Domain 5: Sustaining Performance

Question 1

What are metrics?

Answer 1

Quantifiable measures to evaluate organizational success and efficiency.

Question 2

Why are metrics important?

Answer 2

• Provide evidence
• Enable decision making
• Show progress
• Support planning

Question 3

What is performance measurement?

Answer 3

The process of identifying metrics to evaluate effectiveness.

Question 4

What is a metrics life cycle?

Answer 4

The action of sustaining and updating a metric over time.

Question 5

Define KPIs and KRIs.

Answer 5

• KPIs: performance indicators
• KRIs: risk indicators used to measure performance and risk

Question 6

What should metrics align with?

Answer 6

• Business mission
• Objectives
• Risk appetite
• Audience needs

Question 7

Give examples of PII system inventory metrics.

Answer 7

• Number of systems with PII
• PIA completion dates
• Control implementation
• PII categories

Question 8

What are common privacy metrics?

Answer 8

• Incident response
• PIA/DPIA-related
• Training
• Data Subject Access Request (DSAR)
• Control assessments

Question 9

How do metrics benefit organizations?

Answer 9

• Support decisions
• Communicate concepts
• Normalize vocabulary
• Show maturity

Question 10

What are some features of useful metrics?

Answer 10

• Well-defined
• Regularly collected
• Story-telling
• Show compliance and ROI
• Demonstrate impact

Question 11

What are the responsibilities of a metrics owner?

Answer 11

• Understand the process
• Communicate purpose
• Update data/processes
• Create visualizations

Question 12

What expertise should a metrics owner have?

Answer 12

• Subject matter expertise
• Knowledge of day-to-day operations

Question 13

What does data analysis depend on?

Answer 13

• Type of metrics
• Dataset size
• Tools like dashboards (e.g., Power BI, Tableau)

Question 14

What are the main types of analysis in metrics?

Answer 14

• Trend analysis
• ROI
• Business resiliency
• Program maturity

Question 15

What is trend analysis?

Answer 15

• Identifies patterns over time (upward/downward trends)
• Includes cyclical and irregular components

Question 16

What are examples of cyclical components in trend analysis?

Answer 16

Seasonal changes like increased incidents during tax season.

Question 17

What are irregular components in trend analysis?

Answer 17

Outliers or data points that don’t fit the pattern.

Question 18

What are statistical trending methods?

Answer 18

• Simple data patterns
• Trend fitting (e.g., least squares)
• Noise analysis
• R-squared for fit

Question 19

What is Return on Investment (ROI) in privacy metrics?

Answer 19

• Measures financial gain/loss vs. cost
• Links program improvements to reduced business risk

Question 20

What is business resiliency?

Answer 20

The ability to adapt to disruptions while maintaining operations and protecting people, assets, and brand.

Question 21

What metrics are associated with business resiliency?

Answer 21

• Incident response
• Compliance
• System downtime

Question 22

What is program maturity?

Answer 22

A measure of an organization’s capabilities, effectiveness, and ability to improve.

Question 23

What is a maturity model?

Answer 23

A tool to assess the maturity of a function.

Question 24

What is the Privacy Maturity Model?

(PMM)

Answer 24

A model by AICPA/CICA based on GAPP and CMM to help improve privacy practices.

Question 25

What are the **5 PMM** levels?

Answer 25

1. Ad hoc 2. Repeatable 3. Defined 4. Managed 5. Optimized

Question 26

What are the **characteristics** of each PMM level?

Answer 26

* **Ad hoc**: informal * **Repeatable**: existing but not documented * **Defined**: documented and implemented * **Managed**: control reviews * **Optimized**: regular review and improvement

Question 27

How do you **establish maturity**?

Answer 27

* Identify privacy officer and stakeholders * Assign responsibilities * Assess baseline of program functions

Question 28

What is the **top reporting metric** according to IAPP?

Answer 28

Compliance

Question 29

What categories are included in the IAPP **DPO report metrics**?

Answer 29

* Systems and data * Legal/regulatory compliance * Advising

Question 30

What are the **main types of monitoring** in a privacy program?

Answer 30

* Compliance * Legal/regulatory * Network environment * Training/awareness

Question 31

What does **compliance monitoring** involve?

Answer 31

Monitoring PII collection, processing, sharing, and maintenance per laws, sensitivity, and standards.

Question 32

What are the **4 compliance monitoring** approaches?

Answer 32

* Self-monitor * Audit * System management * Risk management

Question 33

What **tools** support legal and regulatory monitoring?

Answer 33

Subscription services that **automate legal/regulatory change tracking**.

Question 34

How is **network environment monitoring** conducted?

Answer 34

* Intrusion Detection Systems (IDS) * Intrusion Prevention Systems (IPS) * Continuous system/application monitoring

Question 35

What **metrics** are used for **training and awareness** monitoring?

Answer 35

* Staff training completion rate * Phishing campaign failure rate

Question 36

What **tools** are used for monitoring?

Answer 36

* Data discovery/scanning * GRC platforms * Audits * Breach logs * Complaints * Controls

Question 37

What is an **audit** in the context of a privacy program?

Answer 37

An **assessment** of management, implementation, effectiveness, and compliance of **a privacy program**.

Question 38

**Why** conduct a **privacy audit**?

Answer 38

* Assess compliance * Identify gaps * Enable improvement * Satisfy regulators and industry standards

Question 39

What are the **core phases** of an audit?

Answer 39

* Plan * Prepare * Audit * Report * Follow-up

Question 40

What activities are included in the '**Plan**' phase of an audit?

Answer 40

* Select auditor/team * Assess audit risk * Create timeline * Hold kickoff meeting

Question 41

What is done during the '**Prepare**' phase?

Answer 41

Confirm audit schedule and finalize audit plan.

Question 42

What happens during the '**Audit**' phase?

Answer 42

Conduct the audit and meet with auditees and stakeholders.

Question 43

What is included in an **audit report**?

Answer 43

* Roles * Methodology * Audit scope * Compliance status * Supporting evidence * Remediation steps

Question 44

What are typical **follow-up activities** after an audit?

Answer 44

* Confirm remediation plan, timeline * Close out audit

Question 45

What are **2 possible additional stages** in an audit?

Answer 45

* Pre-audit data collection * Pre-report feedback gathering

Question 46

What are the **3 types of audits**?

Answer 46

* First-party * Second-party * Third-party

Question 47

What is a **first-party audit**?

Answer 47

An **internal audit** conducted by an organization **on its own processes**, systems, and controls.

Question 48

What are the **goals** of **first-party audits**?

Answer 48

* Drive internal improvements * Prepare for external audits * Support self-certification

Question 49

What is a **second-party audit**?

Answer 49

An audit conducted by **an external entity** with **a direct interest**, like a customer or supplier.

Question 50

What are **common reasons** for second-party audits?

Answer 50

* Contract due diligence * Verification of audit rights * Assess impacts on business relationships

Question 51

What is a **third-party audit**?

Answer 51

Conducted by an **independent external organization** with **no direct interest** in the auditee.

Question 52

What is the **purpose** of third-party audits?

Answer 52

* Provide objective compliance assessment * Often needed for certification or regulatory compliance

Question 53

What is the **goal** of **training** in a privacy program?

Answer 53

To **teach knowledge and skills** needed for effective job performance in privacy and security.

Question 54

What is the **purpose** of **awareness**?

Answer 54

* To focus attention on privacy/security * Build sensitivity to threats * Reinforce good behavior

Question 55

What are the **4 steps** in **NIST SP 800-50** training lifecycle?

Answer 55

* Design * Material Development * Implementation * Post-Implementation

Question 56

What is **NIST SP 800-16** known for?

Answer 56

It defines role- and performance-based IT security training requirements.

Question 57

What **content** should **privacy training** include?

Answer 57

* Laws * Regulations * Policies * Reporting procedures * Role-specific guidance * Attestation

Question 58

What makes training **effective**?

Answer 58

* Mandatory * Interactive * Gamified * Measured * Integrated with other programs

Question 59

Who is the **target audience** for privacy training?

Answer 59

* **Everyone**: basic awareness * **Stakeholders**: role-based * **Privacy team**: specific ongoing training

Question 60

What are **key elements** of building an **internal awareness program**?

Answer 60

* Cross-functional cooperation * Assessing privacy awareness * Leveraging incidents * Attending events

Question 61

Why build an **external awareness** program?

Answer 61

* Build trust * Earn business * Demonstrate commitment to protecting consumer privacy

Question 62

What does **operationalizing awareness** involve?

Answer 62

* Creating communication plans * Involving stakeholders * Updating policies/requirements

Question 63

Why is **repetition** important in training and awareness?

Answer 63

It **reinforces learning** by strengthening neural connections, enhancing retention.

Question 64

What are examples of **training mediums**?

Answer 64

* Classes (e.g., live virtual, asynchronous e-learning) * Brown bag lunch events * Newsletters * Emails * Posters * Handouts

Question 65

What **creative tools** can increase engagement in awareness?

Answer 65

* Stickers * Memes * Social media * Competitions * Themed awareness days

Question 66

What **outcome metrics** can be collected from training?

Answer 66

* Knowledge check scores * Incident reduction over time