
CIPM無料試験問題と解答PDF最新問題2025年12月
最新CIPM試験問題集で最近更新された245問題
国際プライバシー専門家協会(IAPP)が主催する Certified Information Privacy Manager(CIPM)試験は、組織内のプライバシープログラムの管理に関する知識とスキルを評価する専門資格試験です。CIPM資格はグローバルに認知され、個人のプライバシープログラム管理の能力を証明します。
IAPP CIPM(認定情報プライバシーマネージャー)認定試験は、プライバシープログラムを管理する個人の知識と専門知識を証明する、世界的に認められた認定です。この認定は、プライバシーオフィサー、データ保護オフィサー、コンプライアンスオフィサー、リスク管理専門家を含む、組織内でプライバシープログラムを管理する責任を持つ専門家に最適です。
質問 # 133
In regards to the collection of personal data conducted by an organization, what must the data subject be allowed to do?
- A. Evaluate the qualifications of a third-party processor before any data is transferred to that processor.
- B. Obtain a guarantee of prompt notification in instances involving unauthorized access of the data.
- C. Challenge the authenticity of the personal data and have it corrected if needed.
- D. Set a time-limit as to how long the personal data may be stored by the organization.
正解:C
解説:
In regards to the collection of personal data conducted by an organization, the data subject must be allowed to challenge the authenticity of the personal data and have it corrected if needed. This is a fundamental right of data subjects under various data protection laws and regulations, such as the EU General Data Protection Regulation (GDPR) 1, the California Consumer Privacy Act (CCPA) 2, and the Personal Data Protection Act (PDPA) of Singapore 3. This right enables data subjects to verify the accuracy and completeness of their personal data and to request rectification or erasure of any inaccurate or incomplete data. This right also helps organizations to maintain high standards of data quality and integrity.
質問 # 134
SCENARIO
Please use the following to answer the next QUESTION:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing.
You worry too much, but that's why you're so good at your job!"
What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?
- A. Require that a person trained in privacy protection be part of all vendor selection teams.
- B. Include appropriate language about privacy protection in vendor contracts.
- C. Perform a privacy audit on any vendor under consideration.
- D. Do business only with vendors who are members of privacy trade associations.
正解:B
解説:
This answer is the best way to ensure that privacy protection is a dimension of relationships with vendors, as it can establish clear and binding terms and conditions for both parties regarding their roles and responsibilities for data processing activities. Including appropriate language about privacy protection in vendor contracts can help to define the scope, purpose, duration and type of data processing, as well as the rights and obligations of both parties. The contracts can also specify the technical and organizational measures that the vendor must implement to protect the data from unauthorized or unlawful access, use, disclosure, alteration or destruction, and to notify the organization of any security incidents or breaches. The contracts can also allow the organization to monitor, audit or inspect the vendor's performance and compliance with the contract terms and applicable laws and regulations. References: IAPP CIPM Study Guide, page 82; ISO/IEC
27002:2013, section 15.1.2
質問 # 135
Data retention and destruction policies should meet all of the following requirements EXCEPT?
- A. Data destruction triggers and methods should be documented.
- B. Documentation related to audit controls (third-party or internal) should be saved in a non-permanent format by default.
- C. The organization should be documenting and reviewing policies of its other functions to ensure alignment (e.g. HR, business development, finance, etc.).
- D. Personal information should be retained only for as long as necessary to perform its stated purpose.
正解:B
解説:
Explanation
Documentation related to audit controls (third-party or internal) should be saved in a permanent format by default, not a non-permanent one. This is to ensure that the organization can demonstrate its compliance with the applicable laws and regulations, as well as its own policies and procedures, in case of an audit or a legal challenge. The other options are valid requirements for data retention and destruction policies, as they help to minimize the risks and costs associated with storing personal information beyond its intended purpose. References: CIPM Body of Knowledge, Domain III: Privacy Program Management Activities, Task
3: Manage data retention and disposal.
質問 # 136
What is the main reason to begin with 3-5 key metrics during the program development process?
- A. To keep the focus on the main organizational objectives.
- B. To keep the process limited to as few people as possible.
- C. To minimize selective data use.
- D. To avoid undue financial costs.
正解:C
質問 # 137
SCENARIO
Please use the following to answer the next question:
Martin Briseno is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In 1998, Briseno decided to change the hotel's on-the-job mentoring model to a standardized training program for employees who were progressing from line positions into supervisory positions. He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased, leading Briseno to work with corporate HR specialists and software engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.
