What is most critical when outsourcing data destruction service?
A. Obtain a certificate of data destruction.
B. Confirm data destruction must be done on-site.
C. Conduct an annual in-person audit of the provider's facilities.
D. Ensure that they keep an asset inventory of the original data.
SCENARIO
Please use the following to answer the next QUESTION.
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments.
After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called "Eureka." Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What security controls are missing from the Eureka program?
A. Storage of medical data in the cloud is not permissible under the General Data Protection Regulation (GDPR)
B. Data access is not limited to those who "need to know" for their role
C. Collection of data without a defined purpose might violate the fairness principle
D. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data
SCENARIO
Please use the following to answer the next QUESTION:
Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to
operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society's store had been hacked. The thefts could have been employee-related.
Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a phone call from you to clarify expectations and the "misunderstanding" has not occurred again.
As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Society's operating budget is slim, and all sources of revenue are essential.
Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. "The good news," he says, "is that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it won't be exorbitant, especially considering the advantages of a cloud."
Lately, you have been hearing about cloud computing and you know it's fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jason's Finnish provider is signing on.
What process can best answer your Questions about the vendor's data security safeguards?
A. A second-party of supplier audit
B. A reference check with other clients
C. A table top demonstration of a potential threat
D. A public records search for earlier legal violations
SCENARIO Please use the following to answer the next QUESTION: Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as
names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced. Spencer ?a former CEO and currently a senior advisor ?said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause. One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone
of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's
corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company ?not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to
prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of
information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month."
Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules.
Silently, Natalia agreed.
How could the objection to Spencer's training suggestion be addressed?
A. By requiring training only on an as-needed basis.
B. By offering alternative delivery methods for trainings.
C. By introducing a system of periodic refresher trainings.
D. By customizing training based on length of employee tenure.
In privacy protection, what is a "covered entity"?
A. Personal data collected by a privacy organization.
B. An organization subject to the privacy provisions of HIPAA.
C. A privacy office or team fully responsible for protecting personal information.
D. Hidden gaps in privacy protection that may go unnoticed without expert analysis.
Which statement is FALSE regarding the use of technical security controls?
A. Technical security controls are part of a data governance strategy.
B. Technical security controls deployed for one jurisdiction often satisfy another jurisdiction.
C. Most privacy legislation lists the types of technical security controls that must be implemented.
D. A person with security knowledge should be involved with the deployment of technical security controls.
If your organization has a recurring issue with colleagues not reporting personal data breaches, all of the following are advisable to do EXCEPT?
A. Review reporting activity on breaches to understand when incidents are being reported and when they are not to improve communication and training.
B. Improve communication to reinforce to everyone that breaches must be reported and how they should be reported.
C. Provide role-specific training to areas where breaches are happening so they are more aware.
D. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.
SCENARIO
Please use the following to answer the next QUESTION:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The
current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen's line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company's growth. One recent suggestion has been to combine the legal and security functions of the company to
ensure observance of privacy laws and the company's own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs.
She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible
equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the
company privacy policy according to what works best for their particular departments. NatGen's CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any
concerns with their customer base, as long as the data is always used in course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to
take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
What Data Lifecycle Management (DLM) principle should the company follow if they end up allowing departments to interpret the privacy policy differently?
A. Prove the authenticity of the company's records.
B. Arrange for official credentials for staff members.
C. Adequately document reasons for inconsistencies.
D. Create categories to reflect degrees of data importance.
SCENARIO
Please use the following to answer the next QUESTION:
As they company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users
around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically Questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that
made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that "appropriate" data protection safeguards were in place. The scandal affected the company's
business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor,
was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its
brand partly on the basis of industry-leading data protection standards and procedures.
He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your
primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry
leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective."
You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
You give a presentation to your CEO about privacy program maturity. What does it mean to have a "managed" privacy program, according to the AICPA/CICA Privacy Maturity Model?
A. Procedures or processes exist, however they are not fully documented and do not cover all relevant aspects.
B. Procedures and processes are fully documented and implemented, and cover all relevant aspects.
C. Reviews are conducted to assess the effectiveness of the controls in place.
D. Regular review and feedback are used to ensure continuous improvement toward optimization of the given process.
SCENARIO
Please use the following to answer the next QUESTION:
Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients. Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested IgNight's installations in their homes across the globe.
One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.
Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with this manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.
Going forward, what is the best way for IgNight to prepare its IT team to manage these kind of security events?
A. Tabletop exercises.
B. Update its data inventory.
C. IT security awareness training.
D. Share communications relating to scheduled maintenance.
Nowadays, the certification exams become more and more important and required by more and more enterprises when applying for a job. But how to prepare for the exam effectively? How to prepare for the exam in a short time with less efforts? How to get a ideal result and how to find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provide not only IAPP exam questions, answers and explanations but also complete assistance on your exam preparation and certification application. If you are confused on your CIPM exam preparations and IAPP certification application, do not hesitate to visit our Vcedump.com to find your solutions here.