Share IAPP CIPM exam practice questions and answers from geekcert latest updated CIPM dumps free of charge.
Get the latest uploaded CIPM dumps pdf from google driver online. To get the full IAPP CIPM dumps PDF or dumps
VCE visit: https://www.geekcert.com/cipm.html (Q&As: 90). all IAPP CIPM exam questions have been updated, the answer has been corrected!
Make sure your exam questions are real and effective to help you pass your first exam!
[IAPP CIPM Dumps pdf] Latest IAPP CIPM Dumps PDF collected by geekcert Google Drive:
https://drive.google.com/file/d/1cCdYiO8QtJcDQHH8cpqHTJ1TyNXJt5nX/
[IAPP CIPM Youtube] IAPP CIPM exam questions and answers are shared free of charge from Youtube watching uploads from geekcert
Latest Update IAPP CIPM Exam Practice Questions and Answers Online Test
QUESTION 1
SCENARIO
Please use the following to answer the next question:
Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found
some degree of disorganization after touring the company headquarters. His uncle Henry has always focused on
production ? not data processing ? and Anton is concerned. In several storage rooms, he has found paper files, disks,
and old computers that appear to contain the personal data of current and former employees and customers. Anton
knows
that a single break-in could irrevocably damage the company\\’s relationship with its loyal customers. He intends to set a
goal of guaranteed zero loss of personal information.
To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company.
However, Kenneth? his uncle\\’s vice president and longtime confidante? wants to hold off on Anton\\’s idea in favor of
converting any paper records held at the company to electronic storage. Kenneth believes this process would only take
one or two years. Anton likes this idea; he envisions a password-protected system that only he and Kenneth can
access.
Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will
simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down
the street
will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton\\’s
possession can be destroyed within the next few years.
After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth
insists that the two lost hard drives in question are not cause for concern; all of the data was encrypted and not sensitive in
nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and
customers to be safe.
Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy
protection. Kenneth oversaw the development of the company\\’s online presence about ten years ago, but Anton is not
confident
about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law
background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be
safe for
another five years, at which time he can order another check. Documentation of this analysis will show auditors’ due
diligence.
Anton has started down a long road toward improved management of the company, but he knows the effort is worth it.
Anton wants his uncle\\’s legacy to continue for many years to come.
In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding?
A. The timeline for monitoring
B. The method of recordkeeping
C. The use of internal employees
D. The type of required qualifications
Correct Answer: B
QUESTION 2
What does it mean to “rationalize” data protection requirements?
A. Evaluate the costs and risks of applicable laws and regulations and address those that have the greatest penalties
B. Look for overlaps in-laws and regulations from which a common solution can be developed
C. Determine where laws and regulations are redundant in order to eliminate some from requiring compliance
D. Address the less stringent laws and regulations and inform stakeholders why they are applicable
Correct Answer: C
QUESTION 3
SCENARIO
Please use the following to answer the next question:
As the company\\’s new chief executive officer, Thomas Goddard wants to be known as a leader in data protection.
Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of
users
around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically questionable
practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft
that
made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite
the company\\’s claims that “appropriate” data protection safeguards were in place. The scandal affected the
company\\’s
business as competitors was quick to market an increased level of protection while offering similar entertainment and
media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard\\’s
mentor,
was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Mediaite, which is
just emerging from its start-up phase. He sold the company\\’s board and investors on his vision of Mediaite building its
brand partly on the basis of industry-leading data protection standards and procedures. He may have been a key part of
a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in
privacy
protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to
bring his vision for privacy to life. But you also detect some reservations. “We want Mediaite to have absolutely the
highest standards,” he says. “In fact, I want us to be able to say that we are the clear industry leader in privacy and data
protection. However, I also need to be a responsible steward of the company\\’s finances. So, while I want the best
solutions across the board, they also need to be cost-effective.”
You are told to report back in a week\\’s time with your recommendations. Charged with this ambiguous mission, you
depart the executive suite, already considering your next steps.
You give a presentation to your CEO about privacy program maturity. What does it mean to have a “managed” privacy program, according to the AICPA/CICA Privacy Maturity Model?
