PDFを無料でダウンロードにはCIPM有効な練習テスト問題があります [Q37-Q59]

Share

PDFを無料でダウンロードにはCIPM有効な練習テスト問題があります

CIPMテストエンジンお試しセット、CIPM問題集PDF


CIPM認定は、データプライバシーの分野で高く評価されており、世界中の組織によって認識されています。雇用主とクライアントに、保有者がプライバシー法と規制を包括的に理解しており、効果的なプライバシープログラムを開発および実施できることを実証しています。さらに、この認定は、プライバシー管理のキャリアを促進しようとしている専門家にとって貴重な資産です。


CIPM認定は、プライバシープログラムの管理とプライバシー法および規制の順守を確保する責任を負う専門家向けに設計されたグローバルに認められた認定プログラムです。この認定は、幅広いプライバシー管理のトピックをカバーしており、雇用主によって世界的に認識されています。 CIPM認定を保持することで、収益の可能性を高め、プライバシー管理の分野で新しいキャリアの機会を開くことができます。


国際プライバシープロフェッショナル協会(IAPP)は、世界中のプライバシーの実践を促進・推進することを目的とした専門団体です。IAPPは、Certified Information Privacy Manager(CIPM)試験を含む、多数のプライバシー認定プログラムを提供しています。

 

質問 # 37
SCENARIO
Please use the following to answer the next QUESTION:
For 15 years, Albert has worked at Treasure Box - a mail order company in the United States (U.S.) that used to sell decorative candles around the world, but has recently decided to limit its shipments to customers in the
48 contiguous states. Despite his years of experience, Albert is often overlooked for managerial positions. His frustration about not being promoted, coupled with his recent interest in issues of privacy protection, have motivated Albert to be an agent of positive change.
He will soon interview for a newly advertised position, and during the interview, Albert plans on making executives aware of lapses in the company's privacy program. He feels certain he will be rewarded with a promotion for preventing negative consequences resulting from the company's outdated policies and procedures.
For example, Albert has learned about the AICPA (American Institute of Certified Public Accountans)/CICA (Canadian Institute of Chartered Accountants) Privacy Maturity Model (PMM). Albert thinks the model is a useful way to measure Treasure Box's ability to protect personal data. Albert has noticed that Treasure Box fails to meet the requirements of the highest level of maturity of this model; at his interview, Albert will pledge to assist the company with meeting this level in order to provide customers with the most rigorous security available.
Albert does want to show a positive outlook during his interview. He intends to praise the company's commitment to the security of customer and employee personal data against external threats. However, Albert worries about the high turnover rate within the company, particularly in the area of direct phone marketing. He sees many unfamiliar faces every day who are hired to do the marketing, and he often hears complaints in the lunch room regarding long hours and low pay, as well as what seems to be flagrant disregard for company procedures.
In addition, Treasure Box has had two recent security incidents. The company has responded to the incidents with internal audits and updates to security safeguards. However, profits still seem to be affected and anecdotal evidence indicates that many people still harbor mistrust. Albert wants to help the company recover.
He knows there is at least one incident the public in unaware of, although Albert does not know the details. He believes the company's insistence on keeping the incident a secret could be a further detriment to its reputation. One further way that Albert wants to help Treasure Box regain its stature is by creating a toll-free number for customers, as well as a more efficient procedure for responding to customer concerns by postal mail.
In addition to his suggestions for improvement, Albert believes that his knowledge of the company's recent business maneuvers will also impress the interviewers. For example, Albert is aware of the company's intention to acquire a medical supply company in the coming weeks.
With his forward thinking, Albert hopes to convince the managers who will be interviewing him that he is right for the job.
On which of the following topics does Albert most likely need additional knowledge?

  • A. The role of privacy in retail companies
  • B. The necessary maturity level of privacy programs
  • C. The possibility of delegating responsibilities related to privacy
  • D. The requirements for a managerial position with privacy protection duties

正解:B

解説:
Explanation
The topic that Albert most likely needs additional knowledge on is the necessary maturity level of privacy programs. Albert thinks that the AICPA/CICA Privacy Maturity Model (PMM) is a useful way to measure Treasure Box's ability to protect personal data, and that the company should aim to meet the highest level of maturity of this model. However, Albert may not realize that the PMM is not a prescriptive or definitive standard for privacy programs, but rather a descriptive and flexible tool for self-assessment and improvement.
The PMM does not require or expect organizations to achieve the highest level of maturity for all privacy practices, as this may not be feasible, realistic, or appropriate for their specific context, objectives, and risks.
The PMM recognizes that different levels of maturity may be suitable for different organizations or different aspects of their privacy programs, depending on their needs and circumstances. Therefore, Albert should not assume that the highest level of maturity is always the best or the most rigorous option for privacy protection.
Albert should learn more about how to use the PMM effectively and appropriately, and how to determine the optimal level of maturity for Treasure Box's privacy program.
The other options are not topics that Albert most likely needs additional knowledge on. Albert seems to have a good understanding of the role of privacy in retail companies, as he is aware of the importance of protecting customer and employee personal data, as well as complying with relevant laws and regulations. Albert also seems to have a good understanding of the possibility of delegating responsibilities related to privacy, as he plans to assist the company with meeting its privacy obligations and goals. Albert also seems to have a good understanding of the requirements for a managerial position with privacy protection duties, as he intends to demonstrate his knowledge, skills, and experience in this area during his interview. References:
[AICPA/CICA Privacy Maturity Model]; [Privacy Maturity Model: How Mature Is Your Privacy Program?]


質問 # 38
SCENARIO
Please use the following to answer the next question:
As they company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically questionable practices, including unauthorized sales of personal data to marketers.
Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that "appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures.
He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective." You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
The CEO likes what he's seen of the company's improved privacy program, but wants additional assurance that it is fully compliant with industry standards and reflects emerging best practices. What would best help accomplish this goal?

  • A. Revision of the strategic plan to provide a system of technical controls
  • B. An internal audit team accountable to upper management
  • C. Creation of a self-certification framework based on company policies
  • D. An external audit conducted by a panel of industry experts

正解:A


質問 # 39
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm - A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor - MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime.
Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution.
Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is NOT an obligation of MessageSafe as the email continuity service provider for A&M LLP?

  • A. Privacy compliance.
  • B. Certifications to relevant frameworks.
  • C. Data breach notification to A&M LLP.
  • D. Security commitment.

正解:B


質問 # 40
SCENARIO
Please use the following to answer the next question:
Your organization, the Chicago (U.S.)-based Society for Urban Greenspace, has used the same vendor to operate all aspects of an online store for several years. As a small nonprofit, the Society cannot afford the higher-priced options, but you have been relatively satisfied with this budget vendor, Shopping Cart Saver (SCS). Yes, there have been some issues. Twice, people who purchased items from the store have had their credit card information used fraudulently subsequent to transactions on your site, but in neither case did the investigation reveal with certainty that the Society's store had been hacked. The thefts could have been employee-related.
Just as disconcerting was an incident where the organization discovered that SCS had sold information it had collected from customers to third parties. However, as Jason Roland, your SCS account representative, points out, it took only a phone call from you to clarify expectations and the "misunderstanding" has not occurred again.
As an information-technology program manager with the Society, the role of the privacy professional is only one of many you play. In all matters, however, you must consider the financial bottom line. While these problems with privacy protection have been significant, the additional revenues of sales of items such as shirts and coffee cups from the store have been significant. The Society's operating budget is slim, and all sources of revenue are essential.
Now a new challenge has arisen. Jason called to say that starting in two weeks, the customer data from the store would now be stored on a data cloud. "The good news," he says, "is that we have found a low-cost provider in Finland, where the data would also be held. So, while there may be a small charge to pass through to you, it won't be exorbitant, especially considering the advantages of a cloud." Lately, you have been hearing about cloud computing and you know it's fast becoming the new paradigm for various applications. However, you have heard mixed reviews about the potential impacts on privacy protection. You begin to research and discover that a number of the leading cloud service providers have signed a letter of intent to work together on shared conventions and technologies for privacy protection. You make a note to find out if Jason's Finnish provider is signing on.
What is the best way for your vendor to be clear about the Society's breach notification expectations?

