IAPP CIPM - Certified Information Privacy Manager (CIPM)

Page: 8 / 8
Total 262 questions

SCENARIO

Please use the following to answer the next question:

The risk committee of your organization is particularly concerned not only by the number and frequency of data breaches reported to it over the past 12 months, but also the inconsistency in responses and poor incident response turnaround times.

Upon reviewing the current incident response plan (IRP), it was discovered that while the business continuity plan (BCP) had been updated on time, the IRP, linked to the BCP, was last updated over three years ago.

What additional procedure and/or process would best reduce future incidents?

Contact internal teams impacted by incidents.

Notify stakeholders of changes.

Ensure the IRP is on the same scheduled review cycle as the BCP.

Add comments to record past actions.

Question # 72

If an organization maintains a separate ethics office, to whom would its officer typically report to in order to retain the greatest degree of independence?

The Board of Directors.

The Chief Financial Officer.

The Human Resources Director.

The organization's General Counsel.

Explanation:

If an organization maintains a separate ethics office, its officer would typically report to the Board of Directors in order to retain the greatest degree of independence.Â This is because the Board of Directors is the highest governing body of the organization and has the authority and responsibility to oversee the ethical conduct and performance of the organization and its management1Â Reporting to the Board of Directors would enable the ethics officer to avoid any potential conflicts of interest or undue influence from other senior executives or managers who may have a stake in the ethical issues or decisions that the ethics office handles2Â Reporting to the Board of Directors would also enhance the credibility and legitimacy of the ethics office and its recommendations, as well as demonstrate the organizationâ€™s commitment to ethical values and culture3

The other options are not as suitable as reporting to the Board of Directors for retaining the greatest degree of independence for the ethics office.Â Reporting to the Chief Financial Officer may create a conflict of interest or a perception of bias if the ethical issues or decisions involve financial matters or implications4Â Reporting to the Human Resources Director may limit the scope or authority of the ethics office to deal with ethical issues or decisions that go beyond human resources policies or practices5Â Reporting to the organizationâ€™s General Counsel may blur the distinction or create confusion between legal compliance and ethical conduct, as well as raise concerns about attorney-client privilege or confidentiality6Â References:Â 1:Â Board Responsibilities | BoardSource;Â 2:Â Ethics Officer: Job Description, Duties and Requirements;Â 3:Â The Role Of The Ethics And Compliance Officer In The 21st Century | Corporate Compliance Insights;Â 4:Â Ethics Officer: Job Description, Duties and Requirements;Â 5:Â Ethics Officer: Job Description, Duties and Requirements;Â 6:Â Ethics Officer: Job Description, Duties and Requirements

[Reference: https://hbr.org/1994/03/managing-for-organizational-integrity, , ]

Question # 73

SCENARIO

Please use the following lo answer the next question:

You are the privacy manager within the privacy office of a National Forest Parks and Recreation Department. While having lunch with a colleague from the IT division, you learn that the IT director has put out a request for proposal (RFP) which calls for a system that collects the personal data of park attendees.

You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:

â€¢ personal identifiers such as name, address, age, gender;

â€¢ vehicle registration information:

â€¢ facial images of park attendees;

â€¢ health information (e.g.. physical disabilities, use of mobility devices)

The stated purpose of the RFP is to:

"Improve the National Forest. Parks, and Recreation Department's ability to track and monitor service usage thereby Increasing the robustness of our customer data and to improve service offerings.''

Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.

The IT department has put together an RFP evaluation team but no one from the privacy office has been a Dart of the RFP ud to this point. This occurred deposite the factâ€¦.

Which of the following is the least important privacy consideration associated with assessing data when implementing a large-scale project like this?

Standardization of privacy safeguards on a national scale.

Classification of the types of personal information collected by the system

Identifying operational risks associated with data storage, access and disposal.

Third-party vendor assessment to determine how well privacy practices of vendors align with your organization's practices.

Question # 74

SCENARIO

Please use the following to answer the next QUESTION:

It's just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It's enough to give you data- protection nightmares, and you've pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.

Today you have in your office a representative of the organization's marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.

You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.

From a business standpoint, what is the most productive way to view employee use of personal equipment for work-related tasks?

The use of personal equipment is a cost-effective measure that leads to no greater security risks than are always present in a modern organization.

Any computer or other equipment is company property whenever it is used for company business.

While the company may not own the equipment, it is required to protect the business-related data on any equipment used by its employees.

The use of personal equipment must be reduced as it leads to inevitable security risks.

Question # 75

Why were the nongovernmental privacy organizations, Electronic Frontier Foundation (EFF) and Electronic Privacy Information Center (EPIC), established?

To promote consumer confidence in the Internet industry.

To improve the user experience during online shopping.

To protect civil liberties and raise consumer awareness.

To promote security on the Internet through strong encryption.

Question # 76

SCENARIO

Please use the following to answer the next QUESTION:

As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.

You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.

Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.

Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.

You are left contemplating:

What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?

What are the next action steps?

What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?

Privacy by Design.

Privacy Step Assessment.

Information Security Planning.

Innovation Privacy Standards.

Question # 77

Which of the following helps build trust with customers and stakeholders?

Only publish what is legally necessary to reduce your liability.

Enable customers to view and change their own personal information within a dedicated portal.

Publish your privacy policy using broad language to ensure all of your organizationâ€™s activities are captured.

Provide a dedicated privacy space with the privacy policy, explanatory documents and operation frameworks.

Question # 78

Read the following steps:

Perform frequent data back-ups.

Perform test restorations to verify integrity of backed-up data.

Maintain backed-up data offline or on separate servers.

These steps can help an organization recover from what?

Phishing attacks

Authorization errors

Ransomware attacks

Stolen encryption keys

Weekend Sale Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: xmas50

IAPP CIPM - Certified Information Privacy Manager (CIPM)

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation:

The Answer Is:

Explanation: