• Home
  • Blogs
  • Check the Free demo of our CIPM Exam Dumps with 182 Questions [Q103-Q127]

Check the Free demo of our CIPM Exam Dumps with 182 Questions [Q103-Q127]

Share

Check the Free demo of our CIPM Exam Dumps with 182 Questions

Clear your concepts with CIPM Questions Before Attempting Real exam


Study Guides for CIPM Evaluation

Manuals help a candidate study for the CIPM exam by exposing them to different approaches to the assessed topics, and many sample questions to check their understanding. Here are some of the study guides that will arm you with in-depth knowledge for the actual validation:

  • Complete CIPM Practice Exam: Privacy Manager 90 Questions

    This guide by Privacy Law Practice Exams is a question handbook that candidates can use to test their readiness for the real exam. If the candidate has already taken the training and feels ready to sit for the CIPM, this book will help him/her determine whether he/she is ready or not for the actual testing process. Overall, it contains 90 questions that help the candidate familiarize with the exam format, with explanations and pointers for the candidate. The practice items will also help the student get familiar with the exam setting and structure.

  • CIPM: Focused Preparation: Preparation for Certified Information Privacy Manager Certification Exam

    The manual by Timothy Smit and Gabe Smit is an ideal support resource for any candidate aiming to ace the CIPM exam. It has 90 revision questions to test how well the candidate is conversant with privacy program concepts and skills. It also has guidance tips for the candidate to get familiar with the real exam and identify the tricks in the final exam questions.

  • IAPP CIPM Study Guides

    Candidates angling for the CIPM test can utilize the free study book found on the vendor’s site. The free book includes key knowledge areas regarding the CIPM, steps to use during exam prep, sample questions, and general information about the evaluation. Likewise, applicants can also purchase a relevant handbook from the IAPP Store, which has a number of materials covering various aspects of data privacy.

 

NEW QUESTION # 103
SCENARIO
Please use the following to answer the next QUESTION:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office's strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year's end.
Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.
Which of the following policy statements needs additional instructions in order to further protect the personal data of their clients?

  • A. Before any copiers, printers, or fax machines are replaced or resold, the hard drives of these devices must be deleted before leaving the office.
  • B. All unused copies, prints, and faxes must be discarded in a designated recycling bin located near the work station and emptied daily.
  • C. All faxes sent from the office must be documented and the phone number used must be double checked to ensure a safe arrival.
  • D. When sending a print job containing personal data, the user must not leave the information visible on the computer screen following the print command and must retrieve the printed document immediately.

Answer: D


NEW QUESTION # 104
SCENARIO
Please use the following to answer the next QUESTION:
As they company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically Questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that "appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures. He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective." You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
What metric can Goddard use to assess whether costs associated with implementing new privacy protections are justified?

  • A. Compliance ratio
  • B. Implementation measure
  • C. Cost-effective mean
  • D. Return on investment

Answer: D


NEW QUESTION # 105
SCENARIO
Please use the following to answer the next question:
As the director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient
"buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating: What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success? What are the next action steps?
Which of the following would be most effectively used as a guide to a systems approach to implementing data protection?

  • A. International Organization for Standardization 27000 Series
  • B. Data Life Cycle Management Standards
  • C. United Nations Privacy Agency Standards
  • D. International Organization for Standardization 9000 Series

Answer: A


NEW QUESTION # 106
What is a key feature of the privacy metric template adapted from the National Institute of Standards and Technology (NIST)?

  • A. It provides suggestions about how to collect and measure data.
  • B. It is focused on organizations that do business internationally.
  • C. It can be tailored to an organization's particular needs.
  • D. It is updated annually to reflect changes in government policy.

Answer: C

Explanation:
Explanation
A key feature of the privacy metric template adapted from the National Institute of Standards and Technology (NIST) is that it can be tailored to an organization's particular needs. The privacy metric template is a tool that helps organizations measure their privacy performance and outcomes based on their own goals and objectives7 The template consists of four components: privacy objective, privacy outcome category, privacy outcome statement, and privacy metric statement. The template allows organizations to customize each component according to their specific context, scope, scale, and level of detail8 The template also provides examples and guidance on how to use it effectively and consistently9 The other options are not key features of the privacy metric template adapted from NIST. The template does not provide suggestions on how to collect and measure data, but rather focuses on defining what data to collect and measure based on the desired privacy outcomes. The template is not updated annually to reflect changes in government policy, but rather reflects a general framework that can be applied across different sectors and jurisdictions. The template is not focused on organizations that do business internationally, but rather can be used by any organization regardless of its geographic scope or location. References: 7: Privacy Framework | NIST; 8: NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management Version 1.0; 9: NIST Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management Version 1.0


NEW QUESTION # 107
Which of the following is NOT recommended for effective Identity Access Management?

  • A. Unique user IDs.
  • B. Demographics.
  • C. User responsibility.
  • D. Credentials (e.g.. password).

Answer: B

Explanation:
Identity and Access Management (IAM) is a process that helps organizations secure their systems and data by controlling who has access to them and what they can do with that access. Effective IAM includes a number of best practices, such as:
Unique user IDs: Each user should have a unique ID that is used to identify them across all systems and applications.
Credentials: Users should be required to provide authentication credentials, such as a password or biometric data, in order to access systems and data.
User responsibility: Users should be made aware of their responsibilities when it comes to security, such as the need to keep their passwords secret and the importance of reporting suspicious activity.
Demographics refers to the statistical characteristics of a population, such as age, gender, income, etc. While demographic data may be collected and used for various purposes, it is not a recommended practice for effective IAM. Demographic data is not a reliable method of identification or authentication, and it is not used to provide access to systems and data.
Reference:
https://aws.amazon.com/iam/
https://en.wikipedia.org/wiki/Identity_and_access_management
https://en.wikipedia.org/wiki/Demographics


NEW QUESTION # 108
Formosa International operates in 20 different countries including the United States and France. What organizational approach would make complying with a number of different regulations easier?

  • A. Data mapping.
  • B. Rationalizing requirements.
  • C. Decentralized privacy management.
  • D. Fair Information Practices.

Answer: B

Explanation:
Explanation
Rationalizing requirements is an organizational approach that involves identifying and harmonizing the common elements of different privacy regulations and standards. This can make compliance easier and more efficient, as well as reduce the risk of conflicts or gaps in privacy protection. Rationalizing requirements can also help to create a consistent privacy policy and culture across different jurisdictions and business units. References: CIPM Study Guide, page 23.


NEW QUESTION # 109
For an organization that has just experienced a data breach, what might be the least relevant metric for a company's privacy and governance team?

  • A. The number of employees who have completed data awareness training.
  • B. The number of security patches applied to company devices.
  • C. The number of privacy rights requests that have been exercised.
  • D. The number of Privacy Impact Assessments that have been completed.

Answer: B

Explanation:
Explanation
The number of security patches applied to company devices might be the least relevant metric for a company's privacy and governance team after a data breach. While security patches are important for preventing future breaches, they do not directly measure the impact or response of the current breach. The other metrics are more relevant for assessing how the company handled the breach, such as how it complied with the privacy rights of affected individuals, how it evaluated the privacy risks of its systems, and how it trained its employees on data awareness. References: CIPM Study Guide, page 28.


NEW QUESTION # 110
Which will best assist you in quickly identifying weaknesses in your network and storage?

  • A. Reviewing your privacy program metrics.
  • B. Establishing a complaint-monitoring process.
  • C. Reviewing your role-based access controls.
  • D. Running vulnerability scanning tools.

Answer: D


NEW QUESTION # 111
SCENARIO
Please use the following to answer the next QUESTION:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!" Which is the best first step in understanding the data security practices of a potential vendor?

  • A. Requiring the vendor to complete a questionnaire assessing International Organization for Standardization (ISO) 27001 compliance.
  • B. Conducting a physical audit of the vendor's facilities.
  • C. Conducting a penetration test of the vendor's data security structure.
  • D. Examining investigation records of any breaches the vendor has experienced.

Answer: D


NEW QUESTION # 112
SCENARIO
Please use the following to answer the next QUESTION:
Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society's store had been hacked. The thefts could have been employee-related.
Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a phone call from you to clarify expectations and the "misunderstanding" has not occurred again.
As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Society's operating budget is slim, and all sources of revenue are essential.
Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. "The good news," he says, "is that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it won't be exorbitant, especially considering the advantages of a cloud." Lately, you have been hearing about cloud computing and you know it's fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jason's Finnish provider is signing on.
What process can best answer your Questions about the vendor's data security safeguards?

  • A. A public records search for earlier legal violations
  • B. A reference check with other clients
  • C. A table top demonstration of a potential threat
  • D. A second-party of supplier audit

Answer: B


NEW QUESTION # 113
SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eurek a. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?

  • A. Limit data transfers to the US by keeping data collected in Europe within a local data center.
  • B. Implement a policy restricting data access on a "need to know" basis.
  • C. Conduct a Privacy Impact Assessment (PIA) to evaluate the risks involved.
  • D. Document the data flows for the collected data.

Answer: D


NEW QUESTION # 114
In addition to regulatory requirements and business practices, what important factors must a global privacy strategy consider?

  • A. Political history
  • B. Cultural norms
  • C. Monetary exchange
  • D. Geographic features

Answer: D


NEW QUESTION # 115
The General Data Protection Regulation (GDPR) specifies fines that may be levied against data controllers for certain infringements. Which of the following will be subject to administrative fines of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year?

  • A. Failure to provide the means for a data subject to rectify inaccuracies in personal data
  • B. Failure to implement technical and organizational measures to ensure data protection is enshrined by design and default
  • C. Failure to process personal information in a manner compatible with its original purpose
  • D. Failure to demonstrate that consent was given by the data subject to the processing of their personal data where it is used as the basis for processing

Answer: D

Explanation:
Explanation/Reference: https://gdpr-info.eu/art-8-gdpr/


NEW QUESTION # 116
Which of the following is the optimum first step to take when creating a Privacy Officer governance model?

  • A. Provide flexibility to the General Counsel Office.
  • B. Involve senior leadership.
  • C. Leverage communications and collaboration with public affairs teams.
  • D. Develop internal partnerships with IT and information security.

Answer: D


NEW QUESTION # 117
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?
What are the next action steps?
What analytic can be used to track the financial viability of the program as it develops?

  • A. Gap analysis.
  • B. Return to investment.
  • C. Cost basis.
  • D. Breach impact modeling.

Answer: B


NEW QUESTION # 118
SCENARIO
Please use the following to answer the next question:
Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo.
A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a privacy Consultant, to assess the company and report to both father and son. "Carlton won't listen to me," Paul says, "but he may pay attention to an expert." Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks, espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a loose assemblage of controls, lacking consistency and with plenty of weaknesses. "This is a technology company," Carlton says. "We create. We innovate. I don't want unnecessary measures that will only slow people down and clutter their thoughts." The meeting lasts until early evening. Upon leaving, you walk through the office. It looks as if a strong windstorm has recently blown through, with papers scattered across desks and tables and even the floor. A
"cleaning crew" of one teenager is emptying the trash bins. A few computers have been left on for the night; others are missing. Carlton takes note of your attention to this: "Most of my people take their laptops home with them, or use their own tablets or phones. I want them to use whatever helps them to think and be ready day or night for that great insight. It may only come once!" What phase in the Privacy Maturity Model (PMM) does Gadgo's privacy program best exhibit?

  • A. Repeatable
  • B. Managed
  • C. Defined
  • D. Ad hoc

Answer: D


NEW QUESTION # 119
"Collection," "access" and "destruction" are aspects of what privacy management process?

