ExamGecko
Login
Home / IAPP / CIPM / List of questions
Ask Question

IAPP CIPM Practice Test - Questions Answers, Page 2

List of questions

Question 11

Report
Export
Collapse

An executive for a multinational online retail company in the United States is looking for guidance in developing her company's privacy program beyond what is specifically required by law.

What would be the most effective resource for the executive to consult?

Internal auditors.

Internal auditors.

Industry frameworks.

Industry frameworks.

Oversight organizations.

Oversight organizations.

Breach notifications from competitors.

Breach notifications from competitors.
Suggested answer: B

Explanation:

Industry frameworks are the most effective resource for an executive who wants to develop her company's privacy program beyond what is specifically required by law. Industry frameworks are collections of best practices, standards, and guidelines that help organizations establish and improve their privacy policies and procedures. Industry frameworks can help organizations demonstrate their commitment to privacy, enhance their reputation and trustworthiness, and comply with multiple privacy regulations.Some examples of industry frameworks are the NIST Privacy Framework2, the ISO 27701 Privacy Information Management System3, and the AICPA/CICA Generally Accepted Privacy Principles (GAPP)4. The other options are not as effective as industry frameworks for developing a privacy program. Internal auditors can help evaluate the effectiveness and compliance of existing privacy controls, but they may not provide guidance on how to improve or expand them. Oversight organizations can enforce privacy laws and regulations, but they may not offer advice on how to go beyond the legal requirements. Breach notifications from competitors can alert organizations to potential threats and vulnerabilities, but they may not suggest how to prevent or mitigate them.Reference:NIST Privacy Framework;ISO 27701 Privacy Information Management System;AICPA/CICA Generally Accepted Privacy Principles (GAPP)

asked 22/11/2024
Ivan Rodrigo Velasco Capote
34 questions

Question 12

Report
Export
Collapse

What is one reason the European Union has enacted more comprehensive privacy laws than the United States?

To ensure adequate enforcement of existing laws.

To ensure adequate enforcement of existing laws.

To ensure there is adequate funding for enforcement.

To ensure there is adequate funding for enforcement.

To allow separate industries to set privacy standards.

To allow separate industries to set privacy standards.

To allow the free movement of data between member countries.

To allow the free movement of data between member countries.
Suggested answer: D

Explanation:

One reason the European Union has enacted more comprehensive privacy laws than the United States is to allow the free movement of data between member countries. The EU considers data protection as a fundamental right that applies to all individuals within its territory, regardless of their nationality or residence.The EU has adopted a harmonized legal framework for data protection, such as the GDPR1and the ePrivacy Directive5, that applies to all member states and ensures a consistent level of protection across the EU. The EU also requires that any transfers of personal data outside the EU are subject to adequate safeguards or exceptions that guarantee an equivalent level of protection. The EU's approach to data protection aims to facilitate the internal market and promote economic and social integration among member states by removing barriers and restrictions to the cross-border flow of data. The other options are not reasons why the EU has enacted more comprehensive privacy laws than the US. The EU does not necessarily have more adequate enforcement or funding for its privacy laws than the US, although it does have a network of independent supervisory authorities that monitor and enforce compliance with the EU data protection rules. The EU does not allow separate industries to set privacy standards, but rather imposes uniform and binding rules for all sectors and activities that involve personal data processing.Reference:GDPR;ePrivacy Directive

asked 22/11/2024
sicnarep sicnarep
44 questions

Question 13

Report
Export
Collapse

All of the following changes will likely trigger a data inventory update EXCEPT?

Outsourcing the Customer Relationship Management (CRM) function.

Outsourcing the Customer Relationship Management (CRM) function.

Acquisition of a new subsidiary.

Acquisition of a new subsidiary.

Onboarding of a new vendor.

Onboarding of a new vendor.

Passage of a new privacy regulation.

