Pre-Summer Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Pass the IAPP Certified Information Privacy Manager CIPM Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam CIPM Premium Access

View all detail and faqs for the CIPM exam

Go to Exam

687 Students Passed

94% Average Score

97% Same Questions

Viewing page 8 out of 9 pages

Viewing questions 71-80 out of questions

Questions # 71:

SCENARIO

Please use the following to answer the next question:

Liam is the newly appointed information technology (IT) compliance manager at Mesa, a USbased outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT audit manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry’s Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa's Privacy Notice himself, which was taken and revised from a competitor’s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time. Liam also filled the backlog of data subject requests for deletion that had been sent to him by the customer service manager. Liam worked with application owners to remove these individual's information and order history from the customer relationship management (CRM) tool, the enterprise resource planning (ERP). the data warehouse and the email server.

At the audit kick-off meeting. Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the audit manager and Liam met to discuss her team’s findings, and much to his dismay. Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings. Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

Why do Mesa's E-commerce and marketing efforts need to be compliant with the GDPR?

Options:

Mesa is US-based.

Mesa uses mailing lists and engages in direct marketing.

Mesa uses automated systems and tools to process personal data.

Mesa has a global E-commerce presence and may have customers in Europe.

Questions # 72:

You are the privacy officer at a university. Recently, the police have contacted you as they suspect that one of your students is using a library computer to commit financial fraud. The police would like your assistance in investigating this individual and are requesting computer logs and usage data of the student.

What Is your first step in responding to the request?

Options:

Refuse the request as the police do not have a warrant.

Provide the data to police and record it for your own archives.

Contact the university's legal counsel to determine if the request is lawful.

Review policies, procedures and legislation to determine the university's obligation to co-operate with the police.

Questions # 73:

SCENARIO

Please use the following to answer the next QUESTION:

Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production – not data processing – and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.

To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth – his uncle's vice president and longtime confidante – wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth

believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.

Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years.

After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.

Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.

Documentation of this analysis will show auditors due diligence.

Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come.

In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding?

Options:

The timeline for monitoring.

The method of recordkeeping.

The use of internal employees.

The type of required qualifications.

Answer

Questions # 74:

Which of the following methods analyzes data collected based the scale and not the endpoint of the privacy program?

Options:

Trend Analysis.

Business Resiliency.

Return on Investment.

The Privacy Maturity Model.

Questions # 75:

SCENARIO

Please use the following to answer the next QUESTION:

It's just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It's enough to give you data- protection nightmares, and you've pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.

Today you have in your office a representative of the organization's marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.

You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.

In order to determine the best course of action, how should this incident most productively be viewed?

Options:

As the accidental loss of personal property containing data that must be restored.

As a potential compromise of personal information through unauthorized access.

As an incident that requires the abrupt initiation of a notification campaign.

As the premeditated theft of company data, until shown otherwise.

Questions # 76:

How are individual program needs and specific organizational goals identified in privacy framework development?

Options:

By employing metrics to align privacy protection with objectives.

Through conversations with the privacy team.

By employing an industry-standard needs analysis.

Through creation of the business case.

Questions # 77:

SCENARIO

Please use the following to answer the next QUESTION:

Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office's video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.

In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly's direction, the office became a model of efficiency and customer service. Kelly monitored his workers' activities using the same cameras that had recorded the illegal conduct of their former co-workers.

Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.

Much to Kelly's surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company's license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company's training programs on privacy protection and data collection mention nothing about surveillance video.

You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.

What does this example best illustrate about training requirements for privacy protection?

Options:

Training needs must be weighed against financial costs.

Training on local laws must be implemented for all personnel.

Training must be repeated frequently to respond to new legislation.

Training must include assessments to verify that the material is mastered.

Questions # 78:

An organization's business continuity plan or disaster recovery plan does NOT typically include what?

Options:

Recovery time objectives.

Emergency response guidelines.

Statement of organizational responsibilities.

Retention schedule for storage and destruction of information.

Answer

Explanation

An organization’s business continuity plan or disaster recovery plan does not typically include a retention schedule for storage and destruction of information. A retention schedule is a document that specifies how long different types of information should be kept by an organization before they are disposed of or destroyed. A retention schedule is usually based on legal, regulatory, operational, historical, or archival requirements. A retention schedule is part of an organization’s information governance or records management policy, not its business continuity or disaster recovery plan.

