ExamGecko
Login
Home / IAPP / CIPM / List of questions
Ask Question

IAPP CIPM Practice Test - Questions Answers, Page 20

Add to Whishlist

List of questions

Question 191

Report Export Collapse

With whom would it be best for a privacy professional in an organization to consult regarding Privacy-Enhancing Technologies (PETs)?

Become a Premium Member for full access
  Unlock Premium Member

Question 192

Report Export Collapse

SCENARIO

Please use the following to answer the next question:

Liam is the newly appointed information technology (IT) compliance manager at Mesa, a USbased outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company's IT audit manager, who informs him that the auditing team will be conducting a review of Mesa's privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant's report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry's Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department's success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa's Privacy Notice himself, which was taken and revised from a competitor's website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time. Liam also filled the backlog of data subject requests for deletion that had been sent to him by the customer service manager. Liam worked with application owners to remove these individual's information and order history from the customer relationship management (CRM) tool, the enterprise resource planning (ERP). the data warehouse and the email server.

At the audit kick-off meeting. Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the audit manager and Liam met to discuss her team's findings, and much to his dismay. Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings. Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

Given the feedback provided to Liam after the audit, what maturity level would the audit team most likely have assigned to Mesa's privacy policies and procedures if they use the Privacy Maturity Model (PMM)?

Become a Premium Member for full access
  Unlock Premium Member

Question 193

Report Export Collapse

An organization can use Privacy-Enhancing Technologies (PETs) to?

Become a Premium Member for full access
  Unlock Premium Member

Question 194

Report Export Collapse

All of the following are accurate regarding the use of technical security controls EXCEPT?

Become a Premium Member for full access
  Unlock Premium Member

Question 195

Report Export Collapse

What is the main reason for conducting a data inventory or data map of your organization?

Become a Premium Member for full access
  Unlock Premium Member

Question 196

Report Export Collapse

The first step an organization should take when considering the use of a third-party's AI-based resume ranking tool is to?

Become a Premium Member for full access
  Unlock Premium Member

Question 197

Report Export Collapse

All of the following should be mandatory in the contract for the outsourced vendor EXCEPT?

Become a Premium Member for full access
  Unlock Premium Member

Question 198

Report Export Collapse

A new business crafting its privacy policy is struggling with how it will define the term 'personal data.'

Which of the following should inform this decision?

Become a Premium Member for full access
  Unlock Premium Member

Question 199

Report Export Collapse

In a mobile app for purchasing and selling concert tickets, users are prompted to create a personalized profile prior to engaging in transactions. Once registered, users can securely access their profiles within the app, empowering them to manage and modify personal data as needed.

Which foundational Privacy by Design (PbD) principle does this feature follow?

Become a Premium Member for full access
  Unlock Premium Member

Question 200

Report Export Collapse

All of the following would be answered through the creation of a data inventory EXCEPT?

Become a Premium Member for full access
  Unlock Premium Member
Total 201 questions
Go to page: of 21
Open VPLUS File
Convert VPLUS to PDF

Related questions

SCENARIO Please use the following to answer the next QUESTION: As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development. You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change. Initially, your work was greeted with little confidence or enthusiasm by the company's 'old guard' among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient 'buy-in' to begin putting the proper procedures into place. Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective. You are left contemplating: What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success? What are the next action steps? What practice would afford the Director the most rigorous way to check on the program's compliance with laws, regulations and industry best practices?
When devising effective employee policies to address a particular issue, which of the following should be included in the first draft?
What is the function of the privacy operational life cycle?
SCENARIO Please use the following to answer the next QUESTION: You lead the privacy office for a company that handles information from individuals living in several countries throughout Europe and the Americas. You begin that morning's privacy review when a contracts officer sends you a message asking for a phone call. The message lacks clarity and detail, but you presume that data was lost. When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the vendor improperly shared information about your customers. He called the vendor and confirmed that your company recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a result, the vendor has lost control of the data. The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is limited to their logo, but the other side is blank and they will accept whatever you want to write. You put their offer on hold and begin to develop the text around the space constraints. You are content to let the vendor's logo be associated with the notification. The notification explains that your company recently hired a vendor to store information about their most recent experience at St. Sebastian Hospital's Clinic for Infectious Diseases. The vendor did not encrypt the information and no longer has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They simply need to go to your company's website and watch a quick advertisement, then provide their name, email address, and month and year of birth. You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth. The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote and use the vendor's postcards. Shortly after the vendor mails the postcards, you learn the data was on a server that was stolen, and make the decision to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a convincing name: Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000 people, but develops a proposal in about a day which says CRUDLOK will: 1. Send an enrollment invitation to everyone the day after the contract is signed. 2. Enroll someone with just their first name and the last-4 of their national identifier. 3. Monitor each enrollee's credit for two years from the date of enrollment. 4. Send a monthly email with their credit rating and offers for credit-related services at market rates. 5. Charge your company 20% of the cost of any credit restoration. You execute the contract and the enrollment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs. What is the most concerning limitation of the incident-response council?
What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?
Under the General Data Protection Regulation (GDPR), what must be included in a written agreement between the controller and processor in relation to processing conducted on the controller's behalf?
Integrating privacy requirements into functional areas across the organization happens at which stage of the privacy operational life cycle?
The General Data Protection Regulation (GDPR) specifies fines that may be levied against data controllers for certain infringements. Which of the following will be subject to administrative fines of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year?
SCENARIO Please use the following to answer the next QUESTION: Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family. This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. 'It's going to be great,' the developer, Deidre Hoffman, tells you, 'if, that is, we actually get it working!' She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. 'It's just three young people,' she says, 'but they do great work.' She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. 'They do good work, so I chose them.' Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, 'I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!' Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?
SCENARIO Please use the following to answer the next QUESTION: Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production -- not data processing -- and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information. To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth -- his uncle's vice president and longtime confidante -- wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access. Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years. After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe. Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check. Documentation of this analysis will show auditors due diligence. Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come. To improve the facility's system of data security, Anton should consider following through with the plan for which of the following?