Exam Details

  • Exam Code: CIPM
  • Exam Name: Certified Information Privacy Manager (CIPM)
  • Certification: IAPP Certifications
  • Vendor: IAPP
  • Total Questions: 272 Q&As
  • Last Updated: May 05, 2025

IAPP IAPP Certifications CIPM Questions & Answers

  • Question 191:

    SCENARIO

    Please use the following to answer the next QUESTION:

    Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Space's practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.

    Penny's colleague in Marketing is excited by the new sales and the company's plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her "I heard someone in the breakroom talking about some new privacy laws but I really don't think it affects us. We're just a small company. I mean we just sell accessories online, so what's the real risk?" He has also told her that he works with a number of small companies that help him get projects completed in a hurry. "We've got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just don't have."

    In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Penny's colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team "didn't know what to do or who should do what. We hadn't been trained on it but we're a small team though, so it worked out OK in the end." Penny is concerned that these issues will compromise Ace Space's privacy and data protection.

    Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data "shake up". Her mission is to cultivate a strong privacy culture within the company.

    Penny has a meeting with Ace Space's CEO today and has been asked to give her first impressions and an overview of her next steps.

    To help Penny and her CEO with their objectives, what would be the most helpful approach to address her IT concerns?

    A. Roll out an encryption policy

    B. Undertake a tabletop exercise

    C. Ensure inventory of IT assets is maintained

    D. Host a town hall discussion for all IT employees

  • Question 192:

    You would like your organization to be independently audited to demonstrate compliance with international privacy standards and to identify gaps for remediation. Which type of audit would help you achieve this objective?

    A. First-party audit.

    B. Second-party audit.

    C. Third-party audit.

    D. Fourth-party audit.

  • Question 193:

    SCENARIO

    Please use the following to answer the next QUESTION:

    Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen's line of products will only continue to grow.

    With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company's growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company's own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.

    Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.

    Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen's CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in the course of normal business activities.

    Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.

    Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.

    What is the most likely reason the Chief Information Officer (CIO) believes that generating a list of needed IT equipment is NOT adequate?

    A. The company needs to have policies and procedures in place to guide the purchasing decisions.

    B. The privacy notice for customers and the Business Continuity Plan (BCP) still need to be reviewed.

    C. Staff members across departments need time to review technical information concerning any new databases.

    D. Senior staff members need to first commit to adopting a minimum number of Privacy Enhancing Technologies (PETs).

  • Question 194:

    SCENARIO

    Please use the following to answer the next QUESTION:

    Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen's line of products will only continue to grow.

    With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company's growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company's own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.

    Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.

    Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen's CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in the course of normal business activities.

    Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.

    Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.

    If Amira and Sadie's ideas about adherence to the company's privacy policy go unchecked, the Federal Communications Commission (FCC) could potentially take action against NatGen for what?

    A. Deceptive practices.

    B. Failing to institute the hotline.

    C. Failure to notify of processing.

    D. Negligence in consistent training.

  • Question 195:

    SCENARIO

    Please use the following to answer the next QUESTION:

    Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States. Video from the office's video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.

    In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly's direction, the office became a model of efficiency and customer service. Kelly monitored his workers' activities using the same cameras that had recorded the illegal conduct of their former co-workers.

    Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.

    Much to Kelly's surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company's license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company's training programs on privacy protection and data collection mention nothing about surveillance video.

    You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.

    What should you advise this company regarding the status of security cameras at their offices in the United States?

    A. Add security cameras at facilities that are now without them.

    B. Set policies about the purpose and use of the security cameras.

    C. Reduce the number of security cameras located inside the building.

    D. Restrict access to surveillance video taken by the security cameras and destroy the recordings after a designated period of time.

  • Question 196:

    What is least likely to be achieved by implementing a Data Lifecycle Management (DLM) program?

    A. Reducing storage costs.

    B. Ensuring data is kept for no longer than necessary.

    C. Crafting policies which ensure minimal data is collected.

    D. Increasing awareness of the importance of confidentiality.

  • Question 197:

    SCENARIO

    Please use the following to answer the next QUESTION:

    Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production, not data processing, and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.

    To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth, his uncle's vice president and longtime confidante, wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password-protected system that only he and Kenneth can access.

    Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years.

    After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that the two lost hard drives in question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.

    Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check.

    Documentation of this analysis will show auditors due diligence.

    Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come.

    Which important principle of Data Lifecycle Management (DLM) will most likely be compromised if Anton executes his plan to limit data access to himself and Kenneth?

    A. Practicing data minimalism.

    B. Ensuring data retrievability.

    C. Implementing clear policies.

    D. Ensuring adequacy of infrastructure.

  • Question 198:

    Which of the following is NOT a type of privacy program metric?

    A. Business enablement metrics.

    B. Data enhancement metrics.

    C. Value creation metrics.

    D. Commercial metrics.

  • Question 199:

    If an organization maintains a separate ethics office, to whom would its officer typically report in order to retain the greatest degree of independence?

    A. The Board of Directors.

    B. The Chief Financial Officer.

    C. The Human Resources Director.

    D. The organization's General Counsel.

  • Question 200:

    Which of the following is TRUE about the Data Protection Impact Assessment (DPIA) process as required under the General Data Protection Regulation (GDPR)?

    A. The DPIA result must be reported to the corresponding supervisory authority.

    B. The DPIA report must be published to demonstrate the transparency of the data processing.

    C. The DPIA must include a description of the proposed processing operation and its purpose.

    D. The DPIA is required if the processing activity entails risk to the rights and freedoms of an EU individual.

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more and more important and are required by more and more enterprises when applying for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only IAPP exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your CIPM exam preparation and IAPP certification application, do not hesitate to visit Vcedump.com to find your solutions.