Verified CIPM Dumps Q&As - CIPM Test Engine with Correct Answers [Q19-Q42]

Verified CIPM Dumps Q&As - CIPM Test Engine with Correct Answers

Pass Your CIPM Dumps as PDF Updated on 2023 With 182 Questions

NEW QUESTION # 19
What is the key factor that lays the foundation for all other elements of a privacy program?

• A. The structure of a privacy team
• B. A responsible internal stakeholder
• C. The applicable privacy regulations
• D. A privacy mission statement

Answer: C

NEW QUESTION # 20
If your organization has a recurring issue with colleagues not reporting personal data breaches, all of the following are advisable to do EXCEPT?

• A. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.
• B. Provide role-specific training to areas where breaches are happening so they are more aware.
• C. Communicate to everyone that breaches must be reported and how they should be reported.
• D. Carry out a root cause analysis on each breach to understand why the incident happened.

Answer: A

Explanation:
Explanation
Distributing a phishing exercise to all employees is not advisable to do if your organization has a recurring issue with colleagues not reporting personal data breaches. A phishing exercise is a simulated attack that tests the awareness and response of employees to malicious emails that attempt to obtain sensitive information or compromise systems. While phishing exercises can be useful to train employees on how to recognize and avoid phishing attacks, they are not directly related to the issue of reporting personal data breaches. The other options are more appropriate to address the root cause of the issue, communicate the expectations and procedures for reporting breaches, and provide specific training to areas where breaches are happening1, 2. References: CIPM - International Association of Privacy Professionals, Free CIPM Study Guide - International Association of Privacy Professionals

NEW QUESTION # 21
SCENARIO
Please use the following to answer the next question:
Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo.
A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a privacy Consultant, to assess the company and report to both father and son. "Carlton won't listen to me," Paul says, "but he may pay attention to an expert." Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks, espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a loose assemblage of controls, lacking consistency and with plenty of weaknesses. "This is a technology company," Carlton says. "We create. We innovate. I don't want unnecessary measures that will only slow people down and clutter their thoughts." The meeting lasts until early evening. Upon leaving, you walk through the office. It looks as if a strong windstorm has recently blown through, with papers scattered across desks and tables and even the floor. A
"cleaning crew" of one teenager is emptying the trash bins. A few computers have been left on for the night; others are missing. Carlton takes note of your attention to this: "Most of my people take their laptops home with them, or use their own tablets or phones. I want them to use whatever helps them to think and be ready day or night for that great insight. It may only come once!" What phase in the Privacy Maturity Model (PMM) does Gadgo's privacy program best exhibit?

• A. Ad hoc
• B. Managed
• C. Defined
• D. Repeatable

Answer: A

NEW QUESTION # 22
SCENARIO
Please use the following to answer the next question:
For 15 years, Albert has worked at Treasure Box - a mail order company in the United States (U.S.) that used to sell decorative candles around the world, but has recently decided to limit its shipments to customers in the
48 contiguous states. Despite his years of experience, Albert is often overlooked for managerial positions. His frustration about not being promoted, coupled with his recent interest in issues of privacy protection, have motivated Albert to be an agent of positive change.
He will soon interview for a newly advertised position, and during the interview, Albert plans on making executives aware of lapses in the company's privacy program. He feels certain he will be rewarded with a promotion for preventing negative consequences resulting from the company's outdated policies and procedures.
For example, Albert has learned about the AICPA (American Institute of Certified Public Accountans)/CICA (Canadian Institute of Chartered Accountants) Privacy Maturity Model (PMM). Albert thinks the model is a useful way to measure Treasure Box's ability to protect personal data. Albert has noticed that Treasure Box fails to meet the requirements of the highest level of maturity of this model; at his interview, Albert will pledge to assist the company with meeting this level in order to provide customers with the most rigorous security available.
Albert does want to show a positive outlook during his interview. He intends to praise the company's commitment to the security of customer and employee personal data against external threats. However, Albert worries about the high turnover rate within the company, particularly in the area of direct phone marketing. He sees many unfamiliar faces every day who are hired to do the marketing, and he often hears complaints in the lunch room regarding long hours and low pay, as well as what seems to be flagrant disregard for company procedures.
In addition, Treasure Box has had two recent security incidents. The company has responded to the incidents with internal audits and updates to security safeguards. However, profits still seem to be affected and anecdotal evidence indicates that many people still harbor mistrust. Albert wants to help the company recover.
He knows there is at least one incident the public in unaware of, although Albert does not know the details. He believes the company's insistence on keeping the incident a secret could be a further detriment to its reputation. One further way that Albert wants to help Treasure Box regain its stature is by creating a toll-free number for customers, as well as a more efficient procedure for responding to customer concerns by postal mail.
In addition to his suggestions for improvement, Albert believes that his knowledge of the company's recent business maneuvers will also impress the interviewers. For example, Albert is aware of the company's intention to acquire a medical supply company in the coming weeks.
With his forward thinking, Albert hopes to convince the managers who will be interviewing him that he is right for the job.
Based on Albert's observations regarding recent security incidents, which of the following should he suggest as a priority for Treasure Box?