A. Procedures or processes exist, however they are not fully documented and do not cover all relevant aspects.
B. Procedures and processes are fully documented and implemented and cover all relevant aspects.
C. Reviews are conducted to assess the effectiveness of the controls in place.
D. Regular review and feedback are used to ensure continuous improvement toward optimization of the given process.
Correct Answer: C
Reference: https://vvena.nl/wp-content/uploads/2018/04/aicpa_cica_privacy_maturity_model.pdf (page 2, 4th point
under privacy maturity model)
QUESTION 4
Under the General Data Protection Regulation (GDPR), which of the following situations would LEAST likely require a controller to notify a data subject?
A. An encrypted USB key with sensitive personal data is stolen
B. A direct marketing email is sent with recipients visible in the `cc\\’ field
C. Personal data of a group of individuals are erroneously sent to the wrong mailing list
D. A hacker publishes usernames, phone numbers, and purchase history online after a cyber-attack
Correct Answer: B
QUESTION 5
SCENARIO
Please use the following to answer the next question:
You lead the privacy officer for a company that handles information from individuals living in several countries throughout
Europe and the Americas. You begin that morning\\’s privacy review when a contracts officer sends you a message
asking for a phone call. The message lacks clarity and detail, but you presume that data was lost.
When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the
vendor improperly shared information about your customers. He called the vendor and confirmed that your company
recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the
vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a
result, the vendor has lost control of the data.
The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they
set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is
limited to their logo, but the other side is blank and they will accept whatever you want to write. You put their offer on
hold and begin to develop the text around the space constraints. You are content to let the vendor\\’s logo be associated
with
the notification.
The notification explains that your company recently hired a vendor to store information about their most recent
experience at St. Sebastian Hospital\\’s Clinic for Infectious Diseases. The vendor did not encrypt the information and
no longer
has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They
simply need to go to your company\\’s website and watch a quick advertisement, then provide their name, email
address,
and month and year of birth.
You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want
to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth.
The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in
other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to
veer off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote
and use the vendor\\’s postcards.
Shortly after the vendor mails the postcards, you learn the data was on a server that was stolen and make the decision
to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a
convincing name: Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000
people, but develops a proposal in about a day which says CRUDLOK will:
1.
Send an enrollment invitation to everyone the day after the contract is signed.
2.
Enroll someone with just their first name and the last-4 of their national identifier.
3.
Monitor each enrollee\\’s credit for two years from the date of enrollment.
4.
Send a monthly email with their credit rating and offers for credit-related services at market rates.
5.
Charge your company 20% of the cost of any credit restoration.
You execute the contract and the enrollment invitations are emailed to the 2000 individuals. Three days later you sit
down and document all that went well and all that could have gone better. You put it in a file to reference the next time
an incident occurs.
Regarding the notification, which of the following would be the greatest concern?
A. Informing the affected individuals that data from other individuals may have also been affected.
B. Collecting more personally identifiable information than necessary to provide updates to the affected individuals.
C. Using a postcard with the logo of the vendor who make the mistake instead of your company\\’s logo.
D. Trusting a vendor to send out a notice when they already failed once by not encrypting the database.
Correct Answer: D
QUESTION 6
SCENARIO
Please use the following to answer the next question:
As the director of data protection for Consolidated Records Corporation, you are justifiably pleased with your
accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of
relatively minor
data breaches that could easily have been worse. However, you have not had a reportable incident for the three years
that you have been with the company. In fact, you consider your program a model that others in the data storage
industry
may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence
across departments and throughout operations. You were aided along the way by the program\\’s sponsor, the vice
president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company\\’s “old guard” among both the
executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that
showed
the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the
current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other
employees were more resistant, but face-to-face meetings with each department and the development of a baseline
privacy training program achieved sufficient “buy-in” to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and
must be part of the end product of any process of technological development. While your approach is not systematic, it
is
fairly effective.
You are left contemplating: What must be done to maintain the program and develop it beyond just a data breach
prevention program? How can you build on your success? What are the next action steps?
What process could most effectively be used to add privacy protections to a new, comprehensive program being
developed at Consolidated?
A. Privacy by Design
B. Privacy Step Assessment
C. Information Security Planning
D. Innovation Privacy Standards
Correct Answer: C
QUESTION 7
What is the main purpose in notifying data subjects of a data breach?
