IAPP CIPM Exam Dumps

Certified Information Privacy Manager (CIPM)

IAPP CIPM Sample Questions

Question # 1

The General Data Protection Regulation (GDPR) specifies fines that may be levied againstdata controllers for certain infringements. Which of the following will be subject toadministrative fines of up to 10 000 000 EUR, or in the case of an undertaking, up to 2% ofthe total worldwide annual turnover of the preceding financial year?

A. Failure to demonstrate that consent was given by the data subject to the processing oftheir personal data where it is used as the basis for processing 
B. Failure to implement technical and organizational measures to ensure data protection isenshrined by design and default 
C. Failure to process personal information in a manner compatible with its original purpose 
D. Failure to provide the means for a data subject to rectify inaccuracies in personal data 

Show Answer

Question # 2

SCENARIOPlease use the following to answer the next QUESTION:It's just what you were afraid of. Without consulting you, the information technology directorat your organization launched a new initiative to encourage employees to use personaldevices for conducting business. The initiative made purchasing a new, high-specificationlaptop computer an attractive option, with discounted laptops paid for as a payrolldeduction spread over a year of paychecks. The organization is also paying the salestaxes. It's a great deal, and after a month, more than half the organization's employeeshave signed on and acquired new laptops. Walking through the facility, you see themhappily customizing and comparing notes on their new computers, and at the end of theday, most take their laptops with them, potentially carrying personal data to their homes orother unknown locations. It's enough to give you data- protection nightmares, and you'vepointed out to the information technology Director and many others in the organization thepotential hazards of this new practice, including the inevitability of eventual data loss ortheft.Today you have in your office a representative of the organization's marketing departmentwho shares with you, reluctantly, a story with potentially serious consequences. The nightbefore, straight from work, with laptop in hand, he went to the Bull and Horn Pub to playbilliards with his friends. A fine night of sport and socializing began, with the laptop "safely"tucked on a bench, beneath his jacket. Later that night, when it was time to depart, heretrieved the jacket, but the laptop was gone. It was not beneath the bench or on anotherbench nearby. The waitstaff had not seen it. His friends were not playing a joke on him.After a sleepless night, he confirmed it this morning, stopping by the pub to talk to thecleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks atyou, embarrassed and upset.You ask him if the laptop contains any personal data from clients, and, sadly, he nods hishead, yes. He believes it contains files on about 100 clients, including names, addressesand governmental identification numbers. He sighs and places his head in his hands indespair.Which is the best way to ensure that data on personal equipment is protected?

A. User risk training. 
B. Biometric security. 
C. Encryption of the data. 
D. Frequent data backups. 

Show Answer

Question # 3

Read the following steps:Perform frequent data back-ups.Perform test restorations to verify integrity of backed-up data.Maintain backed-up data offline or on separate servers.These steps can help an organization recover from what

A. Phishing attacks
B. Authorization errors 
C. Ransomware attacks
D. Stolen encryption keys

Show Answer

Question # 4

“Collection”, “access” and “destruction” are aspects of what privacy management process?

A. The data governance strategy 
B. The breach response plan 
C. The metric life cycle 
D. The business case 

Show Answer

Question # 5

SCENARIOPlease use the following to answer the next QUESTION.Manasa is a product manager at Omnipresent Omnimedia, where she is responsible forleading the development of the company’s flagship product, the Handy Helper. The HandyHelper is an application that can be used in the home to manage family calendars, doonline shopping, and schedule doctor appointments.After having had a successful launch in the United States, the Handy Helper is about to bemade available for purchase worldwide.The packaging and user guide for the Handy Helper indicate that it is a “privacy friendly”product suitable for the whole family, including children, but does not provide any furtherdetail or privacy notice. In order to use the application, a family creates a single account,and the primary user has access to all information about the other users. Upon start up, theprimary user must check a box consenting to receive marketing emails from OmnipresentOmnimedia and selected marketing partners in order to be able to use the application.Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreementwith a European distributor of Handy Helper when he fielded many Questions about theproduct from the distributor. Sanjay needed to look more closely at the product in order tobe able to answer the Questions as he was not involved in the product developmentprocess.In speaking with the product team, he learned that the Handy Helper collected and storedall of a user’s sensitive medical information for the medical appointment scheduler. In fact,all of the user’s information is stored by Handy Helper for the additional purpose of creatingadditional products and to analyze usage of the product. This data is all stored in the cloudand is encrypted both during transmission and at rest.Consistent with the CEO’s philosophy that great new product ideas can come from anyone,all Omnipresent Omnimedia employees have access to user data under a program called“Eureka.” Omnipresent Omnimedia is hoping that at some point in the future, the data willreveal insights that could be used to create a fully automated application that runs onartificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-termgoal.What security controls are missing from the Eureka program?