Passage of a new privacy regulation.
Suggested answer: D

Explanation:

All of the changes listed will likely trigger a data inventory update except for the passage of a new privacy regulation. A data inventory is a record of all personal data that an organization collects, processes, stores, shares, or disposes of. A data inventory helps an organization understand what types of personal data it holds, where it comes from, where it goes, and how it is protected. A data inventory should be updated regularly to reflect any changes in the organization's data processing activities or practices. Some examples of changes that would trigger a data inventory update are outsourcing a business function, acquiring a new subsidiary, or onboarding a new vendor. These changes may involve new sources or destinations of personal data, new purposes or categories of processing, new security measures or risks, or new contractual agreements or obligations. The passage of a new privacy regulation may not trigger a data inventory update unless it affects the organization's existing data processing activities or practices. However, it may trigger a compliance assessment or gap analysis to determine if the organization needs to make any adjustments to its privacy program or policies to meet the new legal requirements.Reference:Data Inventory Hub;Data Inventory: What It Is & How To Create One

asked 22/11/2024
Christos Katopis
33 questions

Question 14

Report
Export
Collapse

SCENARIO

Please use the following to answer the next QUESTION:

Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo. A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a Privacy Consultant, to assess the company and report to both father and son. 'Carlton won't listen to me,' Paul says, 'but he may pay attention to an expert.'

Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks. espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a loose assemblage of controls, lacking consistency and with plenty of weaknesses. 'This is a technology company,' Carlton says. 'We create. We innovate. I don't want unnecessary measures that will only slow people down and clutter their thoughts.'

The meeting lasts until early evening. Upon leaving, you walk through the office it looks as if a strong windstorm has recently blown through, with papers scattered across desks and tables and even the floor. A 'cleaning crew' of one teenager is emptying the trash bins. A few computers have been left on for the night, others are missing. Carlton takes note of your attention to this: 'Most of my people take their laptops home with them, or use their own tablets or phones. I want them to use whatever helps them to think and be ready day or night for that great insight. It may only come once!'

What would be the best kind of audit to recommend for Gadgo?

A supplier audit.

A supplier audit.

An internal audit.

An internal audit.

A third-party audit.

A third-party audit.

A self-certification.

A self-certification.
Suggested answer: C

Explanation:

This answer is the best kind of audit to recommend for Gadgo, as it can provide an independent and objective assessment of the company's privacy program and practices, as well as identify any gaps, weaknesses or risks that need to be addressed or improved. A third-party audit is conducted by an external auditor who has the necessary expertise, experience and credentials to evaluate the company's compliance with the applicable laws, regulations, standards and best practices for data protection.A third-party audit can also help to enhance the company's reputation and trust among its customers, partners and stakeholders, as well as demonstrate its commitment and accountability for privacy protection.Reference: IAPP CIPM Study Guide, page 881; ISO/IEC 27002:2013, section 18.2.1

asked 22/11/2024
Mikolaj Roeper
36 questions

Question 15

Report
Export
Collapse

SCENARIO

Please use the following to answer the next QUESTION:

Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo. A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a Privacy Consultant, to assess the company and report to both father and son. 'Carlton won't listen to me,' Paul says, 'but he may pay attention to an expert.'

Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks. espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a loose assemblage of controls, lacking consistency and with plenty of weaknesses. 'This is a technology company,' Carlton says. 'We create. We innovate. I don't want unnecessary measures that will only slow people down and clutter their thoughts.'

The meeting lasts until early evening. Upon leaving, you walk through the office it looks as if a strong windstorm has recently blown through, with papers scattered across desks and tables and even the floor. A 'cleaning crew' of one teenager is emptying the trash bins. A few computers have been left on for the night, others are missing. Carlton takes note of your attention to this: 'Most of my people take their laptops home with them, or use their own tablets or phones. I want them to use whatever helps them to think and be ready day or night for that great insight. It may only come once!'

What phase in the Privacy Maturity Model (PMM) does Gadgo's privacy program best exhibit?

Ad hoc.

Ad hoc.

Defined.

Defined.

Repeatable.

Repeatable.

Managed.

