Pearson CIPM New Attempt

Certified Information Privacy Manager (CIPM) Questions and Answers

Question 45

SCENARIO

Please use the following to answer the next QUESTION:

It's just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It's enough to give you data- protection nightmares, and you've pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.

Today you have in your office a representative of the organization's marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.

You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.

What should you do first to ascertain additional information about the loss of data?

Options:

Interview the person reporting the incident following a standard protocol.

Call the police to investigate even if you are unsure a crime occurred.

Investigate the background of the person reporting the incident.

Check company records of the latest backups to see what data may be recoverable.

Question 46

Which of the following best describes proper compliance for an international organization using Binding Corporate Rules (BCRs) as a controller or processor?

Options:

Employees must sign an ad hoc contractual agreement each time personal data is exported.

All employees are subject to the rules in their entirety, regardless of where the work is taking place.

All employees must follow the privacy regulations of the jurisdictions where the current scope of their work is established.

Employees who control personal data must complete a rigorous certification procedure, as they are exempt from legal enforcement.

Question 47

You would like your organization to be independently audited to demonstrate compliance with international privacy standards and to identify gaps for remediation.

Which type of audit would help you achieve this objective?

Options:

First-party audit.

Second-party audit.

Third-party audit.

Fourth-party audit.

Answer:

Explanation:

A third-party audit would help an organization achieve the objective of demonstrating compliance with international privacy standards and identifying gaps for remediation. A third-party audit is an audit conducted by an independent and external auditor who is not affiliated with either the audited organization or its customers. A third-party audit can provide an objective and impartial assessment of the organization’s privacy practices and policies, as well as verify its compliance with relevant standards and regulations. A third-party audit can also help the organization identify areas for improvement and recommend corrective actions. A third-party audit can enhance the organization’s reputation, trustworthiness, and credibility among its stakeholders and customers.

A first-party audit is an audit conducted by the organization itself or by someone within the organization who has been designated as an auditor. A first-party audit is also known as an internal audit. A first-party audit can help the organization monitor its own performance, evaluate its compliance with internal policies and procedures, and identify potential risks and opportunities for improvement. However, a first-party audit may not be sufficient to demonstrate compliance with external standards and regulations, as it may lack independence and objectivity.

A second-party audit is an audit conducted by a party that has an interest in or a relationship with the audited organization, such as a customer, a supplier, or a partner. A second-party audit is also known as an external audit. A second-party audit can help the party verify that the audited organization meets its contractual obligations, expectations, and requirements. A second-party audit can also help the party evaluate the quality and reliability of the audited organization’s products or services. However, a second-party audit may not be able to provide a comprehensive and unbiased assessment of the audited organization’s privacy practices and policies, as it may be influenced by the party’s own interests and objectives. References: Types of Audits: 14 Types of Audits and Level of Assurance (2022)

Question 48

SCENARIO

Please use the following to answer the next QUESTION:

Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.

This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them."

Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her

about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!"

What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?

Options:

Include appropriate language about privacy protection in vendor contracts.

Perform a privacy audit on any vendor under consideration.

Require that a person trained in privacy protection be part of all vendor selection teams.

Do business only with vendors who are members of privacy trade associations.

Labour Day Special - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: top65certs

Certified Information Privacy Manager (CIPM) Questions and Answers

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation: