

Corrective controls contain and minimize an incident from causing further damage. Answers A, B are implemented prior to an incident, while Answer D is implemented after the incident has been contained.

Question 40

A U.S. based financial institution is required to provide customers a privacy notice annually that provides clear notice of the customer’s right with respects to opt-outs. What regulation requires this?

A. GDPR
B. LGDP
C. PIPEDA
D. GLBA D. GLBA

Answers A, B, and C are all international regulations, not U.S.

Question 41

The stakeholders of a genetic organization have developed and are presenting their business case for a privacy program update, to include protective controls ensuring both the information security and privacy programs are united and overlapping. As part of this presentation, the quantified annual loss expectancy for a particular privacy control is $120,000 for complete development, implementation and monitoring of the control. While presenting, the question was posed to the presenter, ‘If the control is not implemented, what will be the cost to the organization?” The projected impact to the organization would be less than the actual control being implemented. What would this example be called?

A. Qualitative model
B. Single loss expectancy
C. Return on investment (ROI)
D. Acceptable risk C. Return on investment (ROI)

ROI is (Benefits - Cost) / Cost. However, with this particular example, the risk is less than the actual proposed control and, depending on the difference between those costs (which was not provided deliberately), this may not be a good business case model to approve and implement if the ROI is not favorable, however, the question is only asking you what this example is called. Remember, do not add to the ‘story’ or question as you read it. Only read the answer (2x), call out the key words and determine what is being asked of you. Answer D could be the answer however, the actual question is not looking for that, but it looks and sounds good - a distracting answer. Answers A and B are incorrect.

Question 42

An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. The privacy program has been in place for multiple years and has been extremely successful in providing metrics and efficiencies for your organization. What level of maturity is the organization at?

A. Repeatable
B. Defined
C. Ad Hoc
D. Managed D. Managed

Managed maturity levels consist of reviews that assessed the effectiveness of the controls implemented.

Question 43

Your medical staff has access to all EMRS. Each staff member is trained frequently on proper handling, access, and protecting of sensitive data. If one of your medical practitioners accesses an EMR in which they are providing care to, which basic security principle has been followed?

A. Role-Based Access
B. Segregation of duties
C. Least privilege
D. Need-to-know access D. Need-to-know access

Need-to-know access is access to information or systems that are required to conduct and complete the responsibility of an authorized user. In this scenario, the medical practitioner is authorized to access the patient’s records.

Question 44

As technology infrastructure is procured, implemented, and secured, which of the following security controls are most integrated with IT?

A. Physical Security
B. HR Security
C. Ethics and Integrity
D. Employees A. Physical Security

Systems and computers are physically protected and managed by doors and locks, CCTVS, etc. Answer B is integrated into IT; however, the question is asking about technology infrastructure (i.e. Computers, mobile devices, applications, etc.), therefore, the ‘most’ integrated with IT would be answer A.

Question 45

Principles and standards, laws, regulations and programs are two categories that a privacy framework may be designed from. What is another category that can be referenced to create a privacy framework?

A. Privacy Program Management
B. Privacy Program Strategy
C. Privacy Program Vision
D. Privacy by Default A. Privacy Program Management

Answer B and C are the foundation of the privacy program, however, are not frameworks. Answer D is a tricky answer.

Question 46

Privacy by design (PbD) would be a correct answer, however, ‘default’ is not the correct response.
Within the U.S., which federal law addresses money laundering?

A. U.S. Federal Financial Law
B. Federal Trade Commission Act
C. Fair and Accurate Credit Transactions Act
D. Financial Modernization Act D. Financial Modernization Act

Also known as the Gramm-Leach Bliley Act (GLBA) which requires financial institutions to explain how they share and protect their customer’s private information.

Question 47

Your organization must share personal information to a country outside of the EEA and EU. You individually tailor the contract to your company’s needs and obtain the required supervisory authority’s authorization. What type of cross-border transfer rule are you using?

A. BCR
B. SCC
C. Codes of Conduct
D. Ad hoc contractual clause D. Ad hoc contractual clause

BCRS allow organizations to create an internal policy. SCCS (Article 46(c) and Codes of conduct (Article 40) are addressed with the GDPR with enforceable commitments.

Question 48

A global organization located in numerous countries would be best to implement this type of governance model?

A. Centralized
B. Distributed
C. Hybrid
D. External B. Distributed

Distributed delegates decision-making to the lowest levels within an organization allowing a bottom-to-top flow of decisions and monitoring.

Question 49

If your leadership is not supporting nor funding your privacy program management, one way to gain their support is to share what a potential privacy breach would cost the organizations. This would be an example of?

A. Metrics
B. Quantitative Model
C. Qualitative Model
D. Return on Investment (ROI) B. Quantitative Model

Showcasing exact costs (quantifiable numbers) generally assists privacy program managers in obtaining support and funding for their privacy program development.

Question 50

What must an efficient and successful privacy program be built with?

A. Data Map
B. Regulatory Map
C. Compliance Map
D. Comprehensive View

D. Comprehensive View

Answers A and B are components of the comprehensive view within the organization. Each organization must know what data that collects and processes throughout the data’s entire lifecycle.

Question 51

Your organization completed the data inventory exercise. Who in your organization determines what classifications of information are arranged into those categories?

A. Chief Security Officer 
B. Chief Executive Officer 
C. Privacy Officer 
D. Human Resources	
C. Privacy Officer 

The Privacy Officer and legal department review all regulatory and legal requirements of the organization and based on those applicable laws, will determine what classifications will be utilized within the organization. Answer A will overlay the appropriate physical, administrative and technical controls, based on those categories of data. Answer B and D are not the correct answers.

Question 52

Your organization has implemented a privacy program and you are analyzing the data and metrics. What was your PREVIOUS step?

A. Identification of audience
B. Analysis
C. Collection
D. Selection C. Collection

Answer 52

The five-step metrics life cycle Is: A. Identification of intended audiences B. Definition of data sources C. Selection of privacy metrics D. collection and Refinement of systems/application collecting points E. Analysis of the data/metrics

Question 53

Once the policies, procedures and security controls have been assessed on your potential cloud provider, whom within your organization should approve of this type of vendor?

A. General Counsel
B. Privacy Program Manager
C. Chief Information Security Officer
D. Chief Information Officer D. Chief Information Officer

All listed answers may be involved with the business case development, screening criteria of the vendor and review of the vendor, however, since it is a technical vendor, a cloud provider, ultimately, the CIO should approve of the provider.

Question 54

Your organization is acquiring another organization. A part of the privacy checkpoint, your organization’s processes should consist of conducting a prior to the integration of the acquired organization’s systems and processes.

A. Divestiture
B. Data inventory
C. Regulatory map
D. Risk Assessment D. Risk Assessment

A risk assessment of the acquired organization’s systems, processes, and technologies should be conducted prior to integrating systems to your organization’s systems. This will identify potential risks and allow time to mitigate those while protecting and not introducing those new risks to your organization.

Question 55

The privacy program manager is preparing their performance measurement presentation. They are looking at the value of the asset being measured, ensuring to capture the possible changes or factors that may impact that value. What other consideration should the PPM take into account as they develop the presentation?

A. Return on investment
B. Chief Financial Officer
C. Alignment
D. Integration A. Return on investment

The PPM must ensure that the ROI is connected and justifies the implementation of that particular function. Answers C and D are not the correct terms for use in a performance measurement analysis.

Question 56

An insurance company is informed by an agent that their computer screen is open, and they are certain that they had locked the screen and that they may have compromised personal information of their clients. What information security controls may be audited?

A. Access Controls
B. Asset Management
C. Procurement
D. Training A. Access Controls

Access controls may be audited to see who accessed the computer, when, and what was accessed.

Question 57

You are making a purchase on an e-commerce website and you receive a notice in the middle of the page that articulates what the organization does to protect your information. You have not yet provided any personal information. What is this called?

A. Opt-Out
B. Opt-In
C. Just-in-time-notice
D. Privacy Policy C. Just-in-time-notice

The notice is provided to the customer before any information is collected and articulates how that information will be protected along with the consumer’s choices and rights. It is an external statement. A privacy policy is an internal communication.

Question 58

An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Regular audits, assessments, guidance and communications are gathered to review and improve the overall privacy program. What level of maturity is the organization at?

A. Repeatable
B. Defined
C. Optimized
D. Managed

Answer 58

C. Optimized

Optimized level provides reviews, communications and improvements for the program.

Question 59

Your customer’s information and their rights to control what and who collects their information, where their information is shared are privacy rights. What overlap is there with information security that relates to accountability?

A. Availability
B. Confidentiality
C. Integrity
D. Accountability D. Accountability

Answers A, B and C are the information security triads. Accountability falls in both privacy and information security requiring data owners, controllers, and processors to protect the data adequately.

Question 60

It is Monday morning and you are starting a new role. You log into your corporate email account and find an email from HR. As you read through the email, you see that you are required to complete specific privacy training. What type of control is this?

A. Special Handling
B. Data Classification
C. Technical
D. Role-Based Access D. Role-Based Access

You are starting a new role; you are being required to complete ‘specific’ privacy training. Answer A, B, and C will support Role- Based Access controls, but are not the correct answers here.

Question 61

HR is reviewing candidate’s resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work with HR on, as it relates to the background information gathered?

A. Contracts
B. Procurement
C. Marketing
D. Data A. Contracts

Contracts and explicit requirements of processors that gather background information on behalf of the hiring organization. Answer B and C are not correct. Answer D, based on the actual question, is a distracting answer and the incorrect answer.

Question 62

Your organization has suffered a data breach. Your organization has implemented their incident response plan. Which privacy domain houses this action item?

A. Measure
В. Improve
C. Evaluate
D. Support D. Support

Domains are: (A) Assess - Measure, (B) Protect - Improve, (C) Sustain Evaluate or (D) Respond - Support.

Question 63

Your privacy program needs to monitor changes, organizational compliance, but it doesn’t need to integrate with?

A. Legal changes
B. Cultural changes
C. Technological changes
D. Employee changes D. Employee changes

Although employee changes are important to understand and take into consideration, as it relates to the privacy program, employee changes are not a priority. Cultural changes (answer B) are a priority to take into consideration as a whole, but not the individual employee changes.

