IAPP CIPP/US Review

This is a review of the International Association of Privacy Professionals' (IAPP) Certified Information Privacy Professional US (CIPP/US) exam.

My background - 15+ years of infosec (and other job descriptions), mostly acting as a CISO without the $$ or title. Lots of GRC. The C in this case stands for privaCy since the only reasons companies protect your personal data is because laws or contracts require them to and those laws & contracts need to be Complied with. It's important I point this out because I am already very well versed in the material.

Why I took the test - I've been tinkering with taking either the CISSP-ISSMP or this CIPM. CIPM is asked for a bit more in job boards (barely...) and had the potential of teaching me more in my studies. Also I'm convinced privacy is the next big wave running along infosec, and IAPP's exams are the only name in the business, so this could be a good strategic move looking 3-5 years down the line. So, I chose the CIPM and coincidentally the training bundle I selected also included the CIPP/US, so I figured why the heck not.

Who is this test for - People who want to memorize US laws regarding privacy. Having taken the test and looking through the directory of already-certified people, it's mostly privacy attorneys, privacy consultants, and infosec managers.

What did I use to study for it - Official live training, official course book, official training guide, official practice exam (~30 questions). Live training was eh, mostly instructor reading verbatim off of the instructors notes to the training guide. Official coursebook (ISBN-13: 978-0979590184) was basically two lawyers who took all of the US laws touching on privacy, created a bulletpoint list of the requirements of each, and wrote them down in narrative form over 180 pages. Extraordinarily dry material. WAY worse than a law school textbook since those at least have cases to put things into context. This was literally just someone writing down legal requirements in paragraph form. I ended up making an outline of the book since you need to just straight up memorize the exact same things from each of up to 75+ similar, but each slightly different, laws (who enforces each law, whether consent to share info is needed, if consent is needed then what kind of consent [phone, email, signature, etc], the requirements of each law, the basis for each law, the fines levied for violations of each law, the security requirements of each law, the data breach notification requirements of each law, etc, etc, etc). This was WAY worse than an ISACA textbook in case you've ever lived through one of those. Official training guide was basically a 100+ page set of bulletpoints summing up the official coursebook with extra material thrown in for some reason. Mostly worthless, IMO. Practice exam was good test of the book and relatively representative of exam questions.

How was the exam - Probably the hardest test I've ever taken, and I've taken ISC2, ISACA, SANS, CompTIA, EC-Council, etc. Not hard in terms of confusingly worded or challenging your skill level, just hard in that many, many questions covered topics I'm fairly sure weren't in the actual textbook or training materials. Many other questions were extraordinarily poorly worded and had answers that didn't seem to relate to the question at all. That'd be fine if it was one or two easily-eliminated multiple choice distractor answers, but oftentimes all of the answers just didn't match the question. Example - Which of these parts is NOT found on a car: A) flagpole,

litter box, C) stamina, D) August. Seriously, I had a few questions where I thought the answer bank must have gotten switched around. I've been an auditor on a few cert exams and felt that many of the questions needed to be reworded. I'd love to see their back-end breakdown of how well some of the questions test. There were also scenario-based questions on the exam, and those weren't represented in the practice tests (caveat - I like scenario questions since you usually get more info to ponder). I was fairly certain I had failed the exam and was flabbergasted (don't get to use that word much) when I found out I passed (you're notified at the very end). I honestly have no idea how.....

Would I recommend this to others - As a strategic move, definitely; already mentioned I think privacy is in its infancy and is going to be big in the coming years. As a learning exam, yes, if you aren't already familiar with the material, but be warned that the material and test are essentially a factual brain **** that I don't believe anybody can actually retain after taking the test. To be fair, that isn't all IAPP's fault - the state of privacy law in the US (as of the day I write this) is a mess, and the material does test the law as it currently exists (with the exception of many horribly worded answers). Ultimately I'd recommend this as an educational piece about how messed up US privacy laws are, but you'll never hope to retain the info from here, esp. since there's no context given to any of the learning topics. If you feel this will be a resume-booster, then go for it, just be prepared to sit down and commit a lot of nearly-identical pieces of information to short-term memory for instant regurgitation over 2.5 hours.

What did I take away from this exam - Mmmmm..... I decided to have a drink when I got home even though it's only lunch time. I also decided to write this. Now let me go get that drink

Find more posts tagged with

Comments

infoseclawyer

Well said and great review. What you wrote is almost identical to my experience. The test is designed in a very legal way - as in cramming for the state bar. I memorized tons of laws on will & estates, but you would definitely not want to hire me to write your will. The same goes for this exam - it's just a brain ****, which is a shame, but there isn't another way to test the material.