A. Storage of medical data in the cloud is not permissible under the General DataProtection Regulation (GDPR) 
B. Data access is not limited to those who “need to know” for their role 
C. Collection of data without a defined purpose might violate the fairness principle 
D. Encryption of the data at rest prevents European users from having the right of accessand the right of portability of their data 

Show Answer

Question # 6

SCENARIOPlease use the following to answer the next QUESTION:Richard McAdams recently graduated law school and decided to return to the small town ofLexington, Virginia to help run his aging grandfather's law practice. The elder McAdamsdesired a limited, lighter role in the practice, with the hope that his grandson wouldeventually take over when he fully retires. In addition to hiring Richard, Mr. McAdamsemploys two paralegals, an administrative assistant, and a part-time IT specialist whohandles all of their basic networking needs. He plans to hire more employees once Richardgets settled and assesses the office's strategies for growth.Immediately upon arrival, Richard was amazed at the amount of work that needed to donein order to modernize the office, mostly in regard to the handling of clients' personal data.His first goal is to digitize all the records kept in file cabinets, as many of the documentscontain personally identifiable financial and medical data. Also, Richard has noticed themassive amount of copying by the administrative assistant throughout the day, a practicethat not only adds daily to the number of files in the file cabinets, but may create securityissues unless a formal policy is firmly in place Richard is also concerned with the overuseof the communal copier/ printer located in plain view of clients who frequent the building.Yet another area of concern is the use of the same fax machine by all of the employees.Richard hopes to reduce its use dramatically in order to ensure that personal data receivesthe utmost security and protection, and eventually move toward a strict Internet faxingpolicy by the year's end.Richard expressed his concerns to his grandfather, who agreed, that updating datastorage, data security, and an overall approach to increasing the protection of personaldata in all facets is necessary Mr. McAdams granted him the freedom and authority to doso. Now Richard is not only beginning a career as an attorney, but also functioning as theprivacy officer of the small firm. Richard plans to meet with the IT employee thefollowing day, to get insight into how the office computer system is currently set-up andmanaged.Richard believes that a transition from the use of fax machine to Internet faxing provides allof the following security benefits EXCEPT?

A. Greater accessibility to the faxes at an off-site location. 
B. The ability to encrypt the transmitted faxes through a secure server. 
C. Reduction of the risk of data being seen or copied by unauthorized personnel. 
D. The ability to store faxes electronically, either on the user's PC or a password-protectednetwork server. 

Show Answer

Question # 7

Which of the following is NOT a type of privacy program metric? 

A. Business enablement metrics. 
B. Data enhancement metrics. 
C. Value creation metrics. 
D. Risk-reduction metrics. 

Show Answer

Question # 8

An organization's business continuity plan or disaster recovery plan does NOT typicallyinclude what?

A. Recovery time objectives. 
B. Emergency response guidelines. 
C. Statement of organizational responsibilities. 
D. Retention schedule for storage and destruction of information. 

Show Answer

Question # 9

Under the General Data Protection Regulation (GDPR), which situation would be LEASTlikely to require a Data Protection Impact Assessment (DPIA)?