Question 64

Your organization has implemented a privacy program and you are preparing to present metrics captured. What was your INITIAL step in this process?

A. Identification of audience
B. Analysis
C. Collection
D. Selection

A. Identification of audience

The five-step metrics life cycle Is: A. Identification of intended audiences B. Definition of data sources C. Selection of privacy metrics D. collection and Refinement of systems/application collecting points E. Analysis of the data/metrics

Question 65

Your organization has implemented a privacy program and you are defining your data sources. What is your NEXT step?

A. Identification of audience
B. Analysis
C. Collection
D. Selection

D. Selection

The five-step metrics life cycle Is: A. Identification of intended audiences B. Definition of data sources C. Selection of privacy metrics D. collection and Refinement of systems/application collecting points E. Analysis of the data/metrics

Question 66

An insurance company is informed by an agent that they may have compromised personal information of their clients. What is this called when the agent thinks the information has been compromised?

A. Incident Detection
B. Incident Handling
C. Incident Response Plan
D. Employee Training A. Incident Detection

The presumption of this question, which you will see similar questions on your exam, states that an agent has informed the organization that they may have an incident. They detected something and notified me. This also implies that the organization has already trained (Answer D) the employee on the IRP (Answer C) which is a part of the handling of the incident (Answer B). Understanding Incident Response is critical.

Question 67

When your organization has purchased cyber liability insurance, and suffered a data breach, your incident response plan is then followed and one of the first calls would be to?

A. Forensic Firm
B. Data Protection Authority
C. CSO
D. Breach Coach

Answer 67

A. Forensic Firm

A Forensic Firm is an outside legal firm/counsel that will assist in triaging and providing the organization with legal guidance vs. in-house legal team providing ‘business’ guidance and also which provides the organization with privileged rights.

Question 68

Who, within your organization, would the privacy program manager NOT work with to better understand the organization’s privacy needs?

A. CPO
B. DPO
C. DPA
D. General Counsel

Answer 68

C. DPA

The DPA will not provide the PPM with privacy insights within their organization. They may provide templates and guidance on how to learn of those, however. The other answers are primary functional leaders that would provide great insight to the privacy needs of your organization.

Question 69

Of the following, which is a privacy framework that may be used for your privacy program management framework?

A. ENISA
B. EFCC
C. CNIL
D. DPA

Answer 69

C. CNIL

Question 70

This regulation offers organizations a new framework for data protection?

A. GDPR
B. LGDP
С. PIPEDA
D. APPI

Answer 70

A. GDPR

GDPR also requires organizations to be accountable with global impacts. LGDP is the newly approved Brazilian General Data Protection Law. PIPEDA applies to Canada and APPI applies to Japan’s Act on Protection of Personal Information.

Question 71

As you assess your prospective vendors, what is one topic that is NOT a priority for you to assess?

A. Financial
B. Geographic Location(s)
C. Privacy Framework
D. Data Inventory D. Data Inventory

Yes, you need a data inventory and will add to it once you add vendors to your vendor management portfolio, but as a prospective vendor, you do not need to focus on that, yet.

Question 72

You are making a purchase on an e-commerce website and a banner at the bottom of the page appears before you can provide your billing and shipping information. This banner articulates what the organization does to protect your information. What is this called?

A. Opt-Out
B. Opt-In
C. Privacy Notice
D. Privacy Policy C. Privacy Notice

The statement is a promise to the consumer on what information is collected, how it will be protected, and the consumer’s choices and rights. It is an external statement. A privacy policy is an internal communication.

Question 73

What is measured via metrics associated with confidentiality, unavailability, and projected business impact assessments for downtime within an organization’s business objectives?

A. Accountability
B. Data Privacy
C. Data Protection
D. Business Resiliency D. Business Resiliency

The BIA will provide quantitative values and expenses if unavailable and will drive the DR and BCP to protect and defend your business operations if an outage was to be realized, which is business resiliency. Answers A, B, and C are all incorrect.

Question 74

A California, U.S. based organization receives its first subject access request (SAR). The privacy program manager is alerted to receipt of the request in a timely fashion. What is the FIRST step of the organization upon receipt of the SAR?

A. Verify Identity of Requestor
B. Review BIPA
C. Regulatory Map
D. Data Inventory A. Verify Identity of Requestor

Verification of the requestor is required prior to any next steps, to ensure personal data is protected, and that the confidentiality, integrity and availability are protected. Any data subject-access requests made by unauthorized persons and the SAR is provided to that unauthorized person, will result in a breach.

Question 75

Which of the following are NOT privacy matters to consider?

A. Geographical location
B. Global Privacy Regulations
C. Cross-border data sharing
D. Competitor’s Privacy Strategy D. Competitor’s Privacy Strategy

Although it would be nice to know what your competitors are doing, it is not a priority for your privacy program to focus on. The other three answers are and should be taken into consideration.

Question 76

What is developed to guide your organization in disseminating and adoption for your privacy program?

A. Developing the privacy vision
B. Developing the privacy strategy
C. Developing the privacy framework
D. Developing the privacy structure B. Developing the privacy strategy

The vision won’t guide your organizations’ communications or your leadership’s adoption for the PPM. Answers C and D are possible answers but won’t be a driver for adoption for your PPM.

