
IAPP CIPM Certified Information Privacy Manager Study Guide
Description
As cybersecurity and privacy become ever more important to the long-term viability and sustainability of enterprises in all sectors, employers and professionals are increasingly turning to IAPP's trusted and recognized Certified Information Privacy Manager qualification as a tried-and-tested indicator of information privacy management expertise.
In IAPP CIPM Certified Information Privacy Manager Study Guide, a team of dedicated IT and privacy management professionals delivers an intuitive roadmap to preparing for the CIPM certification exam and for a new career in the field of information privacy. Make use of pre-assessments, the Exam Essentials feature, and chapter review questions with detailed explanations to gauge your progress and determine where you're proficient and where you need more practice.
In the book, you'll find coverage of every domain tested on the CIPM exam and those required to succeed in your first (or your next) role in a privacy-related position. You'll learn to develop a privacy program and framework, as well as manage the full privacy program operational lifecycle, from assessing your organization's needs to responding to threats and queries.
The book also includes:
* A head-start to obtaining an in-demand certification used across the information privacy industry
* Access to essential information required to qualify for exciting new career opportunities for those with a CIPM credential
* Access to the online Sybex learning environment, complete with two additional practice tests, chapter review questions, an online glossary, and hundreds of electronic flashcards for efficient studying
An essential blueprint for success on the CIPM certification exam, IAPP CIPM Certified Information Privacy Manager Study Guide will also ensure you hit the ground running on your first day at a new information privacy-related job.
Persons
Mike Chapple, PhD, CIPM, is Teaching Professor of Information Technology, Analytics, and Operations at Notre Dame's Mendoza College of Business. He is the bestselling author of over 25 books and serves as the Academic Director of the University's Master of Science in Business Analytics program.
Joe Shelley, CIPM, is the Vice President for Libraries and Information Technology at Hamilton College in New York. He oversees information security and privacy programs, IT risk management, business intelligence and analytics, and data governance.
Content
- Cover
- Title Page
- Copyright Page
- Contents at a Glance
- Contents
- Introduction
- The CIPM Exam
- What Does This Book Cover?
- CIPM Exam Objectives
- CIPM Certification Exam Objective Map
- Assessment Test
- Answers to Assessment Test
- Chapter 1 Developing a Privacy Program
- Introduction to Privacy
- What Is Privacy?
- What Is Personal Information?
- What Isn't Personal Information?
- Why Should We Care about Privacy?
- Generally Accepted Privacy Principles
- Management
- Notice
- Choice and Consent
- Collection
- Use, Retention, and Disposal
- Access
- Disclosure to Third Parties
- Security for Privacy
- Quality
- Monitoring and Enforcement
- Developing a Privacy Program
- Crafting Vision, Strategy, Goals, and Objectives
- Structuring the Privacy Team
- Creating a Program Scope and Charter
- Privacy Roles
- Building Inventories
- Conducting a Privacy Assessment
- Implementing Privacy Controls
- Ongoing Operation and Monitoring
- Data Governance
- Data Governance Approaches
- Data Governance Roles
- Access Requirements
- Governing Information Processing
- Managing the Privacy Budget
- Organizational Budgeting
- Expense Types
- Budget Monitoring
- Communicating about Privacy
- Creating Awareness
- Building a Communications Plan
- Privacy Program Operational Life Cycle
- Summary
- Exam Essentials
- Review Questions
- Chapter 2 Privacy Program Framework
- Develop the Privacy Program Framework
- Examples of Privacy Frameworks
- Develop Privacy Policies, Procedures, Standards, and Guidelines
- Define Privacy Program Activities
- Implement the Privacy Program Framework
- Communicate the Framework
- Aligning with Applicable Laws and Regulations
- Develop Appropriate Metrics
- Identify Intended Audience for Metrics
- Define Privacy Metrics for Oversight and Governance per Audience
- Summary
- Exam Essentials
- Review Questions
- Chapter 3 Privacy Operational Life Cycle: Assess
- Document Your Privacy Program Baseline
- Education and Awareness
- Monitoring and Responding to the Regulatory Environment
- Assess Policy Compliance against Internal and External Requirements
- Data, Systems, and Process Assessment
- Risk Assessment Methods
- Incident Management, Response, and Remediation
- Perform Gap Analysis against an Accepted Standard or Law
- Program Assurance
- Processors and Third-Party Vendor Assessment
- Evaluate Processors and Third-Party Vendors
- Understand Sources of Information
- Risk Assessment
