CIPM Study Guide / Revised Questions and Answers / Sure A+
A good place to start building an awareness program internally is through: - Interdepartmental
cooperation working toward the shared goal of privacy protection. Discuss how different groups can
work together to reinforce the privacy message with the workforce, creating an even greater awareness
of your privacy program.
A good question about communication to ask regularly is: - How effectively are we communicating
the expectations of our privacy program to the workforce - everyone who is using the data?
A key step in incident preparation is: - The formal creation of an incident response plan. To create
the plan, the drafting team will need to gather a vast amount of information and then use the
information they have gathered to develop processes and procedures. This team should be led by the
privacy office and the legal department and include help from IT, communications, HR, and senior
management. The exact stakeholders will vary by organization.
A layered approach to privacy notices provides a high-level summary of the various sections of the
privacy notice and allows the users to read more about that section by clicking a link to that section or
scrolling below. Such an approach has been endorsed by: - Both the FTC and the EU's Article 29
Working Party (WP29), now the European Data Protection Board (EDPB)
A list of tips to help manage expectations and communicate with executives: (1 of 2) - Manage
executive leaders' expectations by establishing the frequency of updates/communications
Determine what is appropriate for the situation and communicate when/if the frequency needs to
change
Hold a kickoff meeting to present the team with the known facts and circumstances
Provide senior executives with an overview of the event and of the team's expected course of action
Engage remediation providers to reduce consumers' risk of fraud or identity theft
A list of tips to help manage expectations and communicate with executives: (2 of 2) - Convene
with individual stakeholders to discuss lawsuits, media inquiries, regulatory concerns, and other pressing
developments
Keep individual response-team members on track to meet their performance objectives and timelines
Track budget adherence for all response activities
Contact outside incident response resources to confirm engagement and monitor performance
Prepare a final analysis of the response effort and lead the post-event evaluation
A relatively new type of insurance coverage, called cyber-liability insurance, may cover many
breach-related expenses, including: - Forensic investigations; Outside counsel fees; Crisis management
services; PR experts; Breach notification; Call center costs; Credit monitoring; Fraud resolution services
A roadmap or crosswalk of the organization's privacy requirements is as simple or complex as the
organization desires. For some, a simple spreadsheet with tabs for applicable law, audit protocol, and
specific contract language is sufficient. For overlap in global laws and regulations, note the similarities
regarding notice, choice and consent, purpose limitation, individual rights, data retention limits, and data
transfers.
A typical approach to identifying the scope of the privacy program includes the following two steps: -
Identify the personal information collected and processed.
Identify in-scope privacy and data protection laws and regulations.
Acceptable Use Policies (AUPs) consider the following: - Others' privacy; Legal protections (e.g.,
copyright); Integrity of computer systems (e.g., anti-hacking rules); Ethics; Laws and regulations; Others'
network access; Routing patterns; Unsolicited advertising and intrusive communications; User
responsibilities for damages; Security and proprietary information; Virus, malware protection, and
malicious programs; Safeguards (e.g., scanning, port scanning, monitoring) against security breaches or
disruptions of network communications.
Acceptable Use Policy (AUP): - Stipulates rules and constraints for people within and outside the
organization who access the organization's network or internet connection. It outlines acceptable and
unacceptable use of the network or internet connections to which the user agrees either in written or
electronic form. Violation typically leads to loss of use and/or punitive action either by the organization
or by law enforcement if necessary. People affected include employees, students, guests, contractors,
and vendors.
According to controls' nature: - Physical controls
Administrative or policy controls
Technical controls
Accountability: - Accountable organizations have the proper policies and procedures to promote
proper handling of personal information and, generally, can demonstrate they have the capacity to
comply with applicable privacy laws. They promote trust and confidence and make all parties aware of
the importance of proper handling of personal information.
The idea is that, when organizations collect and process information about people, they must be
responsible for it. They need to take ownership and take care of it throughout the data lifecycle. By doing
so, the organization can be held accountable.
Accountability as defined by laws can actually benefit organizations because, although it may impose
obligations to take ownership and to explain how the organization is compliant, in exchange, it can give
organizations a degree of flexibility about exactly how they will comply with their obligations.
Actions an organization can take to develop a data retention policy include: - Determine what data
is currently being retained, how, and where
Work with legal to determine applicable legal data retention requirements
Brainstorm scenarios that would require data retention
Estimate business impacts of retaining versus destroying the data
Work with IT to develop and implement a policy
Additionally, information security includes the concepts of: - Accountability and assurance.
Accountability - entity ownership is traceable
Assurance - all other four objectives are met
After a breach is made known, which task should a company accomplish first: coordinate with other
affected companies to limit the damage, or determine whether notification is legally required. -
Determine whether notification is legally required. Notification is the process of informing
affected individuals that their personal data has been breached. Many statutes prescribe specific time
frames for providing notification - either to impacted individuals and/or relevant regulators. The legal
requirements change regularly. For planning purposes, however, it is enough to know that when
investigating an incident, time is of the essence. Timing is even more critical once the incident has been
confirmed to be a breach. An organization's privacy professionals, and those charged with incident
response planning and notification, should be intimately familiar with the prevailing notification
requirements and guidelines and should work with qualified legal counsel to assist in making the legal
determinations about the need to give notice.
After establishing a privacy mission statement and vision, you'll need to: - Define the scope of the
privacy program. Every organization has its own unique legal and regulatory compliance obligations, and
you'll need to identify the specific privacy and data protection laws and regulations that apply to it.
Age threshold in other jurisdictions: - GDPR - 16 years old, but allows individual countries to set
the age threshold between 13 and 16 years old.
CCPA - requires organizations to obtain parental or legal guardian consent for children under the age of
13 years old and the affirmative consent of children between 13 and 16 years of age prior to engaging in
data selling.
All the following are factors in determining whether an organization can craft a common solution to the
privacy requirements of multiple jurisdictions EXCEPT:
Effective date of most restrictive law.
Implementation Complexity.
Legal regulations.
Costs. - Effective date of most restrictive law. Building a privacy strategy may mean changing the
mindset and perspective of an entire organization. Everyone in an organization has a role to play in
protecting the personal information an organization collects, uses, and discloses. Management needs to
approve funding to resource and equip the privacy team, fund important privacy-enhancing resources
and technologies, support privacy initiatives such as training and awareness, and hold employees
accountable for following privacy policies and procedures. Sales personnel must secure business contact
data and respect the choices of these individuals. Developers and engineers must incorporate effective
security controls, build safe websites, and create solutions that require the collection or use of only the
data necessary to accomplish the purpose.
Although policy formats will differ from organization to organization, a privacy policy should include the
following components: - Purpose; Scope; Risk and responsibilities; Compliance (General
organization compliance; The ability to apply penalties and disciplinary actions, and; Understanding of
the penalties for noncompliance)