Question 77

Within your organization, who is responsible for protecting personal information that is captured and processed?

A. Consumer
B. Vendor
C. Patient
D. Workforce D. Workforce

The key words are, “Within your organization”, which then nullifies the Consumer, Vendor, and Patient answers.

Question 78

Your organization is capturing and documenting where and what information is flowing, both internally and externally. What does the end product assist your organization with?

A. Identifies vendors
B. Identifies regulatory requirements
C. Identifies classification
D. Identifies personal information use D. Identifies personal information use

A data inventory will identify the source, types and uses of personal information. Answer A and B could be an answer, but not with the limited information provided. Answer C would be a by-product of the identification of the personal use information.

Question 79

Your organization, a covered entity within the U.S., has suffered a data breach within your archived information. What policy will be looked at to determine whether or not your organization has complied with that policy?

A. Acceptable Use
B. BYOD
C. Incident Response Plan
D. Retention D. Retention

The key word in the question is ‘archived’, meaning stored and leading to the review of your retention of information.

Question 80

Your organization is structuring your privacy team. Which privacy domain houses this action item?

A. Measure
B. Improve
C. Privacy Program Framework
D. Developing a Privacy Program D. Developing a Privacy Program

When your organization is developing the privacy program, they will create the company vision, establish a data governance model, establish a privacy program, structure the privacy team and communicate, both internally and externally pertaining to their accountability.

Question 81

Under what U.S. law requires government agencies to conduct a privacy impact assessment?

A. FISMA
В. FACTA
C. E-Commerce Act
D. E-Government Act D. E-Government Act

The key word is ‘government’. If you caught that, you answered the question correctly.

Question 82

An insurance company is informed by an agent that they may have compromised personal information of their clients. What is this called?

A. Data Breach
B. Privacy Incident
C. Cyber Security
D. Incident Response Framework B. Privacy Incident

The key word is ‘may’ have compromised. It has not been confirmed or validated, so, at this point, it is unknown if it is a data breach. Remember, you can have an incident without a data breach, but you cannot have a data breach without an incident.

Question 83

Who is responsible for monitoring, improving, reporting and communicating the criticality of a particular metric?

A. Privacy Manager
B. Privacy Owner
C. Communications Leader
D. Metric owner D. Metric owner

Question 84

They must be able to communicate the value and purpose of the metric to the organization.

An international manufacturing company is implementing their privacy program. While they are in that process, they are conducting self-assessments, developing procedures, communicating and monitoring the program. What type of management is this called?

A. Information Security Management System
B. Risk Management
C. Centralized Management
D. Information Management D. Information Management

Answer A is a security management system. Answer B is incorrect. Answer C is a governance model. Information management consists of discovering, building, communicating, and growth.

Question 85

Your organization has suffered a data breach. You have initiated the incident response plan and are preparing for an external communication. Which or who would be best to communicate that message externally?

A. HR
B. Ethics and Integrity
C. Marketing Dept.
D. CEO D. CEO

Answer A is the voice to the employees, internally. Answer B is not correct. Answer C may work with the PR/Communications group on the message; however, Answer D is best and recommended to communicate externally.

Question 86

In order for you to assess a cloud provider, you must understand their?

A. Privacy
B. Mission Statement
C. Notice
D. Policies D. Policies

Their mission statement (answer B) is something to view and will support their policies, which will help you assess the cloud provider. Answer A and C are not relevant to this particular question.

Question 87

Which one of the following is NOT one of the most common causes of a data breach?

A. Malicious Actors
B. Human Error
C. System Glitches
D. Vendors

D. Vendors

The top three causes are answers A, B, and C. Vendors are up there, but not the most common cause.

Question 88

The information security group utilizes a systematic approach to manage information risks relating to people, processes, and technologies. What is the name of this approach?

A. Privacy Framework
B. Information Security
C. Information Privacy Management System
D. Information Security Management System D. Information Security Management System

ISO/IEC 27000 Information Security Management System (ISMS) series provides an overview and guidance to what and how to implement an ISMS.

Question 89

These guidelines apply to all media and address marketing plans?

A. Network Advertising Initiative (NAI)
B. VeriSign
C. PCI DSS
D. DMA Guidelines for Ethical Business Practices D. DMA Guidelines for Ethical Business Practices

NAI is an industry trade group that develops self-regulatory standards for online advertising. VeriSign enables the security, stability and resiliency of key internet infrastructure and services, including the .com and .net domains. PCI DSS is the information security standard for organizations that handle branded credit cards from the major card schemes.

Question 90

Privacy programs and their leadership may fall under multiple areas within organizations. They may fall under Legal, HR, IT, Risk, or other areas. As your organization determines which area it may report to, the organization should take all of the following into consideration, except:

A. Organizational structure
B. Roles and responsibilities
C. Evaluation
D. Vendor Management D. Vendor Management

All of the other answers should be taken into consideration as the organization determines where the program and its leaders will fall under.

Question 91

What is the value of a privacy workshop for an organization’s stakeholders?