- Contractual Requirements and Ongoing Monitoring
- Physical Assessments
- Mergers, Acquisitions, and Divestitures
- Privacy Assessments and Documentation
- Privacy Threshold Analyses (PTAs)
- Define a Process for Conducting Privacy Assessments
- Summary
- Exam Essentials
- Review Questions
- Chapter 4 Privacy Operational Life Cycle: Protect
- Privacy and Cybersecurity
- Cybersecurity Goals
- Relationship between Privacy and Cybersecurity
- Cybersecurity Controls
- Security Control Categories
- Security Control Types
- Data Protection
- Data Encryption
- Data Loss Prevention
- Data Minimization
- Backups
- Policy Framework
- Cybersecurity Policies
- Cybersecurity Standards
- Cybersecurity Procedures
- Cybersecurity Guidelines
- Exceptions and Compensating Controls
- Developing Policies
- Identity and Access Management
- Least Privilege
- Identification, Authentication, and Authorization
- Authentication Techniques
- Provisioning and Deprovisioning
- Account and Privilege Management
- Privacy by Design
- Privacy and the SDLC
- System Development Phases
- System Development Models
- Integrating Privacy with Business Processes
- Vulnerability Management
- Vulnerability Scanning
- Vulnerability Remediation
- Data Policies
- Data Sharing
- Data Retention
- Data Destruction
- Summary
- Exam Essentials
- Review Questions
- Chapter 5 Privacy Operational Life Cycle: Sustain
- Monitor
- Monitoring the Environment
- Monitor Compliance with Privacy Policies
- Monitor Regulatory Changes
- Compliance Monitoring
- Audit
- Aligning with Audits
- Audit Focus
- Summary
- Exam Essentials
- Review Questions
- Chapter 6 Privacy Operational Life Cycle: Respond
- Data Subject Rights
- Access
- Managing Data Integrity
- Right of Erasure
- Right to Be Informed
- Control over Use
- Complaints
- Handling Information Requests
- Incident Response Planning
- Stakeholder Identification
- Building an Incident Oversight Team
- Building the Incident Response Plan
- Integrating the Plan with Other Functions
- Incident Detection
- Security and Privacy Incidents
- Security Events and Incidents
- Privacy Incidents
- Reporting Privacy Incidents
- Coordination and Information Sharing
- Internal Communications
- External Communications
- Breach Notification
- Incident Handling
- Risk Assessment
- Containment Activities
- Remediation Measures
- Ongoing Communications
- Post-Incident Activity
- Planning for Business Continuity
- Business Continuity Planning vs. Disaster Recovery Planning
- Project Scope and Planning
- Business Impact Analysis
- Continuity Planning
- Plan Approval and Implementation
- Summary
- Exam Essentials
- Review Questions
- Appendix: Answers to Review Questions
- Chapter 1: Developing a Privacy Program
- Chapter 2: Privacy Program Framework
- Chapter 3: Privacy Operational Life Cycle: Assess
- Chapter 4: Privacy Operational Life Cycle: Protect
- Chapter 5: Privacy Operational Life Cycle: Sustain
- Chapter 6: Privacy Operational Life Cycle: Respond
- Index
- Comprehensive Online Learning Environment
- EULA
Chapter 1
Developing a Privacy Program
THE CIPM EXAM OBJECTIVES COVERED IN THIS CHAPTER INCLUDE:
- Domain I. Developing a Privacy Program
- I.A. Create an organizational vision
- I.A.a. Evaluate the intended objective
- I.A.b. Gain executive sponsor approval for this vision
- I.B. Establish a data governance model
- I.B.a. Centralized
- I.B.b. Distributed
- I.B.c. Hybrid
- I.C. Define a privacy program
- I.C.a. Define program scope and charter
- I.C.b. Identify the source, types, and uses of personal information (PI) within the organization and the applicable laws.
- I.C.c. Develop a privacy strategy
- I.D. Structure the privacy team
- I.D.a. Establish the organizational model, responsibilities, and reporting structure appropriate to the size of the organization (e.g., Chief Privacy Officer, DPO, Privacy manager, Privacy analysts, Privacy champions, "First responders")
- I.D.b. Designate a point of contact for privacy issues
- I.D.c. Establish/endorse the measurement of professional competency
- I.E. Communicate
- I.E.a. Create awareness of the organization's privacy program internally and externally (e.g., PR, Corporate Communication, HR)
- I.E.b. Develop internal and external communication plans to ingrain organizational accountability
- I.E.c. Ensure employees have access to policies and procedures and updates relative to their role.
Organizations around the world find themselves under increasing scrutiny for their privacy practices. Legal and regulatory requirements, consumer pressure, and ethical obligations drive them to identify the personal information that they use and to implement controls to protect the privacy of that information.
As privacy functions flourish within organizations, they need qualified managers and leaders to ensure their success. From top-level chief privacy officers to mid-level managers, demand continues to increase for privacy experts.