A business continuity plan (BCP) is a document that outlines how an organization will continue its critical functions and operations in the event of a disruption or disaster. A BCP usually includes:

Contact information and service level agreements (SLAs) for key personnel, stakeholders, providers, backup site operators, etc.

Business impact analysis (BIA) that identifies the potential impacts of disruption on all aspects of the business, such as financial, legal, reputational, etc.

Risk assessment that identifies and evaluates the likelihood and severity of various threats and vulnerabilities that could cause disruption or disaster.

Identification of critical functions that are essential for the survival and recovery of the business.

Communications plan that specifies how to communicate with internal and external parties during and after a disruption or disaster.

Testing plan that specifies how to test and update the BCP regularly to ensure its effectiveness and validity.

A disaster recovery plan (DRP) is a document that outlines how an organization will restore its IT systems, data, applications, and infrastructure in the event of a disruption or disaster. A DRP usually includes:

Recovery time objectives (RTOs) that specify how quickly each IT system or service needs to be restored after a disruption or disaster.

Recovery point objectives (RPOs) that specify how much data loss is acceptable for each IT system or service after a disruption or disaster.

Emergency response guidelines that specify how to respond to and contain a disruption or disaster, such as activating the DRP, declaring a disaster, notifying the stakeholders, etc.

Statement of organizational responsibilities that specifies who is responsible for what tasks and roles during and after a disruption or disaster, such as initiating the DRP, executing the recovery procedures, restoring the IT systems or services, etc.

Recovery procedures that specify how to recover each IT system or service from backup sources, such as backup tapes, disks, cloud services, etc.

Testing plan that specifies how to test and update the DRP regularly to ensure its effectiveness and validity. References: [Business Continuity Plan (BCP) Definition]; [Disaster Recovery Plan (DRP) Definition]

Questions # 79:

An executive for a multinational online retail company in the United States is looking for guidance in developing her company's privacy program beyond what is specifically required by law.

What would be the most effective resource for the executive to consult?

Options:

Internal auditors.

Industry frameworks.

Oversight organizations.

Breach notifications from competitors.

Questions # 80:

SCENARIO

Please use the following to answer the next QUESTION:

Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients. Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested IgNight's installations in their homes across the globe.

One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.

Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with this manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.

If this were a data breach, how is it likely to be categorized?

Options:

Availability Breach.

Authenticity Breach.

Confidentiality Breach.

Integrity Breach.

Answer

Explanation

If this were a data breach, it is likely to be categorized as a confidentiality breach. A confidentiality breach is a type of data breach that involves unauthorized or accidental disclosure of or access to personal data. A confidentiality breach violates the principle of confidentiality, which requires that personal data is protected from unauthorized or unlawful use or disclosure. A confidentiality breach can occur when personal data is exposed to unauthorized parties, such as hackers, competitors, or third parties without consent. A confidentiality breach can also occur when personal data is sent to incorrect recipients, such as by email or mail.

The other options are not likely to be the correct category for this data breach. An availability breach is a type of data breach that involves accidental or unauthorized loss of access to or destruction of personal data. An availability breach violates the principle of availability, which requires that personal data is accessible and usable by authorized parties when needed. An availability breach can occur when personal data is deleted, corrupted, encrypted, or otherwise rendered inaccessible by malicious actors or technical errors. An authenticity breach is a type of data breach that involves unauthorized or accidental alteration of personal data. An authenticity breach violates the principle of authenticity, which requires that personal data is accurate and up to date. An authenticity breach can occur when personal data is modified, tampered with, or falsified by malicious actors or human errors. An integrity breach is a type of data breach that involves unauthorized or accidental alteration of personal data that affects its quality or reliability. An integrity breach violates the principle of integrity, which requires that personal data is complete and consistent with its intended purpose. An integrity breach can occur when personal data is incomplete, inconsistent, outdated, or inaccurate due to malicious actors or human errors. References: Personal Data Breaches: A Guide; Guidance on the Categorisation and Notification of Personal Data Breaches

Viewing page 8 out of 9 pages

Viewing questions 71-80 out of questions