A. A workshop ensures compliance to policies at all levels of an organization.
B. A workshop ensures all stakeholders commit resources to the privacy program.
C. A workshop ensures common baseline understanding of the risks and challenges.
D. A workshop allows the privacy professional to create a single policy across the organization.

C. A workshop ensures common baseline understanding of the risks and challenges.

Question 92

All of the following are factors in determining whether an organization can craft a common solution to the privacy requirements of multiple jurisdictions except:

A. effective date of most restrictive law
B. implementation complexity
C. legal regulations
D. cost

A. effective date of most restrictive law

Question 93

What are non-governmental organizations that advocate for privacy protection known as?

A. external privacy organizations
B. privacy policy review boards
C. privacy trade associations
D. political Action Committees or PACs

A. external privacy organizations

Question 94

John is the Data Protection Officer for a fashion retailer based in Europe. He has recently trained the staff on the concept of Privacy by Design. Staff now know to seek his advice early in the planning of any new initiatives that involve the collection of personal data.
John has been asked to provide advice on a proposal for a new online business for enthusiasts of designer fashion, called “DesignersYou Love.”This will be a web-based service through which subscribers can access insider news on their favorite designers, receive discounts on clothing, have the opportunity to meet designers at fashion shows and be able to book tickets and enter competitions.
In order to sign up for “DesignersYou Love,” individuals must complete an online form.The data being collected includes the mandatory provision of name, email address, payment card information, favorite designers, clothing size, and annual clothing expenditures. After reviewing the form, John grows concerned that the company might be collecting excessive information.
The business intends to use this data for the following purposes:
• To provide subscribers with access to information on the site
• To collect payment and manage subscriptions
• To analyse subscriber use of the site (using browsing history, subscription information and cookies)
• To perform profiling for the purpose of sending relevant offers to customers
The website and the associated database of subscribers will be hosted by a U.S. technology company called HostPro Ltd. Its servers are located in the U.S., but it wishes to use subcontractors who have their own servers.The company intends to use a payment card processor they already have a relationship with to manage subscription payments.

How might John first explore his concerns regarding excessive data collection?

A. Perform a third-party audit.
B. Monitor complaints from subscribers.
C. Ask the data protection supervisory authority for guidance.
D. Ask the business sponsor for the rationale for each data field collected.

D. Ask the business sponsor for the rationale for each data field collected.

Question 95

John is the Data Protection Officer for a fashion retailer based in Europe. He has recently trained the staff on the concept of Privacy by Design. Staff now know to seek his advice early in the planning of any new initiatives that involve the collection of personal data.
John has been asked to provide advice on a proposal for a new online business for enthusiasts of designer fashion, called “DesignersYou Love.”This will be a web-based service through which subscribers can access insider news on their favorite designers, receive discounts on clothing, have the opportunity to meet designers at fashion shows and be able to book tickets and enter competitions.
In order to sign up for “DesignersYou Love,” individuals must complete an online form.The databeing collected includes the mandatory provision of name, email address, payment card information, favorite designers, clothing size, and annual clothing expenditures. After reviewing the form, John grows concerned that the company might be collecting excessive information.
The business intends to use this data for the following purposes:
• To provide subscribers with access to information on the site
• To collect payment and manage subscriptions
• To analyse subscriber use of the site (using browsing history, subscription information and cookies)
• To perform profiling for the purpose of sending relevant offers to customers
The website and the associated database of subscribers will be hosted by a U.S. technology company called HostPro Ltd. Its servers are located in the U.S., but it wishes to use subcontractors who have their own servers.The company intends to use a payment card processor they already have a relationship with to manage subscription payments.

What vendor management process should John invoke first?

A. Conduct a security walkthrough of vendor work sites.
B. Assess the vendors’ ability to protect personal data.
C. Require ongoing monitoring of the vendors’ processes.
D. Review the supplier contract and weigh against vendor performance.

B. Assess the vendors’ ability to protect personal data.

Question 96

Which descriptor best describes the general attitude an organization should exhibit regarding its practices and policies for data protection?

A. security
B. openness
C. adaptation
D. education B. openness

Question 97

According to the Treaty of Lisbon, the majority of EU legislation cannot be adopted without the approval of which two European Institutions?

A. European Council and European Parliament.
B. European Commission and European Parliament.
C. European Parliament and Council of the European Union.
D. European Commission and the Court of Justice of the European Union.

C. European Parliament and Council of the European Union.

Question 98

In addition to GDPR compliance, what benefit does pseudonymizing data offer data controllers?

A. It ensures that it is impossible to re-identify the data.
B. It eliminates the responsibility to report data breaches.
C. It allows for further use of the data for research purposes.
D. It eliminates the need for a policy specifying subject access rights.

C. It allows for further use of the data for research purposes.

Question 99

When would a data subject have the right to require the erasure of his or her data without undue delay?

A. When erasure is in the public interest.
B. When the controller is a public authority.
C. When the processing is carried out by automated means.
D. When the data is no longer necessary for its original purpose.

D. When the data is no longer necessary for its original purpose.

Question 100

When should stakeholders in privacy framework development be identified?

A. after the privacy team has established its agenda
B. during the data inventory
C. during the review of written policies
D. during the business case development process

D. during the business case development process

Question 101

Where should an organization’s procedures for resolving consumer complaints about privacy protection be found?

A. in written policies regarding privacy
B. in the emergency response plan
C. in memoranda from the CEO
D. in the minutes of corporate or organizational board meetings

A. in written policies regarding privacy

Question 102

Who is considered a primary audience for metrics data?

A. chief financial officers
B. information security officers
C. stockholders
D. external regulatory bodies

B. information security officers

Question 103

What does an effective performance measurement indicator do?

A. It stays the same through different business cycles.
B. It insures against data loss.
C. It identifies important corporate resources.
D. It provides data on effectiveness.

D. It provides data on effectiveness.

Question 104

What is one characteristic of an effective metric?

A. set by regulation
B. externally defined
C. measurable
D. changeable

C. measurable

Question 105

What is business resiliency?

A. how quickly a business accomplishes a merger
B. how well a business responds to and adapts after a disaster
C. how successful a business’s auditing process is
D. how well a business rewards and retains its employees

B. how well a business responds to and adapts after a disaster

Question 106

The Privacy Program Operational Life Cycle include the following except:

A. Protecting
B. Operating
C. Sustaining
D. Assessing
E. Responding	

B. Operating

Question 107

Which one is an example of a standard with focus on the technical controls of a system to provide data security.

A. The payment card industry data security standard (PCI DSS)
B. N/A
C. ISO/IEC 27000 series
D. NIST-800

C. ISO/IEC 27000 series

Question 108

The payment card industry data security standard provides twelve security control requirements in six categories that apply to the financial industry. Which one is not includes in Categories?

A. Protect cardholder data
B. Implement strong access control measures
C. Build and maintain a secure network
D. Protect Only the bank data D. Protect Only the bank data
Strategic management of privacy starts by what based on privacy best practices

Question 109

A. Developing and implementing a Privacy Maturity Model
B. Notice all the stockholders
C. Recruiting the Chief Privacy Management
D. creating or updating the organization vision and mission statement a

Question 110

The metric lifecycle contains five stages but does not include:

A. identification
B. definition
C. audit
D. collection and refinement
E. selection	

C. audit

Question 111

In the privacy operational life cycle which one phase provides the data life cycle, information security practices and Privacy by Design principles to “protect” personal information:

A. Sustain
B. Respond
C. Protect
D. Governance
E. Assess	

C. Protect

Question 112

Which term is used to describe a member of the privacy team who may be responsible for privacy program framework development, management and reporting within an organization.

A. Chief Executive Officer
B. first-tiger
C. data protection officer
D. Privacy professional
E. First responders	

D. Privacy professional

Question 113

Which domain provides a solid foundation for the governance of a privacy program and defines how the privacy program may be developed, measured and improved

A. Privacy Program Governance
B. N/A
C. Privacy Program Operational Life Cycle
A. Privacy Program Governance

Question 114

Privacy by design consists of some foundational principles. Which one is not include:

A. Privacy embedded into design
B. Reactive, Not Proactive; Remedial, Not preventative
C. Privacy as the default setting
D. Respect for user privacy

B. Reactive, Not Proactive; Remedial, Not preventative

Question 115

In the Privacy Government the Metrics must be:

A. clearly defined
B. N/A
C. meaningful
D. indicate progress and answer a specific question
E. measurable	

B. N/A

Question 116

In the privacy operational life cycle which one phase include the respond principles of information requests, legal compliance, incident-response planning and incident handling.

A. Respond
B. Governance
C. Protect
D. Assess
E. Sustain	

A. Respond

Question 117

Risk can be tracked based on pre-defined severity categories such as those provided in the:

A. N/A
B. NIST-800
C. The payment card industry data security standard (PCI DSS)
D. ISO/IEC 27000 series

A. N/A

Question 118

About the Data Protection Act of 1998 defines which term give a description of the: A systematic and independent examination to determine whether activities involving the processing of personal data are carried out in accordance with an organization’s data protection policies and procedures.

A. refinement
B. collection
C. identification
D. audits

D. audits

Question 119

Which one ensures the confidentiality, integrity, availability and privacy of data in all forms of media:

A. incident management
B. Digital forensics
C. Data security
D. Physical / environmental security

C. Data security

Question 120

According to IAPP which is not a main type of governance model?

A. Centralized
B. Hybrid
C. National
D. Distributed

C. National

Question 121

During the Data Inventory, which Element map for the Purpose “How is the information being used?”

A. The volume of information in this repository
B. Location of the repository
C. The format of the information
D. The use of the information

A. The volume of information in this repository

Question 122

Which term is the main focus on social networking and the new internet web cookie policy:

A. Enterprise Privacy Authorization Language (EPAL)
B. eGov 2.0
C. Platform for Privacy Preferences (P3P)

B. eGov 2.0

Question 123

Which maturity levels regular review and feedback are used to ensure continuous improvement towards optimization of the given process

A. Managed
B. Optimized 
C. Alliance
D. Repeatable
E. Defined
F. Ad hoc

Answer 123

B. Optimized

Question 124

As with all life cycle models, which phase is the entry point or exit point to privacy program operational management.