Introduction to Privacy
Privacy is one of the core rights inherent to every human being. The term is defined in many historic works, but they all share the basic tenet of individuals having the right to protect themselves and their information from unwanted intrusions by others or the government. Let's take a brief look at the historical underpinnings of privacy in the United States.
In 1890, lawyers Samuel D. Warren and Louis D. Brandeis wrote an article for the Harvard Law Review titled "The Right to Privacy." In that article, they wrote:
Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual ... the right "to be let alone." Instantaneous photographs and newspaper enterprises have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that "what is whispered in the closet shall be proclaimed from the house-tops." For years there has been a feeling that the law must afford some remedy for the unauthorized circulation of portraits of private persons; and the evil of the invasion of privacy by the newspapers, long keenly felt, has been but recently discussed by an able writer.
Reading that excerpt over a century later, we can easily see echoes of Warren and Brandeis's concerns about technology in today's world. We could just as easily talk about the impact of social media, data brokerages, and electronic surveillance as having the potential to cause "what is whispered in the closet" to be "proclaimed from the house-tops."
The words written by Warren and Brandeis might have slipped into obscurity were it not for the fact that 25 years later one author would ascend to the Supreme Court where, as Justice Brandeis, he would take the concepts from this law review article and use them to argue for a constitutional right to privacy. In a dissenting opinion in the case Olmstead v. United States, Justice Brandeis wrote:
The makers of our Constitution undertook to secure conditions favorable to the pursuit of happiness ... They conferred, as against the Government, the right to be let alone - the most comprehensive of rights and the right most valued by civilized men. To protect that right, every unjustifiable intrusion by the Government upon the privacy of the individual, whatever the means employed, must be deemed a violation of the Fourth Amendment.
This text, appearing in a dissenting opinion, was not binding upon the courts, but it has surfaced many times over the years in arguments establishing a right to privacy as that right "to be let alone." Recently, the 2018 majority opinion of the court in Carpenter v. United States cited Olmstead in an opinion declaring warrantless searches of cell phone location records unconstitutional, saying:
As Justice Brandeis explained in his famous dissent, the Court is obligated - as "[s]ubtler and more far-reaching means of invading privacy have become available to the Government" - to ensure that the "progress of science" does not erode Fourth Amendment protections. Here the progress of science has afforded law enforcement a powerful new tool to carry out its important responsibilities. At the same time, this tool risks Government encroachment of the sort the Framers, "after consulting the lessons of history," drafted the Fourth Amendment to prevent.
This is just one example of many historical precedents that firmly establish a right to privacy in U.S. law and allow the continued reinterpretation of that right in the context of technologies and tools that the authors of the Constitution could not possibly have imagined.
What Is Privacy?
It would certainly be difficult to start a book on privacy without first defining the word privacy, but this is a term that eludes a common definition in today's environment. Legal and privacy professionals asking this question often harken back to the words of Justice Brandeis, describing privacy simply as the right "to be let alone."
In their Generally Accepted Privacy Principles (GAPP), the American Institute of Certified Public Accountants (AICPA) offers a more hands-on definition, describing privacy as "the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and destruction of personal information."
The GAPP definition may not be quite as pithy and elegant as Justice Brandeis's right "to be let alone," but it does provide privacy professionals with a better working definition that they can use to guide their privacy programs, so it is the definition that we will adopt in this book.
What Is Personal Information?
Now that we have privacy defined, we're led to another question. If privacy is about the protection of personal information, what information fits into this category? Here, we turn our attention once again to GAPP, which defines personal information as "information that is or can be about or related to an identifiable individual."
More simply, if information is about a person, that information is personal information as long as you can identify the person that it is about. For example, the fairly innocuous statement "Mike Chapple and Joe Shelley wrote this book" fits the definition of personal information. That personal information might fall into the public domain (after all, it's on the cover of this book!), but it remains personal information.
You'll often hear the term personally identifiable information (PII) used to describe personal information. The acronym PII is commonly used in privacy programs as a shorthand notation for all personal information.
Of course, not all personal information is in the public domain. Many other types of information fit into this category that most people would consider private. Our bank balances, medical records, college admissions test scores, and email communications are all personal information that we might hold sensitive. This information fits into the narrower category of sensitive personal information (SPI). SPI tends to designate the type of information that a person might want to keep confidential. SPI can have differing levels of sensitivity and may also be protected by law. For example, the General Data Protection Regulation (GDPR) in the European Union (EU) has a listing of "special categories of personal data," which includes:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used for the purpose of uniquely identifying a natural person
- Health data
- Data concerning a natural person's sex life or sexual orientation
GDPR uses this list to create special boundaries and controls around the categories of information that EU lawmakers found to be the most sensitive.
What Isn't Personal Information?
With a working knowledge of personal information under our belts, it's also important to make sure that we have a clear understanding of what types of information do not fit the definition of personal...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books, i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.