Managed.
Suggested answer: A

Explanation:

This answer is the best way to describe the phase in the Privacy Maturity Model (PMM) that Gadgo's privacy program best exhibits, as it shows that the company has no formal or consistent approach to privacy protection and that its privacy practices are largely reactive, unplanned and uncoordinated. The ad hoc phase is the lowest level of maturity in the PMM, which is a framework that measures the effectiveness and maturity of an organization's privacy program based on five phases: ad hoc, repeatable, defined, managed and optimized.The ad hoc phase indicates that the organization has little or no awareness of its privacy obligations and risks, and that its privacy activities are dependent on individual efforts or initiatives, rather than on organizational policies or processes.Reference: IAPP CIPM Study Guide, page 891; ISO/IEC 27002:2013, section 18.1.1

asked 22/11/2024
Shivanth Jha
34 questions

Question 16

Report
Export
Collapse

Incipia Corporation just trained the last of its 300 employees on their new privacy policies and procedures.

If Incipia wanted to analyze the effectiveness of the training over the next 6 months, which form of trend analysis should they use?

Cyclical.

Cyclical.

Irregular.

Irregular.

Statistical.

Statistical.

Standard variance.

Standard variance.
Suggested answer: C

Explanation:

This answer is the best form of trend analysis that Incipia Corporation should use to analyze the effectiveness of the training over the next six months, as it can provide a quantitative and objective way to measure and compare the results and outcomes of the training against predefined criteria or indicators. Statistical trend analysis is a method that involves collecting, analyzing and presenting data using statistical tools and techniques, such as charts, graphs, tables or formulas.Statistical trend analysis can help to identify patterns, changes or correlations in the data over time, as well as to evaluate the performance and impact of the training on the organization's privacy program and objectives.Reference: IAPP CIPM Study Guide, page 901; ISO/IEC 27002:2013, section 18.1.3

asked 22/11/2024
Przemysław Doczkal
39 questions

Question 17

Report
Export
Collapse

SCENARIO

Please use the following to answer the next QUESTION:

Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients. Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested

IgNight's installations in their homes across the globe.

One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.

Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with this manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.

To determine the steps to follow, what would be the most appropriate internal guide for Ben to review?

Incident Response Plan.

Incident Response Plan.

Code of Business Conduct.

Code of Business Conduct.

IT Systems and Operations Handbook.

IT Systems and Operations Handbook.

Business Continuity and Disaster Recovery Plan.

Business Continuity and Disaster Recovery Plan.
Suggested answer: A

Explanation:

The most appropriate internal guide for Ben to review is the Incident Response Plan. An Incident Response Plan is a document that outlines how an organization will respond to a security incident, such as a data breach, a cyberattack, or a malware infection. An Incident Response Plan typically includes:

The roles and responsibilities of the incident response team and other stakeholders

The procedures and protocols for detecting, containing, analyzing, and resolving incidents

The communication and escalation channels for reporting and notifying incidents

The tools and resources for conducting incident response activities

The criteria and methods for evaluating and improving the incident response process

An Incident Response Plan helps an organization prepare for and deal with security incidents in an effective and efficient manner. It also helps an organization minimize the impact and damage of security incidents, comply with legal and regulatory obligations, and restore normal operations as soon as possible.

The other options are not as relevant or useful as the Incident Response Plan for Ben's situation. The Code of Business Conduct is a document that defines the ethical standards and expectations for the organization's employees and stakeholders. It may include some general principles or policies related to security, but it does not provide specific guidance on how to handle security incidents. The IT Systems and Operations Handbook is a document that describes the technical aspects and functions of the organization's IT systems and infrastructure. It may include some information on security controls and configurations, but it does not provide detailed instructions on how to perform incident response tasks. The Business Continuity and Disaster Recovery Plan is a document that outlines how an organization will continue its critical functions and operations in the event of a disruption or disaster, such as a natural disaster, a power outage, or a fire. It may include some measures to protect or recover data and systems, but it does not focus on security incidents or threats.Reference:What Is an Incident Response Plan for IT?;Incident Response Plan (IRP) Basics

asked 22/11/2024
Mohamed Mohamed
48 questions

Question 18

Report
Export
Collapse

SCENARIO

Please use the following to answer the next QUESTION:

Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients. Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested IgNight's installations in their homes across the globe.

