As cybersecurity and privacy become ever more important to the long-term viability and sustainability of enterprises in all sectors, employers and professionals are increasingly turning to IAPP’s trusted and recognized Certified Information Privacy Manager qualification as a tried-and-tested indicator of information privacy management expertise.
In IAPP CIPM Certified Information Privacy Manager Study Guide, a team of dedicated IT and privacy management professionals delivers an intuitive roadmap to preparing for the CIPM certification exam and for a new career in the field of information privacy. Make use of pre-assessments, the Exam Essentials feature, and chapter review questions with detailed explanations to gauge your progress and determine where you’re proficient and where you need more practice.
In the book, you’ll find coverage of every domain tested on the CIPM exam and those required to succeed in your first - or your next - role in a privacy-related position. You’ll learn to develop a privacy program and framework, as well as manage the full privacy program operational lifecycle, from assessing your organization’s needs to responding to threats and queries.
The book also includes:
- A head-start to obtaining an in-demand certification used across the information privacy industry
- Access to essential information required to qualify for exciting new career opportunities for those with a CIPM credential
- Access to the online Sybex learning environment, complete with two additional practice tests, chapter review questions, an online glossary, and hundreds of electronic flashcards for efficient studying
An essential blueprint for success on the CIPM certification exam, IAPP CIPM Certified Information Privacy Manager Study Guide will also ensure you hit the ground running on your first day at a new information privacy-related job.
Table of Contents
Introduction xvii
Assessment Test xxvii
Chapter 1 Developing a Privacy Program 1
Introduction to Privacy 3
What Is Privacy? 4
What Is Personal Information? 5
What Isn’t Personal Information? 5
Why Should We Care about Privacy? 8
Generally Accepted Privacy Principles 9
Management 10
Notice 11
Choice and Consent 11
Collection 12
Use, Retention, and Disposal 12
Access 13
Disclosure to Third Parties 14
Security for Privacy 14
Quality 15
Monitoring and Enforcement 16
Developing a Privacy Program 16
Crafting Vision, Strategy, Goals, and Objectives 17
Structuring the Privacy Team 20
Creating a Program Scope and Charter 22
Privacy Roles 25
Building Inventories 25
Conducting a Privacy Assessment 26
Implementing Privacy Controls 27
Ongoing Operation and Monitoring 27
Data Governance 28
Data Governance Approaches 28
Data Governance Roles 29
Access Requirements 29
Governing Information Processing 31
Managing the Privacy Budget 31
Organizational Budgeting 32
Expense Types 32
Budget Monitoring 33
Communicating about Privacy 34
Creating Awareness 34
Building a Communications Plan 35
Privacy Program Operational Life Cycle 36
Summary 36
Exam Essentials 37
Review Questions 38
Chapter 2 Privacy Program Framework 43
Develop the Privacy Program Framework 44
Examples of Privacy Frameworks 44
Develop Privacy Policies, Procedures, Standards, and Guidelines 51
Define Privacy Program Activities 52
Implement the Privacy Program Framework 57
Communicate the Framework 57
Aligning with Applicable Laws and Regulations 58
Develop Appropriate Metrics 78
Identify Intended Audience for Metrics 79
Define Privacy Metrics for Oversight and Governance per Audience 80
Summary 83
Exam Essentials 84
Review Questions 86
Chapter 3 Privacy Operational Life Cycle: Assess 91
Document Your Privacy Program Baseline 93
Education and Awareness 94
Monitoring and Responding to the Regulatory Environment 94
Assess Policy Compliance against Internal and External Requirements 94
Data, Systems, and Process Assessment 95
Risk Assessment Methods 96
Incident Management, Response, and Remediation 97
Perform Gap Analysis against an Accepted Standard or Law 97
Program Assurance 97
Processors and Third-Party Vendor Assessment 98
Evaluate Processors and Third-Party Vendors 99
Understand Sources of Information 99
Risk Assessment 100
Contractual Requirements and Ongoing Monitoring 102
Physical Assessments 102
Mergers, Acquisitions, and Divestitures 103
Privacy Assessments and Documentation 105
Privacy Threshold Analyses (PTAs) 105
Define a Process for Conducting Privacy Assessments 105
Summary 108
Exam Essentials 108
Review Questions 110
Chapter 4 Privacy Operational Life Cycle: Protect 115
Privacy and Cybersecurity 117
Cybersecurity Goals 117
Relationship between Privacy and Cybersecurity 118
Cybersecurity Controls 119
Security Control Categories 120
Security Control Types 120
Data Protection 121
Data Encryption 121
Data Loss Prevention 122
Data Minimization 123
Backups 124
Policy Framework 125
Cybersecurity Policies 126
Cybersecurity Standards 128
Cybersecurity Procedures 129
Cybersecurity Guidelines 130
Exceptions and Compensating Controls 131
Developing Policies 133
Identity and Access Management 133
Least Privilege 134
Identification, Authentication, and Authorization 134
Authentication Techniques 135
Provisioning and Deprovisioning 137
Account and Privilege Management 138
Privacy by Design 139
Privacy and the SDLC 140
System Development Phases 141
System Development Models 142
Integrating Privacy with Business Processes 146
Vulnerability Management 146
Vulnerability Scanning 147
Vulnerability Remediation 147
Data Policies 149
Data Sharing 149
Data Retention 149
Data Destruction 150
Summary 151
Exam Essentials 151
Review Questions 153
Chapter 5 Privacy Operational Life Cycle: Sustain 157
Monitor 158
Monitoring the Environment 159
Monitor Compliance with Privacy Policies 160
Monitor Regulatory Changes 160
Compliance Monitoring 161
Audit 162
Aligning with Audits 163
Audit Focus 164
Summary 167
Exam Essentials 168
Review Questions 170
Chapter 6 Privacy Operational Life Cycle: Respond 175
Data Subject Rights 176
Access 177
Managing Data Integrity 178
Right of Erasure 178
Right to Be Informed 180
Control over Use 180
Complaints 181
Handling Information Requests 181
Incident Response Planning 182
Stakeholder Identification 182
Building an Incident Oversight Team 183
Building the Incident Response Plan 184
Integrating the Plan with Other Functions 187
Incident Detection 187
Security and Privacy Incidents 187
Security Events and Incidents 188
Privacy Incidents 188
Reporting Privacy Incidents 189
Coordination and Information Sharing 190
Internal Communications 191
External Communications 191
Breach Notification 192
Incident Handling 192
Risk Assessment 193
Containment Activities 193
Remediation Measures 194
Ongoing Communications 195
Post-Incident Activity 196
Planning for Business Continuity 198
Project Scope and Planning 200
Business Impact Analysis 204
Continuity Planning 211
Plan Approval and Implementation 213
Summary 218
Exam Essentials 219
Review Questions 221
Appendix Answers to Review Questions 225
Chapter 1: Developing a Privacy Program 226
Chapter 2: Privacy Program Framework 228
Chapter 3: Privacy Operational Life Cycle: Assess 229
Chapter 4: Privacy Operational Life Cycle: Protect 231
Chapter 5: Privacy Operational Life Cycle: Sustain 233
Chapter 6: Privacy Operational Life Cycle: Respond 235
Index 239