  • A. Email the regulations that require breach notifications
  • B. Send a memorandum of understanding on breach notification
  • C. Include notification provisions in the vendor contract
  • D. Arrange regular telephone check-ins reviewing expectations

正解:C


質問 # 41
SCENARIO
Please use the following to answer the next QUESTION:
It's just what you were afraid of. Without consulting you, the information technology director at your organization launched a new initiative to encourage employees to use personal devices for conducting business. The initiative made purchasing a new, high-specification laptop computer an attractive option, with discounted laptops paid for as a payroll deduction spread over a year of paychecks. The organization is also paying the sales taxes. It's a great deal, and after a month, more than half the organization's employees have signed on and acquired new laptops. Walking through the facility, you see them happily customizing and comparing notes on their new computers, and at the end of the day, most take their laptops with them, potentially carrying personal data to their homes or other unknown locations. It's enough to give you data- protection nightmares, and you've pointed out to the information technology Director and many others in the organization the potential hazards of this new practice, including the inevitability of eventual data loss or theft.
Today you have in your office a representative of the organization's marketing department who shares with you, reluctantly, a story with potentially serious consequences. The night before, straight from work, with laptop in hand, he went to the Bull and Horn Pub to play billiards with his friends. A fine night of sport and socializing began, with the laptop "safely" tucked on a bench, beneath his jacket. Later that night, when it was time to depart, he retrieved the jacket, but the laptop was gone. It was not beneath the bench or on another bench nearby. The waitstaff had not seen it. His friends were not playing a joke on him. After a sleepless night, he confirmed it this morning, stopping by the pub to talk to the cleanup crew. They had not found it. The laptop was missing. Stolen, it seems. He looks at you, embarrassed and upset.
You ask him if the laptop contains any personal data from clients, and, sadly, he nods his head, yes. He believes it contains files on about 100 clients, including names, addresses and governmental identification numbers. He sighs and places his head in his hands in despair.
Which is the best way to ensure that data on personal equipment is protected?

  • A. Biometric security.
  • B. Frequent data backups.
  • C. Encryption of the data.
  • D. User risk training.

正解:C

解説:
Explanation
Encryption of the data is the best way to ensure that data on personal equipment is protected, as it prevents unauthorized access to the data even if the equipment is lost or stolen. Encryption is the process of transforming data into an unreadable format that can only be decrypted with a valid key or password.
Encryption can be applied to the entire device, a specific folder or file, or a removable storage media. Encryption is one of the most effective technical safeguards for data protection and is recommended by many privacy laws and standards. References: IAPP CIPM Study Guide, page 831; ISO/IEC 27002:2013, section 10.1.1


質問 # 42
SCENARIO
Please use the following to answer the next question:
As they company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically questionable practices, including unauthorized sales of personal data to marketers.
Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that "appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures.
He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective." You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
You are charged with making sure that privacy safeguards are in place for new products and initiatives. What is the best way to do this?

  • A. Institute Privacy by Design principles and practices across the organization
  • B. Develop a plan for introducing privacy protections into the product development stage
  • C. Conduct a gap analysis after deployment of new products, then mend any gaps that are revealed
  • D. Hold a meeting with stakeholders to create an interdepartmental protocol for new initiatives

正解:B


質問 # 43
SCENARIO
Please use the following to answer the next QUESTION:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Questions as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called Eurek a. Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What administrative safeguards should be implemented to protect the collected data while in use by Manasa and her product management team?

  • A. Implement a policy restricting data access on a "need to know" basis.
  • B. Limit data transfers to the US by keeping data collected in Europe within a local data center.
  • C. Conduct a Privacy Impact Assessment (PIA) to evaluate the risks involved.
  • D. Document the data flows for the collected data.

正解:D


質問 # 44
SCENARIO
Please use the following to answer the next question:
Natalia, CFO of the Nationwide Grill restaurant chain, had never seen her fellow executives so anxious. Last week, a data processing firm used by the company reported that its system may have been hacked, and customer data such as names, addresses, and birthdays may have been compromised. Although the attempt was proven unsuccessful, the scare has prompted several Nationwide Grill executives to question the company's privacy program at today's meeting.
Alice, a vice president, said that the incident could have opened the door to lawsuits, potentially damaging Nationwide Grill's market position. The Chief Information Officer (CIO), Brendan, tried to assure her that even if there had been an actual breach, the chances of a successful suit against the company were slim. But Alice remained unconvinced.
Spencer - a former CEO and currently a senior advisor - said that he had always warned against the use of contractors for data processing. At the very least, he argued, they should be held contractually liable for telling customers about any security incidents. In his view, Nationwide Grill should not be forced to soil the company name for a problem it did not cause.
One of the business development (BD) executives, Haley, then spoke, imploring everyone to see reason.
"Breaches can happen, despite organizations' best efforts," she remarked. "Reasonable preparedness is key." She reminded everyone of the incident seven years ago when the large grocery chain Tinkerton's had its financial information compromised after a large order of Nationwide Grill frozen dinners. As a long-time BD executive with a solid understanding of Tinkerton's's corporate culture, built up through many years of cultivating relationships, Haley was able to successfully manage the company's incident response.
Spencer replied that acting with reason means allowing security to be handled by the security functions within the company - not BD staff. In a similar way, he said, Human Resources (HR) needs to do a better job training employees to prevent incidents. He pointed out that Nationwide Grill employees are overwhelmed with posters, emails, and memos from both HR and the ethics department related to the company's privacy program. Both the volume and the duplication of information means that it is often ignored altogether.
Spencer said, "The company needs to dedicate itself to its privacy program and set regular in-person trainings for all staff once a month." Alice responded that the suggestion, while well-meaning, is not practical. With many locations, local HR departments need to have flexibility with their training schedules. Silently, Natalia agreed.
Based on the scenario, Nationwide Grill needs to create better employee awareness of the company's privacy program by doing what?

  • A. Improving inter-departmental cooperation.
  • B. Communicating to the staff more often.
  • C. Requiring acknowledgment of company memos.
  • D. Varying the modes of communication.

正解:C

解説:
Explanation/Reference:


質問 # 45
SCENARIO
Please use the following to answer the next question:
As they company's new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically Questionable practices, including unauthorized sales of personal data to marketers.
Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company's claims that
"appropriate" data protection safeguards were in place. The scandal affected the company's business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard's mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company's board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures.
He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. "We want Medialite to have absolutely the highest standards," he says. "In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company's finances. So, while I want the best solutions across the board, they also need to be cost effective." You are told to report back in a week's time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
The CEO likes what he's seen of the company's improved privacy program, but wants additional assurance that it is fully compliant with industry standards and reflects emerging best practices. What would best help accomplish this goal?

  • A. Revision of the strategic plan to provide a system of technical controls
  • B. An internal audit team accountable to upper management
  • C. Creation of a self-certification framework based on company policies
  • D. An external audit conducted by a panel of industry experts

正解:A


質問 # 46
If your organization has a recurring issue with colleagues not reporting personal data breaches, all of the following are advisable to do EXCEPT?

  • A. Provide role-specific training to areas where breaches are happening so they are more aware.
  • B. Carry out a root cause analysis on each breach to understand why the incident happened.
  • C. Communicate to everyone that breaches must be reported and how they should be reported.
  • D. Distribute a phishing exercise to all employees to test their ability to recognize a threat attempt.

正解:D

解説:
Explanation
Distributing a phishing exercise to all employees is not advisable to do if your organization has a recurring issue with colleagues not reporting personal data breaches. A phishing exercise is a simulated attack that tests the awareness and response of employees to malicious emails that attempt to obtain sensitive information or compromise systems. While phishing exercises can be useful to train employees on how to recognize and avoid phishing attacks, they are not directly related to the issue of reporting personal data breaches. The other options are more appropriate to address the root cause of the issue, communicate the expectations and procedures for reporting breaches, and provide specific training to areas where breaches are happening1, 2. References: CIPM - International Association of Privacy Professionals, Free CIPM Study Guide - International Association of Privacy Professionals


質問 # 47
SCENARIO
Please use the following to answer the next question:
Martin Briseno is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In 1998, Briseno decided to change the hotel's on-the-job mentoring model to a standardized training program for employees who were progressing from line positions into supervisory positions. He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased, leading Briseno to work with corporate HR specialists and software engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.
Upon hearing about the success of Briseno's program, Pacific Suites corporate Vice President Maryanne Silva-Hayes expanded the training and offered it company-wide. Employees who completed the program received certification as a Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at hotels across the country could sign up and pay to take the course online.
As the program became increasingly profitable, Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing a variety of online courses and course progressions providing a number of professional certifications in the hospitality industry.
By setting up a user account with PHT, course participants could access an information library, sign up for courses, and take end-of-course certification tests. When a user opened a new account, all information was saved by default, including the user's name, date of birth, contact information, credit card information, employer, and job title. The registration page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name and password were established, users could return to check their course status, review and reprint their certifications, and sign up and pay for new courses. Between 2002 and
2008, PHT issued more than 700,000 professional certifications.
PHT's profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e- learning providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved.
The training program's systems and records remained in Pacific Suites' digital archives, un-accessed and unused. Briseno and Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the program ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed.
In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site, hackers also discovered the archived training course data and registration accounts of Pacific Hospitality Training's customers. The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the PHT database with all its contents.
A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm. Technical security engineers faced a challenge in dealing with the PHT data.
PHT course administrators and the IT engineers did not have a system for tracking, cataloguing, and storing information. Pacific Suites has procedures in place for data access and storage, but those procedures were not implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or oversight. By the time technical security engineers determined what private information was compromised, at least 8,000 credit card holders were potential victims of fraudulent activity.
What must Pacific Suite's primary focus be as it manages this security breach?

  • A. Investigating the cause and assigning responsibility
  • B. Maintaining operations and preventing publicity
  • C. Determining whether the affected individuals should be notified
  • D. Minimizing the amount of harm to the affected individuals

正解:D


質問 # 48
Which of the following actions is NOT required during a data privacy diligence process for Merger & Acquisition (M&A) deals?

  • A. Perform a privacy readiness assessment before the deal.
  • B. Update business processes to handle Data Subject Requests (DSRs).
  • C. Compare the original use of personal data to post-merger use.
  • D. Revise inventory of applications that house personal data and data mapping.

正解:A


質問 # 49
"Respond" in the privacy operational lifecycle includes which of the following?

  • A. Information requests and privacy rights requests.
  • B. Communication to stakeholders and alignment to laws.
  • C. Privacy awareness training and compliance monitoring.
  • D. Information security practices and functional area integration.

正解:A

解説:
Explanation
"Respond" in the privacy operational lifecycle includes information requests and privacy rights requests, which are requests from individuals or authorities to access, correct, delete, or restrict the processing of personal data. The privacy program must have processes and procedures to handle such requests in a timely and compliant manner. The other options are not part of the "respond" phase, but rather belong to other phases such as "protect", "aware", or "align". References: CIPM Body of Knowledge, Domain III: Privacy Program Operational Life Cycle, Section D: Respond.


質問 # 50
Which of the following controls does the PCI DSS framework NOT require?

  • A. Maintain an information security policy.
  • B. Implement strong access control measures.
  • C. Implement strong asset control protocols.
  • D. Maintain a vulnerability management program.

正解:C


質問 # 51
What are you doing if you succumb to "overgeneralization" when analyzing data from metrics?

  • A. Using limited data in an attempt to support broad conclusions.
  • B. Using data that is too broad to capture specific meanings.
  • C. Trying to use several measurements to gauge one aspect of a program.
  • D. Possessing too many types of data to perform a valid analysis.

正解:B

解説:
Explanation
If you succumb to "overgeneralization" when analyzing data from metrics, you are using data that is too broad to capture specific meanings. For example, if you use a single metric such as "number of complaints" to measure customer satisfaction, you are ignoring other factors that may affect customer satisfaction such as quality of service, responsiveness, or loyalty. You are also assuming that all complaints are equally valid and important, which may not be the case. To avoid overgeneralization, you should use multiple metrics that are relevant, specific, and measurable for your objectives. References: [IAPP CIPM Study Guide], page 59-60;
[Avoiding Overgeneralization in Data Analysis]


質問 # 52
SCENARIO
Please use the following to answer the next question:
Edufox has hosted an annual convention of users of its famous e-learning software platform, and over time, it has become a grand event. It fills one of the large downtown conference hotels and overflows into the others, with several thousand attendees enjoying three days of presentations, panel discussions and networking. The convention is the centerpiece of the company's product rollout schedule and a great training opportunity for current users. The sales force also encourages prospective clients to attend to get a better sense of the ways in which the system can be customized to meet diverse needs and understand that when they buy into this system, they are joining a community that feels like family.
This year's conference is only three weeks away, and you have just heard news of a new initiative supporting it: a smartphone app for attendees. The app will support late registration, highlight the featured presentations and provide a mobile version of the conference program. It also links to a restaurant reservation system with the best cuisine in the areas featured. "It's going to be great," the developer, Deidre Hoffman, tells you, "if, that is, we actually get it working!" She laughs nervously but explains that because of the tight time frame she'd been given to build the app, she outsourced the job to a local firm. "It's just three young people," she says, "but they do great work." She describes some of the other apps they have built. When asked how they were selected for this job, Deidre shrugs. "They do good work, so I chose them." Deidre is a terrific employee with a strong track record. That's why she's been charged to deliver this rushed project. You're sure she has the best interests of the company at heart, and you don't doubt that she's under pressure to meet a deadline that cannot be pushed back. However, you have concerns about the app's handling of personal data and its security safeguards. Over lunch in the break room, you start to talk to her about it, but she quickly tries to reassure you, "I'm sure with your help we can fix any security issues if we have to, but I doubt there'll be any. These people build apps for a living, and they know what they're doing. You worry too much, but that's why you're so good at your job!" What safeguard can most efficiently ensure that privacy protection is a dimension of relationships with vendors?

  • A. Include appropriate language about privacy protection in vendor contracts
  • B. Do business only with vendors who are members of privacy trade associations
  • C. Require that a person trained in privacy protection be part of all vendor selection teams
  • D. Perform a privacy audit on any vendor under consideration

正解:C


質問 # 53
Under the GDPR. when the applicable lawful basis for the processing of personal data is a legal obligation with which the controller must comply. which right can the data subject exercise?

  • A. Right to erasure.
  • B. Right to restriction.
  • C. Right to data portability.
  • D. Right to withdraw consent.

正解:B

解説:
Explanation
Under the GDPR, when the applicable lawful basis for the processing of personal data is a legal obligation with which the controller must comply, the data subject can exercise the right to restriction. This means that the data subject can request the controller to limit the processing of their personal data in certain circumstances, such as when they contest the accuracy or lawfulness of the processing. The other rights are not applicable in this case, as they are either dependent on consent (right to withdraw consent and right to data portability) or subject to exceptions (right to erasure). References: GDPR, Articles 6(1), 18, 21(1).


質問 # 54
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm - A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor - MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off-premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is the most effective control to enforce MessageSafe's implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?

  • A. MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP.
  • B. MessageSafe must notify A&M LLP of a data breach.
  • C. MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
  • D. MessageSafe must apply appropriate security controls on the cloud infrastructure.

正解:B


質問 # 55
SCENARIO
Please use the following to answer the next question:
Perhaps Jack Kelly should have stayed in the U.S. He enjoys a formidable reputation inside the company, Special Handling Shipping, for his work in reforming certain "rogue" offices. Last year, news broke that a police sting operation had revealed a drug ring operating in the Providence, Rhode Island office in the United States.
Video from the office's video surveillance cameras leaked to news operations showed a drug exchange between Special Handling staff and undercover officers.
In the wake of this incident, Kelly had been sent to Providence to change the "hands off" culture that upper management believed had let the criminal elements conduct their illicit transactions. After a few weeks under Kelly's direction, the office became a model of efficiency and customer service. Kelly monitored his workers' activities using the same cameras that had recorded the illegal conduct of their former co-workers.
Now Kelly has been charged with turning around the office in Cork, Ireland, another trouble spot. The company has received numerous reports of the staff leaving the office unattended. When Kelly arrived, he found that even when present, the staff often spent their days socializing or conducting personal business on their mobile phones. Again, he observed their behaviors using surveillance cameras. He issued written reprimands to six staff members based on the first day of video alone.
Much to Kelly's surprise and chagrin, he and the company are now under investigation by the Data Protection Commissioner of Ireland for allegedly violating the privacy rights of employees. Kelly was told that the company's license for the cameras listed facility security as their main use, but he does not know why this matters. He has pointed out to his superiors that the company's training programs on privacy protection and data collection mention nothing about surveillance video.
You are a privacy protection consultant, hired by the company to assess this incident, report on the legal and compliance issues, and recommend next steps.
Knowing that the regulator is now investigating, what would be the best step to take?

  • A. Consult an attorney experienced in privacy law and litigation.
  • B. Negotiate the terms of a settlement before formal legal action takes place.
  • C. If you know the organization is guilty, advise it to accept the punishment.
  • D. Use your background and knowledge to set a course of action.

正解:A


質問 # 56
Which of the following actions is NOT required during a data privacy diligence process for Merger & Acquisition (M&A) deals?

  • A. Perform a privacy readiness assessment before the deal.
  • B. Update business processes to handle Data Subject Requests (DSRs).
  • C. Compare the original use of personal data to post-merger use.
  • D. Revise inventory of applications that house personal data and data mapping.