• A. Evaluating the company's ability to handle personal health information if the plan to acquire the medical supply company goes forward
• B. Using a third-party auditor to address privacy protection issues not recognized by the prior internal audits.
• C. Working with the Human Resources department to make screening procedures for potential employees more rigorous.
• D. Appointing an internal ombudsman to address employee complaints regarding hours and pay.

Answer: A

NEW QUESTION # 23
SCENARIO
Please use the following to answer the next question:
As the director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient
"buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating: What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success? What are the next action steps?
What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?

• A. Privacy by Design
• B. Information Security Planning
• C. Innovation Privacy Standards
• D. Privacy Step Assessment

Answer: B

NEW QUESTION # 24
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm - A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor - MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime.
Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution.
Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is NOT an obligation of MessageSafe as the email continuity service provider for A&M LLP?

• A. Security commitment.
• B. Certifications to relevant frameworks.
• C. Privacy compliance.
• D. Data breach notification to A&M LLP.

Answer: B

Explanation:
Explanation
An obligation that is not applicable to MessageSafe as the email continuity service provider for A&M LLP is obtaining certifications to relevant frameworks. Certifications are voluntary mechanisms that enable data controllers or processors to demonstrate their compliance with the GDPR or other standards by obtaining a certification issued by an accredited certification body7 Certifications can provide benefits such as enhancing transparency, accountability, trust, and competitive advantage for data controllers or processors. However, they are not mandatory under the GDPR or other laws and do not reduce or eliminate the legal obligations or liabilities of data controllers or processors8 Therefore, MessageSafe is not obliged to obtain certifications to relevant frameworks as the email continuity service provider for A&M LLP. However, it may choose to do so if it wishes to showcase its compliance efforts or gain a competitive edge in the market. References: 7: Article
42 GDPR | General Data Protection Regulation (GDPR); 8: Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation 2016/679 | European Data Protection Board

NEW QUESTION # 25
SCENARIO
Please use the following to answer the next QUESTION:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office's strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year's end.
Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed.
Richard believes that a transition from the use of fax machine to Internet faxing provides all of the following security benefits EXCEPT?

• A. Greater accessibility to the faxes at an off-site location.
• B. The ability to encrypt the transmitted faxes through a secure server.
• C. Reduction of the risk of data being seen or copied by unauthorized personnel.
• D. The ability to store faxes electronically, either on the user's PC or a password-protected network server.

Answer: A

Explanation:
Explanation
A transition from the use of fax machine to Internet faxing does not provide the security benefit of greater accessibility to the faxes at an off-site location. This is because Internet faxing requires a secure internet connection and a compatible device to access the faxes online. If the user is at an off-site location that does not have these requirements, they may not be able to access their faxes. Furthermore, greater accessibility may not necessarily be a security benefit, as it may also increase the risk of unauthorized access or interception by third parties. Therefore, this option is not a security benefit of Internet faxing.
The other options are security benefits of Internet faxing. The ability to encrypt the transmitted faxes through a secure server ensures that the faxes are protected from eavesdropping or tampering during transmission. The reduction of the risk of data being seen or copied by unauthorized personnel eliminates the need for physical security measures such as locks or shredders for fax machines and paper documents. The ability to store faxes electronically, either on the user's PC or a password-protected network server, allows for better control and management of the faxes and reduces the storage space and costs associated with paper documents. References: 1: Is Online Fax Secure in 2023? All You Need to Know!; 2: Is faxing secure: How to fax from a computer safely - PandaDoc

NEW QUESTION # 26
What is the main purpose in notifying data subjects of a data breach?

