IAPP Certification Foundation Study Guide
Effective March 2013
WELCOME
Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide contains the basic information you need to get started:
An explanation of the IAPP certification program structure
Key areas of knowledge for the Certification Foundation program
Recommended steps to help you prepare for your exam
A detailed Body of Knowledge for the Certification Foundation program
An exam blueprint
Sample questions
General exam information
The IAPP Certification Program Structure
The IAPP currently offers two certification programs: the Certified Information Privacy Professional (CIPP) and the Certified Information Privacy Manager (CIPM).
The CIPP is the "what" of privacy. Earning this designation demonstrates your mastery of a principles-based framework in information privacy in a legal or practical specialization. Within the CIPP, there are five concentrations:
U.S. private-sector privacy (CIPP/US)
Canadian privacy (CIPP/C)
European privacy (CIPP/E)
U.S. government privacy (CIPP/G)
Privacy in information technology (CIPP/IT)
The CIPM is the "how" of privacy. Earning this designation demonstrates your understanding of how common privacy practices are applied in the daily operations of an organization. There are no concentrations within the CIPM; it crosses all jurisdictions and industries.
To become certified in any of these areas, you must successfully complete the Certification Foundation examination, followed by a designation exam (either the CIPM exam or an exam in one of the five CIPP concentrations).
The Certification Foundation exam assesses understanding of fundamental concepts of privacy and data protection. It covers common practice areas that are relevant to all privacy professionals regardless of legal jurisdiction, geographic location or practice specialization.
You must pass both the Certification Foundation exam and a designation exam to achieve certification. Successful completion of just one exam will not result in certification being awarded.
Testing for Multiple Designations
Many people choose to certify in multiple areas. Should you wish to pursue additional designations, you are not required to retake the Certification Foundation exam; you are only required to pass the additional designation exam to achieve another credential.
Requirements for IAPP Certification
1. You must be a current member of the IAPP prior to registering for your examination. (Information about IAPP membership, including levels, benefits and rates, is available on the IAPP website at www.privacyassociation.org/membership.)
2. Successful completion of both the Certification Foundation exam and a designation exam.
Certification Foundation Key Areas of Knowledge
The Certification Foundation, which is a prerequisite for all IAPP designations, covers elementary concepts of privacy and data protection from a global perspective. It is designed to provide the basis for a multi-faceted approach to privacy and data protection and to allow the specific IAPP privacy certifications to build upon this foundation with minimal repetition.
The four Foundation course components are:
I. Common Principles and Approaches to Privacy
Historical descriptions, definitions and classes of privacy
Types and elements of information
Privacy policies and notices and processing of personal data
Information risk management and information lifecycle principles
Modern privacy principles, including FIPs, OECD and APEC, and common themes
II. A Survey of Global Privacy Laws and Industry Practices
Global perspectives and data protection models
The U.S. approach to information privacy
The EU Data Protection Directive
Data protection in Asia, Africa and the Middle East
Sectors of privacy law, including healthcare, financial, telecommunications, marketing and human resources
III. Information Security
Privacy and information security in context
Elements of information security
Information security standards: ISO 27001 and ISO 27002
Information security threats and vulnerabilities
Information security management and governance
IV. Online Privacy: Using Personal Information on Websites and with Other Internet-related Technologies
Privacy considerations for sensitive online information, including data subject access and redress, children's online privacy, online identification methods, privacy and electronic mail, Internet searches, marketing and advertising, social media, cloud computing and mobile privacy
Preparation
Privacy certification is an important effort that requires advance preparation. Deciding how you will prepare for your exams is a personal choice that should include an assessment of your professional background, scope of privacy knowledge and preferred method of learning.
In general, the IAPP recommends that you plan for a minimum of 20 hours of study time in advance of your exam date; however, you might need more or fewer hours depending on your personal choices and professional experience.
The IAPP recommends you prepare in the following manner:
1. Review the Body of Knowledge
The Body of Knowledge for the Certification Foundation program is a comprehensive outline of the subject matter areas covered by the Foundation exam. Review it carefully to help determine which areas merit additional focus in your preparation. See the Certification Foundation Common Body of Knowledge Outline below.
2. Review the exam blueprint
The Certification Foundation Examination Blueprint (below) specifies the minimum and maximum number of items from each area of the Body of Knowledge that will appear on the exam. Studying the blueprint can help you further target your primary study needs.
3. Study the Certification Foundation textbook
Foundations of Information Privacy and Data Protection is the official reference for the Certification Foundation program. The IAPP strongly recommends you take the time to carefully read and study the textbook.
4. Get Certification Training
The IAPP offers both in-person certification prep classes and online training to help you prepare for your exams. You can find a list of scheduled classes and/or purchase downloadable online training on the IAPP website.
5. Take the Certification Foundation practice test
Practice tests are a great way to gain familiarity with the format and content of the actual exams. Practice tests are shorter versions of the exam, available as a downloadable PDF file containing the test itself, an answer key and an explanation of each correct answer.
6. Review other IAPP preparation resources
Additional resources are available on the IAPP website, including a searchable glossary of terms, a bibliography of recommended reading and a case study book.
Certification Foundation Common Body of Knowledge Outline
I. Common Principles and Approaches to Privacy
A. A Modern History of Privacy
a. Descriptions, definitions and classes
b. Historical and social origins
B. Types of Information
a. Personal information
b. Non-personal information
c. General and organizational
i. Financial
ii. Human resources
iii. Operational
iv. Intellectual property (IP)
v. Information products and services
d. Elements of personal information
i. Data subjects
ii. Personal data (EU)
iii. Personally identifiable information (U.S.)
iv. Sensitive personal information
e. Processing of personal data
i. Data controller
ii. Data processor
iii. Data protection authority (DPA)
f. Privacy policy and notice
i. Consent and choice
1. Opt in and opt out
C. Information Risk Management
a. Privacy's impact on organizational risk
i. Main drivers and challenges
ii. Common processes
iii. Potential outcomes
b. Information lifecycle principles
i. Collection
ii. Use and retention
iii. Disclosure
iv. Management and administration
v. Monitoring and enforcement
c. Privacy impact assessments (PIA)
D. Modern Privacy Principles
a. Foundational principles
i. U.S. fair information practices
1. Notice, access, choice and consent
2. Scope and limitations of use
ii. The Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)
iii. The Asia-Pacific Economic Cooperation (APEC) privacy principles
b. Historical timeline of principles frameworks
c. Common themes among principles frameworks
II. Jurisdictions and Industries
A. Geography: Privacy and Data Protection Regulation
a. Introduction
b. Global perspectives overview
i. Countries with comprehensive data protection laws
ii. Countries with sectoral data protection laws
iii. The co-regulatory model
iv. The self-regulatory model
c. United States
i. Federal privacy laws
ii. State privacy laws
d. Canada
i. The Privacy Act of 1983
ii. The Personal Information Protection and Electronic Documents Act of 2000 (PIPEDA)
e. Europe
i. The European Union (EU) Data Protection Directive (95/46/EC)
1. Applicability
2. Core principles
3. Data processing
4. Data transfers
a. Adequacy
b. Binding corporate rules (BCRs)
c. Model Contracts
ii. The EU ePrivacy Directive (2002/58/EC)
iii. The Article 29 Working Party
iv. Employment data
v. EU-U.S. Safe Harbor Principles
1. Program components
2. Privacy principles
3. Compliance and enforcement
f. Japan
i. Laws concerning the protection of personal information
ii. Data transfer requirements
g. Australia
i. The Privacy Act of 2001
h. Latin America
i. Habeas data
i. India
j. Other Countries
B. Sectors of Privacy Law
a. Introduction
b. Healthcare
c. Financial
d. Telecommunications
e. Online Privacy
f. Government
g. Marketing
h. Energy
i. Human Resources
j. Other
III. Information Security: Safeguarding Personal Information
A. Introduction to Information Security
a. Privacy and information security in context
i. Definitions
ii. Confidentiality, integrity and availability
iii. Common issues and challenges
1. Privacy vs. security
b. Elements of information security
i. Information security needs
ii. Information security key principles
1. Segregation of duties
2. Access privileges
3. Least privilege
c. Information security standards
i. ISO 27001
ii. ISO 27002
1. Security clauses
d. Information security threats and vulnerabilities
i. Determining risk
ii. Threat agents and origins
iii. Security risks and vulnerabilities
iv. Malware
v. Phishing
vi. Social engineering
B. Information Security Management
a. Building an information security framework
i. Process components
ii. Industry standards
iii. Organizational policy
b. Information security compliance
i. Legal requirements
c. Common information security controls
i. Access control policy and responsibility
ii. Access control types
1. Preventative
2. Detective
3. Corrective
iii. Access control placement
1. Network
2. Operating system
3. Application layer
4. Mobile computing and teleworking
iv. Cryptography
1. General concepts of shared and public key cryptography
a. Public key infrastructure (PKI)
2. Encryption
3. Decryption
4. Non-repudiation
5. Other uses
a. Digital signatures
b. Certifications
v. Identity and access management (IAM)
1. Authentication
2. Authorization
vi. Other controls
1. Networks
a. Firewalls
b. Intrusion detection systems (IDS)
c. Intrusion prevention systems (IPS)
d. Data loss and data leakage protection
2. Financial transactions
a. Payment Card Industry (PCI) Data Security Standard (DSS)
d. Information security governance
i. Internal to organization
ii. External parties
iii. Asset management
1. Inventory of assets
2. Information classification
iv. Human resources security
1. Pre-employment
2. Change of employment
v. Physical and environmental security
1. Securing facilities
2. Equipment safety
vi. Communications and operations management
1. Management of third-party service delivery
2. System monitoring
a. System and end user
3. Back-up media
a. Handling
b. Transfer of information
4. Online security and monitoring
vii. Incident management
1. Reporting events and weaknesses
2. Managing incidents and improvements
3. Business continuity
viii. The information security program
1. The information security management system (ISMS)
2. Program improvement
3. Management review
4. Program assessments
a. Internal audits
b. External/third-party audits
ix. Vendor management
1. Due diligence and qualifcation
2. Contract management
IV. Online Privacy: Using Personal Information on Websites and with Other
Internet-related Technologies
A. The Web as a Platform
a. Standard Web protocols
i. Internet protocol (IP)
ii. Hypertext transfer protocol (HTTP)
iii. Hypertext transfer protocol secure (HTTPS)
iv. Internet proxies and caches
v. Web server logs
vi. Transport layer security (TLS)
vii. Secure sockets layer (SSL)
B. Privacy Considerations for Sensitive Online Information
a. Threats to online privacy
i. Cross-site scripting (XSS)
b. Online privacy notices and methods for communication
i. Website privacy statement
1. Location at/link from all points of data collection
2. Sample language
ii. Layered notice
c. Data subject access and redress
d. Online security
e. Website user authentication
f. Children's online privacy
g. Active versus passive data collection
i. Web forms
h. Online identification mechanisms
i. Cookies
1. First-party and third-party
2. Common use cases
3. Industry best practices
ii. Web beacons
i. Privacy and electronic mail
i. Commercial e-mail
1. Best practices and standards for privacy protection
2. Unsolicited commercial e-mail (spam)
j. Internet searches
k. Online marketing and advertising
i. Search engine marketing (SEM)
ii. Online behavioral marketing (OBM)
l. Online social media
i. Social networking services
ii. Instant messaging
m. Online assurance
i. Trust seal and dispute resolution programs
ii. Self-regulatory frameworks
n. Cloud computing
o. Mobile online privacy
i. Location data
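Items IV.A.a.v (web server logs), IV.B.g (active versus passive data collection) and IV.B.h (cookies, first-party and third-party; web beacons) name the mechanisms a privacy reviewer has to recognise in practice. The following is an added example, not code from the IAPP study guide or its textbook: it takes a handful of constructed HTTP request records, as a proxy or server log might capture them, and labels each one as active collection (the user typed data into a web form and submitted it), passive collection (the browser silently fetched a tracking beacon carrying identifiers) or ordinary content, and labels any cookie it sets as first-party or third-party by comparing the registrable domain of the resource host with that of the embedding page. The `registrable_domain` heuristic (keep the last two host labels) is an assumption made for the sample; a real implementation would consult the Public Suffix List so that hosts under suffixes such as `co.uk` are handled correctly.

```python
"""Classify captured web requests by collection mode and cookie party.

Added example for the online-privacy outline above; not IAPP code.
All request records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str                       # absolute URL the browser fetched
    referer: Optional[str] = None  # page that embedded the resource, if any
    content_type: str = ""
    body: str = ""
    set_cookie: List[str] = field(default_factory=list)


def registrable_domain(host: str) -> str:
    """Approximate eTLD+1 by keeping the last two labels.

    Assumption: no multi-label public suffix (co.uk, com.au, ...) appears in
    the input. Use the Public Suffix List for real traffic.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cookie_party(req: Request) -> str:
    """'first-party' if the cookie-setting host belongs to the same site as the
    page that embedded it (taken from the Referer); 'third-party' otherwise;
    'none' if the response set no cookie at all."""
    if not req.set_cookie:
        return "none"
    if req.referer is None:
        # Top-level navigation: the host the user typed is the site itself.
        return "first-party"
    site = registrable_domain(urlsplit(req.referer).hostname or "")
    resource = registrable_domain(urlsplit(req.url).hostname or "")
    return "first-party" if site == resource else "third-party"


# Tracking pixels are normally tiny images; the identifying data rides in the
# query string rather than in anything the user typed.
BEACON_SUFFIXES = (".gif", ".png")


def collection_mode(req: Request) -> str:
    """'active' for a form submission, 'passive' for a beacon fetch that carries
    identifiers, 'content' for everything else."""
    parts = urlsplit(req.url)
    if req.method == "POST" and req.content_type.startswith(
            "application/x-www-form-urlencoded"):
        return "active"
    if (req.method == "GET" and parts.path.endswith(BEACON_SUFFIXES)
            and parse_qs(parts.query)):
        return "passive"
    return "content"


def audit(requests: List[Request]) -> List[Tuple[str, str, str]]:
    """Return (url, collection mode, cookie party) for every request."""
    return [(r.url, collection_mode(r), cookie_party(r)) for r in requests]


# Constructed sample: one checkout page load, the form the user submits,
# a tracking pixel from an advertising host, and a logo from the site's CDN.
PAGE = "https://shop.example.com/checkout"
SAMPLE = [
    Request("GET", PAGE, set_cookie=["session=7f3a; Secure; HttpOnly"]),
    Request("POST", PAGE, referer=PAGE,
            content_type="application/x-www-form-urlencoded",
            body="name=Ada&email=ada%40example.org"),
    Request("GET", "https://pixel.tracker.net/t.gif?uid=abc123&pg=checkout",
            referer=PAGE, set_cookie=["tid=abc123; SameSite=None; Secure"]),
    Request("GET", "https://cdn.example.com/logo.png", referer=PAGE,
            set_cookie=["cdn=edge3; Secure"]),
]

if __name__ == "__main__":
    for url, mode, party in audit(SAMPLE):
        print(f"{mode:8} {party:12} {url}")
```

Only the form POST counts as active collection; the pixel fetch is passive even though it carries a user identifier, which is exactly why notice and choice obligations attach to beacons and third-party cookies and not only to forms. The CDN cookie is first-party because `cdn.example.com` and `shop.example.com` share the registrable domain `example.com`, while `pixel.tracker.net` does not.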
Certification Foundation Exam Format
The Certification Foundation exam is a 90-minute objective test composed of 90 multiple-choice items. There are no essay questions. Each correct answer is worth one point.
It is important to note that the Certification Foundation is not itself an IAPP certification; you must pass both the Certification Foundation exam and a designation exam to achieve certification.
Exam Blueprint
The exam blueprint indicates the minimum and maximum number of questions included on the exam from the major
areas of the body of knowledge. Questions may be asked from any of the topics listed within each area. You can use this
blueprint to guide your studying.
Min Max
I. Common Principles and Approaches to Privacy 31 35
A. Modern history of privacy 1 3
B. Types of information 15 21
Personal information, non-personal information, general and organizational
information, elements of personal information, data processing roles, privacy
policy and notice
C. Information risk management 7 11
Privacy's impact on organizational risk, information lifecycle principles,
privacy impact assessments
D. Modern privacy principles 3 5

II. Privacy by Jurisdictions and Industries 20 23
A. Jurisdictions 10 13
Global perspectives, Europe, United States, Canada, other jurisdictions
B. Industries 9 11
Healthcare, financial, telecommunications, marketing, human resources,
other industries
III. Information Security: Safeguarding Personal Information 12 14
A. Overview of information security 7 11
Privacy and information security in context, elements of information security,
information security standards, information security threats and vulnerabilities
B. Information security management 3 5
Building an information security framework, information security compliance,
common information security controls, information security governance
IV. Online Privacy 20 24
A. Standard web protocols 1 3
B. Privacy considerations 20 22
Threats to online privacy, online privacy notice and methods for communication,
data subject access and redress, online security, website user authentication, children's
online privacy, active vs. passive data collection, online identification mechanisms,
privacy and e-mail, Internet searches, online marketing and advertising, online social
media, online assurance, cloud computing, mobile online privacy
Sample Exam Questions
1. What is the definition of a data controller?
A. A third-party service provider that maintains the platform on which personal data is stored.
B. A supervisory authority empowered to enforce privacy regulation or law.
C. The individual who provides the personal data.
D. An entity that holds personal data and determines the purposes of use.
2. What must be included in a privacy impact assessment?
A. A regulatory review of the assessment.
B. The source code of the system processing the data.
C. The attributes of data collected.
D. The administrator passwords of the system being evaluated.
3. Which standard web protocol allows for a peer's identity to be authenticated prior to a connection being made?
A. Secure Sockets Layer.
B. Hypertext Transfer Protocol.
C. Transmission Control Protocol.
D. Internet Protocol.
4. What is an example of passive data collection on a website?
A. Single sign-on service.
B. Drop-down list.
C. De-selected check box.
D. Web beacon.
General Exam Information
The IAPP offers testing at its major annual conferences and at select industry conferences. Event-based testing is in paper-and-pencil format. You may sit for the Certification Foundation exam and one designation exam during a single event.
The IAPP also offers computer-based testing at test centers worldwide. There are approximately 600 Kryterion High-stakes Online Secured Testing (HOST) locations around the world where IAPP certification exams are administered.
You can find detailed information about how to register for exams, as well as exam day instructions, on our website at www.privacyassociation.org/certification.
Questions?
The IAPP recognizes that privacy certification is an important professional development effort requiring commitment and preparation. We thank you for choosing to pursue certification, and we welcome your questions and comments regarding our certification program.
Please don't hesitate to contact us at certification@privacyassociation.org or +1 603.427.9200.