正解:A

解説:
Explanation
A privacy readiness assessment is not required during a data privacy diligence process for Merger & Acquisition (M&A) deals, as it is usually done before the deal to evaluate the privacy maturity and compliance level of the target organization. The other options are required during the data privacy diligence process to ensure that the personal data of both organizations are handled in accordance with the applicable laws and regulations, as well as the expectations of the data subjects and stakeholders. References: CIPM Body of Knowledge, Domain III: Privacy Program Management Activities, Task 4: Manage data transfers.


質問 # 57
SCENARIO
Please use the following to answer the next question:
Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company's flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments.
After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.
The packaging and user guide for the Handy Helper indicate that it is a "privacy friendly" product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.
Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many Question about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the Question as he was not involved in the product development process.
In speaking with the product team, he learned that the Handy Helper collected and stored all of a user's sensitive medical information for the medical appointment scheduler. In fact, all of the user's information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.
Consistent with the CEO's philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called "Eureka." Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.
What security controls are missing from the Eureka program?

  • A. Encryption of the data at rest prevents European users from having the right of access and the right of portability of their data
  • B. Data access is not limited to those who "need to know" for their role
  • C. Storage of medical data in the cloud is not permissible under the General Data Protection Regulation (GDPR)
  • D. Collection of data without a defined purpose might violate the fairness principle

正解:B


質問 # 58
SCENARIO
Please use the following to answer the next question:
For 15 years, Albert has worked at Treasure Box - a mail order company in the United States (U.S.) that used to sell decorative candles around the world, but has recently decided to limit its shipments to customers in the
48 contiguous states. Despite his years of experience, Albert is often overlooked for managerial positions. His frustration about not being promoted, coupled with his recent interest in issues of privacy protection, have motivated Albert to be an agent of positive change.
He will soon interview for a newly advertised position, and during the interview, Albert plans on making executives aware of lapses in the company's privacy program. He feels certain he will be rewarded with a promotion for preventing negative consequences resulting from the company's outdated policies and procedures.
For example, Albert has learned about the AICPA (American Institute of Certified Public Accountans)/CICA (Canadian Institute of Chartered Accountants) Privacy Maturity Model (PMM). Albert thinks the model is a useful way to measure Treasure Box's ability to protect personal data. Albert has noticed that Treasure Box fails to meet the requirements of the highest level of maturity of this model; at his interview, Albert will pledge to assist the company with meeting this level in order to provide customers with the most rigorous security available.
Albert does want to show a positive outlook during his interview. He intends to praise the company's commitment to the security of customer and employee personal data against external threats. However, Albert worries about the high turnover rate within the company, particularly in the area of direct phone marketing. He sees many unfamiliar faces every day who are hired to do the marketing, and he often hears complaints in the lunch room regarding long hours and low pay, as well as what seems to be flagrant disregard for company procedures.
In addition, Treasure Box has had two recent security incidents. The company has responded to the incidents with internal audits and updates to security safeguards. However, profits still seem to be affected and anecdotal evidence indicates that many people still harbor mistrust. Albert wants to help the company recover.
He knows there is at least one incident the public in unaware of, although Albert does not know the details. He believes the company's insistence on keeping the incident a secret could be a further detriment to its reputation. One further way that Albert wants to help Treasure Box regain its stature is by creating a toll-free number for customers, as well as a more efficient procedure for responding to customer concerns by postal mail.
In addition to his suggestions for improvement, Albert believes that his knowledge of the company's recent business maneuvers will also impress the interviewers. For example, Albert is aware of the company's intention to acquire a medical supply company in the coming weeks.
With his forward thinking, Albert hopes to convince the managers who will be interviewing him that he is right for the job.
What is one important factor that Albert fails to consider regarding Treasure Box's response to their recent security incident?

  • A. How data at the company is collected
  • B. How long data at the company is kept
  • C. What the nature of the data is
  • D. Who has access to the data

正解:B


質問 # 59
......

あなたを合格させるCertified Information Privacy Manager CIPM試験問題集で2024年06月21日には182問あります:https://jp.fast2test.com/CIPM-premium-file.html

最新のIAPP CIPMのPDFと問題集で(2024)無料試験問題解答:https://drive.google.com/open?id=1TkIk5IwASOdKWqzr8PdpeAbKSN6e6IrB


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어