A. To avoid financial penalties and legal liability
B. To enable regulators to understand trends and developments that may shape the law
C. To ensure organizations have accountability for the sufficiency of their security measures
D. To allow individuals to take any actions required to protect themselves from possible consequences
Correct Answer: C
QUESTION 8
SCENARIO
Please use the following to answer the next question:
You lead the privacy officer for a company that handles information from individuals living in several countries throughout
Europe and the Americas. You begin that morning\\’s privacy review when a contracts officer sends you a message
asking for a phone call. The message lacks clarity and detail, but you presume that data was lost.
When you contact the contracts officer, he tells you that he received a letter in the mail from a vendor stating that the
vendor improperly shared information about your customers. He called the vendor and confirmed that your company
recently surveyed exactly 2000 individuals about their most recent healthcare experience and sent those surveys to the
vendor to transcribe it into a database, but the vendor forgot to encrypt the database as promised in the contract. As a
result, the vendor has lost control of the data.
The vendor is extremely apologetic and offers to take responsibility for sending out the notifications. They tell you they
set aside 2000 stamped postcards because that should reduce the time it takes to get the notice in the mail. One side is
limited to their logo, but the other side is blank and they will accept whatever you want to write. You put their offer on
hold and begin to develop the text around the space constraints. You are content to let the vendor\\’s logo be associated
with
the notification.
The notification explains that your company recently hired a vendor to store information about their most recent
experience at St. Sebastian Hospital\\’s Clinic for Infectious Diseases. The vendor did not encrypt the information and
no longer
has control of it. All 2000 affected individuals are invited to sign-up for email notifications about their information. They
simply need to go to your company\\’s website and watch a quick advertisement, then provide their name, email
address,
and month and year of birth.
You email the incident-response council for their buy-in before 9 a.m. If anything goes wrong in this situation, you want
to diffuse the blame across your colleagues. Over the next eight hours, everyone emails their comments back and forth.
The consultant who leads the incident-response team notes that it is his first day with the company, but he has been in
other industries for 45 years and will do his best. One of the three lawyers on the council causes the conversation to
veer
off course, but it eventually gets back on track. At the end of the day, they vote to proceed with the notification you wrote
and use the vendor\\’s postcards.
Shortly after the vendor mails the postcards, you learn the data was on a server that was stolen and make the decision
to have your company offer credit monitoring services. A quick internet search finds a credit monitoring company with a
convincing name: Credit Under Lock and Key (CRUDLOK). Your sales rep has never handled a contract for 2000
people, but develops a proposal in about a day which says CRUDLOK will:
1.
Send an enrollment invitation to everyone the day after the contract is signed.
2.
Enroll someone with just their first name and the last-4 of their national identifier.
3.
Monitor each enrollee\\’s credit for two years from the date of enrollment.
4.
Send a monthly email with their credit rating and offers for credit-related services at market rates.
5.
Charge your company 20% of the cost of any credit restoration.
You execute the contract and the enrollment invitations are emailed to the 2000 individuals. Three days later you sit
down and document all that went well and all that could have gone better. You put it in a file to reference the next time
an incident occurs.
Regarding the credit monitoring, which of the following would be the greatest concern?
A. The vendor\\’s representative does not have enough experience
B. Signing a contract with CRUDLOK which lasts longer than one year
C. The company did not collect enough identifiers to monitor one\\’s credit
D. You are going to notify affected individuals via a letter followed by an email
Correct Answer: A
QUESTION 9
SCENARIO
Please use the following to answer the next question:
Martin Briseno is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In
1998, Briseno decided to change the hotel\\’s on-the-job mentoring model to a standardized training program for
employees
who was progressing from line positions into supervisory positions? He developed a curriculum comprising a series of
lessons, scenarios, and assessments, which were delivered in-person to small groups. Interest in the training increased,
leading Briseno to work with corporate HR specialists and software engineers to offer the program in an online format.
The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.
Upon hearing about the success of Briseno\\’s program, Pacific Suites corporate Vice President Maryanne Silva-Hayes
expanded the training and offered it company-wide. Employees who completed the program received certification as a
Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at
hotels across the country could sign up and pay to take the course online. As the program became increasingly
profitable,
Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was
developing and marketing a variety of online courses and course progressions providing a number of professional
certifications in
the hospitality industry.
