IAPP CIPM Certified Information Privacy Manager (CIPM) Exam Practice Test

Page: 1 / 14
Total 201 questions

Want more questions? Get Premium Access.
()

Question 1

An organization's privacy officer was just notified by the benefits manager that she accidentally sent out the retirement enrollment report of all employees to a wrong vendor.

Which of the following actions should the privacy officer take first?

APerform a risk of harm analysis.

BReport the incident to law enforcement.

CContact the recipient to delete the email.

DSend firm-wide email notification to employees.

Answer : A

The first action that the privacy officer should take after being notified by the benefits manager that she accidentally sent out the retirement enrollment report of all employees to a wrong vendor is to perform a risk of harm analysis.A risk of harm analysis is a process of assessing the potential adverse consequences for the individuals whose personal data has been compromised by a data breach or incident5The purpose of this analysis is to determine whether the breach or incident poses a significant risk of harm to the affected individuals, such as identity theft, fraud, discrimination, physical harm, emotional distress, or reputational damage6The risk of harm analysis should consider various factors, such as the type and amount of data involved, the sensitivity and context of the data, the likelihood and severity of harm, the characteristics of the recipients or unauthorized parties who accessed the data, and the mitigating measures taken or available to reduce the harm7Based on this analysis, the privacy officer can then decide whether to notify the affected individuals, the relevant authorities, or other stakeholders about the breach or incident.Notification is usually required by law or best practice when there is a high risk of harm to the individuals as a result of the breach or incident8Notification can also help to mitigate the harm by allowing the individuals to take protective actions or seek remedies.Therefore, performing a risk of harm analysis is a crucial first step for responding to a data breach or incident.Reference:5:Can a risk of harm itself be a harm? | Analysis | Oxford Academic;6:No Harm Done? Assessing Risk of Harm under the Federal Breach Notification Rule;7:CCOHS: Hazard and Risk - Risk Assessment;8: Breach Notification Requirements in Canada | PrivacySense.net

Question 2

Which of the following privacy frameworks are legally binding?

ABinding Corporate Rules (BCRs).

BGenerally Accepted Privacy Principles (GAPP).

CAsia-Pacific Economic Cooperation (APEC) Privacy Framework.

DOrganization for Economic Co-Operation and Development (OECD) Guidelines.

Answer : A

Binding Corporate Rules (BCRs) are a set of legally binding rules that allow multinational corporations or groups of companies to transfer personal data across borders within their organization in compliance with the EU data protection law1BCRs are approved by the competent data protection authorities in the EU and are enforceable by data subjects and the authorities2BCRs are one of the mechanisms recognized by the EU General Data Protection Regulation (GDPR) to ensure an adequate level of protection for personal data transferred outside the European Economic Area (EEA)3

Question 3

An executive for a multinational online retail company in the United States is looking for guidance in developing her company's privacy program beyond what is specifically required by law.

What would be the most effective resource for the executive to consult?

AInternal auditors.

BIndustry frameworks.

COversight organizations.

DBreach notifications from competitors.

Answer : B

Industry frameworks are the most effective resource for an executive who wants to develop her company's privacy program beyond what is specifically required by law. Industry frameworks are collections of best practices, standards, and guidelines that help organizations establish and improve their privacy policies and procedures. Industry frameworks can help organizations demonstrate their commitment to privacy, enhance their reputation and trustworthiness, and comply with multiple privacy regulations.Some examples of industry frameworks are the NIST Privacy Framework2, the ISO 27701 Privacy Information Management System3, and the AICPA/CICA Generally Accepted Privacy Principles (GAPP)4. The other options are not as effective as industry frameworks for developing a privacy program. Internal auditors can help evaluate the effectiveness and compliance of existing privacy controls, but they may not provide guidance on how to improve or expand them. Oversight organizations can enforce privacy laws and regulations, but they may not offer advice on how to go beyond the legal requirements. Breach notifications from competitors can alert organizations to potential threats and vulnerabilities, but they may not suggest how to prevent or mitigate them.Reference:NIST Privacy Framework;ISO 27701 Privacy Information Management System;AICPA/CICA Generally Accepted Privacy Principles (GAPP)

Question 4

SCENARIO

Please use the following to answer the next QUESTION:

Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.

Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.

Spencer -- a former CEO and currently a senior advisor -- said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.

One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.

Spencer replied that acting with reason means allowing security to be handled by the security functions within the company -- not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.

Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."

Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.

Based on the scenario, Nationwide Grill needs to create better employee awareness of the company's privacy program by doing what?