• A. To allow individuals to take any actions required to protect themselves from possible consequences
• B. To ensure organizations have accountability for the sufficiency of their security measures
• C. To avoid financial penalties and legal liability
• D. To enable regulators to understand trends and developments that may shape the law

Answer: A

Explanation:
Explanation
The main purpose in notifying data subjects of a data breach is to allow individuals to take any actions required to protect themselves from possible consequences, such as identity theft, fraud, or discrimination.
This is consistent with the principle of transparency and the right to information under the GDPR. The other options are not the main purpose of notification, although they may be secondary effects or benefits of the process. References:
* Data protection impact assessments | ICO
* [Art. 34 GDPR - Communication of a personal data breach to the data subject - GDPR.eu]

NEW QUESTION # 27
A systems audit uncovered a shared drive folder containing sensitive employee data with no access controls and therefore was available for all employees to view. What is the first step to mitigate further risks?

• A. Notify legal counsel of a privacy incident.
• B. Check access logs to see who accessed the folder.
• C. Notify all employees whose information was contained in the file.
• D. Restrict access to the folder.

Answer: D

Explanation:
Explanation
The first step to mitigate further risks when a systems audit uncovers a shared drive folder containing sensitive employee data with no access controls is to restrict access to the folder. This can be done by implementing appropriate access controls, such as user authentication, role-based access, and permissions, to ensure that only authorized individuals can view and access the sensitive data.

NEW QUESTION # 28
Under the General Data Protection Regulation (GDPR), which of the following situations would LEAST likely require a controller to notify a data subject?

• A. A hacker publishes usernames, phone numbers and purchase history online after a cyber-attack
• B. An encrypted USB key with sensitive personal data is stolen
• C. Personal data of a group of individuals is erroneously sent to the wrong mailing list
• D. A direct marketing email is sent with recipients visible in the 'cc' field

Answer: B

Explanation:
Explanation
Under the GDPR, a controller must notify a data subject of a personal data breach without undue delay when the breach is likely to result in a high risk to the rights and freedoms of the data subject, unless one of the following conditions applies: the personal data are rendered unintelligible to any person who is not authorized to access it, such as by encryption; the controller has taken subsequent measures to ensure that the high risk is no longer likely to materialize; or the notification would involve disproportionate effort, in which case a public communication or similar measure may suffice. In this case, an encrypted USB key with sensitive personal data is stolen, but the personal data are presumably unintelligible to the thief, so the controller does not need to notify the data subject. However, the controller still needs to notify the supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.
References:
* CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section B:
Protecting Personal Information, Subsection 2: Data Breach Incident Planning and Management
* CIPM Study Guide (2021), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach
* Incident Planning and Management
* CIPM Textbook (2019), Chapter 8: Protecting Personal Information, Section 8.2: Data Breach Incident Planning and Management
* CIPM Practice Exam (2021), Question 134
* GDPR Article 33 and 3412

NEW QUESTION # 29
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it:
a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!" Since it is too late to restructure the contract with the vendor or prevent the app from being deployed, what is the best step for you to take next?

• A. Insist on an audit of the vendor's privacy procedures and safeguards.
• B. Develop security protocols for the vendor and mandate that they be deployed.
• C. Ask the vendor for verifiable information about their privacy protections so weaknesses can be identified.
• D. Implement a more comprehensive suite of information security controls than the one used by the vendor.

Answer: C

Explanation:
Explanation/Reference:

NEW QUESTION # 30
Which of the documents below assists the Privacy Manager in identifying and responding to a request from an individual about what personal information the organization holds about then with whom the information is shared?

• A. Personal information inventory
• B. Privacy policy
• C. Records retention schedule
• D. Risk register

Answer: A

Explanation:
Explanation
A personal information inventory is a document that assists the Privacy Manager in identifying and responding to a request from an individual about what personal information the organization holds about them and with whom the information is shared. A personal information inventory is a comprehensive and detailed record of all personal information that an organization collects, uses, discloses, stores, and disposes of. It helps an organization map its data flows, assess its privacy risks, comply with its legal obligations, and respond to data subject requests. A personal information inventory should include information such as: the categories and sources of personal information; the purposes and legal bases for processing; the recipients and transfers of personal information; the retention periods and disposal methods; and the security measures and safeguards.
References:
* CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section B:
Protecting Personal Information, Subsection 3: Data Inventory
* CIPM Study Guide (2021), Chapter 8: Protecting Personal Information, Section 8.3: Data Inventory
* CIPM Textbook (2019), Chapter 8: Protecting Personal Information, Section 8.3: Data Inventory
* CIPM Practice Exam (2021), Question 138

NEW QUESTION # 31
What is the main reason to begin with 3-5 key metrics during the program development process?

• A. To minimize selective data use.
• B. To keep the process limited to as few people as possible.
• C. To avoid undue financial costs.
• D. To keep the focus on the main organizational objectives.