Upon hearing about the success of Briseno's program, Pacific Suites corporate Vice President Maryanne Silva-Hayes expanded the training and offered it company-wide. Employees who completed the program received certification as a Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at hotels across the country could sign up and pay to take the course online.
As the program became increasingly profitable, Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing a variety of online courses and course progressions providing a number of professional certifications in the hospitality industry.
By setting up a user account with PHT, course participants could access an information library, sign up for courses, and take end-of-course certification tests. When a user opened a new account, all information was saved by default, including the user's name, date of birth, contact information, credit card information, employer, and job title. The registration page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name and password were established, users could return to check their course status, review and reprint their certifications, and sign up and pay for new courses. Between 2002 and
2008, PHT issued more than 700,000 professional certifications.
PHT's profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e- learning providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved.
The training program's systems and records remained in Pacific Suites' digital archives, un-accessed and unused. Briseno and Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the program ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed.
In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site, hackers also discovered the archived training course data and registration accounts of Pacific Hospitality Training's customers. The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the PHT database with all its contents.
A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm. Technical security engineers faced a challenge in dealing with the PHT data.
PHT course administrators and the IT engineers did not have a system for tracking, cataloguing, and storing information. Pacific Suites has procedures in place for data access and storage, but those procedures were not implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or oversight. By the time technical security engineers determined what private information was compromised, at least 8,000 credit card holders were potential victims of fraudulent activity.
How was Pacific Suites responsible for protecting the sensitive information of its offshoot, PHT?
- A. As the parent company, it should have performed an assessment of PHT's infrastructure and confirmed complete separation of the two networks.
- B. As the parent company, it should have transferred personnel to oversee the secure handling of PHT's data.
- C. As the parent company, it should have replaced PHT's electronic files with hard-copy documents stored securely on site.
- D. As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT's system.
正解:D
質問 # 138
Which of the following is NOT an important factor to consider when developing a data retention policy?
- A. Business requirement.
- B. Technology resource.
- C. Organizational culture.
- D. Compliance requirement
正解:C
解説:
Explanation
Organizational culture is not an important factor to consider when developing a data retention policy. A data retention policy is a document that defines how long an organization retains personal information for various purposes and how it disposes of it securely when it is no longer needed. A data retention policy should be based on factors such as: business requirements, such as operational needs, customer expectations, contractual obligations, or industry standards; compliance requirements, such as legal obligations, regulatory mandates, or audit recommendations; and technology resources, such as storage capacity, backup systems, encryption methods, or disposal tools. Organizational culture, which refers to the values, beliefs, norms, and behaviors that shape how an organization operates and interacts with its stakeholders, is not a relevant factor for determining data retention periods or disposal methods.
References:
* CIPM Body of Knowledge (2021), Domain IV: Privacy Program Operational Life Cycle, Section B:
Protecting Personal Information, Subsection 4: Data Retention
* CIPM Study Guide (2021), Chapter 8: Protecting Personal Information, Section 8.4: Data Retention
* CIPM Textbook (2019), Chapter 8: Protecting Personal Information, Section 8.4: Data Retention
* CIPM Practice Exam (2021), Question 141
質問 # 139
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer - a former CEO and currently a senior advisor - said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason.
"Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company - not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month." Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
What is the most realistic step the organization can take to help diminish liability in the event of another incident?
- A. Specifying mandatory data protection practices in vendor contracts.
- B. Requiring the vendor to perform periodic internal audits.
- C. Keeping the majority of processing activities within the organization.
- D. Obtaining customer consent for any third-party processing of personal data.
正解:A
解説:
This answer is the most realistic step the organization can take to help diminish liability in the event of another incident, as it can ensure that the vendor complies with the same standards and obligations as the organization regarding data protection. Vendor contracts should include clauses that specify the scope, purpose, duration and type of data processing, as well as the rights and responsibilities of both parties. The contracts should also require the vendor to implement appropriate technical and organizational measures to protect the data from unauthorized or unlawful access, use, disclosure, alteration or destruction, and to notify the organization of any security incidents or breaches. The contracts should also allow the organization to monitor, audit or inspect the vendor's performance and compliance with the contract terms and applicable laws and regulations. References: IAPP CIPM Study Guide, page 82; ISO/IEC 27002:2013, section 15.1.2
質問 # 140
Under the General Data Protection Regulation (GDPR), which situation would be LEAST likely to require a Data Protection Impact Assessment (DPIA)?
