CIPM Exam Dumps - Certified Information Privacy Manager (CIPM)

Go to page:

<< First
Prev
1
2
3
4
5
6
7
8
9
Next
Last >>

Question # 65

SCENARIO

Please use the following to answer the next QUESTION:

John is the new privacy officer at the prestigious international law firm â€“ A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.

During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor â€“ MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.

John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.

At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.

Which of the following is a TRUE statement about the relationship among the organizations?

Cloud Inc. must notify A&M LLP of a data breach immediately.

MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.

Cloud Inc. should enter into a data processor agreement with A&M LLP.

A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor.

Full Access

Question # 66

SCENARIO

Please use the following to answer the next QUESTION:

Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Societyâ€™s store had been hacked. The thefts could have been employee-related.

Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points

out, it took only a phone call from you to clarify expectations and the â€œmisunderstandingâ€ has not occurred again.

As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Societyâ€™s operating budget is slim, and all sources of revenue are essential.

Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. â€œThe good news,â€ he says, â€œis that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it wonâ€™t be exorbitant, especially considering the advantages of a cloud.â€

Lately, you have been hearing about cloud computing and you know itâ€™s fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jasonâ€™s Finnish provider is signing on.

What is the best way for your vendor to be clear about the Societyâ€™s breach notification expectations?

Include notification provisions in the vendor contract

Arrange regular telephone check-ins reviewing expectations

Send a memorandum of understanding on breach notification

Email the regulations that require breach notifications

Full Access

Question # 67

What is one reason the European Union has enacted more comprehensive privacy laws than the United States?

To ensure adequate enforcement of existing laws.

To ensure there is adequate funding for enforcement.

To allow separate industries to set privacy standards.

To allow the free movement of data between member countries.

Full Access

Question # 68

SCENARIO

Please use the following to answer the next QUESTION:

As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.

You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.

Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.

Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.

You are left contemplating:

What must be done to maintain the program and develop it beyond just a data breach prevention program? How can you build on your success?

What are the next action steps?

What analytic can be used to track the financial viability of the program as it develops?

Cost basis.

Gap analysis.

Return to investment.

Breach impact modeling.

Full Access

Question # 69

SCENARIO

Please use the following to answer the next QUESTION:

Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office's video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.

In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly's direction, the office became a model of efficiency and customer service. Kelly monitored his workers' activities using the same cameras that had recorded the illegal conduct of their former co-workers.

Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.

Much to Kelly's surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company's license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company's training programs on privacy protection and data collection mention nothing about surveillance video.

You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.

What does this example best illustrate about training requirements for privacy protection?

Training needs must be weighed against financial costs.

Training on local laws must be implemented for all personnel.

Training must be repeated frequently to respond to new legislation.

Training must include assessments to verify that the material is mastered.

Full Access

Question # 70

When developing a privacy program and selecting a program sponsor or "champion" the least important consideration should be that they?

Are a part of the organization's top management

Have the authority to approve policy and provide funding.

Will be an effective advocate and understand the importance of privacy.

Have accountability for the organization's privacy and/or information security, risk, compliance or legal decisions.

Full Access

Question # 71

A systems audit uncovered a shared drive folder containing sensitive employee data with no access controls and therefore was available for all employees to view. What is the first step to mitigate further risks?

Notify all employees whose information was contained in the file.

Check access logs to see who accessed the folder.

Notify legal counsel of a privacy incident.

Restrict access to the folder.

Full Access

Question # 72

SCENARIO

Please use the following to answer the next QUESTION:

Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Spaceâ€™s practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.

Pennyâ€™s colleague in Marketing is excited by the new sales and the companyâ€™s plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her â€œI heard someone in the breakroom talking about some new privacy laws but I really donâ€™t think it affects us. Weâ€™re just a small company. I mean we just sell accessories online, so whatâ€™s the real risk?â€ He has also told her that he works with a number of small companies that help him get projects completed in a hurry. â€œWeâ€™ve got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just donâ€™t have.â€

In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Pennyâ€™s colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team â€œdidnâ€™t know what to do or who should do what. We hadnâ€™t been trained on it but weâ€™re a small team though, so it worked out OK in the end.â€ Penny is concerned that these issues will compromise Ace Spaceâ€™s privacy and data protection.

Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data â€œshake upâ€. Her mission is to cultivate a strong privacy culture within the company.

Penny has a meeting with Ace Spaceâ€™s CEO today and has been asked to give her first impressions and an overview of her next steps.

What information will be LEAST crucial from a privacy perspective in Pennyâ€™s review of vendor contracts?

Audit rights

Liability for a data breach

Pricing for data security protections

The data a vendor will have access to

Full Access

Answer:

Explanation:

The information that will be least crucial from a privacy perspective in Pennyâ€™s review of vendor contracts is the pricing for data security protections Â©. This is because the pricing for data security protections is a business decision that does not directly affect the privacy rights and obligations of Ace Space and its customers. The pricing for data security protections may be relevant for budgeting and negotiating purposes, but it does not determine the level or adequacy of data security measures that the vendor must provide to protect personal data.

The other options are more crucial from a privacy perspective in Pennyâ€™s review of vendor contracts. Audit rights (A) are important to ensure that Ace Space can monitor and verify the vendorâ€™s compliance with the contract terms and the applicable privacy laws and regulations. Audit rights allow Ace Space to access the vendorâ€™s records, systems, policies and procedures related to personal data processing and to conduct inspections or assessments as needed. Liability for a data breach (B) is important to allocate the responsibility and consequences of a data breach involving personal data that the vendor processes on behalf of Ace Space. Liability for a data breach may include indemnification, compensation, notification, remediation and termination clauses that protect Ace Spaceâ€™s interests and obligations in the event of a data breach. The data a vendor will have access to (D) is important to define the scope, purpose, duration and conditions of the personal data processing that the vendor will perform for Ace Space. The data a vendor will have access to may include the categories, types, sources, recipients and retention periods of personal data that the vendor will collect, store, use or share on behalf of Ace Space.

[References:, CIPM Body of Knowledge Domain II: Privacy Program Operational Life Cycle - Task 3: Implement privacy program components - Subtask 3: Establish third-party processor management program, CIPM Study Guide - Chapter 4: Privacy Program Operational Life Cycle - Section 4.3: Third-Party Processor Management, ]

Go to page: