[Dec 14, 2021] Step by Step Guide to Prepare for CIPM Exam BrainDumps [Q20-Q44]

Share

Dec 14, 2021 Step by Step Guide to Prepare for CIPM Exam BrainDumps

Certified Information Privacy Manager CIPM Real Exam Questions and Answers FREE Updated on 2021


Study Guides for CIPM Evaluation

Manuals help a candidate study for the CIPM exam by exposing them to different approaches to the assessed topics, and many sample questions to check their understanding. Here are some of the study guides that will arm you with in-depth knowledge for the actual validation:

  • IAPP CIPM Study Guides

    Candidates angling for the CIPM test can utilize the free study book found on the vendor’s site. The free book includes key knowledge areas regarding the CIPM, steps to use during exam prep, sample questions, and general information about the evaluation. Likewise, applicants can also purchase a relevant handbook from the IAPP Store, which has a number of materials covering various aspects of data privacy.

  • Complete CIPM Practice Exam: Privacy Manager 90 Questions

    This guide by Privacy Law Practice Exams is a question handbook that candidates can use to test their readiness for the real exam. If the candidate has already taken the training and feels ready to sit for the CIPM, this book will help him/her determine whether he/she is ready or not for the actual testing process. Overall, it contains 90 questions that help the candidate familiarize with the exam format, with explanations and pointers for the candidate. The practice items will also help the student get familiar with the exam setting and structure.

  • CIPM: Focused Preparation: Preparation for Certified Information Privacy Manager Certification Exam

    The manual by Timothy Smit and Gabe Smit is an ideal support resource for any candidate aiming to ace the CIPM exam. It has 90 revision questions to test how well the candidate is conversant with privacy program concepts and skills. It also has guidance tips for the candidate to get familiar with the real exam and identify the tricks in the final exam questions.

 

NEW QUESTION 20
What should a privacy professional keep in mind when selecting which metrics to collect?

  • A. Metrics should be reported to the public.
  • B. Metrics should reveal strategies for increasing company earnings.
  • C. The number of metrics should be limited at first.
  • D. A variety of metrics should be collected before determining their specific functions.

Answer: A

Explanation:
Explanation/Reference:

 

NEW QUESTION 21
SCENARIO
Please use the following to answer the next question:
Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States.
Video from the office's video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.
In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly's direction, the office became a model of efficiency and customer service. Kelly monitored his workers' activities using the same cameras that had recorded the illegal conduct of their former co-workers.
Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.
Much to Kelly's surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company's license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company's training programs on privacy protection and data collection mention nothing about surveillance video.
You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.
What should you advise this company regarding the status of security cameras at their offices in the United States?

  • A. Add security cameras at facilities that are now without them.
  • B. Set policies about the purpose and use of the security cameras.
  • C. Restrict access to surveillance video taken by the security cameras and destroy the recordings after a designated period of time.
  • D. Reduce the number of security cameras located inside the building.

Answer: B

 

NEW QUESTION 22
What United States federal law requires financial institutions to declare their personal data collection practices?

  • A. SUPCLA, or the federal Superprivacy Act of 2001.
  • B. The Financial Portability and Accountability Act of 2006.
  • C. The Kennedy-Hatch Disclosure Act of 1997.
  • D. The Gramm-Leach-Bliley Act of 1999.

Answer: D

 

NEW QUESTION 23
SCENARIO
Please use the following to answer the next question:
Penny has recently joined Ace Space, a company that sells homeware accessories online, as its new privacy officer. The company is based in California but thanks to some great publicity from a social media influencer last year, the company has received an influx of sales from the EU and has set up a regional office in Ireland to support this expansion. To become familiar with Ace Space's practices and assess what her privacy priorities will be, Penny has set up meetings with a number of colleagues to hear about the work that they have been doing and their compliance efforts.
Penny's colleague in Marketing is excited by the new sales and the company's plans, but is also concerned that Penny may curtail some of the growth opportunities he has planned. He tells her "I heard someone in the breakroom talking about some new privacy laws but I really don't think it affects us. We're just a small company. I mean we just sell accessories online, so what's the real risk?" He has also told her that he works with a number of small companies that help him get projects completed in a hurry. "We've got to meet our deadlines otherwise we lose money. I just sign the contracts and get Jim in finance to push through the payment. Reviewing the contracts takes time that we just don't have." In her meeting with a member of the IT team, Penny has learned that although Ace Space has taken a number of precautions to protect its website from malicious activity, it has not taken the same level of care of its physical files or internal infrastructure. Penny's colleague in IT has told her that a former employee lost an encrypted USB key with financial data on it when he left. The company nearly lost access to their customer database last year after they fell victim to a phishing attack. Penny is told by her IT colleague that the IT team
"didn't know what to do or who should do what. We hadn't been trained on it but we're a small team though, so it worked out OK in the end." Penny is concerned that these issues will compromise Ace Space's privacy and data protection.
Penny is aware that the company has solid plans to grow its international sales and will be working closely with the CEO to give the organization a data "shake up". Her mission is to cultivate a strong privacy culture within the company.
Penny has a meeting with Ace Space's CEO today and has been asked to give her first impressions and an overview of her next steps.
To establish the current baseline of Ace Space's privacy maturity, Penny should consider all of the following factors EXCEPT?

  • A. Ace Space's vendor engagement protocols
  • B. Ace Space's employee training program
  • C. Ace Space's content sharing practices on social media
  • D. Ace Space's documented procedures

Answer: D

 

NEW QUESTION 24
What is the main function of the Asia-Pacific Economic Cooperation Privacy Framework?

  • A. Protecting data from parties outside the region
  • B. Enabling regional data transfers
  • C. Marketing privacy protection technologies developed in the region
  • D. Establishing legal requirements for privacy protection in the region

Answer: B

Explanation:
Explanation/Reference: https://iapp.org/resources/article/apec-privacy-framework/

 

NEW QUESTION 25
Read the following steps:
* Perform frequent data back-ups.
* Perform test restorations to verify integrity of backed-up data.
* Maintain backed-up data offline or on separate servers.
These steps can help an organization recover from what?

  • A. Phishing attacks
  • B. Stolen encryption keys
  • C. Authorization errors
  • D. Ransomware attacks

Answer: D

 

NEW QUESTION 26
Which of the following controls does the PCI DSS framework NOT require?

  • A. Implement strong access control measures.
  • B. Maintain an information security policy.
  • C. Maintain a vulnerability management program.
  • D. Implement strong asset control protocols.

Answer: D

 

NEW QUESTION 27
What is the best way to understand the location, use and importance of personal data within an organization?

  • A. By analyzing the data inventory
  • B. By testing the security of data systems
  • C. By interviewing employees tasked with data entry
  • D. By evaluating methods for collecting data

Answer: D

 

NEW QUESTION 28
SCENARIO
Please use the following to answer the next question:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments.
After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Question about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Question as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called "Eureka." Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What step in the system development process did Manasa skip?

  • A. Obtain express written consent from users of the Handy Helper regarding marketing
  • B. Work with Sanjay to review any necessary privacy requirements to be built into the product
  • C. Build the artificial intelligence feature so that users would not have to input sensitive information into the Handy Helper
  • D. Certify that the Handy Helper meets the requirements of the EU-US Privacy Shield Framework

Answer: D

 

NEW QUESTION 29
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm - A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor - MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime.
Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution.
Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is a TRUE statement about the relationship among the organizations?

  • A. Cloud Inc. should enter into a data processor agreement with A&M LLP.
  • B. Cloud Inc. must notify A&M LLP of a data breach immediately.
  • C. MessageSafe is liable if Cloud Inc. fails to protect data from A&M LLP.
  • D. A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor.

Answer: B

 

NEW QUESTION 30
When implementing Privacy by Design (PbD), what would NOT be a key consideration?

  • A. Data minimization.
  • B. Limitations on liability.
  • C. Purpose specification.
  • D. Collection limitation.

Answer: B

 

NEW QUESTION 31
Which of the following best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

  • A. All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.
  • B. Employees must sign an ad hoc contractual agreement each time personal data is exported.
  • C. Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.
  • D. All employees are subject to the rules in their entirety, regardless of where the work is taking place.

Answer: B

Explanation:
Explanation/Reference: https://www.lexology.com/library/detail.aspx?g=80239951-01b8-409f-9019-953f5233852e

 

NEW QUESTION 32
SCENARIO
Please use the following to answer the next question:
As they company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically Questionable practices, including unauthorized sales of personal data to marketers.
Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that
"appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures.
He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective." You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
The company has achieved a level of privacy protection that established new best practices for the industry.
What is a logical next step to help ensure a high level of protection?

  • A. Develop a strong marketing strategy to communicate the company's privacy practices
  • B. Focus on improving the incident response plan in preparation for any breaks in protection
  • C. Brainstorm methods for developing an enhanced privacy framework
  • D. Shift attention to privacy for emerging technologies as the company begins to use them

Answer: B

 

NEW QUESTION 33
In privacy protection, what is a "covered entity"?

  • A. An organization subject to the privacy provisions of HIPAA
  • B. Hidden gaps in privacy protection that may go unnoticed without expert analysis
  • C. Personal data collected by a privacy organization
  • D. A privacy office or team fully responsible for protecting personal information

Answer: A

 

NEW QUESTION 34
What is the name for the privacy strategy model that describes delegated decision making?

  • A. De-centralized.
  • B. Hybrid.
  • C. De-functionalized.
  • D. Matrix.

Answer: A

 

NEW QUESTION 35
Formosa International operates in 20 different countries including the United States and France.
What organizational approach would make complying with a number of different regulations easier?

  • A. Data mapping.
  • B. Decentralized privacy management.
  • C. Rationalizing requirements.
  • D. Fair Information Practices.

Answer: D

 

NEW QUESTION 36
All of the following changes will likely trigger a data inventory update EXCEPT?

  • A. Acquisition of a new subsidiary
  • B. Passage of new a privacy regulation
  • C. Onboarding of a new vendor
  • D. Outsourcing the Customer Relationship Management (CRM) function

Answer: D

 

NEW QUESTION 37
How are individual program needs and specific organizational goals identified in privacy framework development?

  • A. Through conversations with the privacy team
  • B. By employing an industry-standard needs analysis
  • C. By employing metrics to align privacy protection with objectives
  • D. Through creation of the business case

Answer: C

 

NEW QUESTION 38
An organization's business continuity plan or disaster recovery plan does NOT typically include what?

  • A. Emergency Response Guidelines
  • B. Statement of organizational responsibilities
  • C. Retention schedule for storage and destruction of information
  • D. Recovery time objectives

Answer: C

 

NEW QUESTION 39
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm - A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor - MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime.
Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution.
Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is NOT an obligation of MessageSafe as the email continuity service provider for A&M LLP?

  • A. Certifications to relevant frameworks.
  • B. Security commitment.
  • C. Privacy compliance.
  • D. Data breach notification to A&M LLP.

Answer: A

 

NEW QUESTION 40
Which of the following is an example of Privacy by Design (PbD)?

  • A. The human resources group develops a training program for employees to become certified in privacy policy.
  • B. The information technology group uses privacy considerations to inform the development of new networking software.
  • C. A labor union insists that the details of employers' data protection methods be documented in a new contract.
  • D. A company hires a professional to structure a privacy program that anticipates the increasing demands of new laws.

Answer: C

 

NEW QUESTION 41
SCENARIO
Please use the following to answer the next question:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision-makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program?
How can you build on your success?
What are the next action steps?
Which of the following would be most effectively used as a guide to a systems approach to implementing data protection?

  • A. Data Lifecycle Management Standards.
  • B. International Organization for Standardization 27000 Series.
  • C. International Organization for Standardization 9000 Series.
  • D. United Nations Privacy Agency Standards.

Answer: B

Explanation:
Explanation/Reference: https://www.itgovernance.co.uk/blog/what-is-the-iso-27000-series-of-standards

 

NEW QUESTION 42
SCENARIO
Please use the following to answer the next question:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments.
After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Question about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Question as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called "Eureka." Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What can Sanjay do to minimize the risks of offering the product in Europe?

  • A. Sanjay should write a privacy policy to include with the Handy Helper user guide.
  • B. Sanjay should document the data life cycle of the data collected by the Handy Helper.
  • C. Sanjay should work with Manasa to review and remediate the Handy Helper as a gating item before it is released.
  • D. Sanjay should advise the distributor that Omnipresent Omnimedia has certified to the Privacy Shield Framework and there should be no issues.

Answer: B

 

NEW QUESTION 43
In addition to regulatory requirements and business practices, what important factors must a global privacy strategy consider?

  • A. Cultural norms
  • B. Geographic features
  • C. Political history
  • D. Monetary exchange

Answer: B

 

NEW QUESTION 44
......

Ultimate Guide to Prepare CIPM Certification Exam for Certified Information Privacy Manager: https://www.exams-boost.com/CIPM-valid-materials.html

CIPM Ultimate Study Guide: https://drive.google.com/open?id=1xItBo5mXnYDzPW2VNO3xu-Kw_YBDYrCp