A. The protect phase
B. The sustain phase
C. The assess phase
D. no entry or no exit point but instead a continuous cycle
E. The respond phase	

C. The assess phase

Question 125

Companies use a code of practice by a group of companies as industry bodies, this Privacy Protect Model May be:

A. Self-Regulated Model
B. Comprehensive Laws
C. Sectoral
D. Co-Regulatory Model

A. Self-Regulated Model

Question 126

Examples of existing privacy enhancing technologies are:

A. N/A
B. Communication anonymizers
C. Enhanced privacy ID (EPID)
D. Access to personal data
E. Shared bogus online accounts	

A. N/A

Question 127

According to Asia-Pacific Economic Cooperation (APEC), which term is an important tool in encouraging the development of appropriate information privacy protections and ensuring the free flow of information

A. Incident Planning
B. privacy mission statements
C. Privacy framework
D. Privacy by Design

C. Privacy framework

Question 128

Which maturity levels reviews are conducted to assess the effectiveness of the controls in place

A. Optimized
B. Ad hoc
C. Alliance
D. Managed
E. Defined
F. Repeatable

Answer 128

D. Managed

Question 129

Which term is an implementation roadmap that provides the structure or checklists (documented privacy procedures and processes) to guide the privacy professional through privacy management and prompts them for the details to determine all privacy-relevant decisions for the organization.

A. Incident Planning
B. Privacy program framework
C. Privacy by Design
D. privacy mission statements B. Privacy program framework

Question 130

In the Privacy Filed the term PETS stand for:

A. Privacy-enhancing technologies (PETs) A. Privacy-enhancing technologies (PETs)

Question 131

Enactment of laws that specifically address a particular industry sector, this Privacy Protect Model may be:

A. Sectoral Laws
B. Self-Regulated Model
C. Co-Regulatory Model
D. Comprehensive Laws A. Sectoral Laws

Question 132

Advantages of using external auditors include:

A. Lending credibility to internal audit program
B. Learning curve about the organization
C. Identifying weakness of internal controls
D. Providing a level of unbiased, expert recommendations A. Lending credibility to internal audit program

Question 133

Auditing Privacy include five phase approach except:

A. Rebuild 
B. Conduct Audit
C. Audit Planning
D. Follow-up
E. Audit Preparation	
A. Rebuild

Question 134

Set up a dedicated e-mail address for all privacy enquiries, both internal and external, which the privacy team can monitoring of contact

A. N/A
B. I know it B. I know it

Question 135

Govern the collection, use and dissemination in public and private sectors with an official oversight enforcement agency, this Privacy Protect Model may be:

A. Self-Regulated Model
B. Sectoral Laws
C. Co-Regulatory Model
D. Comprehensive Laws	
D. Comprehensive Laws

Question 136

The PMM uses five maturity levels below except:

A. Managed
B. Optimized
C. Ad hoc
D. Repeatable
E. Defined
F. Alliance

Answer 136

F. Alliance

Question 137

The Online Privacy Alliance (OPA), TRUSTe, BBBOnline, and WebTrust are examples of the following type of model

A. Self-Regulated Model
B. Comprehensive Laws
C. Sectoral Laws
D. Co-Regulatory Model A. Self-Regulated Model

Question 138

As an example, a well-known self-certification program is the

A. U.S.-EU Safe Harbor Framework A. U.S.-EU Safe Harbor Framework

Question 139

A privacy __________ is generally an internal document that is addressed to employees. It clearly states how personal information is going to be handled.

A. N/A
B. policy
C. notice B. policy

Question 140

During the Data Inventory, which Element map for the Purpose “In which country/countries is the data stored?”

A. The format of the information
B. The use of the information
C. Where the data is stored
D. The volume of information in this repository	
C. Where the data is stored

Question 141

A __________ is generally an external communication of the privacy policies to the customers about how their personal data is being handled.

A. policy
B. notice
C. N/A
B. notice

Question 142

Which phase of the Privacy Operational Life Cycle model provides the framework for the privacy professional to evaluate the current processes, procedures, management, and practices for privacy management in the organization and apply best practices to them.

A. The assess phase
B. The respond phase
C. The sustain phase
D. The protect phase A. The assess phase

Question 143

Which the following is the standardized term that refers to specific methods that act in accordance with the laws of data protection, it allow online users to protect the privacy of their personally identifiable information (PII) provided to and handled by services or applications

A. Privacy-Enhancing Technologies (PET) A. Privacy-Enhancing Technologies (PET)
Privacy Metrics are sometimes used poorly or improperly or contain faulty assumptions. The privacy professional must guard against:

A. Selective Use
B. Massaging the Numbers
C. SMART Methodology
D. Faulty Assumptions C. SMART Methodology

Question 144

Notification of a data breach to individuals is

A. always desirable
B. N/A
C. not always desirable C. not always desirable

Question 145

This privacy operational life cycle ensures the the organization is prepared to assess, protect, sustain and respond within the context of the ever-changing privacy demands of the world.