One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.

Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with this manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.

If this were a data breach, how is it likely to be categorized?

Availability Breach.

Availability Breach.

Authenticity Breach.

Authenticity Breach.

Confidentiality Breach.

Confidentiality Breach.

Integrity Breach.

Integrity Breach.
Suggested answer: C

Explanation:

If this were a data breach, it is likely to be categorized as a confidentiality breach. A confidentiality breach is a type of data breach that involves unauthorized or accidental disclosure of or access to personal data. A confidentiality breach violates the principle of confidentiality, which requires that personal data is protected from unauthorized or unlawful use or disclosure. A confidentiality breach can occur when personal data is exposed to unauthorized parties, such as hackers, competitors, or third parties without consent. A confidentiality breach can also occur when personal data is sent to incorrect recipients, such as by email or mail.

The other options are not likely to be the correct category for this data breach. An availability breach is a type of data breach that involves accidental or unauthorized loss of access to or destruction of personal data. An availability breach violates the principle of availability, which requires that personal data is accessible and usable by authorized parties when needed. An availability breach can occur when personal data is deleted, corrupted, encrypted, or otherwise rendered inaccessible by malicious actors or technical errors. An authenticity breach is a type of data breach that involves unauthorized or accidental alteration of personal data. An authenticity breach violates the principle of authenticity, which requires that personal data is accurate and up to date. An authenticity breach can occur when personal data is modified, tampered with, or falsified by malicious actors or human errors. An integrity breach is a type of data breach that involves unauthorized or accidental alteration of personal data that affects its quality or reliability. An integrity breach violates the principle of integrity, which requires that personal data is complete and consistent with its intended purpose. An integrity breach can occur when personal data is incomplete, inconsistent, outdated, or inaccurate due to malicious actors or human errors.Reference:Personal Data Breaches: A Guide;Guidance on the Categorisation and Notification of Personal Data Breaches

asked 22/11/2024
Mikolaj Roeper
36 questions

Question 19

Report
Export
Collapse

SCENARIO

Please use the following to answer the next QUESTION:

Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients. Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested IgNight's installations in their homes across the globe.

One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.

Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with this manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.

Going forward, what is the best way for IgNight to prepare its IT team to manage these kind of security events?

Tabletop exercises.

Tabletop exercises.

Update its data inventory.

Update its data inventory.

IT security awareness training.

IT security awareness training.

Share communications relating to scheduled maintenance.

Share communications relating to scheduled maintenance.
Suggested answer: A

Explanation:

The best way for IgNight to prepare its IT team to manage these kind of security events is to conduct tabletop exercises. Tabletop exercises are simulated scenarios that test the organization's ability to respond to security incidents in a realistic and interactive way. Tabletop exercises typically involve:

A facilitator who guides the participants through the scenario and injects additional challenges or variables

A scenario that describes a plausible security incident based on real-world threats or past incidents

A set of objectives that define the expected outcomes and goals of the exercise

A set of questions that prompt the participants to discuss their roles, responsibilities, actions, decisions, and communications during the incident response process

A feedback mechanism that collects the participants' opinions and suggestions on how to improve the incident response plan and capabilities

Tabletop exercises help an organization prepare for and deal with security incidents by:

Enhancing the awareness and skills of the IT team and other stakeholders involved in incident response

Identifying and addressing the gaps, weaknesses, and challenges in the incident response plan and process

Improving the coordination and collaboration among the IT team and other stakeholders during incident response

Evaluating and validating the effectiveness and efficiency of the incident response plan and process

Generating and implementing lessons learned and best practices for incident response

