2022 Summer Express Limited Time 55% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 5763r953

Welcome To DumpsPedia

CIPM Sample Questions Answers

Questions 4

SCENARIO

Please use the following to answer the next QUESTION:

Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office's strategies for growth.

Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year's end.

Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.

As Richard begins to research more about Data Lifecycle Management (DLM), he discovers that the law office can lower the risk of a data breach by doing what?

Options:

A.

Prioritizing the data by order of importance.

B.

Minimizing the time it takes to retrieve the sensitive data.

C.

Reducing the volume and the type of data that is stored in its system.

D.

Increasing the number of experienced staff to code and categorize the incoming data.

Buy Now
Questions 5

A minimum requirement for carrying out a Data Protection Impact Assessment (DPIA) would include?

Options:

A.

Processing on a large scale of special categories of data.

B.

Monitoring of a publicly accessible area on a large scale.

C.

Assessment of the necessity and proportionality.

D.

Assessment of security measures.

Buy Now
Questions 6

If your organization has a recurring issue with colleagues not reporting personal data breaches, all of the following are advisable to do EXCEPT?

Options:

A.

Carry out a root cause analysis on each breach to understand why the incident happened.

B.

Communicate to everyone that breaches must be reported and how they should be reported.

C.

Provide role-specific training to areas where breaches are happening so they are more aware.

D.

Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.

Buy Now
Questions 7

What is the main purpose of a privacy program audit?

Options:

A.

To mitigate the effects of a privacy breach.

B.

To justify a privacy department budget increase.

C.

To make decisions on privacy staff roles and responsibilities.

D.

To ensure the adequacy of data protection procedures.

Buy Now
Questions 8

What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?

Options:

A.

Reducing storage costs.

B.

Ensuring data is kept for no longer than necessary.

C.

Crafting policies which ensure minimal data is collected.

D.

Increasing awareness of the importance of confidentiality.

Buy Now
Questions 9

What is the best way to understand the location, use and importance of personal data within an organization?

Options:

A.

By analyzing the data inventory.

B.

By testing the security of data systems.

C.

By evaluating methods for collecting data.

D.

By interviewing employees tasked with data entry.

Buy Now
Questions 10

SCENARIO

Please use the following to answer the next QUESTION:

Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.

Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging

Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.

Spencer – a former CEO and currently a senior advisor – said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.

One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.

Spencer replied that acting with reason means allowing security to be handled by the security functions within the company – not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.

Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."

Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.

What is the most realistic step the organization can take to help diminish liability in the event of another incident?

Options:

A.

Requiring the vendor to perform periodic internal audits.

B.

Specifying mandatory data protection practices in vendor contracts.

C.

Keeping the majority of processing activities within the organization.

D.

Obtaining customer consent for any third-party processing of personal data.

Buy Now
Questions 11

An organization's business continuity plan or disaster recovery plan does NOT typically include what?

Options:

A.

Recovery time objectives.

B.

Emergency response guidelines.

C.

Statement of organizational responsibilities.

D.

Retention schedule for storage and destruction of information.

Buy Now
Questions 12

SCENARIO

Please use the following to answer the next QUESTION:

Martin Briseño is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In 1998, Briseño decided to change the hotel’s on-the-job mentoring model to a standardized training program for employees who were progressing from line positions into supervisory positions. He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased, leading Briseño to work with corporate HR specialists and software engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.

Upon hearing about the success of Briseño’s program, Pacific Suites corporate Vice President Maryanne Silva-Hayes expanded the training and offered it company-wide. Employees who completed the program received certification as a Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at hotels across the country could sign up and pay to take the course online. As the program became increasingly profitable, Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing a variety of online courses and course progressions providing a number of professional certifications in the hospitality industry.

By setting up a user account with PHT, course participants could access an information library, sign up for courses, and take end-of-course certification tests. When a user opened a new account, all information was saved by default, including the user’s name, date of birth, contact information, credit card information, employer, and job title. The registration page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name and password were established, users could return to check their course status, review and reprint their certifications, and sign up and pay for new courses. Between 2002 and 2008, PHT issued more than 700,000 professional certifications.

PHT’s profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e- learning providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved. The training program’s systems and records remained in Pacific Suites’ digital archives, un-accessed and unused. Briseño and Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the program ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed.

In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site, hackers also discovered the archived training course data and registration accounts of Pacific Hospitality Training’s customers. The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the PHT database with all its contents.

A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm. Technical security engineers faced a challenge in dealing with the PHT data.

PHT course administrators and the IT engineers did not have a system for tracking, cataloguing, and storing information. Pacific Suites has procedures in place for data access and storage, but those procedures were not implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or oversight. By the time technical security engineers determined what private information was compromised, at least 8,000 credit card holders were potential victims of fraudulent activity.

What key mistake set the company up to be vulnerable to a security breach?

Options:

A.

Collecting too much information and keeping it for too long

B.

Overlooking the need to organize and categorize data

C.

Failing to outsource training and data management to professionals

D.

Neglecting to make a backup copy of archived electronic files

Buy Now
Questions 13

In privacy protection, what is a "covered entity"?

Options:

A.

Personal data collected by a privacy organization.

B.

An organization subject to the privacy provisions of HIPAA.

C.

A privacy office or team fully responsible for protecting personal information.

D.

Hidden gaps in privacy protection that may go unnoticed without expert analysis.

Buy Now
Questions 14

What is the main function of the Asia-Pacific Economic Cooperation Privacy Framework?

Options:

A.

Enabling regional data transfers.

B.

Protecting data from parties outside the region.

C.

Establishing legal requirements for privacy protection in the region.

D.

Marketing privacy protection technologies developed in the region.

Buy Now
Questions 15

“Respond” in the privacy operational lifecycle includes which of the following?

Options:

A.

Information security practices and functional area integration.

B.

Privacy awareness training and compliance monitoring.

C.

Communication to stakeholders and alignment to laws.

D.

Information requests and privacy rights requests.

Buy Now
Questions 16

SCENARIO

Please use the following to answer the next QUESTION:

As they company’s new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically Questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company’s claims that “appropriate” data protection safeguards were in place. The scandal affected the company’s business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard’s mentor, was forced to step down.

Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company’s board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures. He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. “We want Medialite to have absolutely the highest standards,” he says. “In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company’s finances. So, while I want the best solutions across the board, they also need to be cost effective.”

You are told to report back in a week’s time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.

The company has achieved a level of privacy protection that established new best practices for the industry. What is a logical next step to help ensure a high level of protection?

Options:

A.

Brainstorm methods for developing an enhanced privacy framework

B.

Develop a strong marketing strategy to communicate the company’s privacy practices

C.

Focus on improving the incident response plan in preparation for any breaks in protection

D.

Shift attention to privacy for emerging technologies as the company begins to use them

Buy Now
Questions 17

SCENARIO

Please use the following to answer the next QUESTION:

John is the new privacy officer at the prestigious international law firm – A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.

During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor – MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.

John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.

At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.

Which of the following is a TRUE statement about the relationship among the organizations?

Options:

A.

Cloud Inc. must notify A&M LLP of a data breach immediately.

B.

MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.

C.

Cloud Inc. should enter into a data processor agreement with A&M LLP.

D.

A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor.

Buy Now
Questions 18

What is the main reason to begin with 3-5 key metrics during the program development process?

Options:

A.

To avoid undue financial costs.

B.

To keep the focus on the main organizational objectives.

C.

To minimize selective data use.

D.

To keep the process limited to as few people as possible.

Buy Now
Questions 19

SCENARIO

Please use the following to answer the next QUESTION:

As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.

You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.

Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.

Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.

You are left contemplating:

What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?

What are the next action steps?

What analytic can be used to track the financial viability of the program as it develops?

Options:

A.

Cost basis.

B.

Gap analysis.

C.

Return to investment.

D.

Breach impact modeling.

Buy Now
Questions 20

Under the General Data Protection Regulation (GDPR), which of the following situations would LEAST likely require a controller to notify a data subject?

Options:

A.

An encrypted USB key with sensitive personal data is stolen

B.

A direct marketing email is sent with recipients visible in the ‘cc’ field

C.

Personal data of a group of individuals is erroneously sent to the wrong mailing list

D.

A hacker publishes usernames, phone numbers and purchase history online after a cyber-attack

Buy Now
Questions 21

SCENARIO

Please use the following to answer the next QUESTION:

Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the

practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office's strategies for growth.

Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year's end.

Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.

Richard needs to closely monitor the vendor in charge of creating the firm's database mainly because of what?

Options:

A.

The vendor will be required to report any privacy violations to the appropriate authorities.

B.

The vendor may not be aware of the privacy implications involved in the project.

C.

The vendor may not be forthcoming about the vulnerabilities of the database.

D.

The vendor will be in direct contact with all of the law firm's personal data.

Buy Now
Questions 22

Which of the following is the optimum first step to take when creating a Privacy Officer governance model?

Options:

A.

Involve senior leadership.

B.

Provide flexibility to the General Counsel Office.

C.

Develop internal partnerships with IT and information security.

D.

Leverage communications and collaboration with public affairs teams.

Buy Now
Questions 23

SCENARIO

Please use the following to answer the next QUESTION:

Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society’s store had been hacked. The thefts could have been employee-related.

Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points

out, it took only a phone call from you to clarify expectations and the “misunderstanding” has not occurred again.

As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Society’s operating budget is slim, and all sources of revenue are essential.

Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. “The good news,” he says, “is that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it won’t be exorbitant, especially considering the advantages of a cloud.”

Lately, you have been hearing about cloud computing and you know it’s fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jason’s Finnish provider is signing on.

What is the best way for your vendor to be clear about the Society’s breach notification expectations?

Options:

A.

Include notification provisions in the vendor contract

B.

Arrange regular telephone check-ins reviewing expectations

C.

Send a memorandum of understanding on breach notification

D.

Email the regulations that require breach notifications

Buy Now
Exam Code: CIPM
Exam Name: Certified Information Privacy Manager (CIPM)
Last Update: May 8, 2022
Questions: 159
$72  $159.99
$54  $119.99
$45  $99.99
buy now CIPM