Dump Flashcards
One of the goals that is NOT a Privacy Program Manager role is to?
A. To identify their supply chain’s privacy risks.
B. To identify their organizations, employees, and patient’s risks.
C. To identify current state of policies, procedures, and any supporting documentation.
D. Promote consumer trust.
A. To identify their supply chain’s privacy risks.
The PPM’s goal is not to identify their supply chain’s privacy risks.
That would be a part of the Vendor Management program. Answers B and C are goals of the PPM. Answer D is a goal of the Privacy Program, which, ultimately, is an implied goal of the PPM. The best correct answer is A.
Which of the following is NOT a reason organizations are becoming compliant with global privacy regulations?
A. Brand Name Protection
B. Reputation Protection
C. GDPR
D. U.S. Federal Privacy Law
D. U.S. Federal Privacy Law
The U.S. has yet to pass and implement a federal privacy law. Individual sectors within the U.S. are covered by federal laws that implicate data privacy protections; however, there is no U.S.-wide federal privacy law to date.
Privacy program managers are charged with the protection and appropriate use of?
A. Private Information
B. Personal Information
C. Public Information
D. Social Information
B. Personal Information
The term Private Information is rarely utilized, while Personal Information (PI) and Personally Identifiable Information (PII) are predominantly used. PPMs are not responsible for protecting either public information or social information. Do not read into the questions. Focus on the question as it is posed. If you imply or apply additional thoughts to the question, you may overthink the question and choose the incorrect answer.
Which of the following groups are NOT a priority group for the development of your privacy policies and procedures within your organization?
A. Human Resources
B. Legal
C. Business Development
D. External Audit
D. External Audit
An internal audit group would be a part of your priority group. All of the other groups are departments you should include.
The privacy vision should align with?
A. Consumer Objectives
B. Business Objectives
C. Vendor Objectives
D. Contract Objectives
B. Business Objectives
Your organization is implementing a new process that may collect consumers’ information. The process is complete and ready for a final review before being launched into production. During the review, it is determined that the new process lacks the ability to audit the privacy controls for regulatory compliance. What was not included in the design?
A. Proactive
B. Embedded privacy controls
C. Respect for users
D. Privacy by Design
D. Privacy by Design
Upon request, a detailed record of processing must be shared with the?
A. Data Protection Officer
B. Data Protection Authority
C. Chief Information Officer
D. Chief Information Security Officer
B. Data Protection Authority
Upon the request of the DPA, your organization must share the detailed record of processing with them. The other answers are also correct, however, the best, right answer is B. You will have questions like this on the exam.
Your medical staff has access to all EMRs. Each staff member is trained frequently on proper handling, access, and protection of sensitive data. If one of your medical practitioners is unable to access an EMR, and is authorized to access it, which basic security principle has been applied?
A. Role-Based Access
B. Segregation of duties
C. Least privilege
D. Need-to-know access
B. Segregation of duties
Separation of duties is the concept of having more than one person required to complete a task. It is an administrative control used by organisations to prevent fraud, sabotage, theft, misuse of information, and other security compromises.
While your organization is assessing a potential vendor, one statement within the vendor policy may require a review of?
A. Privacy Policy
B. Vendor Management
C. Location of data
D. Employees
C. Location of data
The vendor policy may stipulate that the procuring organization evaluate its processes for risk assessment, its risk profile, and categories of vendors based on risk. This may include evaluating the vendor’s internal policies; affiliations and memberships with other organizations; mandatory and nonmandatory certifications; location of data servers; and data storage, use, and transport.
Your organization has secured funding for a new privacy training initiative. Which of the following may NOT be one of the training methods you would implement?
A. Classroom
B. Online
C. Workshops
D. Testing
D. Testing
Training may be delivered through dedicated classroom, instructor-led courses or online platforms.
“Once breach preparedness is integrated into the BCP, or if the company decides to have a standalone incident response plan, incident response training will likely be required. This training may take many forms, including workshops, seminars and online videos, but often includes tabletop exercises, a strategic mainstay of corporate trainers and business continuity planners.”
The CFO and CHR of a healthcare organization are looking to you, the privacy program manager, to provide them with a performance measurement of the privacy program. Which of the following would you NOT utilize in creating that?
A. Tracking
B. Identifying
C. Defining
D. Analyzing
A. Tracking
Who needs to appreciate the benefits and risks associated with the collection and use of personal information?
