IAPP CIPM - Certified Information Privacy Manager (CIPM)

IAPP CIPM Premium Access Download Demo

Page: 7 / 8
Total 243 questions

Question # 61

An organizationâ€™s internal audit team should do all of the following EXCEPT?

Implement processes to correct audit failures.

Verify that technical measures are in place.

Review how operations work in practice.

Ensure policies are being adhered to.

Question # 62

SCENARIO

Please use the following to answer the next QUESTION:

Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production â€“ not data processing â€“ and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.

To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth â€“ his uncle's vice president and longtime confidante â€“ wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth

believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.

Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years.

After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.

Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.

Documentation of this analysis will show auditors due diligence.

Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come.

In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding?

The timeline for monitoring.

The method of recordkeeping.

The use of internal employees.

The type of required qualifications.

Question # 63

Which of the following is an example of Privacy by Design (PbD)?

A company hires a professional to structure a privacy program that anticipates the increasing demands of new laws.

The human resources group develops a training program for employees to become certified in privacy policy.

A labor union insists that the details of employers' data protection methods be documented in a new contract.

The information technology group uses privacy considerations to inform the development of new networking software.

Question # 64

SCENARIO

Please use the following to answer the next question:

Liam is the newly appointed information technology (IT) compliance manager at Mesa, a USbased outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the companyâ€™s IT audit manager, who informs him that the auditing team will be conducting a review of Mesaâ€™s privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultantâ€™s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industryâ€™s Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his departmentâ€™s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa's Privacy Notice himself, which was taken and revised from a competitorâ€™s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time. Liam also filled the backlog of data subject requests for deletion that had been sent to him by the customer service manager. Liam worked with application owners to remove these individual's information and order history from the customer relationship management (CRM) tool, the enterprise resource planning (ERP). the data warehouse and the email server.

At the audit kick-off meeting. Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the audit manager and Liam met to discuss her teamâ€™s findings, and much to his dismay. Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings. Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

Given the feedback provided to Liam after the audit, what maturity level would the audit team most likely have assigned to Mesaâ€™s privacy policies and procedures if they use the Privacy Maturity Model (PMM)?

Repeatable.

Ad-hoc.

Defined.

Managed.

Question # 65

SCENARIO

Please use the following to answer the next QUESTION:

Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the

practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office's strategies for growth.

Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year's end.

Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.

Richard needs to closely monitor the vendor in charge of creating the firm's database mainly because of what?

The vendor will be required to report any privacy violations to the appropriate authorities.

The vendor may not be aware of the privacy implications involved in the project.

The vendor may not be forthcoming about the vulnerabilities of the database.

The vendor will be in direct contact with all of the law firm's personal data.

Question # 66

In which situation would a Privacy Impact Assessment (PIA) be the least likely to be required?

If a company created a credit-scoring platform five years ago.

If a health-care professional or lawyer processed personal data from a patient's file.

If a social media company created a new product compiling personal data to generate user profiles.

If an after-school club processed children's data to determine which children might have food allergies.

Question # 67

SCENARIO

Please use the following to answer the next question

You were recently hired by InStyte Date Corp as a privacy manager to help InStyle Data Corp become compliant with a new data protection law

The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don t comply with the new law

You are paved with a security manager and tasked with reviewing InStyle Data Corp s current state and advising the business how it can meet the "reasonable and appropriate security" requirement InStyle Data Corp has grown rapidly and has not kept a data inventory or completed a data mapping InStyte Data Corp has also developed security-related policies ad hoc and many have never been implemented The various teams involved in the creation and testing of InStyle Data Corp s products experience significant turnover and do not have well defined roles There's little documentation addressing what personal data is processed by which product and for what purpose

Work needs to begin on this project immediately so that InStyle Data Corp can become compliant by the time the law goes into effect. You and you partner discover that InStyle Data Corp regularly sends files containing sensitive personal data back to its customers through email sometimes using InStyle Data Corp employees personal email accounts. You also team that InStyle Data Corp s privacy and information security teams are not informed of new personal data flows, new products developed by InStyte Data Corp that process personal data, or updates to existing InStyle Data Corp products that may change what or how the personal data is processed until after the product or update has gone have.

