CIPM Online Practice Questions and Answers

SCENARIO Please use the following to answer the next QUESTION: Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as

names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.

Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced. Spencer ?a former CEO and currently a senior advisor ?said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any

security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.

One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason.

"Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information

compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to

successfully manage the company's incident response.

Spencer replied that acting with reason means allowing security to be handled by the security functions within the company ?not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to

prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of

information means that it is often ignored altogether.

Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."

Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules.

Silently, Natalia agreed.

The senior advisor, Spencer, has a misconception regarding?

A. The amount of responsibility that a data controller retains.

B. The appropriate role of an organization's security department.

C. The degree to which training can lessen the number of security incidents.

D. The role of Human Resources employees in an organization's privacy program.

SCENARIO

Please use the following to answer the next QUESTION:

Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production ?not data processing ?and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.

To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth ?his uncle's vice president and longtime confidante ?wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password- protected system that only he and Kenneth can access.

Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years.

After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in Question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.

Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.

Documentation of this analysis will show auditors due diligence.

Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come.

Which of Anton's plans for improving the data management of the company is most unachievable?

A. His initiative to achieve regulatory compliance.

B. His intention to transition to electronic storage.

C. His objective for zero loss of personal information.

D. His intention to send notice letters to customers and employees.

Which of the following is NOT a type of privacy program metric?

A. Business enablement metrics.

B. Data enhancement metrics.

C. Value creation metrics.

D. Commercial metrics.

SCENARIO

Please use the following to answer the next QUESTION:

Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.

This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them."

Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!"

You want to point out that normal protocols have NOT been followed in this matter. Which process in particular has been neglected?

A. Forensic inquiry.

B. Data mapping.

C. Privacy breach prevention.

D. Vendor due diligence vetting.

SCENARIO

Please use the following to answer the next QUESTION:

Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.

This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them."

Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!"

Which is the best first step in understanding the data security practices of a potential vendor?

A. Requiring the vendor to complete a questionnaire assessing International Organization for Standardization (ISO) 27001 compliance.

B. Conducting a physical audit of the vendor's facilities.

C. Conducting a penetration test of the vendor's data security structure.

D. Examining investigation records of any breaches the vendor has experienced.

What is a key feature of the privacy metric template adapted from the National Institute of Standards and Technology (NIST)?

A. It provides suggestions about how to collect and measure data.

B. It can be tailored to an organization's particular needs.

C. It is updated annually to reflect changes in government policy.

D. It is focused on organizations that do business internationally.

Which of the documents below assists the Privacy Manager in identifying and responding to a request from an individual about what personal information the organization holds about then with whom the information is shared?

A. Risk register

B. Privacy policy

C. Records retention schedule

D. Personal information inventory

For an organization that has just experienced a data breach, what might be the least relevant metric for a company's privacy and governance team?

A. The number of security patches applied to company devices.

B. The number of privacy rights requests that have been exercised.

C. The number of Privacy Impact Assessments that have been completed.

D. The number of employees who have completed data awareness training.

SCENARIO

Please use the following to answer the next question:

Felicity is the Chief Executive Officer (CEO) of an international clothing company that does business in several countries, including the United States (U.S.), the United Kingdom (UK), and Canada. For the first five years under Felicity's

leadership, the company was highly successful due its higher profile on the Internet via target advertising and the use of social media. However, business has dropped in recent months, and Felicity is looking to cut costs across all

departments.

She has prepared to meet with the Chief Information Officer (CIO), Jin, who is also head of the company's privacy program.

After reviewing many of Jin's decisions, Felicity firmly believes that, although well-intentioned, Jin overspends company resources. Felicity has taken several notes on ways she believes the company can spend less money trying to uphold its

privacy mission. First, Felicity intends to discuss the size of the company's information security budget with Jin. Felicity proposes to streamline information security by putting it solely within the purview of the company's Information Technology

(IT) experts, since personal data within the company is stored electronically.

She is also perplexed by the Privacy Impact Assessments (PIAs) Jin facilitated at some of the company's locations. Jin carefully documented the approximate amount of man-hours the PIAs took to complete, and Felicity is astounded at the

amount. She cannot understand why so much time has been spent on sporadic PIAs.

Felicity has also recently received complaints from employees, including mid-level managers, about the great burden of paperwork necessary for documenting employee compliance with the company's privacy policy. She hopes Jin can

propose cheaper, more efficient ways of monitoring compliance. In Felicity's view, further evidence of Jin's overzealousness is his insistence on monitoring third-party processors for their observance of the company's privacy policy. New staff

members seem especially overwhelmed. Despite the consistent monitoring, two years ago the company had to pay remediation costs after a security breach of a processor's data system. Felicity wonders whether processors can be held

contractually liable for the costs of any future breaches.

Last in Felicity's notes is a reminder to discuss Jin's previous praise for the company's independent ethics function within the Human Resources (HR) department. Felicity believes that much company time could be saved if the Ethics Officer

position were done away with, and that any ethical concerns were simply brought directly to the executive leadership of the company.

Although Felicity questions many of Jin's decisions, she hopes that their meeting will be productive and that Jin, who is widely respected throughout the company, will help the company save money. Felicity believes that austerity is the only

way forward.

Based on the scenario, Felicity is in danger of NOT exercising enough caution regarding?

A. The company's acceptance of advanced technology.

B. The company's ongoing relationship with outside vendors.

C. The allocation of duties to a Chief Information Officer (CIO).

D. The staff charged with assisting with Privacy Impact Assessments (PIAs).

Which of the following conditions will definitely trigger a Data Protection Impact Assessment (DPIA)?

A. When a company acquires a new business entity.

B. When Human Resources engages a new employee benefit provider.

C. When a new system is deployed to track an individual's location or behavior.

D. When a new application is developed to track data subject access requests.