Answer: D

Explanation:
Explanation
This answer is the main reason to begin with 3-5 key metrics during the program development process, as it can help to align the privacy program with the organization's vision, mission and goals, and to measure the progress and performance of the program against these objectives. Key metrics are indicators that reflect the most important or critical aspects of the privacy program, such as compliance, risk, maturity, effectiveness or value. By starting with a small number of key metrics, the program development process can avoid being overwhelmed or distracted by too many or irrelevant data points, and can prioritize and concentrate on the areas that matter most for the organization.

NEW QUESTION # 32
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing.
You worry too much, but that's why you're so good at your job!"
Which is the best first step in understanding the data security practices of a potential vendor?

• A. Conducting a penetration test of the vendor's data security structure.
• B. Conducting a physical audit of the vendor's facilities.
• C. Requiring the vendor to complete a questionaire assessing International Organization for Standardization (ISO) 27001 compliance.
• D. Examining investigation records of any breaches the vendor has experienced.

Answer: D

NEW QUESTION # 33
SCENARIO
Please use the following to answer the next QUESTION:
Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients.
Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested IgNight's installations in their homes across the globe.
One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.
Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with this manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.
Going forward, what is the best way for IgNight to prepare its IT team to manage these kind of security events?

• A. Share communications relating to scheduled maintenance.
• B. Tabletop exercises.
• C. IT security awareness training.
• D. Update its data inventory.

Answer: B

Explanation:
Explanation
The best way for IgNight to prepare its IT team to manage these kind of security events is to conduct tabletop exercises. Tabletop exercises are simulated scenarios that test the organization's ability to respond to security incidents in a realistic and interactive way. Tabletop exercises typically involve:
* A facilitator who guides the participants through the scenario and injects additional challenges or variables
* A scenario that describes a plausible security incident based on real-world threats or past incidents
* A set of objectives that define the expected outcomes and goals of the exercise
* A set of questions that prompt the participants to discuss their roles, responsibilities, actions, decisions, and communications during the incident response process
* A feedback mechanism that collects the participants' opinions and suggestions on how to improve the incident response plan and capabilities Tabletop exercises help an organization prepare for and deal with security incidents by:
* Enhancing the awareness and skills of the IT team and other stakeholders involved in incident response
* Identifying and addressing the gaps, weaknesses, and challenges in the incident response plan and process
* Improving the coordination and collaboration among the IT team and other stakeholders during incident response
* Evaluating and validating the effectiveness and efficiency of the incident response plan and process
* Generating and implementing lessons learned and best practices for incident response The other options are not as effective or useful as tabletop exercises for preparing the IT team to manage security events. Updating the data inventory is a good practice for maintaining an accurate and comprehensive record of the personal data that the organization collects, processes, stores, shares, or disposes of. However, it does not test or improve the organization's incident response capabilities or readiness. IT security awareness training is a good practice for educating the IT team and other employees on the basic principles and practices of cybersecurity. However, it does not simulate or replicate the real-world situations and challenges that the IT team may face during security incidents. Sharing communications relating to scheduled maintenance is a good practice for informing the IT team and other stakeholders of the planned activities and potential impacts on the IT systems and infrastructure. However, it does not prepare the IT team for dealing with unplanned or unexpected security events that may require immediate and coordinated response. References: CISA Tabletop Exercise Packages; Cybersecurity Tabletop Exercise Examples, Best Practices, and Considerations; Six Tabletop Exercises to Help Prepare Your Cybersecurity Team

NEW QUESTION # 34
When implementing Privacy by Design (PbD), what would NOT be a key consideration?

• A. Collection limitation.
• B. Limitations on liability.
• C. Purpose specification.
• D. Data minimization.

Answer: B

NEW QUESTION # 35
When supporting the business and data privacy program expanding into a new jurisdiction, it is important to do all of the following EXCEPT?

• A. Identify the stakeholders.
• B. Appoint a new Privacy Officer (PO) for that jurisdiction.
• C. Perform an assessment of the laws applicable in that new jurisdiction.
• D. Consider culture and whether the privacy framework will need to account for changes in culture.

Answer: B

Explanation:
Explanation
When expanding into a new jurisdiction, it is not necessary to appoint a new Privacy Officer (PO) for that jurisdiction, unless the local law requires it. The other options are important steps to ensure compliance with the new jurisdiction's privacy laws and regulations, as well as to align the privacy program with the business objectives and culture of the new market. References: CIPM Body of Knowledge, Domain I: Privacy Program Governance, Task 1: Establish the privacy program vision and strategy.

