
CIPM Online Practice Questions and Answers

Questions 4

In a sample metric template, what does "target" mean?

A. The suggested volume of data to collect

B. The percentage of completion

C. The threshold for a satisfactory rating

D. The frequency at which the data is sampled

Questions 5

Read the following steps:

Perform frequent data back-ups.

Perform test restorations to verify integrity of backed-up data.

Maintain backed-up data offline or on separate servers.

These steps can help an organization recover from what?

A. Phishing attacks

B. Authorization errors

C. Ransomware attacks

D. Stolen encryption keys

Questions 6

What is the main function of the Asia-Pacific Economic Cooperation Privacy Framework?

A. Enabling regional data transfers.

B. Protecting data from parties outside the region.

C. Establishing legal requirements for privacy protection in the region.

D. Marketing privacy protection technologies developed in the region.

Questions 7

Data retention and destruction policies should meet all of the following requirements EXCEPT?

A. Data destruction triggers and methods should be documented.

B. Personal information should be retained only for as long as necessary to perform its stated purpose.

C. Documentation related to audit controls (third-party or internal) should be saved in a non-permanent format by default.

D. The organization should be documenting and reviewing policies of its other functions to ensure alignment (e.g. HR, business development, finance, etc.).

Questions 8

Which is TRUE about the scope and authority of data protection oversight authorities?

A. The Office of the Privacy Commissioner (OPC) of Canada has the right to impose financial sanctions on violators.

B. All authority in the European Union rests with the Data Protection Commission (DPC).

C. No one agency officially oversees the enforcement of privacy regulations in the United States.

D. The Asia-Pacific Economic Cooperation (APEC) Privacy Frameworks require all member nations to designate a national data protection authority.

Questions 9

SCENARIO

Please use the following to answer the next question:

Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to question the company's privacy program at today's meeting.

Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced. Spencer, a former CEO and currently a senior advisor, said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause. One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.

Spencer replied that acting with reason means allowing security to be handled by the security functions within the company, not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.

Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."

Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules.

Silently, Natalia agreed.

How could the objection to Spencer's training suggestion be addressed?

A. By requiring training only on an as-needed basis.

B. By offering alternative delivery methods for trainings.

C. By introducing a system of periodic refresher trainings.

D. By customizing training based on length of employee tenure.

Questions 10

What is the function of the privacy operational life cycle?

A. It establishes initial plans for privacy protection and implementation

B. It allows the organization to respond to ever-changing privacy demands

C. It ensures that outdated privacy policies are retired on a set schedule

D. It allows privacy policies to mature to a fixed form

Questions 11

SCENARIO

Please use the following to answer the next question:

Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to question the company's privacy program at today's meeting.

Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.

Spencer, a former CEO and currently a senior advisor, said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.

One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.

Spencer replied that acting with reason means allowing security to be handled by the security functions within the company, not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.

Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."

Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.

What is the most realistic step the organization can take to help diminish liability in the event of another incident?

A. Requiring the vendor to perform periodic internal audits.

B. Specifying mandatory data protection practices in vendor contracts.

C. Keeping the majority of processing activities within the organization.

D. Obtaining customer consent for any third-party processing of personal data.

Questions 12

As a Data Protection Officer, one of your roles entails monitoring changes in laws and regulations and updating policies accordingly.

How would you most effectively execute this responsibility?

A. Consult an external lawyer.

B. Regularly engage regulators.

C. Attend workshops and interact with other professionals.

D. Subscribe to email list-serves that report on regulatory changes.

Questions 13

SCENARIO

Please use the following to answer the next question:

As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development. You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.

Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.

Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.

You are left contemplating:

What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?

What are the next action steps?

What analytic can be used to track the financial viability of the program as it develops?

A. Cost basis.

B. Gap analysis.

C. Return on investment.

D. Breach impact modeling.

Questions 14

SCENARIO

Please use the following to answer the next question:

It's just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It's enough to give you data-protection nightmares, and you've pointed out to the information technology director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.

Today you have in your office a representative of the organization's marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.

You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.

In order to determine the best course of action, how should this incident most productively be viewed?

A. As the accidental loss of personal property containing data that must be restored.

B. As a potential compromise of personal information through unauthorized access.

C. As an incident that requires the abrupt initiation of a notification campaign.

D. As the premeditated theft of company data, until shown otherwise.

Questions 15

Which of the following controls are generally NOT part of a Privacy Impact Assessment (PIA) review?

A. Access.

B. Incident.

C. Retention.

D. Collection.

Questions 16

Which aspect of a privacy program can best aid an organization's response time to a Data Subject Access Request (DSAR)?

A. Conducting privacy training.

B. Maintaining a written DSAR policy.

C. Creating a comprehensive data inventory.

D. Implementing Privacy Impact Assessments (PIAs).

Questions 17

Under the General Data Protection Regulation (GDPR), what obligation does a data controller or processor have after appointing a Data Protection Officer (DPO)?

A. To submit for approval to the DPO a code of conduct to govern organizational practices and demonstrate compliance with data protection principles.

B. To provide resources necessary to carry out the defined tasks of the DPO and to maintain their expert knowledge.

C. To ensure that the DPO acts as the sole point of contact for individuals’ questions about their personal data.

D. To ensure that the DPO receives sufficient instructions regarding the exercise of their defined tasks.

Questions 18

Training and awareness metrics in a privacy program are necessary to?

A. Identify data breaches.

B. Implement privacy policies.

C. Demonstrate compliance with regulations.

D. Educate customers on the organization's data practices.

Exam Code: CIPM
Exam Name: Certified Information Privacy Manager
Last Update: Apr 14, 2024
Questions: 230 Q&As