Through a review of InStyle Date Corpâ€™s test and development environment logs, you discover InStyle Data Corp sometimes gives login credentials to any InStyle Data Corp employee or contractor who requests them. The test environment only contains dummy data but the development environment contains personal data including Social Security Numbers, hearth ^formation and financial information All credentialed InStyle Data Corp employees and contractors have the ability to after and delete personal data in both environments regardless of their role or what project they are working on.

You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation InStyle Data Corp implements all of the recommended security controls You review the processes roles, controls and measures taken to appropriately protect the personal data at every stop However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures InStyle Data Corp pushes back, stating they do not have the resources for such monitoring.

Having completed the gap assessment, you and your partner need to first undertake a thorough review of?

Data life cyde

Security policies.

System development life cycle.

Privacy Impact (PIA).

Question # 68

An organization's business continuity plan or disaster recovery plan does NOT typically include what?

Recovery time objectives.

Emergency response guidelines.

Statement of organizational responsibilities.

Retention schedule for storage and destruction of information.

Explanation:

An organizationâ€™s business continuity plan or disaster recovery plan does not typically include a retention schedule for storage and destruction of information. A retention schedule is a document that specifies how long different types of information should be kept by an organization before they are disposed of or destroyed. A retention schedule is usually based on legal, regulatory, operational, historical, or archival requirements. A retention schedule is part of an organizationâ€™s information governance or records management policy, not its business continuity or disaster recovery plan.

A business continuity plan (BCP) is a document that outlines how an organization will continue its critical functions and operations in the event of a disruption or disaster. A BCP usually includes:

Contact information and service level agreements (SLAs) for key personnel, stakeholders, providers, backup site operators, etc.

Business impact analysis (BIA) that identifies the potential impacts of disruption on all aspects of the business, such as financial, legal, reputational, etc.

Risk assessment that identifies and evaluates the likelihood and severity of various threats and vulnerabilities that could cause disruption or disaster.

Identification of critical functions that are essential for the survival and recovery of the business.

Communications plan that specifies how to communicate with internal and external parties during and after a disruption or disaster.

Testing plan that specifies how to test and update the BCP regularly to ensure its effectiveness and validity.

A disaster recovery plan (DRP) is a document that outlines how an organization will restore its IT systems, data, applications, and infrastructure in the event of a disruption or disaster. A DRP usually includes:

Recovery time objectives (RTOs) that specify how quickly each IT system or service needs to be restored after a disruption or disaster.

Recovery point objectives (RPOs) that specify how much data loss is acceptable for each IT system or service after a disruption or disaster.

Emergency response guidelines that specify how to respond to and contain a disruption or disaster, such as activating the DRP, declaring a disaster, notifying the stakeholders, etc.

Statement of organizational responsibilities that specifies who is responsible for what tasks and roles during and after a disruption or disaster, such as initiating the DRP, executing the recovery procedures, restoring the IT systems or services, etc.

Recovery procedures that specify how to recover each IT system or service from backup sources, such as backup tapes, disks, cloud services, etc.

Testing plan that specifies how to test and update the DRP regularly to ensure its effectiveness and validity.Â References:Â [Business Continuity Plan (BCP) Definition]; [Disaster Recovery Plan (DRP) Definition]

Question # 69

Which of the following is NOT recommended for effective Identity Access Management?

Demographics.

Unique user IDs.

User responsibility.

Credentials (e.g.. password).

Question # 70

The main reason the response to this incident should be integrated into the Business Continuity Plan (BCP) is because?

The repercussions for the company could have significant environmental impacts.

The need for retraining employees will be paramount.

Major stakeholders are involved from every critical area of the business.

The impact on the company's competitive advantage is potentially significant.

New Year Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

IAPP CIPM - Certified Information Privacy Manager (CIPM)

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation: