Sie sind auf Seite 1von 14

M CIPM CIPM CIPM CIPM CIPM CIPM

IPM CIPM CIPM CIPM CIPM CIPM CIP

Certified Information
Privacy Manager (CIPM)

Study Guide

Effective July 2015

CIPM Study Guide 1


WELCOME
Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide
contains the basic information you need to get started:

An explanation of the IAPP certification program structure


Key areas of knowledge for the CIPM program
Recommended steps to help you prepare for your exam
A detailed body of knowledge for the CIPM program
An exam blueprint
Sample questions
General exam information

CIPM Study Guide 2


The IAPP Certification Program Structure
The IAPP currently offers three certification programs: The Certified Information Privacy Professional
(CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy
Technologist (CIPT).
The CIPP is the what of privacy. Earning this designation demonstrates your mastery of a
principles-based framework in information privacy in a legal or practical specialization. Within the CIPP,
there are four concentrations:
Canadian privacy (CIPP/C)
European privacy (CIPP/E)
U.S. government privacy (CIPP/G)
U.S. private-sector privacy (CIPP/US)
The CIPM is the how of privacy (operations). Earning this designation shows you understand how to
manage privacy in an organization through process and technology.

The CIPT is the how of privacy (technology). Earning this designation shows you know how to
manage and build privacy requirements and controls into technology.

There are no concentrations within the CIPM or the CIPTthey are global designations that cross all
jurisdictions and industries.

Requirements for IAPP Certification

1. You must pay an annual maintenance fee of $125 USD

OR

2. You can become a member of the IAPPwith access to numerous benefits like discounts,
networking opportunities, members-only resources and morefor just $250 USD, which includes
your annual maintenance fee.

More information about IAPP membership, including levels, benefits and rates, is available on the IAPP
website at www.iapp.org/join.

CIPM Study Guide 3


CIPM Key Areas of Knowledge

The CIPM program was developed in response to overwhelming demand to collate common practices
for managing privacy operations. It covers program governance and the skills to establish, maintain and
manage a privacy program across all stages of its operational lifecycle.

The two major CIPM program components are:

I. Privacy Program Governance


Creating a company vision
Establishing a privacy program
Structuring the privacy team
Developing and implementing a privacy program framework
Communicating to stakeholders
Performance measurement

II. Privacy Operational Lifecycle


Assessing or analyzing an organizations privacy regime
Protecting information assets through the implementation of industry-leading privacy
and security controls and technology
Sustaining the privacy program through communication, training and management actions
Responding to privacy incidents

CIPM Study Guide 4


Preparation
Privacy certification is an important effort that requires advance preparation. Deciding how you will
prepare for your exams is a personal choice that should include an assessment of your professional
background, scope of privacy knowledge and your preferred method of learning.

In general, the IAPP recommends that you plan for a minimum of 20 hours of study time in advance of
your exam date; however, you might need more or fewer hours depending on your personal choices and
professional experience.

The IAPP recommends you prepare in the following manner:

1. Review the body of knowledge


The body of knowledge for the CIPM program is a comprehensive outline of the subject matter areas
covered by the CIPM exam. Review it carefully to help determine which areas merit additional focus in
your preparation. See pages 6-10.

2. Review the exam blueprint


The CIPM exam blueprint on page 11 specifies the number of items from each area of the body of
knowledge that will appear on the exam. Studying the blueprint can help you further target your
primary study needs.

3. Study the CIPM textbook


Privacy Program Management is the authoritative reference for the CIPM program. The IAPP strongly
recommends you take the time to carefully read and study the textbook.

4. Get certification training


The IAPP offers both training classes and online training to help you prepare for your exams.
You can find a list of scheduled classes and/or purchase online training on the IAPP website at
www.iapp.org/train.

5. Take the CIPM practice test


Practice tests are a great way to check your knowledge and gain familiarity with the format of the exam.
Practice tests are available in a downloadable PDF file containing the test itself, an answer key and an
explanation of each correct answer.

6. Review other IAPP preparation resources


Additional resources are available on the IAPP website, including a searchable glossary of terms.

CIPM Study Guide 5


CIPM Common Body of Knowledge Outline
I. Privacy Program Governance
A. Organization Level
a. Create a company vision
i. Acquire knowledge on privacy approaches
ii. Evaluate the intended objective
iii. Gain executive sponsor approval for this vision
b. Establish a privacy program
i. Define program scope and charter
ii. Identify the source, types and uses of personal information (PI) within the
organization and the applicable laws
iii. Develop a privacy strategy
1. Business alignment
a. Finalize the operational business case for privacy
b. Identify stakeholders
c. Leverage key functions
d. Create a process for interfacing within the organization
e. Align organizational culture and privacy/data protection objectives
f. Obtain funding/budget for privacy and the privacy team
2. Develop a data governance strategy for personal information (collection,
authorized use, access, destruction)
3. Plan inquiry/complaint handling procedures (customers, regulators, etc.)
c. Structure the privacy team
i. Governance models
1. Centralized
2. Distributed
3. Hybrid
ii. Establish the organizational model, responsibilities and reporting
structure appropriate to the size of the organization
1. Large organizations
a. Chief privacy officer
b. Privacy manager
c. Privacy analysts
d. Business line privacy leaders
e. First responders
2. Small organizations/sole data protection officer (DPO), including when not only job
iii. Designate a point of contact for privacy issues
iv. Establish/endorse the measurement of professional competency
B. Develop the Privacy Program Framework
a. Develop organizational privacy policies, standards and/or guidelines
b. Define privacy program activities
i. Education and awareness
ii. Monitoring and responding to the regulatory environment
iii. Internal policy compliance
iv. Data inventories, data flows and classification
v. Risk assessment (Privacy Impact Assessments [PIAs], etc.)
vi. Incident response and process, including jurisdictional regulations
vii. Remediation
viii. Program assurance, including audits

CIPM Study Guide 6


C. Implement the Privacy Policy Framework
a. Communicate the framework to internal and external stakeholders
b. Ensure continuous alignment to applicable laws and regulations to support the development
of an organizational privacy program framework
i. Understand applicable national laws and regulations
ii. Understand applicable local laws and regulations
iii. Understand penalties for noncompliance with laws and regulations
iv. Understand the scope and authority of oversight agencies (e.g., Data Protection
Authorities, Privacy Commissioners, Federal Trade Commission, etc.)
v. Understand privacy implications of doing business in or with countries with
inadequate, or without, privacy laws
vi. Maintain the ability to manage a global privacy function
vii. Maintain the ability to track multiple jurisdictions for changes in privacy law
viii. Understand international data sharing arrangements agreements
D. Metrics
a. Identify intended audience for metrics
b. Define reporting resources
c. Define privacy metrics for oversight and governance per audience
i. Compliance metrics (examples, will vary by organization)
1. Collection (notice)
2. Responses to data subject inquiries
3. Use
4. Retention
5. Disclosure to third parties
6. Incidents (breaches, complaints, inquiries)
7. Employees trained
8. PIA metrics
9. Privacy risk indicators
10. Percent of company functions represented by governance mechanisms
ii. Trending
iii. Privacy program return on investment (ROI)
iv. Business resiliency metrics
v. Privacy program maturity level
vi. Resource utilization
d. Identify systems/application collection points
II. Privacy Operational Lifecycle
A. Assess Your Organization
a. Document current baseline of your privacy program
i. Education and awareness
ii. Monitoring and responding to the regulatory environment
iii. Internal policy compliance
iv. Data, systems and process assessment
1. Map data inventories, flows and classification
2. Create record of authority of systems processing personal information
within the organization
3. Map and document data flow in systems and applications
4. Analyze and classify types and uses of data
v. Risk assessment (PIAs, etc.)
vi. Incident response
vii. Remediation
viii. Determine desired state and perform gap analysis against an accepted standard or law
ix. Program assurance, including audits

CIPM Study Guide 7


b. Processors and third-party vendor assessment
i. Evaluate processors and third-party vendors, insourcing and outsourcing privacy risks
1. Privacy and information security policies
2. Access controls
3. Where personal information is being held
4. Who has access to personal information
ii. Understand and leverage the different types of relationships
1. Internal audit
2. Information security
3. Physical security
4. Data protection authority
iii. Risk assessment
1. Type of data being outsourced
2. Location of data
3. Implications of cloud computing strategies
4. Legal compliance
5. Records retention
6. Contractual requirements (incident response, etc.)
7. Establish minimum standards for safeguarding information
iv. Contractual requirements
v. Ongoing monitoring and auditing
c. Physical assessments
i. Identify operational risk
1. Data centers
2. Physical access controls
3. Document destruction
4. Media sanitization (e.g., hard drives, USB/thumb drives, etc.)
5. Device forensics
6. Fax machine security
7. Imaging/copier hard drive security controls
d. Mergers, acquisitions and divestitures
i. Due diligence
ii. Risk assessment
e. Conduct analysis and assessments, as needed or appropriate
i. Privacy Threshold Analysis (PTAs) on systems, applications and processes
ii. Privacy Impact Assessments (PIAs)
1. Define a process for conducting Privacy Impact Assessments
a. Understand the lifecycle of a PIA
b. Incorporate PIA into system, process, product lifecycles
B. Protect
a. Data lifecycle (creation to deletion)
b. Information security practices
i. Access controls for physical and virtual systems
1. Access control on need to know
2. Account management (e.g., provision process)
3. Privilege management
ii. Technical security controls
iii. Implement appropriate administrative safeguards

CIPM Study Guide 8


c. Privacy by Design
i. Integrate privacy throughout the system development lifecycle (SDLC)
ii. Establish privacy gates/PIAs-Data Protection Impact Assessments (DPIAs) as part of the
standard process, system development framework
C. Sustain
a. Measure
i. Quantify the costs of technical controls
ii. Manage data retention with respect to the organizations policies
iii. Define the methods for physical and electronic data destruction
iv. Define roles and responsibilities for managing the sharing and disclosure of data for
internal and external use
b. Align
i. Integrate privacy requirements and representation into functional areas
across the organization
1. Information security
2. IT operations and development
3. Business continuity and disaster recovery planning
4. Mergers, acquisitions and divestitures
5. Human resources
6. Compliance and ethics
7. Audit
8. Marketing/business development
9. Public relations
10. Procurement/sourcing
11. Legal and contracts
12. Security/emergency services
13. Finance
14. Others
c. Audit
i. Align privacy operations to an internal and external compliance audit program
1. Knowledge of audit processes
2. Align to industry standards
ii. Audit compliance with privacy policies and standards
iii. Audit data integrity and quality
iv. Audit information access, modification and disclosure accounting
v. Communicate audit findings with stakeholders
d. Communicate
i. Awareness
1. Create awareness of the organizations privacy program internally and externally
2. Ensure policy flexibility in order to incorporate legislative/regulatory/market
requirements
3. Develop internal and external communication plans to ingrain organizational
accountability
4. Identify, catalog and maintain documents requiring updates as privacy requirements
change

CIPM Study Guide 9


ii. Targeted employee, management and contractor training
1. Privacy policies
2. Operational privacy practices (e.g., standard operating instructions), such as
a. Data creation/usage/retention/disposal
b. Access control
c. Reporting incidents
d. Key contacts
e. Monitor
iii. Environment (e.g., systems, applications) monitoring
iv. Monitor compliance with established privacy policies
v. Monitor regulatory and legislative changes
vi. Compliance monitoring (e.g. collection, use and retention)
1. Internal audit
2. Self-regulation
3. Retention strategy
4. Exit strategy
D. Respond
a. Information requests
i. Access
ii. Redress
iii. Correction
iv. Managing data integrity
b. Privacy incidents
i. Legal compliance
1. Preventing harm
2. Collection limitations
3. Accountability
4. Monitoring and enforcement
ii. Incident response planning
1. Understand key roles and responsibilities
a. Identify key business stakeholders
1. Information security
2. Legal
3. Audit
4. Human resources
5. Marketing
6. Business development
7. Communications and public relations
8. Other
b. Establish incident oversight teams
2. Develop a privacy incident response plan
3. Identify elements of the privacy incident response plan
4. Integrate privacy incident response into business continuity planning

CIPM Study Guide 10


iii. Incident detection
1. Define what constitutes a privacy incident
2. Identify reporting process
3. Coordinate detection capabilities
a. Organization IT
b. Physical security
c. Human resources
d. Investigation teams
e. Vendors
iv. Incident handling
1. Understand key roles and responsibilities
2. Develop a communications plan to notify executive management
v. Follow incident response process to ensure the organization is meeting jurisdictional,
global and business requirements
1. Engage privacy team
2. Review the facts
3. Conduct analysis
4. Determine actions (contain, communicate, etc.)
5. Execute
6. Monitor
7. Review and apply lessons learned
vi. Identify incident reduction techniques
vii. Incident metricsquantify the cost of a privacy incident

CIPM Study Guide 11


CIPM Exam Format
The CIPM is an 2.5 hour exam comprised of 90 multiple choice items (questions). Approximately half
of the multiple choice items are associated with scenarios. There are no essay questions. Each correct
answer is worth one point.

Exam Blueprint
The exam blueprint indicates the minimum and maximum number of items included on the CIPM
exam from the major areas of the body of knowledge. Questions may be asked from any of the topics
listed under each area.You can use this blueprint to guide your preparation.

Min Max
I. Privacy Program Governance 26 39
A. Organization Level 8 11
Create a company vision, establish a privacy program,
structure the privacy team
B. Develop the Privacy Program Framework 9 13
Develop organizational privacy policies, standards and/or guidelines,
define privacy program activities
C. Implement the Privacy Policy Framework 6 9
Communicate the framework to internal and external stakeholders,
ensure continuous alignment to applicable laws and regulations
to support the development of an organizational privacy program
framework
D. Metrics 3 6
Identify intended audience for metrics, define reporting resources, define
privacy metrics for oversight and governance per audience, identify
systems/application collection points
II. Privacy Operational Lifecycle 29 42
A. Assess Your Organization 8 11
Document current baseline of your privacy, processors and third-party
vendor assessment, physical assessments, mergers, acquisitions and
divestitures, conduct analysis and assessments, as needed or appropriate
B. Protect 2 5
Data lifecycle, information security practices, Privacy by Design
C. Sustain 10 14
Measure, align, audit, communicate, monitor
D. Respond 9 12
Information requests, privacy incidents

CIPM Study Guide 12


Sample Exam Questions

1. Which descriptor best describes the general attitude an organization should exhibit regarding its
practices and policies for data protection?
A. Security.
B. Openness.
C. Secrecy.
D. Education.

2. Where should procedures for resolving complaints about privacy protection be found?
A. In written policies regarding privacy.
B. In the Emergency Response Plan.
C. In memoranda from the CEO.
D. In the minutes of corporate or organizational board meetings.

Sample Scenario
Country Fresh Sundries started in the kitchen of its founder Margaret Holmes as she made soap
following a traditional family recipe. It is a much different business today, having grown first through
product placement in health and beauty retail outlets, then through a thriving catalog business. The
company was slow to launch an online store, but once it did so, the online business grew rapidly. Online
sales now account for 65% of a business which is increasingly international in scope. In fact, Country
Fresh is now a leading seller of luxury soaps in Europe and South America, as well as continuing its
strong record of growth in the United States. Despite its rapid ascent, Country Fresh prides itself on
maintaining its homey atmosphere, as symbolized by its company headquarters with a farmhouse in front
of a factory in a rural region of Maine, in the U.S. The company is notably employee friendly, allowing,
for instance, employees to use their personal computers for conducting business and encouraging people
to work at home to spend more time with their families.
As the incoming Director of Privacy, you are the companys first dedicated privacy professional. During
the interview process, you found that while the people you talked to, including Shelly Holmes, CEO,
daughter of the founder, and Jim Greene,Vice President for Operations, meant well, they did not possess
a sophisticated knowledge of privacy practices and regulations, and were unsure of exactly where the
company stood in relation to compliance and security. Jim candidly admitted, We know theres a lot we
need to be thinking about and doing regarding privacy, but none of us know much about it. Weve put
some safeguards in place, but were not even sure they are effective. We need someone to build a privacy
program from the ground up.
The final interview ended after the close of business. The cleaning crew had started its nightly work. As
you walked through the office, you noticed that computers had been left on at employee work stations
and the only shredder you saw was marked with a sign that said Out of Order. Do Not Use.

Continued on next page

CIPM Study Guide 13


You have accepted the job offer and are about to report to work on Monday.You are now on a plane
headed toward your new office, considering your course of action in this position and jotting down
some notes.

1. How can you discover where personal data resides at the company?
A. Focus solely on emerging technologies as they present the greatest risks.
B. Check all public interfaces for breaches of personal data.
C. Conduct a data inventory and map data flows.
D. Interview each department head.

2. In analyzing the companys existing privacy program, you find procedures that are informal and
incomplete. What stage does this represent in the AICPA/CICA Privacy Maturity Model?
A. Early.
B. Ad hoc.
C. Non-repeatable.
D. Pre-program.

General Exam Information


The IAPP offers testing via computer-based delivery at test centers worldwide. There are approximately
700 Kryterion High-stakes Online Secured Testing (HOST) locations around the world where IAPP
certification exams are administered.

The IAPP also offers testing at our major annual conferences. Event-based testing is paper-pencil format.

You can find detailed information about how to register for exams, as well as exam-day instructions in
the IAPP Certification Information Candidate Handbook, on our website at www.iapp.org/certify.

Questions?
The IAPP recognizes that privacy certification is an important professional development effort requiring
commitment and preparation. We thank you for choosing to pursue certification, and we welcome your
questions and comments regarding our certification program.

Please dont hesitate to contact us at certification@iapp.org or +1 603.427.9200.

CIPM Study Guide 14

Das könnte Ihnen auch gefallen