By setting up a user account with PHT, course participants could access an information library, sign up for courses, and
take end-of-course certification tests. When a user opened a new account, all information was saved by default,
including
the user\\’s name, date of birth, contact information, credit card information, employer, and job title. The registration
page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name
and password were established, users could return to check their course status, review and reprint their certifications, and
sign up and pay for new courses. Between 2002 and 2008, PHT issued more than 700,000 professional certifications.
PHT\\’s profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e-learning
providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved. The training
program\\’s systems and records remained in Pacific Suites\\’ digital archives, un-accessed and unused. Briseno and
Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the program
ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They
planned to deal with the PHT materials once resources allowed.
In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed
the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site,
hackers
also discovered the archived training course data and registration accounts of Pacific Hospitality Training\\’s customers.
The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the
PHT
database with all its contents.
A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific
Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm.
Technical security engineers faced a challenge in dealing with the PHT data.
PHT course administrators and the IT engineers did not have a system for tracking, cataloging, and storing
information. Pacific Suites has procedures in place for data access and storage, but those procedures were not
implemented when
PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or oversight. By the time
technical security engineers determined what private information was compromised, at least 8,000 credit card holders
were
potential victims of fraudulent activity.
How would a strong data life cycle management policy have helped prevent the breach?
A. Information would have been ranked according to the importance and stored in separate locations
B. The most sensitive information would have been immediately erased and destroyed
C. The most important information would have been regularly assessed and tested for security
D. Information would have been categorized and assigned a deadline for destruction
Correct Answer: D
QUESTION 10
SCENARIO
Please use the following to answer the next question:
Martin Briseno is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In
1998, Briseno decided to change the hotel\\’s on-the-job mentoring model to a standardized training program for
employees
who was progressing from line positions into supervisory positions? He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased,
leading Briseno to work with corporate HR specialists and software engineers to offer the program in an online format.
The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.
Upon hearing about the success of Briseno\\’s program, Pacific Suites corporate Vice President Maryanne Silva-Hayes
expanded the training and offered it company-wide. Employees who completed the program received certification as a
Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at
hotels across the country could sign up and pay to take the course online. As the program became increasingly
profitable,
Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was
developing and marketing a variety of online courses and course progressions providing a number of professional
certifications in
the hospitality industry.
By setting up a user account with PHT, course participants could access an information library, sign up for courses, and
take end-of-course certification tests. When a user opened a new account, all information was saved by default,
including
the user\\’s name, date of birth, contact information, credit card information, employer, and job title. The registration
page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name
and password were established, users could return to check their course status, review and reprint their certifications, and
sign up and pay for new courses. Between 2002 and 2008, PHT issued more than 700,000 professional certifications.
PHT\\’s profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e-learning
providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved. The training
program\\’s systems and records remained in Pacific Suites\\’ digital archives, un-accessed and unused. Briseno and
Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the
program
ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They
planned to deal with the PHT materials once resources allowed.
In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed
the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site,
hackers
also discovered the archived training course data and registration accounts of Pacific Hospitality Training\\’s customers.
The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the
PHT
database with all its contents.
A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific
Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm.
Technical security engineers faced a challenge in dealing with the PHT data.
PHT course administrators and the IT engineers did not have a system for tracking, cataloging, and storing
information. Pacific Suites has procedures in place for data access and storage, but those procedures were not
implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or oversight. By the time
technical security engineers determined what private information was compromised, at least 8,000 credit card holders
were
potential victims of fraudulent activity.
How was Pacific Suites responsible for protecting the sensitive information of its offshoot, PHT?
A. As the parent company, it should have transferred personnel to oversee the secure handling of PHT\\’s data.
B. As the parent company, it should have performed an assessment of PHT\\’s infrastructure and confirmed complete
separation of the two networks.
C. As the parent company, it should have ensured its existing data access and storage procedures were integrated into
PHT\\’s system.
D. As the parent company, it should have replaced PHT\\’s electronic files with hard-copy documents stored securely on
site.
Correct Answer: C
QUESTION 11
Which term describes a piece of personal data that alone may not identify an individual?
A. Unbundled data
B. A singularity
C. Non-aggregated info point
D. A single attribute
Correct Answer: A
QUESTION 12
SCENARIO
Please use the following to answer the next question:
Martin Briseno is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In
1998, Briseno decided to change the hotel\\’s on-the-job mentoring model to a standardized training program for
employees
who was progressing from line positions into supervisory positions? He developed a curriculum comprising a series of
lessons, scenarios, and assessments, which were delivered in-person to small groups. Interest in the training increased,
leading Briseno to work with corporate HR specialists and software engineers to offer the program in an online format.
The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.
Upon hearing about the success of Briseno\\’s program, Pacific Suites corporate Vice President Maryanne Silva-Hayes
expanded the training and offered it company-wide. Employees who completed the program received certification as a
Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at
hotels across the country could sign up and pay to take the course online. As the program became increasingly
profitable,
Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was
developing and marketing a variety of online courses and course progressions providing a number of professional
certifications in
the hospitality industry.
By setting up a user account with PHT, course participants could access an information library, sign up for courses, and
take end-of-course certification tests. When a user opened a new account, all information was saved by default,
including
the user\\’s name, date of birth, contact information, credit card information, employer, and job title. The registration
page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name
and password were established, users could return to check their course status, review and reprint their certifications,
and sign up and pay for new courses. Between 2002 and 2008, PHT issued more than 700,000 professional
certifications.
PHT\\’s profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e-learning
providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved. The training
program\\’s systems and records remained in Pacific Suites\\’ digital archives, un-accessed and unused. Briseno and
Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the
program ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day
operations. They planned to deal with the PHT materials once resources allowed.
In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed
the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site, hackers
also discovered the archived training course data and registration accounts of Pacific Hospitality Training\\’s customers.
The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the
PHT database with all its contents.
A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific
Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm.
Technical security engineers faced a challenge in dealing with the PHT data.
PHT course administrators and the IT engineers did not have a system for tracking, cataloging, and storing
information. Pacific Suites has procedures in place for data access and storage, but those procedures were not
implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or
oversight. By the time technical security engineers determined what private information was compromised, at least
8,000 credit card holders were potential victims of fraudulent activity.
What key mistake set the company up to be vulnerable to a security breach?
A. Collecting too much information and keeping it for too long
B. Overlooking the need to organize and categorize data
C. Failing to outsource training and data management to professionals
D. Neglecting to make a backup copy of archived electronic files
Correct Answer: B
QUESTION 13
SCENARIO
Please use the following to answer the next question:
Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all
aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options,
but
you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some
issues. Twice, people who purchased items from the store have had their credit card information used fraudulently
subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society\\’s store had been hacked. The thefts could have been employee-related.
Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected
from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a
phone call from you to clarify expectations and the “misunderstanding” has not occurred again.
As an information-technology program manager with the Society, the role of the privacy professional is only one of many
you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy
protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store
have been significant. The Society\\’s operating budget is slim, and all sources of revenue are essential.
Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would
now be stored on a data cloud. “The good news,” he says, “is that we have found a low-cost provider in Finland, where
the data would also be held. So, while there may be a small charge to pass through to you, it won\\’t be exorbitant,
especially considering the advantages of a cloud.”
Lately, you have been hearing about cloud computing and you know it\\’s fast becoming the new paradigm for various
applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to
research and discover that a number of the leading cloud service providers have signed a letter of intent to work
together on shared conventions and technologies for privacy protection. You make a note to find out if Jason\\’s Finnish
provider
is signing on.
After conducting research, you discover a primary data protection issue with cloud computing. Which of the following
should be your biggest concern?
A. An open programming model that results in easy access
B. An unwillingness of cloud providers to provide security information
C. A lack of vendors in the cloud computing market
D. A reduced resilience of data structures that may lead to data loss.
Correct Answer: B
For the full IAPP CIPM exam dumps from geekcert CIPM Dumps pdf or Dumps VCE visit: https://www.geekcert.com/cipm.html (Q&As: 90 dumps)
ps.
Get free IAPP CIPM dumps PDF online: https://drive.google.com/file/d/1cCdYiO8QtJcDQHH8cpqHTJ1TyNXJt5nX/