Good day! I want to use this ad hoc post to talk about ISACA’s newest certification that I had the privilege to take recently, the CDPSE. This certification was developed and designed for the data privacy professional or other individuals who work with regulations and laws around data and individual privacy. If you want to know more, please see the link to the CDPSE.
At the moment, the exam is still in its beta stage, meaning ISACA hasn’t completely determined how to score it just yet. As of this writing (2/1/2021), I completed the exam the Saturday before. The exam was 120 questions with a time limit of 3 hours. It took me about two hours to get through all 120 questions, leaving me an hour to look back through all my answers and challenge what I put. This is my typical way of assessing what I initially put and seeing if I can convince myself to choose another answer. This is not a strategy for everyone, and I’ve burned myself using it before, but I’ve also benefited from it.

The material I studied included different privacy frameworks (NIST, ISACA Privacy Principles, APEC, etc.), as well as ISACA’s review manual. This manual is approximately $105 for ISACA members and $135 for non-members. But wait! If you’re serious about taking the exam, you should register first, because they will send you a code to get the review manual for free! An additional resource I also used was the practice question booklet you can find here on Amazon for about $20. This practice booklet comes with 150 questions that aren’t quite the same as what is on the test, but it helps you understand how the questions will be asked. If you’ve ever taken one of their exams before, the questions always ask you for what is the BEST answer or MOST likely to prevent XYZ.

If you want to take the exam, register at this link and use the promo code “50CDPSE” to take the exam for $50 instead of the $695 for members and $880 for non-members. This code may have expired by the time you read this, but what do you have to lose from trying it? According to the end of the exam, I, and others, will know our results by March 31, 2021, but I believe it will be sometime before then.
Critical items to understand are, of course, the three privacy domains (Governance, Architecture, and Data Lifecycle) and how they play into the daily operations of the company. If you want to see how regulations apply to you, check out my Newsletters and find the regulation you’re looking for. See below for a rough outline of the exam and also go here for a more comprehensive outline.
Privacy Governance (34% of exam)
- Governance (Personal Data, Regulations and Laws, Privacy Documentation)
- Management (Roles and Responsibilities, Audit Processes, Vendor Management)
- Risk Management (RM Process, PIA)
Privacy Architecture (36% of exam)
- Infrastructure (Cloud, Tech Stack, System Hardening)
- Apps and Software (SDLC, Tracking Technologies)
- Technical Privacy Controls (Endpoint Protection, IAM)
Data Lifecycle (30% of exam)
- Data Purpose (Data Classification, Data Analytics)
- Data Persistence (Data Minimization, Data Storage, Data Retention and Destruction)
I can say that you do need to know all three domains well to be successful, but I was not asked any questions that were specifically related to regulations. Instead, you will be asked a question like this:
Question: “A company wants to open an office and process data in another state that they currently don’t do business in. What should MOST be considered when doing this?”
From here, you’ll need to pick through answers like:
- (A) Laws and Regulations
- (B) Data Inventory
- (C) Industry Privacy Frameworks
- (D) Company Mission Statement
Obviously, two of the answers (B and D) are just there to distract or to fill space. Choices A and C would be the primary two to choose from, and in this instance the answer would be A, because the laws and regulations are more important than the framework, and chances are, you’re already using the privacy framework that is industry-wide. This question is not an exam question, but it’s a good flavor of what you would be asked. Each question is all about which answer is the BEST choice, and not which is the CORRECT choice, although there definitely is a correct answer! How else would you get a passing grade if there wasn’t?!?!? Creating your own questions and knowing the answers would be one of the best methods to prepare for the questions that warrant answers like “Privacy Impact Assessment” and “Data Owner.”
In the end, I would recommend studying Domains 2 and 3 much more heavily than Domain 1, simply because the exam, when I took the beta, didn’t have anything related to specific laws and regulations. I memorized the NIST Privacy Framework, Cybersecurity Framework, GDPR articles 1 through 23, Risk Management Framework, SDLC, and many others, only to discover that memorizing those areas doesn’t help you as much as knowing the technicalities around privacy controls and the benefits that something like tokenization and encryption provide to the privacy strategy. That being said, don’t neglect 34% of the exam.
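To make the Domain 2 and 3 point concrete, here is an added Python example (my own illustration for this post, not ISACA material and not from the review manual) showing three technical privacy controls working together: tokenization through a vault, keyed pseudonymization so datasets can still be linked, and data minimization driven by the declared purpose. The class and function names (TokenVault, pseudonymize, prepare_dataset, PURPOSE_FIELDS), the customer records and the field names are all constructed for the example. It uses HMAC-based pseudonymization rather than encryption, since the standard library has no AES; in a real system the linkage key would come from a KMS or HSM, not be generated in the script.

```python
"""Tokenization, keyed pseudonymization and purpose-bound data minimization.
Constructed illustration: records, field names and key are all made up."""
import hashlib
import hmac
import secrets


class TokenVault:
    """Tokenization: replace a sensitive value with a random token and keep
    the mapping in one protected place. The token alone reveals nothing;
    only the vault can re-identify (detokenize), which should be a privileged,
    audited operation."""

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value):
        # Reuse the token for a repeated value so records still join on it.
        if value in self._value_to_token:
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)  # random, not derived from value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        return self._token_to_value[token]


def pseudonymize(value, key):
    """Keyed pseudonym (HMAC-SHA256): stable across systems sharing the key,
    so datasets can be linked without circulating the raw identifier.
    A plain, unkeyed hash of an email or SSN is not enough: it can be
    reversed by hashing guesses; the secret key is what prevents that."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


# Constructed sample records (not real people).
CUSTOMERS = [
    {"name": "A. Example", "email": "a@example.test", "ssn": "000-00-0001",
     "region": "EU", "plan": "pro", "monthly_spend": 42.0},
    {"name": "B. Example", "email": "b@example.test", "ssn": "000-00-0002",
     "region": "US", "plan": "free", "monthly_spend": 0.0},
]

# Data minimization: each purpose declares the fields it actually needs.
PURPOSE_FIELDS = {
    "analytics": {"region", "plan", "monthly_spend"},
    "billing": {"email", "plan", "monthly_spend"},
}

DIRECT_IDENTIFIERS = {"name", "email", "ssn"}


def prepare_dataset(records, purpose, vault, link_key):
    """Build the dataset a downstream team receives for one purpose: only the
    declared fields, a vault token as the row key, and a keyed pseudonym of
    the email for cross-system linkage."""
    allowed = PURPOSE_FIELDS[purpose]
    out = []
    for rec in records:
        row = {"customer_token": vault.tokenize(rec["ssn"]),
               "link_id": pseudonymize(rec["email"], link_key)}
        for field in allowed:
            row[field] = rec[field]
        out.append(row)
    return out


def leaks_identifier(dataset, records):
    """Pre-release check: does any raw direct identifier appear in the output?"""
    raw = {rec[f] for rec in records for f in DIRECT_IDENTIFIERS}
    return any(v in raw for row in dataset for v in row.values())


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # constructed; use a KMS/HSM-held key in practice
    analytics = prepare_dataset(CUSTOMERS, "analytics", vault, key)
    print(analytics)
    print("analytics leaks identifier:", leaks_identifier(analytics, CUSTOMERS))
    # Re-identification only works for whoever holds the vault.
    print(vault.detokenize(analytics[0]["customer_token"]))
```

The analytics dataset passes the leak check because its purpose never declared a direct identifier, while the billing dataset legitimately carries the email; the difference is decided by the purpose mapping, which is exactly the kind of data-purpose and data-persistence reasoning the Domain 3 questions probe.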
That’s the best advice I can give for this exam, and I hope it helps you in deciding if this is something you’d like to pursue. Once I get my results, I plan to do Part 2 of this post too and, hopefully, share in congratulations with everyone who passed the beta exam! But until then, I will see you later.
See the Newsletters page for the latest content and to subscribe to the regular update, see the About page for information around who DPP is, and check out the Contact page to reach out to DPP with any questions or concerns. These are my thoughts and should not be taken as professional advice simply because you are not paying me for my opinion.
Once you understand how valuable your information is, then you can begin taking steps to keep it private.