Free IAPP CIPM Exam Questions

Question 1

SCENARIO

Please use the following to answer the next question:

Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia

to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the

practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring

Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who

handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and

assesses the office's strategies for growth.

Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to

modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the

records kept in file cabinets, as many of the documents contain personally identifiable financial and medical

data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the

day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues

unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/

printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the

same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that

personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing

policy by the year's end.

Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and

an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams

granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but

also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following

day, to get insight into how the office computer system is currently set-up and managed.

Richard believes that a transition from the use of fax machine to Internet faxing provides all of the following

security benefits EXCEPT?

A : eater accessibility to the faxes at an off-site location.

B : ability to encrypt the transmitted faxes through a secure server.

C : duction of the risk of data being seen or copied by unauthorized personnel.

D : ability to store faxes electronically, either on the user's PC or a password-protected network server.

Answer: A

Question 2

When implementing an organization's privacy program, what right should be granted to the data subject?

A : To have their data amended or erased if errors are found.

B : To limit or refuse the disclosure of their data for any reason.

C : To provide feedback regarding an organization's privacy policy.

D : To verify that an organization uses the highest level of privacy protection available.

Answer: A

Question 3

SCENARIO

Please use the following to answer the next question:

It's just what you were afraid of. Without consulting you, the information technology director at your organization

launched a new initiative to encourage employees to use personal devices for conducting business. The

initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted

laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the

sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on

and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes

on their new computers, and at the end of the day, most take their laptops with them, potentially carrying

personal data to their homes or other unknown locations. It's enough to give you data-protection nightmares,

and you've pointed out to the information technology Director and many others in the organization the potential

hazards of this new practice, including the inevitability of eventual data loss or theft.

Today you have in your office a representative of the organization's marketing department who shares with you,

reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in

hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing

began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to

depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench

nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he

confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was

missing. Stolen, it seems. He looks at you, embarrassed and upset.

You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He

believes it contains files on about 100 clients, including names, addresses and governmental identification

numbers. He sighs and places his head in his hands in despair.

What should you do first to ascertain additional information about the loss of data?

A : terview the person reporting the incident following a standard protocol

B : ll the police to investigate even if you are unsure a crime occurred

C : vestigate the background of the person reporting the incident

D : eck company records of the latest backups to see what data may be recoverable

Answer: A

Question 4

Which item below best represents how a Privacy Group can effectively communicate with functional areas?

A : ly solely on items from work units for constructing an impact assessment.

B : rk closely with functional areas by acting as both an advisor and advocate.

C : cus attention on Directors and Senior Managers as they are responsible for the work.

D : oose a work unit representative and funnel all communications through that one person.

Answer: B

Question 5

SCENARIO -

Please use the following to answer the next question:

You were recently hired by InStyle Data Corp. as a privacy manager to help InStyle Data Corp. became compliant with a new data protection law.

The law mandates that businesses have reasonable and appropriate security measures in place to protect personal data. Violations of that mandate are heavily fined and the legislators have stated that they will aggressively pursue companies that don't comply with the new law.

You are paired with a security manager and tasked with reviewing InStyle Data Corp.'s current state and advising the business how it can meet the “reasonable and appropriate security’ requirement. InStyle Data Corp has grown rapidly and has not kept a data inventory or completed a data mapping. InStyle Data Corp. has also developed security-related policies ad hoc and many have never been implemented. The various teams involved in the creation and testing of InStyle Data Corp.'s products experience significant turnover and do not have well defined roles. There's little documentation addressing what personal data is processed by which product and for what purpose.

Work needs to begin on this project immediately so that InStyle Data Corp. can become compliant by the time the law goes into effect. You and your partner discover that InStyle Data Corp. regularly sends files containing sensitive personal data back to its customers, through email, sometimes using InStyle Data Corp employees personal email accounts. You also learn that InStyle Data Corp.'s privacy and information security teams are not informed of new personal data flows, new products developed by InStyle Data Corp. that process personal data, or updates to existing InStyle Data Corp. products that may change what or how the personal data is processed until after the product or update has gone live.

Through a review of InStyle Data Corp’ test and development environment logs, you discover InStyle Data Corp. sometimes gives login credentials to any InStyle Data Corp. employee or contractor who requests them. The test environment only contains dummy data, but the development environment contains personal data, including Social Security Numbers, health information, and financial information. All credentialed InStyle Data Corp. employees and contractors have the ability to alter and delete personal data in both environments regardless of their role or what project they are working on.

You and your partner provide a gap assessment citing the issues you spotted, along with recommended remedial actions and a method to measure implementation. InStyle Data Corp. implements all of the recommended security controls. You review the processes, roles, controls, and measures taken to appropriately protect the personal data at every step. However, you realize there is no plan for monitoring and nothing in place addressing sanctions for violations of the updated policies and procedures. InStyle Data Corp. pushes back, stating they do not have the resources for such monitoring.

What aspect of the data management life cycle have you as Privacy Manager NOT accounted for?

A : Auditability

B : Minimalism

C : Enforcement

D : Retrievability

Answer: C