  • A. The business case
  • B. The data governance strategy
  • C. The metric life cycle
  • D. The breach response plan

Answer: B


NEW QUESTION # 120
What is the main function of the Asia-Pacific Economic Cooperation Privacy Framework?

  • A. Protecting data from parties outside the region.
  • B. Enabling regional data transfers.
  • C. Establishing legal requirements for privacy protection in the region.
  • D. Marketing privacy protection technologies developed in the region.

Answer: B

Explanation:
Explanation
The main function of the Asia-Pacific Economic Cooperation Privacy Framework is enabling regional data transfers while protecting information privacy across APEC member economies. The Framework promotes a flexible approach to information privacy protection that avoids the creation of unnecessary barriers to information flows3 It is based on a set of common privacy principles that are consistent with the core values of the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data3 The Framework also provides guidance for domestic implementation and international implementation of the privacy principles through various mechanisms, such as cross-border privacy rules (CBPRs), accountability agents, regulators, enforcement cooperation, and capacity building3 The Framework aims to facilitate the safe transfer of information between economies, enhance consumer trust and confidence in online transactions and information networks, encourage the use of electronic data to enhance and expand business opportunities, and provide technical assistance to economies that have yet to address privacy from a regulatory or policy perspective4 References: 3: APEC PRIVACY PRINCIPLES; 4: APEC Data Privacy Pathfinder


NEW QUESTION # 121
An organization's business continuity plan or disaster recovery plan does NOT typically include what?

  • A. Statement of organizational responsibilities
  • B. Recovery time objectives
  • C. Retention schedule for storage and destruction of information
  • D. Emergency Response Guidelines

Answer: C


NEW QUESTION # 122
SCENARIO
Please use the following to answer the next QUESTION:
For 15 years, Albert has worked at Treasure Box - a mail order company in the United States (U.S.) that used to sell decorative candles around the world, but has recently decided to limit its shipments to customers in the 48 contiguous states. Despite his years of experience, Albert is often overlooked for managerial positions. His frustration about not being promoted, coupled with his recent interest in issues of privacy protection, have motivated Albert to be an agent of positive change.
He will soon interview for a newly advertised position, and during the interview, Albert plans on making executives aware of lapses in the company's privacy program. He feels certain he will be rewarded with a promotion for preventing negative consequences resulting from the company's outdated policies and procedures.
For example, Albert has learned about the AICPA (American Institute of Certified Public Accountans)/CICA (Canadian Institute of Chartered Accountants) Privacy Maturity Model (PMM). Albert thinks the model is a useful way to measure Treasure Box's ability to protect personal dat a. Albert has noticed that Treasure Box fails to meet the requirements of the highest level of maturity of this model; at his interview, Albert will pledge to assist the company with meeting this level in order to provide customers with the most rigorous security available.
Albert does want to show a positive outlook during his interview. He intends to praise the company's commitment to the security of customer and employee personal data against external threats. However, Albert worries about the high turnover rate within the company, particularly in the area of direct phone marketing. He sees many unfamiliar faces every day who are hired to do the marketing, and he often hears complaints in the lunch room regarding long hours and low pay, as well as what seems to be flagrant disregard for company procedures.
In addition, Treasure Box has had two recent security incidents. The company has responded to the incidents with internal audits and updates to security safeguards. However, profits still seem to be affected and anecdotal evidence indicates that many people still harbor mistrust. Albert wants to help the company recover. He knows there is at least one incident the public in unaware of, although Albert does not know the details. He believes the company's insistence on keeping the incident a secret could be a further detriment to its reputation. One further way that Albert wants to help Treasure Box regain its stature is by creating a toll-free number for customers, as well as a more efficient procedure for responding to customer concerns by postal mail.
In addition to his suggestions for improvement, Albert believes that his knowledge of the company's recent business maneuvers will also impress the interviewers. For example, Albert is aware of the company's intention to acquire a medical supply company in the coming weeks.
With his forward thinking, Albert hopes to convince the managers who will be interviewing him that he is right for the job.
Based on Albert's observations regarding recent security incidents, which of the following should he suggest as a priority for Treasure Box?