A. Privacy
B. Privacy Professional
C. Privacy Program Manager
D. Privacy Officer
B. Privacy Professional
A California, U.S. based organization receives its first subject access request (SAR). The privacy program manager is alerted to receipt of the request in a timely fashion. What will the program manager reference, that was developed in the establishment of the privacy program, that will assist in determining where the SAR’s information resides?
A. Data Classification Policy
B. Privacy Program Scope
C. Regulatory Map
D. Data Inventory
D. Data Inventory
The GDPR, the CCPA, GLBA and other privacy regulatory laws have different terminology and requirements as it relates to “reasonable security procedures and practices.” The wording “adequate” or “appropriate technical and organizational measures” is the “security principle.” Where might you NOT reference for these types of controls and standards?
A. Internet Security’s Critical Security Controls
B. ISO/IEC 27002
C. NIST SP 800-53rev4
D. ISO/IEC 27006
D. ISO/IEC 27006
The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.
This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation.
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization’s information security risk environment(s).
ISO/IEC 27006 is an information security standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). … ISO/IEC 27006 lays out formal requirements for accredited organizations which certify other organizations compliant with ISO/IEC 27001
An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Departments are following and adhering to processes and procedures for most functions. What level of maturity is the organization at?
A. Repeatable
B. Defined
C. Ad Hoc
D. Managed
B. Defined
An organization’s privacy program maturity level is based on how established the program is functioning in multiple areas. Generally, if your privacy program has recently been created where you are still evaluating and inventorying what the organization has and does not have in place for policies, processes and procedures, the privacy program maturity level is at this stage?
A. Repeatable
B. Defined
C. Ad Hoc
D. Managed
C. Ad Hoc
Key stakeholders make decisions pertaining to the record of your organization’s privacy program. These decisions serve as the privacy program’s?
A. Governance
B. Risk Assessment
C. Due Care
D. Due Diligence
D. Due Diligence
“Such documentation also helps support accountability requirements of the GDPR and serves as the privacy program’s due diligence in terms of which functions and individuals should be held accountable for privacy compliance.”
Your customers’ information, and their rights to control what is collected, who collects it, and where it is shared, are privacy rights. What overlap is there with information security that relates to accuracy of information?
A. Availability
B. Confidentiality
C. Integrity
D. Accountability
C. Integrity
In the world of information security, integrity refers to the accuracy and completeness of data.
As privacy laws and regulations continue to expand and change, complying with and monitoring those changes is critical for the organization’s privacy program success. What is one solution that provides organizations with updated changes, and with monitoring and auditing of the performance of their processes and procedures?
A. Internal Audit
B. Second-party Audit
C. Third-party Audit
D. Third-party Privacy Compliance Platform and Tools
D. Third-party Privacy Compliance Platform and Tools
Prior to a new service or system being implemented, this type of action is required to be conducted?
A. Data Privacy Impact Assessment
B. Privacy Impact Assessment
C. Privacy Assessment
D. Risk Assessment
B. Privacy Impact Assessment
Your organization has been alerted to a data breach within one of your vendors. During the DPA investigation, procurement has been summoned for questioning. What may be the topic of discussion?
A. Communications Language
B. Processor responsibilities
C. GDPR Compliance
D. Internal audit results
B. Processor responsibilities
Your organization is capturing and documenting where and what information is flowing, both internally and externally. What is this type of exercise?
A. Regulatory Map
B. Legal Map
C. Data Inventory Map
D. Data Map
C. Data Inventory Map
Answers A and B are to determine regulatory and legal requirements that your organization is accountable to and for. Answer D is the process of matching fields from one database to another.
Your organization is conducting processor assessments. Which privacy domain houses this action item?
A. Measure
B. Improve
C. Evaluate
D. Support
A. Measure
Domains are: (A) Assess - Measure, (B) Protect - Improve, (C) Sustain - Evaluate or (D) Respond - Support.
HR is reviewing candidates’ resumes and background information based on an open job posting. What is one risk area that you, as the Privacy Program Manager, should work with Legal and HR on, as it relates to the background information gathered?
A. Data Retention
B. Data Policies
C. Information
D. Training
A. Data Retention
Data retention applies not only at the controller’s location, but also within the contract with the processor who is obtaining the background information. The controller must be explicit about what the processor will do with the information gathered on the individual once a decision has been executed on hiring or not hiring the candidate. Based on that decision, both the controller and processor must retain and then destroy the data that is no longer required for any business reason.