- A. A Human Resources department using a tool to monitor its employees' internet activity
- B. The use of a camera system to monitor driving behavior on highways
- C. A health clinic processing its patients' genetic and health data
- D. An online magazine using a mailing list to send a generic daily digest to marketing emails
正解:D
解説:
A Data Protection Impact Assessment (DPIA) is a process to help identify and minimize the data protection risks of a project. Under the GDPR, a DPIA is required when the processing is likely to result in a high risk to the rights and freedoms of individuals, especially when using new technologies. The GDPR provides some examples of high-risk processing activities, such as systematic and extensive evaluation of personal aspects, large-scale processing of special categories of data, or systematic monitoring of public areas. The other options are more likely to require a DPIA than the online magazine using a mailing list to send a generic daily digest to marketing emails, as they involve more sensitive or intrusive types of processing. Reference:
[Data protection impact assessments | ICO]
[Art. 35 GDPR - Data protection impact assessment - GDPR.eu]
質問 # 141
SCENARIO
Please use the following to answer the next QUESTION:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen's line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company's growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company's own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments.
NatGen's CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
Based on the scenario, what additional change will increase the effectiveness of the privacy compliance hotline?
- A. A system for staff education.
- B. Strict communication channels.
- C. An ethics complaint department.
- D. Outsourcing the hotline.
正解:A
解説:
Based on the scenario, an additional change that will increase the effectiveness of the privacy compliance hotline is a system for staff education. A privacy compliance hotline is a mechanism for employees, customers, or other stakeholders to report any concerns or violations of the company's privacy policy or applicable laws. However, a hotline alone is not sufficient to ensure a robust and compliant privacy program.
Employees also need to be educated and trained on the importance of privacy, the company's privacy policy and procedures, their roles and responsibilities, and the consequences of non-compliance. A system for staff education can help raise awareness, foster a culture of privacy, and prevent or mitigate potential risks. References: [Privacy Compliance Hotline], [Staff Education]
質問 # 142
What is the main purpose in notifying data subjects of a data breach?
- A. To ensure organizations have accountability for the sufficiency of their security measures
- B. To allow individuals to take any actions required to protect themselves from possible consequences
- C. To avoid financial penalties and legal liability
- D. To enable regulators to understand trends and developments that may shape the law
正解:A
質問 # 143
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it:
a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!" What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?
- A. Include appropriate language about privacy protection in vendor contracts
- B. Do business only with vendors who are members of privacy trade associations
- C. Require that a person trained in privacy protection be part of all vendor selection teams
- D. Perform a privacy audit on any vendor under consideration
正解:C
質問 # 144
SCENARIO
Please use the following lo answer the next question:
You are the privacy manager within the privacy office of a National Forest Parks and Recreation Department.
While having lunch with a colleague from the IT division, you learn that the IT director has put out a request for proposal (RFP) which calls for a system that collects the personal data of park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to the vendors to demonstrate what information they would collect from people who enter parks anywhere in the country, either in a vehicle or on foot. A partial list of the information collected includes:
* personal identifiers such as name, address, age, gender;
* vehicle registration information:
* facial images of park attendees;
* health information (e.g.. physical disabilities, use of mobility devices) The stated purpose of the RFP is to:
"Improve the National Forest. Parks, and Recreation Department's ability to track and monitor service usage thereby Increasing the robustness of our customer data and to improve service offerings.'' Companies have already started submitting proposals for software solutions that address these information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team but no one from the privacy office has been a Dart of the RFP ud to this point. This occurred deposite the fact....
Which of the following is the least important privacy consideration associated with assessing data when implementing a large-scale project like this?
- A. Third-party vendor assessment to determine how well privacy practices of vendors align with your organization's practices.
- B. Standardization of privacy safeguards on a national scale.
- C. Classification of the types of personal information collected by the system
- D. Identifying operational risks associated with data storage, access and disposal.
正解:C
質問 # 145
Under the General Data Protection Regulation (GDPR), when would a data subject have the right to require the erasure of his or her data without undue delay?
- A. When the data subject is a public authority
- B. When the data is no longer necessary for its original purpose
- C. When the processing is carried out by automated means
- D. When the erasure is in the public interest
正解:A
質問 # 146
SCENARIO
Please use the following to answer the next QUESTION:
As they company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically Questionable practices, including unauthorized sales of personal data to marketers.
Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that
"appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures.
He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective." You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
What metric can Goddard use to assess whether costs associated with implementing new privacy protections are justified?
- A. Implementation measure
- B. Compliance ratio
- C. Cost-effective mean
- D. Return on investment
正解:D
解説:
Explanation
This answer is the best metric that Goddard can use to assess whether the costs associated with implementing new privacy protections are justified, as it can measure the financial benefits or value that the privacy protections generate for the company in relation to the costs or expenses that they incur. Return on investment (ROI) is a ratio that compares the net income or profit from an investment to the initial or total cost of the investment. ROI can help to evaluate the efficiency and effectiveness of an investment, as well as to compare different investments or alternatives. ROI can also help to support decision making and budget allocation for privacy protection initiatives.
質問 # 147
The first step an organization should take when considering the use of a third-party's AI-based resume ranking tool is to?
- A. Secure stakeholder buy-in and approval to ensure the tool meets the organization's requirements.
- B. Secure appropriate contractual concessions to ensure that the developer is primarily responsible for any violation of applicable privacy law.
- C. Conduct an assessment of the tool's impact both on privacy and on conformity with applicable AI regulation.
- D. Distribute a notice to the candidates whose resumes the tool will assess to ensure they understand and consent to the use of the tool.
正解:C
解説:
Comprehensive and Detailed Explanation:
Before adopting an AI-based resume ranking tool, the organization must assess the tool's privacy impact and legal compliance. This ensures the company understands how the tool processes personal data and whether it introduces risks such as bias, discrimination, or non-compliance with AI and privacy regulations (e.g., GDPR, CCPA, AI Act).
Option A (Stakeholder buy-in) is important, but privacy and regulatory assessments must come first.
Option C (Notifying candidates) is a later step after ensuring compliance and assessing risks.
Option D (Contractual concessions) helps mitigate risk but does not replace due diligence in assessing compliance.
A Privacy Impact Assessment (PIA) and AI Impact Assessment should be conducted before implementation.
質問 # 148
SCENARIO
Please use the following to answer the next QUESTION:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to Question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer - a former CEO and currently a senior advisor - said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason. "Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company - not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month." Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
How could the objection to Spencer's training suggestion be addressed?
- A. By offering alternative delivery methods for trainings.
- B. By customizing training based on length of employee tenure.
- C. By introducing a system of periodic refresher trainings.
- D. By requiring training only on an as-needed basis.
正解:A
解説:
This answer is the best way to address the objection to Spencer's training suggestion, as it can provide flexibility and convenience for employees who work in different locations or have different schedules. Alternative delivery methods for trainings can include online courses, webinars, podcasts, videos or self-paced modules that can be accessed anytime and anywhere by employees. Alternative delivery methods can also reduce the cost and time required for in-person trainings, while still ensuring that employees receive consistent and relevant information on the company's privacy program. Reference: IAPP CIPM Study Guide, page 90; ISO/IEC 27002:2013, section 7.2.2
質問 # 149
While trying to e-mail her manager, an employee has e-mailed a list of all the company's customers, including their bank details, to an employee with the same name at a different company. Which of the following would be the first stage in the incident response plan under the General Data Protection Regulation (GDPR)?
- A. Containment of impact of breach.
- B. Remediation offers to data subjects.
- C. Notification to data subjects.
- D. Notification to the Information Commissioner's Office (ICO).
正解:A
解説:
Explanation
The first stage in the incident response plan under the General Data Protection Regulation (GDPR) for this scenario would be to contain the impact of the breach. This means taking immediate action to stop the unauthorized access or disclosure of personal data, and to prevent it from happening again in the future. This could involve revoking access to the data, notifying the employee who mistakenly sent the data, and implementing security measures to prevent similar breaches from occurring in the future.
References:
* https://gdpr-info.eu/art-33-gdpr/
* https://gdpr-info.eu/art-34-gdpr/
質問 # 150
Formosa International operates in 20 different countries including the United States and France. What organizational approach would make complying with a number of different regulations easier?
- A. Rationalizing requirements.
- B. Decentralized privacy management.
- C. Fair Information Practices.
- D. Data mapping.
正解:A
解説:
Rationalizing requirements is an organizational approach that involves identifying and harmonizing the common elements of different privacy regulations and standards. This can make compliance easier and more efficient, as well as reduce the risk of conflicts or gaps in privacy protection. Rationalizing requirements can also help to create a consistent privacy policy and culture across different jurisdictions and business units. References: CIPM Study Guide, page 23.
質問 # 151
Your marketing team wants to know why they need a check box for their SMS opt-in. You explain it is part of the consumer's right to?
- A. Raise complaints.
- B. Have access.
- C. Be informed.
- D. Request correction.
正解:C
解説:
The marketing team needs a check box for their SMS opt-in because it is part of the consumer's right to be informed. This right means that consumers have the right to know how their personal data is collected, used, shared, and protected by the organization. The check box allows consumers to give their consent and opt-in to receive SMS messages from the organization, and also informs them of the purpose and scope of such messages. The other rights are not relevant in this case, as they are related to other aspects of data processing, such as correction, complaints, and access. References: CIPM Body of Knowledge, Domain IV: Privacy Program Communication, Section A: Communicating to Stakeholders, Subsection 1: Consumer Rights.
質問 # 152
Under which circumstances would people who work in human resources be considered a secondary audience for privacy metrics?
- A. They do not interface with the financial office
- B. They do not have privacy policy as their main task
- C. They do not receive training on privacy issues
- D. They do not have frequent interactions with the public
正解:B
質問 # 153
SCENARIO
Please use the following to answer the next QUESTION:
Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo. A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a Privacy Consultant, to assess the company and report to both father and son. "Carlton won't listen to me," Paul says, "but he may pay attention to an expert." Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks. espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a loose assemblage of controls, lacking consistency and with plenty of weaknesses. "This is a technology company," Carlton says. "We create. We innovate. I don't want unnecessary measures that will only slow people down and clutter their thoughts." The meeting lasts until early evening. Upon leaving, you walk through the office it looks as if a strong windstorm has recently blown through, with papers scattered across desks and tables and even the floor. A "cleaning crew" of one teenager is emptying the trash bins. A few computers have been left on for the night, others are missing. Carlton takes note of your attention to this: "Most of my people take their laptops home with them, or use their own tablets or phones. I want them to use whatever helps them to think and be ready day or night for that great insight. It may only come once!" What would be the best kind of audit to recommend for Gadgo?
- A. A supplier audit.
- B. A third-party audit.
- C. A self-certification.
- D. An internal audit.
正解:B
解説:
This answer is the best kind of audit to recommend for Gadgo, as it can provide an independent and objective assessment of the company's privacy program and practices, as well as identify any gaps, weaknesses or risks that need to be addressed or improved. A third-party audit is conducted by an external auditor who has the necessary expertise, experience and credentials to evaluate the company's compliance with the applicable laws, regulations, standards and best practices for data protection. A third-party audit can also help to enhance the company's reputation and trust among its customers, partners and stakeholders, as well as demonstrate its commitment and accountability for privacy protection. Reference: IAPP CIPM Study Guide, page 881; ISO/IEC 27002:2013, section 18.2.1
質問 # 154
SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eurek a. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What step in the system development process did Manasa skip?
- A. Work with Sanjay to review any necessary privacy requirements to be built into the product.
- B. Obtain express written consent from users of the Handy Helper regarding marketing.
- C. Certify that the Handy Helper meets the requirements of the EU-US Privacy Shield Framework.
- D. Build the artificial intelligence feature so that users would not have to input sensitive information into the Handy Helper.
正解:A
解説:
Manasa skipped the step of working with Sanjay to review any necessary privacy requirements to be built into the product. This step is part of the system analysis phase, which is less theoretical and focuses more on practical application1 By working with Sanjay, Manasa could have identified the legal and ethical obligations that Omnipresent Omnimedia has to protect the privacy of its users, especially in different jurisdictions. She could have also incorporated privacy by design principles, such as data minimization, purpose limitation, and user consent, into the product development process2 This would have helped to avoid potential privacy risks and violations that could harm the reputation and trust of the company and its customers. Reference: 1: 7 Phases of the System Development Life Cycle (With Tips); 2: [Privacy by Design: The 7 Foundational Principles]
質問 # 155
SCENARIO
Please use the following to answer the next QUESTION:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of relatively minor data breaches that could easily have been worse. However, you have not had a reportable incident for the three years that you have been with the company. In fact, you consider your program a model that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward coherence across departments and throughout operations. You were aided along the way by the program's sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both the executive team and frontline personnel working with data and interfacing with clients. Through the use of metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that easily could occur given the current state of operations, you soon had the leaders and key decision- makers largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data and must be part of the end product of any process of technological development. While your approach is not systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program?
How can you build on your success?
What are the next action steps?
What process could most effectively be used to add privacy protections to a new, comprehensive program being developed at Consolidated?
- A. Innovation Privacy Standards.
- B. Information Security Planning.
- C. Privacy by Design.
- D. Privacy Step Assessment.
正解:C
解説:
This is a process that embeds privacy protections into the design and development of new technologies, systems, products or services that involve personal data. It ensures that privacy is considered at every stage of the development process, from conception to completion, and that the privacy principles are integrated into the core functionality of the program.
質問 # 156
......
IAPP CIPMリアル2025年最新のブレーン問題集で模擬試験問題集:https://jp.fast2test.com/CIPM-premium-file.html
CIPM試験問題リアルCIPM練習問題集:https://drive.google.com/open?id=1Zp73pkCX4MvtHrNp_UTV81RxywAqLbwE