NEW QUESTION # 36
SCENARIO
Please use the following to answer the next question:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments.
After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Question about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Question as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called "Eureka." Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What security controls are missing from the Eureka program?

• A. Collection of data without a defined purpose might violate the fairness principle
• B. Data access is not limited to those who "need to know" for their role
• C. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data
• D. Storage of medical data in the cloud is not permissible under the General Data Protection Regulation (GDPR)

Answer: B

NEW QUESTION # 37
Integrating privacy requirements into functional areas across the organization happens at which stage of the privacy operational life cycle?

• A. Assessing data.
• B. Responding to requests and incidents.
• C. Sustaining program performance.
• D. Protecting personal data.

Answer: D

Explanation:
Explanation
Integrating privacy requirements into functional areas across the organization happens at the "protect" stage of the privacy operational life cycle. This stage involves implementing privacy policies, procedures, and controls to ensure that personal data is processed in a lawful, fair, and transparent manner. The other stages of the privacy operational life cycle are "assess", "align", "respond", and "sustain". References: CIPM Body of Knowledge, Domain III: Privacy Program Operational Life Cycle, Section B: Protect.

NEW QUESTION # 38
When devising effective employee policies to address a particular issue, which of the following should be included in the first draft?

• A. Explanation of how the policy is applied within the organization.
• B. Roles and responsibilities of the different groups of individuals.
• C. Rationale for the policy.
• D. Points of contact for the employee.

Answer: C

Explanation:
Explanation
When devising effective employee policies to address a particular issue, it is important to include the rationale for the policy in the first draft, as it explains why the policy is needed and what benefits it brings to the organization and its employees. The rationale can also help to gain support and buy-in from the management and staff, as well as to align the policy with the organizational values and goals. The other options are also important elements of an employee policy, but they can be added or refined in later drafts. References: CIPM Body of Knowledge, Domain IV: Privacy Program Communication Activities, Task 2: Develop internal communication plans.

NEW QUESTION # 39
In a sample metric template, what does "target" mean?

• A. The frequency at which the data is sampled
• B. The suggested volume of data to collect
• C. The percentage of completion
• D. The threshold for a satisfactory rating

Answer: D

Explanation:
Explanation
In a sample metric template, the target is the threshold for a satisfactory rating. It is the desired or expected value for the metric that indicates a successful performance or outcome. For example, if the metric is the percentage of employees who completed privacy training, the target could be 90% or higher. References: IAPP CIPM Study Guide, page 22.

NEW QUESTION # 40
Which of the following best demonstrates the effectiveness of a firm's privacy incident response process?

• A. The decrease of mean time to resolve privacy incidents
• B. The decrease of notifiable breaches
• C. The increase of privacy incidents reported by users
• D. The decrease of security breaches

Answer: A

Explanation:
Explanation
The decrease of mean time to resolve privacy incidents best demonstrates the effectiveness of a firm's privacy incident response process. This metric measures how quickly and efficiently the firm can identify, contain, analyze, remediate, and report privacy incidents. A lower mean time to resolve indicates a higher level of preparedness, responsiveness, and resilience in handling privacy incidents. References: IAPP CIPM Study Guide, page 25.

NEW QUESTION # 41
SCENARIO
Please use the following to answer the next QUESTION:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!" Which is the best first step in understanding the data security practices of a potential vendor?

• A. Conducting a penetration test of the vendor's data security structure.
• B. Requiring the vendor to complete a questionnaire assessing International Organization for Standardization (ISO) 27001 compliance.
• C. Conducting a physical audit of the vendor's facilities.
• D. Examining investigation records of any breaches the vendor has experienced.

Answer: B

Explanation:
Explanation
This answer is the best first step in understanding the data security practices of a potential vendor, as it can provide a quick and easy way to evaluate the vendor's alignment with a widely recognized and respected standard for information security management systems (ISMS). Requiring the vendor to complete a questionnaire assessing ISO 27001 compliance can help you to obtain relevant and consistent information about the vendor's data security policies, objectives, risks, controls, processes and performance. The questionnaire can also help you to compare different vendors based on their level of compliance and identify any areas that need further clarification or verification. References: IAPP CIPM Study Guide, page 82; ISO/IEC 27002:2013, section 15.1.2

NEW QUESTION # 42
......

Pass IAPP CIPM Exam Info and Free Practice Test: https://www.trainingquiz.com/CIPM-practice-quiz.html

IAPP CIPM Real Exam Questions and Answers FREE: https://drive.google.com/open?id=1ebzXOqcWZUefBGq0kfJbwwzM4Dw1yCIh