A. A health clinic processing its patients’ genetic and health data 
B. The use of a camera system to monitor driving behavior on highways 
C. A Human Resources department using a tool to monitor its employees’ internet activity 
D. An online magazine using a mailing list to send a generic daily digest to marketingemails 

Show Answer

Question # 10

SCENARIOPlease use the following to answer the next QUESTION:Martin Briseño is the director of human resources at the Canyon City location of the U.S.hotel chain Pacific Suites. In 1998, Briseño decided to change the hotel’s on-the-jobmentoring model to a standardized training program for employees who were progressingfrom line positions into supervisory positions. He developed a curriculum comprising aseries of lessons, scenarios, and assessments, which was delivered in-person to smallgroups. Interest in the training increased, leading Briseño to work with corporate HRspecialists and software engineers to offer the program in an online format. The onlineprogram saved the cost of a trainer and allowed participants to work through the material attheir own pace.Upon hearing about the success of Briseño’s program, Pacific Suites corporate VicePresident Maryanne Silva-Hayes expanded the training and offered it company-wide.Employees who completed the program received certification as a Pacific Suites HospitalitySupervisor. By 2001, the program had grown to provide industry-wide training. Personnelat hotels across the country could sign up and pay to take the course online. As theprogram became increasingly profitable, Pacific Suites developed an offshoot business,Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing avariety of online courses and course progressions providing a number of professionalcertifications in the hospitality industry.By setting up a user account with PHT, course participants could access an informationlibrary, sign up for courses, and take end-of-course certification tests. When a user openeda new account, all information was saved by default, including the user’s name, date ofbirth, contact information, credit card information, employer, and job title. The registrationpage offered an opt-out choice that users could click to not have their credit card numberssaved. Once a user name and password were established, users could return to checktheir course status, review and reprint their certifications, and sign up and pay for newcourses. Between 2002 and 2008, PHT issued more than 700,000 professionalcertifications.PHT’s profits declined in 2009 and 2010, the victim of industry downsizing and increasedcompetition from e- learning providers. By 2011, Pacific Suites was out of the onlinecertification business and PHT was dissolved. The training program’s systems and recordsremained in Pacific Suites’ digital archives, un-accessed and unused. Briseño and SilvaHayes moved on to work for other companies, and there was no plan for handling thearchived data after the program ended. After PHT was dissolved, Pacific Suites executivesturned their attention to crucial day-to-day operations. They planned to deal with the PHTmaterials once resources allowed.In 2012, the Pacific Suites computer network was hacked. Malware installed on the onlinereservation system exposed the credit card information of hundreds of hotel guests. Whiletargeting the financial data on the reservation site, hackers also discovered the archivedtraining course data and registration accounts of Pacific Hospitality Training’s customers.The result of the hack was the exfiltration of the credit card numbers of recent hotel guestsand the exfiltration of the PHT database with all its contents.A Pacific Suites systems analyst discovered the information security breach in a routinescan of activity reports. Pacific Suites quickly notified credit card companies and recenthotel guests of the breach, attempting to prevent serious harm. Technical securityengineers faced a challenge in dealing with the PHT data.PHT course administrators and the IT engineers did not have a system for tracking,cataloguing, and storing information. Pacific Suites has procedures in place for data accessand storage, but those procedures were not implemented when PHT was formed. Whenthe PHT database was acquired by Pacific Suites, it had no owner or oversight. By the timetechnical security engineers determined what private information was compromised, atleast 8,000 credit card holders were potential victims of fraudulent activity.How was Pacific Suites responsible for protecting the sensitive information of its offshoot,PHT?

A. As the parent company, it should have transferred personnel to oversee the securehandling of PHT’s data. 
B. As the parent company, it should have performed an assessment of PHT’s infrastructureand confirmed complete separation of the two networks. 
C. As the parent company, it should have ensured its existing data access and storageprocedures were integrated into PHT’s system. 
D. As the parent company, it should have replaced PHT’s electronic files with hard-copydocuments stored securely on site. 

Show Answer

Question # 11

What is most critical when outsourcing data destruction service?

A. Obtain a certificate of data destruction. 
B. Confirm data destruction must be done on-site. 
C. Conduct an annual in-person audit of the provider’s facilities. 
D. Ensure that they keep an asset inventory of the original data. 

Show Answer

Question # 12

For an organization that has just experienced a data breach, what might be the leastrelevant metric for a company's privacy and governance team?

A. The number of security patches applied to company devices. 
B. The number of privacy rights requests that have been exercised. 
C. The number of Privacy Impact Assessments that have been completed.
D. The number of employees who have completed data awareness training.

Show Answer