  • A. Working with the Human Resources department to make screening procedures for potential employees more rigorous.
  • B. Evaluating the company's ability to handle personal health information if the plan to acquire the medical supply company goes forward
  • C. Using a third-party auditor to address privacy protection issues not recognized by the prior internal audits.
  • D. Appointing an internal ombudsman to address employee complaints regarding hours and pay.

Answer: B


NEW QUESTION # 123
Under the General Data Protection Regulation (GDPR), which of the following situations would LEAST likely require a controller to notify a data subject?

  • A. A hacker publishes usernames, phone numbers and purchase history online after a cyber-attack
  • B. An encrypted USB key with sensitive personal data is stolen
  • C. A direct marketing email is sent with recipients visible in the 'cc' field
  • D. Personal data of a group of individuals is erroneously sent to the wrong mailing list

Answer: B

Explanation:
Explanation
Under the GDPR, a controller must notify a data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of the data subject, unless one of the following conditions applies: the personal data are rendered unintelligible to any person who is not authorized to access it, such as by encryption; the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize; or the notification would involve disproportionate effort, in which case a public communication or similar measure may suffice. In this case, an encrypted USB key with sensitive personal data is stolen, but the personal data are presumably unintelligible to the thief, so the controller does not need to notify the data subject. However, the controller still needs to notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
References:
* CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section B:
Protecting Personal Information, Subsection 2: Data Breach Incident Planning and Management
* CIPM Study Guide (2021), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach
* Incident Planning and Management
* CIPM Textbook (2019), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach Incident Planning and Management
* CIPM Practice Exam (2021), Question 134
* GDPR Article 33 and 3412


NEW QUESTION # 124
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer - a former CEO and currently a senior advisor - said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason.
"Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company - not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month." Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
Based on the scenario, Nationwide Grill needs to create better employee awareness of the company's privacy program by doing what?

  • A. Varying the modes of communication.
  • B. Communicating to the staff more often.
  • C. Requiring acknowledgment of company memos.
  • D. Improving inter-departmental cooperation.

Answer: C


NEW QUESTION # 125
SCENARIO
Please use the following to answer the next QUESTION:
Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients. Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested IgNight's installations in their homes across the globe.
One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.
Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with this manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.
If this were a data breach, how is it likely to be categorized?

  • A. Confidentiality Breach.
  • B. Integrity Breach.
  • C. Availability Breach.
  • D. Authenticity Breach.

Answer: A


NEW QUESTION # 126
What is the best way to understand the location, use and importance of personal data within an organization?

  • A. By analyzing the data inventory.
  • B. By testing the security of data systems.
  • C. By evaluating methods for collecting data.
  • D. By interviewing employees tasked with data entry.

Answer: C

Explanation:
Explanation
The best way to understand the location, use and importance of personal data within an organization is by evaluating methods for collecting data. This will help to identify the sources, purposes, and categories of data that the organization processes, as well as the data flows and transfers within and outside the organization. By doing so, the organization can assess the risks and opportunities associated with data processing and design appropriate privacy policies and controls. References: [IAPP CIPM Study Guide], page 29-30; [Data Inventory]


NEW QUESTION # 127
......


IAPP CIPM exam is a valuable certification for professionals who are responsible for managing and protecting personal data. CIPM exam covers a wide range of privacy-related topics and requires a significant amount of preparation and study. The CIPM certification is becoming increasingly important in today's business environment, and can help professionals stand out in the job market and advance their careers. The IAPP offers a range of resources and training programs to help candidates prepare for the exam, making it an accessible and achievable goal for privacy professionals.

 

Get professional help from our CIPM Dumps PDF: https://www.examprepaway.com/IAPP/braindumps.CIPM.ete.file.html

Give You Free Regular Updates on CIPM Exam Questions: https://drive.google.com/open?id=1yZXZjjDlswCUxNwDWaQzZL9A0ThCEwma

Related Blogs

more
IAPP CIPM Certification Practice Exam