CIPM Certified Information Privacy Manager All-in-One Exam Guide by Peter H. Gregory

Author: Peter H. Gregory
Language: eng
Format: epub
Publisher: McGraw-Hill Education
Published: 2021-12-15T00:00:00+00:00


Questions

1. A privacy leader is documenting the current state of an organization’s privacy program so that progress over time can be better understood. The documentation of the current state is known as a(n):

A. Gap analysis

B. Risk assessment

C. Baseline

D. Audit

2. What is the purpose of the cloud services shared responsibility model?

A. Defines responsibilities when assigned to a project team

B. Defines which parties are responsible for which aspects of privacy

C. Defines which parties are responsible for which aspects of security and privacy

D. Defines which parties are responsible for which aspects of security

3. An organization that receives and transforms information on behalf of another organization is known as a:

A. Vendor

B. Fourth party

C. Controller

D. Processor

4. An organization retained a service provider for low-risk services, and the provider was classified at the lowest risk tier in the organization’s TPRM program. Later, the organization expanded its use of the service provider, which now collects personal information from customers. What, if any, change is required in the organization’s TPRM program?

A. No change is needed if the vendor’s contacts are unchanged.

B. Inform accounts payable of changes in payment levels.

C. Issue the questionnaire more frequently.

D. Reclassify the vendor’s risk tier and reassess accordingly.

5. An organization is negotiating a contract with a service provider classified at the highest vendor risk tier. The organization’s attorney is contemplating language in the right-to-audit section of the legal agreement. Which of the following is the best term to use?

A. Right to audit in the event of a new privacy law

B. Right to audit in the event of a confirmed breach

C. Right to audit in any circumstance

D. Right to audit in the event of a suspected breach

6. When assessing a third-party service provider that has been classified at a high-risk tier, which of the following is the best method for confirming the answers provided in a privacy assessment questionnaire?

A. Require that the service provider attest that the questionnaire is accurate.

B. Require that the service provider provide specific program artifacts.

C. Perform a site visit to observe controls.

D. Require that the service provider be certified to ISO/IEC 27701.

7. A new privacy leader wants to baseline the existing program to help identify improvements over time. Which of the following is NOT required for a baseline?

A. Format of privacy records

B. List of applicable regulations

C. Privacy program metrics

D. Size and competence of staff

8. An organization has sent a questionnaire to a selected vendor for performing expense management services. The vendor stated in the questionnaire that it does not perform security awareness training. What is the organization’s best response?

A. Accept the risk and proceed.

B. Contractually require the vendor to begin performing security awareness training.

C. Select a different service provider.

D. Create an entry in the risk register.

9. An organization wants to limit the use of USB external storage for the storage of personal information. What is the best first step to accomplish this?

A. Implement software to detect uses of USB storage of personal information.

B. Implement software to block uses of USB storage of personal information.

C. Create a policy that defines the limitations of USB storage.