The other options are not as effective or useful as tabletop exercises for preparing the IT team to manage security events. Updating the data inventory is a good practice for maintaining an accurate and comprehensive record of the personal data that the organization collects, processes, stores, shares, or disposes of. However, it does not test or improve the organization's incident response capabilities or readiness. IT security awareness training is a good practice for educating the IT team and other employees on the basic principles and practices of cybersecurity. However, it does not simulate or replicate the real-world situations and challenges that the IT team may face during security incidents. Sharing communications relating to scheduled maintenance is a good practice for informing the IT team and other stakeholders of the planned activities and potential impacts on the IT systems and infrastructure. However, it does not prepare the IT team for dealing with unplanned or unexpected security events that may require immediate and coordinated response.Reference:CISA Tabletop Exercise Packages;Cybersecurity Tabletop Exercise Examples, Best Practices, and Considerations;Six Tabletop Exercises to Help Prepare Your Cybersecurity Team

asked 22/11/2024
Samya Sharab
40 questions

Question 20

Report
Export
Collapse

How are individual program needs and specific organizational goals identified in privacy framework development?

By employing metrics to align privacy protection with objectives.

By employing metrics to align privacy protection with objectives.

Through conversations with the privacy team.

Through conversations with the privacy team.

By employing an industry-standard needs analysis.

By employing an industry-standard needs analysis.

Through creation of the business case.

Through creation of the business case.
Suggested answer: D

Explanation:

The creation of the business case is the first step in privacy framework development, as it helps to identify the individual program needs and specific organizational goals. The business case is a document that outlines the rationale, objectives, benefits, costs, risks, and alternatives for implementing a privacy program. It also helps to communicate the value of privacy to stakeholders and gain their support. The other options are subsequent steps in privacy framework development, after the business case has been established.Reference:CIPM Study Guide, page 15.

asked 22/11/2024
Jaroslaw Walaszek
37 questions
Total 201 questions
Go to page: of 21
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

SCENARIO Please use the following to answer the next QUESTION: As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development. You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change. Initially, your work was greeted with little confidence or enthusiasm by the company's 'old guard' among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient 'buy-in' to begin putting the proper procedures into place. Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective. You are left contemplating: What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success? What are the next action steps? What practice would afford the Director the most rigorous way to check on the program's compliance with laws, regulations and industry best practices?
When devising effective employee policies to address a particular issue, which of the following should be included in the first draft?
What is the function of the privacy operational life cycle?
SCENARIO Please use the following to answer the next QUESTION: You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning's privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost. When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers. He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data. The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is limited to their logo, but the other side is blank and they will accept whatever you want to write. You put their offer on hold and begin to develop the text around the space constraints. You are content to let the vendor's logo be associated with the notification. The notification explains that your company recently hired a vendor to store information about their most recent experience at St. Sebastian Hospital's Clinic for Infectious Diseases. The vendor did not encrypt the information and no longer has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They simply need to go to your company's website and watch a quick advertisement, then provide their name, email address, and month and year of birth. You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth. The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote and use the vendor's postcards. Shortly after the vendor mails the postcards, you learn the data was on a server that was stolen, and make the decision to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a convincing name: Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will: 1. Send an enrollment invitation to everyone the day after the contract is signed. 2. Enroll someone with just their first name and the last-4 of their national identifier. 3. Monitor each enrollee's credit for two years from the date of enrollment. 4. Send a monthly email with their credit rating and offers for credit-related services at market rates. 5. Charge your company 20% of the cost of any credit restoration. You execute the contract and the enrollment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs. What is the most concerning limitation of the incident-response council?
What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?
Under the General Data Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?
Integrating privacy requirements into functional areas across the organization happens at which stage of the privacy operational life cycle?
The General Data Protection Regulation (GDPR) specifies fines that may be levied against data controllers for certain infringements. Which of the following will be subject to administrative fines of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year?
SCENARIO Please use the following to answer the next QUESTION: Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family. This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. 'It's going to be great,' the developer, Deidre Hoffman, tells you, 'if, that is, we actually get it working!' She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. 'It's just three young people,' she says, 'but they do great work.' She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. 'They do good work, so I chose them.' Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, 'I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!' Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?
SCENARIO Please use the following to answer the next QUESTION: Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production -- not data processing -- and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information. To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth -- his uncle's vice president and longtime confidante -- wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access. Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years. After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe. Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check. Documentation of this analysis will show auditors due diligence. Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come. To improve the facility's system of data security, Anton should consider following through with the plan for which of the following?