
CIPM Exam Flashcards


What are the 5 phases of a privacy program audit?
ANS: Planning, Preparation, Audit, Report, Follow-up (PPARF)

What happens during the audit planning phase of PPARF?
ANS: Risk assessment, schedule, selecting the auditor, pre-audit questionnaire, preparatory meeting/visit and checklist

What happens during the audit preparation phase of PPARF?
ANS: Confirm the schedule, confirm and prepare checklists, sampling criteria and the audit plan

What happens during the audit phase of PPARF?
ANS: Meeting and audit execution

What happens during the report phase of PPARF?
ANS: Noncompliance records and categories (major/minor), audit report, closing meeting and distribution

What happens during the follow-up phase of PPARF?
ANS: Confirm scope, schedule, methodology and closure

What are the three types of privacy governance models? (Privacy governance may be "___, ___, or ___.")
ANS: Centralized, Localized, or Hybrid

When creating your privacy office governance model, you should consider what 4 factors?
ANS: 1. The existing organisational structure; 2. the position and authority of the privacy team; 3. the involvement level of senior leadership and internal stakeholders; 4. the development of internal partnerships.

What are the advantages/disadvantages of the hybrid governance model?
ANS: Advantage: the resources of a larger centralized organisation. Disadvantage: decentralized decision making provides less big-picture vision.

What are the 5 maturity levels of the GAPP Privacy Maturity Model?
ANS: 1. Ad Hoc; 2. Repeatable; 3. Defined; 4. Managed; 5. Optimized (ARDMO)

What are the 5 mechanisms that allow organisations to transfer data across borders? (There is something else you must also have.)
ANS: 1. Adequacy Decisions; 2. Ad Hoc Contracts; 3. Standard Contractual Clauses; 4. Binding Corporate Rules; 5. Codes of Conduct/Self-Certification Mechanisms. (You must also have a legal basis for processing the data in addition to any of these prior to transfer.)

What are the 5 useful stages of the effective policy lifecycle?
ANS: 1. Draft practical policies, working with legal, so that policies are aligned and consistent; 2. get approval from decision makers/stakeholders; 3. disseminate to all employees; 4. train on and enforce the policies; 5. review and revise the policies (for example after a breach or incident, or a merger).

Describe the 5 GAPP program maturity levels in order.
ANS: 1. Ad Hoc: processes and procedures are informal, incomplete and inconsistently applied. 2. Repeatable: processes and procedures exist but are not fully complete and do not cover all relevant aspects. 3. Defined: processes and procedures are fully documented, implemented and cover all relevant aspects. 4. Managed: reviews are conducted to assess the effectiveness of the controls in place. 5. Optimized: regular reviews and feedback are used to ensure continual improvement toward optimisation of a given process.

Describe Adequacy Decisions.
ANS: "Adequacy" means that one country (or jurisdiction, such as the EU) has deemed another country's data protection laws "adequate" to safeguard its own data.

Describe Ad Hoc Contracts.
ANS: Ad hoc contractual clauses may also be used for GDPR compliance, although they must receive prior supervisory authority approval and are therefore a potentially less attractive option for controllers.

Describe Standard Contractual Clauses.
ANS: A standard contractual clause (language written into a contract) may be a way for organisations to facilitate cross-border transfers (these have been challenged before the CJEU).

Describe Binding Corporate Rules and the 5 things they must include.
ANS: Under the GDPR, BCRs require approval from a supervisory authority. At a minimum, BCRs must include: 1. the structure and contact details for the concerned group; 2. information about the data and transfer processes; 3. how the rules apply to general data protection principles; 4. complaint procedures; 5. compliance mechanisms.

Describe Codes of Conduct/Self-Certification Mechanisms.
ANS: Under the GDPR, codes of conduct resemble the self-regulatory programs used elsewhere to demonstrate to regulators and consumers that a company adheres to certain information privacy standards. (Like codes of conduct, certification is available to controllers and processors outside the EU, provided they demonstrate, by contractual or other legally binding instruments, their willingness to adhere to the mandated data protection safeguards.)

What differentiates the 3 levels of metric audiences for a privacy program?
ANS: The level of interest, influence, ownership and responsibility for privacy within the business objectives. (For example, within a U.S. healthcare organisation, a metrics audience may include a HIPAA privacy officer, a medical interdisciplinary readiness team (MIRT), senior executive staff and the covered entity workforce.)

What kinds of roles typically fill the primary metric audience for a privacy program?
ANS: Legal and privacy officers, senior leadership, and the chief information officer (CIO)

Document information

Uploaded: Oct 05, 2022
Number of pages: 46
Seller: Nutmegs
Published on Scholarfriends.com (a platform operated by Browsegrades Inc.)