A. privacy operational life cycle A. privacy operational life cycle

Question 146

Which maturity levels procedures or processes are generally informal, incomplete and inconsistently applied

A. Alliance
B. Ad hoc
C. Managed
D. Defined
E. Optimized
F. Repeatable

Answer 146

B. Ad hoc

Question 147

The Certified Information Privacy Manager (CIPM) program, expands the privacy professional’s knowledge to include the __________ of privacy.

A. “how”
B. “what”
C. N/A A. “how”

Question 148

Disadvantages of using external auditors include

A. providing a level of unbiased, expert recommendations
B. Learning curve about the organization
C. Confidentiality
D. Cost budget
E. Time or schedule A. providing a level of unbiased, expert recommendations

Question 149

During the Data Inventory, which Element map for the Purpose “how much data is actually in the repository?”

A. The format of the information
B. Location of the repository
C. The use of the information
D. The volume of information in this repository The volume of information in this repository

Question 150

Will assist the privacy professional with best practices in generic terms to identify, define, select, collect and analyze metrics specific to privacy

A. Incident Planning
B. Performance Measurement
C. Develop and Implement a Framework
D. Strategy Management

B. Performance Measurement

Question 151

The Metric Life Cycle which one sometimes takes the most time of all five steps due the large amount of data collected on automated systems;

A. select privacy metrics
B. Define Reporting Resources
C. analyze the data
D. Identify the Intended Audience

C. analyze the data

Question 152

Is a machine-readable language that helps to express a website’s data management practices in an automated fashion.

A. Liberty Alliance and SAML
B. Enterprise Privacy Authorization Language (EPAL)
C. Extensible Access Control Markup Language (XACML)
D. Platform for Privacy Preferences (P3P)

D. Platform for Privacy Preferences (P3P)

Question 153

According to IAPP, A privacy mission statement describes the purpose and ideas in just a few sentences. It should be read in less than:

A. 30 seconds
B. 30 minutes
C. 30 words
D. N/A

A. 30 seconds

Question 154

Which one is a policy-based approach to managing the flow of information through a life cycle from creation to final disposition?

A. Data life cycle management (DLM)
B. Privacy Maturity Model (PMM)
C. Data leakage prevention (DLP)
D. Privacy Impact Assessment (PIA)

A. Data life cycle management (DLM)

Question 155

Which term provide an automated means for organizations to identify, document and manage their existing risks and controls.

A. Protect
B. Sustain
C. notice
D. Dashboards

D. Dashboards

Question 156

Privacy Program Governance include but except:

A. Strategic management
B. Developing and implementing a Privacy Maturity Model
C. Performance measurement
D. Developing and implementing a framework

D. Developing and implementing a framework

Question 157

Websites collecting information from Children under the age of thirteen are required to comply with:

A. the Gramm-Leach-Biley Act (GLBA)
B. the Health Insurance Portability and Accountability Act of 1996
C. Children’s Online Privacy Protection Act (COPPA)
D. the Payment Card Industry Data Security Standard

C. Children’s Online Privacy Protection Act (COPPA)

Question 158

Which one is the starting point for assessing the needs of the privacy organization.

A. review and monitor
B. gap analysis
C. communicate the framework
D. business case

D. business case

Question 159

There are many Privacy Frameworks. Examples include but except:

A. PCI DSS
B. The Organisation for Economic Co-operation and Development (OECD) Privacy Guidelines
C. Privacy by Design
D. The APEC Privacy Framework

A. PCI DSS

Question 160

Which maturity levels assures Procedures and processes are fully documented and implemented and cover all relevant aspects

A. Ad hoc
B. Managed
C. Optimized
D. Defined
E. Alliance
F. Repeatable

Answer 160

D. Defined

Question 161

The following may be a

A. privacy vision and privacy mission statements
B. Chief Financial Officer’s job
C. Incident Public Notice
D. Roadmap of information security

A. privacy vision and privacy mission statements

Question 162

Privacy ROI defines metrics by:

A. ROI = (Costs - Benefits)/Costs
B. ROI = (Benefits + Costs)/Benefits
C. ROI = (Benefits - Costs)/Costs
D. ROI = (Benefits + Costs)/Costs

C. ROI = (Benefits - Costs)/Costs

Question 163

Which term is Define privacy technology standards developed solely to be used for the transmission, storage and use of privacy data

Privacy-enhancing technologies (PETs) A. Privacy-enhancing technologies (PETs)

Question 164

Which privacy model can be more easily integrated in organizations that utilize single-channel functions with planning and decision making occurring centrally

A. hybrid model
B. Local or Decentralized model
C. centralized model

C. centralized model

Question 165

When we talk about select privacy metrics use the SMART methodology. Every letter in the SMART includes all of the below except:

A. Specific and/or simple
B. Manageable
C. Auditability
D. Timely
E. Relevant/results-oriented	

C. Auditability

Question 166

In the privacy operational life cycle which one phase provides privacy management through the monitoring, auditing and communication aspects of the management framework

A. Protect
B. Governance
C. Sustain
D. Respond
E. Assess	

C. Sustain

Question 167

Which privacy model shows fewer tiers in the organizational structure, wider span of control, and a bottom-to-top flow of decision making and flow of ideas.

A. N/A
B. hybrid model
C. centralized model
D. Local or Decentralized model

D. Local or Decentralized model