In addition to your study resources, I used what's basically someone's outline and an exam question bank (ISNB-13: 978-1507781036). The multiple choice questions were very helpful - the rest of the book is a waste. I copied the nearly 200 questions into an mac/ios program called "Flashcard Hero" that allows for easy multiple choice data entry and did the questions multiple times (in addition to the official practice test).

Congratulations on the pass!

na56

Hi Guys - infoseclawyer and 636-555-325, could I private message or email you guys with questions about the exam ...?

636-555-3226

Sure, can I get fries with that?

na56

Ok, Thanks - as a background, I am a lawyer. I took the CIPP/US a couple days ago - didnt study that much - and I failed. My scaled score was 247, so I think that if I can hone down on studying and getting 8 more questions right, I think I can do it. Since the questions are so detailed, I am literally going to memorize the textbook that was given - but I am skipping the classes. Given that, what was your scaled score. Do you remember any specific questions about the exam that was tough - I remember a few, that, even going back to the book, I am unclear on.

I am going to use your advice and study hard again and hope for a pass, if you had any strategic employed that you though was useful, please let me know so I can try it out. Also when you get the CIPP, I am hoping that will open the door for me for some privacy poistions (I am based near NYC). Do you know if it is a Gateway certificate?

Also, what gives you the impression that privacy is on the rise - I feel the same, but its based on articles that I read on the internet - I would love to hear your ideas on why you think this is the next big thing 3 to 5 years down the road.

Thanks,

Nick

infoseclawyer

I took the test several months ago, so i'm not sure what my scaled score was. The biggest issue with the certification is the lack of quality study material. I'm currently unable to do PM's on this site, so visit www.infosec.lawyer and give me an email from there.

I'm sure we can both learn a lot from 636-555-3226's insight into infosec and privacy trends, so I hope he shares his thoughts with us.

I can speak from experience that having the CIPP/US cert on your resume does signal the employer that you have a vested interest in privacy. It would give you a leg up versus your job competitors -- giving everything else was equal. With all legal positions, where you went to school, whether you clerked, and so on, holds more sway than a certification (without the experience to back it up). That being said, my certifications are the only reason I was hired at my current position (non-legal infosec position). The CIPP/US would definitely help with JD preferred positions (privacy officer, compliance, that sort of thing). Are you looking to practice law?

636-555-3226

I don't have the scaled score in my pass email, just the % for each of the 5 domains (77% average). I agree you'll need to memorize the textbook, that's really the only way to do it. It isn't a general topics kind of test; they ask you a straight up factual question regarding one of the laws and you need to know the hard requirement in that specific provision of the law. I don't think any of the questions were tough - again, I didn't see it as a "thinking" type of test as much of a brain ****.

I had no strategy other than to read the book and condense it into a Word outline listing. Examples below are just made up.
Law A full name (Junk Fax Prevention Act of 2005)
My Law A short name (fax spam)
Who enforces (FCC)
Consent to share needed? (Yes unless existing business relationship [define EBR])
If so, what kind of consent (phone, email, signature, etc)
Hard requirements (no more than 2 faxes a week, etc)
Basis for the law (HIPAA was created for efficiency instead of security, for example)
Fines levied for violations of each law ($1.5M for example)
Security requirements of each law (yearly audit, encryption, etc)
Data breach notification requirements of each law

I've never heard of Gateway certificates

Privacy is key nowadays. Europe is looking at a 4% revenue fine last I heard for data breaches. For many business that number far outweighs the cost to layer some controls on top. HIPAA enforcement is drastically on the rise in the US. State data breach laws are expanding in scope and becoming more particular with requirements. Much like security in general, privacy is more in the public eye and hacker's eyes and hence more attention is being paid to securing that data. A good privacy lawyer would be well suited, I think, in the years to come, esp. positioned near a big city.

na56

By Gateway certificate, I mean a certificate that employers will recognize that may "help you get your foot in the door."

Right now, I dont have any experience with privacy sector, but I want to show employers that I am genuinely interested in the area. I have experience interpreting laws obviously - and I want to carry that over to this new area. I agree with your assessment, I think this is the next area, which, in a few years will be a big area. I analogize it the area of financial compliance - I called it years ago when no-one heard of the ACAMS certification, that it would be helpful for jobs that are geared towards financial compliance, especially anti-money laundering compliance roles. Now, that area has become saturated. I believe that ina couple of years, European regulators will begin fining companies in U.S. for not notifying data breaches in time. As companies become fined, there is a "knee jerk" reaction to "fix the problem"

I am in the job-hunt process; looking for opportunities that will boost my resume. I am not a "techie" and its my hope that most of the privacy roles relate to creating, drafting procedures instead of things like coding.If you can provide any advice on what type of roles within this area to target, please let me know.

I have a question about the CIPP exam also that I will private message you.

na56

A gateway certification is a certification that will "help you get your foot through the door." I am interested in privacy sector - I agree with you in that I think it is the next big thing. I predicted something like that in 2009 when I thought the ACAMS certification was going to be important for those who go into Anti-Money Laundering compliance roles, which are with financial companies. A person with over 6 years of experience in that is making bank now. I hope I can replicate that type of prediction and actually get into something. I am not employed now - in the job hunt process. I am looking for a way to get a boost on my resume (my prior employers we all top law firms in Nyc and I graduated from top 10 law school) - but I want to work my way up, but dont know where to start. If you have any ideas or suggestions, I would love to hear them. Note that I am not a "techie" I want to be in a role where I am drafting and overseeing the compliance with regulations and interacting with federal regulators.

Also, I have a question for you about the CIPP/US - I will pm that to you

na56

whaat were some the questions, if you reacll, that were ambigious?

636-555-3226

Can't speak specifically about ambiguous questions, let's just say the answers didn't line up with the question at all (see my example, above). If you're looking for more non-technical certification-based training that could apply to privacy, I'd steer you towards ISACA land. CRISC & CISM directly align with the CIPM. SANS GSLC would be a good technical "intro" while also providing some security leadership training. Nothing aligns to the CIPP since IAPP is the only org I'm aware of training/certifying for privacy.

na56

Thanks - I was thinking about GSLC - did you gain your certification in that or in the other certification you mentioned? I was interested in CISM - and heard that it was widely viewed favorably by potential employers.

636-555-3226

na56 wrote: »

Thanks - I was thinking about GSLC - did you gain your certification in that or in the other certification you mentioned? I was interested in CISM - and heard that it was widely viewed favorably by potential employers.

No GSLC for me. From what I've seen it's supposed to be very similar to the GSEC with some management thrown in. Having reviewed the GSEC materials when a co-worker was taking it, I couldn't justify the $5k for things I already know. Any additional management topics contained in the GSLC wouldn't be worth the $5k just for that content, either.

CISM I have, I found it enjoyable and worth it. Other people have various opinions. It's pretty much an always-asked-for for infosec mgt jobs nowadays.

dig1tal

636-555-3226 wrote: »

Can't speak specifically about ambiguous questions, let's just say the answers didn't line up with the question at all .

AGREED!!! I passed the CIPT two weeks ago and was disappointed with the questions which I felt were ambiguous with answers that did align well. There were some scenarios with excessive narratives that had irrelevant questions. I don't feel like the Test objectives matched up with the test content.

the_Grinch

Personally (I will note I have not taken any of the exams) it appears this is largely geared towards the legal profession and that means thinking as lawyers do. I sort of look at it as the CISSP, where you have to think they way they do in order to be successful.

sadahoppa

636-555-3226 wrote: »

I had no strategy other than to read the book and condense it into a Word outline listing.

Would you be willing to share said outline? I am all about a donation to you or your favorite charity.

Thanks!

Spindoctor

I too would be willing to donate to a cause in exchange for the Outline. Further, I would agree to expand it where necessary and pass it on.

Thanks.

Tinted Eve

I am looking for a tutor for the 2016 CIPP/US exam. I failed the exam last month. I want to retake before the end of the year.

papadoc

If anyone has any doubts on where privacy is going or if it's valuable to get these certs, just have a look at GDPR. As 636 said up to 4% of annual revenue in fines.

In May of 2018, this goes into effect. I want to see the first EU regulator actually try to collect a 4% fine on annual revenues from a US based company that has an egregious finding/defective controls-program that led to a data breach of EU personal data. What happens if they refuse to pay? What would the EU do? Try to impose sanctions? Yeah, right! Perhaps they could threaten to shutter operations on the US company's overseas operations in Europe.

The lawyers will be all over this and with Trump in office pushing deregulation in certain areas, I could see some appeal letters being sent his way inciting half truth but leading to action, "GDPR is a deliberate attempt by European legislators to collect money for nothing material from companies here in the States. It resembles treason and robbery from our supposed European partners. This is a form of commercial terrorism and must be stopped!" Surely playing into Republican fear mongering by some attorneys that know how to work the system could go far into kicking the teeth out of this new "European regulation."

IPattny

If folks shared outlines, can you please share with me? Thanks.

Serenity623

I agree with some of the other posts on this exam, CIPP/US. I thought it was extremely challenging as I failed 2 of the 5 sections. Bummer for me, I have to pay for the next exam, firm covered the first one.
First, upset that I failed, but I knew that was coming the minute I started going through the questions. I studied for weeks, using many resources, IAPP CIPP/US sample exam, books, a CIPP website I found and subscribed to, Quizlet, US Privacy IAPP supplied book. Did not do live class though.

It seemed to me that nothing I knew made any sense to the questions and corresponding answers on the exam. There were at least 5 case studies that presented very challenging items, HIPPA, GINA, FCRA, Data Controller, Work Place Privacy. These items all made sense to me during study, but the application and the available answers threw me. One item was about I-9 processing – I don’t recall that in the book, did my best guess to the situation.

There were still questions about Safe Harbor, be warned, test likely to be updated at some point.
I did find a post that said the following…
Master the Minutiae. Many students commented on how the tests questions focused on seeming minutiae, such as the names and elements of specific statutes. Several students commented on how flash cards, reciting facts from the books, helped them memorize this minutiae

I agree with this completely, there were things on the exam, that I read in the book, but skimmed them, Cable Television Privacy, Video Privacy and FERPA ( I knew, but the question, eeh gads)!
Good luck on the test – back to the books for me. Have to wait 30 days!

LAWYER2

Hey there, did you eventually pass?

schiphol

Just came from passing the exam about an hour ago and I don't know how. That exam was a beast. The level of minutiae is incredible and there were some answers that had me just saying "c'mon!" in the room. My scaled score was 381 and I got 80%, 100%, 91%, 85%, and 55% across the five respective domains. I did self study based on the official IAPP book and I recently purchased the latest edition of the Privacy Fundamentals 2017 book (ISBN: 9780998322315). I am a licensed attorney and a cyber professional with 15 years in IT.

I only just found out yesterday that the exam got updated as of August 1st while I was looking through the forums and came across LAWYER2's comment on another thread! And a good number of questions involved new laws. Good thing they were fresh in my mind. I immediately researched the new material and made a quick and dirty mini outline to be added to my overall outline. I can share the comprehensive outline as soon as I'm done integrating everything.

beads

Haven't looked recently but seems that with GDPR taking center stage this would be a good time for IAPP to at the very least do a cross over between HIPAA and GDPR. If your looking to be compliant from the US side its gonna take some serious thinking. Really enough to warrant its own cert. - b/eads

sunk318

schiphol wrote: »

Just came from passing the exam about an hour ago and I don't know how. That exam was a beast. The level of minutiae is incredible and there were some answers that had me just saying "c'mon!" in the room. My scaled score was 381 and I got 80%, 100%, 91%, 85%, and 55% across the five respective domains. I did self study based on the official IAPP book and I recently purchased the latest edition of the Privacy Fundamentals 2017 book (ISBN: 9780998322315). I am a licensed attorney and a cyber professional with 15 years in IT.

I only just found out yesterday that the exam got updated as of August 1st while I was looking through the forums and came across LAWYER2's comment on another thread! And a good number of questions involved new laws. Good thing they were fresh in my mind. I immediately researched the new material and made a quick and dirty mini outline to be added to my overall outline. I can share the comprehensive outline as soon as I'm done integrating everything.

Glad to hear that you passed. I am taking the exam in about a week, and would like to find out what the recent changes are. I would appreciate if you can share your outline as well.

schiphol

sunk318 wrote: »

Glad to hear that you passed. I am taking the exam in about a week, and would like to find out what the recent changes are. I would appreciate if you can share your outline as well.

No problem. Can you send me a PM? Either I'm having issues with the site or I don't have sufficient privileges to view your profile and PM you.

cherie246

Hello Schiphol!
I've been reading the threads here, as I'm taking the test on Wednesday, and I had no idea they've updated the test. Would you mind sharing your outline with me as well (now that I'm fairly certain I'm going to fail after reading all these comments)? I would be very grateful!
If you don't mind - I just registered so I don't think I can PM you - can you PM me? THANK YOU!

schiphol

Cherie246 and sunk318, I can't PM either. Shoot me an email at TechExamThrowaway2017[at]gmail[dot]com

nycdataprivacyatty

I just took and passed the CIPP/US exam. Looking to take the CIPM and CIPT exams soon. Any good outlines out there for those exams? Practice tests? Trying to avoid paying for another book, although I realize that it's pretty much mandatory if you want to pass the CIPP/US exam (and assume it's the same for the others).

schiphol

nycdataprivacyatty wrote: »

I just took and passed the CIPP/US exam. Looking to take the CIPM and CIPT exams soon. Any good outlines out there for those exams? Practice tests? Trying to avoid paying for another book, although I realize that it's pretty much mandatory if you want to pass the CIPP/US exam (and assume it's the same for the others).

Maybe take a look at the IAPP website to see what the similarities, if any, are. If there is any overlap of applicable privacy laws that may be half the battle. IAPP also has practice tests for about $25 so you get a feel for what's on the CIPM or CIPT exams.

ugwz6ZGQYeui

Schiphol - I just sent you an email to that address as well. Thank you!