AVarying the modes of communication.

BCommunicating to the staff more often.

CImproving inter-departmental cooperation.

DRequiring acknowledgment of company memos.

Answer : A

This answer is the best way to create better employee awareness of the company's privacy program, as it can increase the effectiveness and retention of the information by appealing to different learning styles and preferences. Varying the modes of communication can include using different formats and channels, such as posters, emails, memos, videos, webinars, podcasts, newsletters, quizzes, games or interactive modules. Varying the modes of communication can also help to avoid information overload or duplication, which may cause employees to ignore or disregard the privacy messages.Reference: IAPP CIPM Study Guide, page 90; ISO/IEC 27002:2013, section 7.2.2

Question 5

SCENARIO

Please use the following to answer the next QUESTION:

Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office's strategies for growth.

Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients' personal dat

a. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year's end.

Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.

Which of the following policy statements needs additional instructions in order to further protect the personal data of their clients?

AAll faxes sent from the office must be documented and the phone number used must be double checked to ensure a safe arrival.

BAll unused copies, prints, and faxes must be discarded in a designated recycling bin located near the work station and emptied daily.

CBefore any copiers, printers, or fax machines are replaced or resold, the hard drives of these devices must be deleted before leaving the office.

DWhen sending a print job containing personal data, the user must not leave the information visible on the computer screen following the print command and must retrieve the printed document immediately.

Answer : B

The policy statement that needs additional instructions in order to further protect the personal data of their clients is: All unused copies, prints, and faxes must be discarded in a designated recycling bin located near the work station and emptied daily. This policy statement is insufficient because it does not specify how the unused copies, prints, and faxes should be discarded. Simply throwing them into a recycling bin may expose them to unauthorized access or theft by anyone who has access to the bin or its contents. Furthermore, emptying the bin daily may not be frequent enough to prevent accumulation or overflow of sensitive documents.

To further protect the personal data of their clients, this policy statement should include additional instructions such as:

All unused copies, prints, and faxes must be shredded before being discarded in a designated recycling bin located near the work station.

The recycling bin must be locked or secured at all times when not in use.

The recycling bin must be emptied at least twice a day or whenever it is full.

These additional instructions would ensure that the unused copies, prints, and faxes are destroyed in a secure manner and that the recycling bin is not accessible to unauthorized persons or prone to overflow.

The other policy statements do not need additional instructions, as they already provide adequate measures to protect the personal data of their clients. Documenting and double-checking the phone number for faxes ensures that the faxes are sent to the correct and intended recipient. Deleting the hard drives of copiers, printers, or fax machines before replacing or reselling them prevents data leakage or recovery by third parties. Not leaving the information visible on the computer screen and retrieving the printed document immediately prevents data exposure or theft by anyone who can see the screen or access the printer.

Question 6

SCENARIO

Please use the following to answer the next QUESTION:

Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.

The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.

Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.

In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.

Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eurek

a. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.

What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?

ADocument the data flows for the collected data.

BConduct a Privacy Impact Assessment (PIA) to evaluate the risks involved.

CImplement a policy restricting data access on a 'need to know' basis.

DLimit data transfers to the US by keeping data collected in Europe within a local data center.

Answer : C

An administrative safeguard that should be implemented to protect the collected data while in use by Manasa and her product management team is a policy restricting data access on a ''need to know'' basis.This means that only authorized personnel who have a legitimate business purpose for accessing the data should be able to do so3This would help to prevent unauthorized or unnecessary access, use, or disclosure of sensitive or personal data by internal or external parties.It would also reduce the risk of data breaches, theft, or loss that could compromise the confidentiality, integrity, and availability of the data4Reference:3:HIPAA Security Series #2 - Administrative Safeguards - HHS.gov;4:Administrative Safeguards of the Security Rule: What Are They?

Question 7

What is the name for the privacy strategy model that describes delegated decision making?

ADe-centralized.

BDe-functionalized.

CHybrid.

DMatrix.

Answer : D

A matrix is a type of organizational structure that involves delegated decision making. In a matrix structure, employees report to more than one manager or leader, usually based on different functions or projects. For example, a software developer may report to both a product manager and a technical manager. A matrix structure allows for more flexibility, collaboration, and innovation in complex and dynamic environments.

The other options are not examples of delegated decision making structures. A de-centralized structure involves distributing decision making authority across different levels or units of the organization, rather than concentrating it at the top. A de-functionalized structure involves breaking down functional silos and creating cross-functional teams or processes. A hybrid structure involves combining elements of different types of structures, such as functional, divisional, or matrix.