
CIPM Exam Flashcards |90 Questions with 100% Correct Answers, Exams of Company Secretarial Practice

90 questions with 100% correct answers related to privacy programs, data protection, and privacy policies. The questions cover topics such as metrics, internal audit, privacy by design, privacy notice, privacy maturity model, data assessment, data inventory, and data breaches. The document also includes scenarios and examples to illustrate the concepts. The questions are useful for students preparing for the CIPM exam or anyone interested in privacy and data protection.

Typology: Exams

2022/2023

Available from 06/21/2023

doctorate01


  1. Which of the following is not a metric an organization would use? - ✔️✔️ Minimize security threats
  2. Which of the following is least likely a goal of an organization's privacy program? - ✔️✔️ Hiring a privacy officer or manager
  3. In which of the following ways can internal audit most likely help a privacy program? - ✔️✔️ Providing consultancy services
  4. What can be considered to be the essence of an organization's privacy notice communicated to the outside world? - ✔️✔️ A promise on handling
  5. Which of the following is most true about privacy by design? - ✔️✔️ Results, partly, in compliance with the General Data Protection Regulation
  6. Which of the following is the best description of an accountable organization? - ✔️✔️ An organization with the necessary policies and procedures
  7. Which step is likely not part of a privacy program with the goal to protect an organization's brand? - ✔️✔️ Prevent phishing e-mails using the company logo from being sent
  8. What is "the authority aims to safeguard the balance between the right to privacy and other rights"? - ✔️✔️ A mission or vision
  9. A manufacturing company has placed computers all around the manufacturing area to help machine operators to relax during their lunch break and check their e-mails or social media. The company is doing so in an attempt to stop the machine operators from being distracted by their phones during their work and all the dangers that come with being distracted in a manufacturing area.
  10. All the computers are connected to both the intranet and the internet. This allows an internal news bulletin and all policies and procedures to be displayed easily. There are regular updates, for example on family events, updates of procedures, bonus-related information and news on the employee of the month.
  11. In addition to involving employees by sharing company news with them, all procedures are on the intranet. Anything from safe work practice guidelines to social media guidelines can be found on the intranet.
  12. To use the computer, no login is needed. All computers are configured to be accessible to anyone, with ease. A downside of this is a shared hard drive, and the older employees do not know that whatever they open on the computer is stored (temporarily).
  13. In the scenario provided, where is the organization on the Privacy Maturity Model? - ✔️✔️ Managed
  14. A manufacturing company has placed computers all around the manufacturing area to help machine operators to relax during their lunch break and check their e-mails or social media. The company is doing so in an attempt to stop the machine operators from being distracted by their phones during their work and all the dangers that come with being distracted in a manufacturing area.
  15. All the computers are connected to both the intranet and the internet. This allows an internal news bulletin and all policies and procedures to be displayed easily. There are regular updates, for example on family events, updates of procedures, bonus-related information and news on the employee of the month.
  16. In addition to involving employees by sharing company news with them, all procedures are on the intranet. Anything from safe work practice guidelines to social media guidelines can be found on the intranet.
  17. To use the computer, no login is needed. All computers are configured to be accessible to anyone, with ease. A downside of this is a shared hard drive, and the older employees do not know that whatever they open on the computer is stored (temporarily).
  18. What is likely the biggest danger of a shared computer without user accounts? - ✔️✔️ Employees can access each other's personal data
  19. A manufacturing company has placed computers all around the manufacturing area to help machine operators to relax during their lunch break and check their e-mails or social media. The company is doing so in an attempt to stop the machine operators from being distracted by their phones during their work and all the dangers that come with being distracted in a manufacturing area.
  20. All the computers are connected to both the intranet and the internet. This allows an internal news bulletin and all policies and procedures to be displayed easily. There are regular updates, for example on family events, updates of procedures, bonus-related information and news on the employee of the month.
  21. In addition to involving employees by sharing company news with them, all procedures are on the intranet. Anything from safe work practice guidelines to social media guidelines can be found on the intranet.
  22. To use the computer, no login is needed. All computers are configured to be accessible to anyone, with ease. A downside of this is a shared hard drive, and the older employees do not know that whatever they open on the computer is stored (temporarily).
  23. Given that the employees potentially see each other's data, a notice is visible on a piece of paper next to the computer. What can this be called? - ✔️✔️ A just-in-time notice
  24. How can you best describe metadata? - ✔️✔️ Information about data
  25. Which of the following countries is least likely or latest to implement a comprehensive privacy law? - ✔️✔️ The United States
  26. A group of petrochemical companies set up guidelines and audit each other on their compliance, and individual companies report their findings to the authorities if they find a law broken. What is this most likely? - ✔️✔️ Self-regulation
  27. How can a privacy standard that an organization uses be most appropriately described? - ✔️✔️ An approach to getting the organization to handle personal information correctly
  28. A company is subject to a certain law and has assigned employees responsibility for compliance and developed Excel sheets for monitoring and reporting. What could this be called? - ✔️✔️ A framework
  29. Which type of organization has loose policies and managers that control small groups of employees? - ✔️✔️ Decentralized
  30. When is a Data Protection Officer not necessarily required in the European Union? - ✔️✔️ When processing the data of 10 000 employees
  31. A popular music venue hosts an event at least twice a week. It sells a certain number of tickets for each event, so the number of people that can enter is limited. At the events photographs are taken, which is indicated at the entrance of the venue (after the ticket check).
  32. One day, an angry visitor shows up, demanding to speak to the manager. It turned out his wife saw him on the photos that were published on the internet, and he had told her that he was working overtime whilst instead he went to see his favorite band.
  33. The manager assured the visitor that they have every right to take photos and publish them, as it is their venue and there was a sign before entering, so the visitor could have known and could have chosen to leave. In return the visitor responds that he did not see the sign, and when checking the sign he notices that there is no warning that the photos will be published on the internet.
  34. When should the photo notice ideally have been provided? - ✔️✔️ Before the purchase of the ticket
  35. A popular music venue hosts an event at least twice a week. It sells a certain number of tickets for each event, so the number of people that can enter is limited. At the events photographs are taken, which is indicated at the entrance of the venue (after the ticket check).
  36. One day, an angry visitor shows up, demanding to speak to the manager. It turned out his wife saw him on the photos that were published on the internet, and he had told her that he was working overtime whilst instead he went to see his favorite band.
  37. The manager assured the visitor that they have every right to take photos and publish them, as it is their venue and there was a sign before entering, so the visitor could have known and could have chosen to leave. In return the visitor responds that he did not see the sign, and when checking the sign he notices that there is no warning that the photos will be published on the internet.
  38. In the European Union, if the processing of the photo was indeed illegal, what could the data subject have done? - ✔️✔️ Sue the company for damages
  39. A popular music venue hosts an event at least twice a week. It sells a certain number of tickets for each event, so the number of people that can enter is limited. At the events photographs are taken, which is indicated at the entrance of the venue (after the ticket check).
  40. One day, an angry visitor shows up, demanding to speak to the manager. It turned out his wife saw him on the photos that were published on the internet, and he had told her that he was working overtime whilst instead he went to see his favorite band.
  41. The manager assured the visitor that they have every right to take photos and publish them, as it is their venue and there was a sign before entering, so the visitor could have known and could have chosen to leave. In return the visitor responds that he did not see the sign, and when checking the sign he notices that there is no warning that the photos will be published on the internet.
  42. If the photographer is an external party, what would the photographer most likely be in this context? - ✔️✔️ A data processor
  43. Which of the following is not an example of self-regulation? - ✔️✔️ Binding Corporate Rules
  44. When designing business processes, what is the most elaborate aspect to take into account? - ✔️✔️ Consent
  45. Which of the following is not a country with its regulatory authority? - ✔️✔️ Japan - Personal Information Protection Agency
  46. What is the most likely reason for an organization to perform a data assessment? - ✔️✔️ To determine how the organization needs to handle the data
  47. Which of the following is most likely not an element of a data inventory? - ✔️✔️ The requirement of contacting the Data Protection Authority in case of a data breach
  48. Once a data inventory has finished, how would you most likely use the results? - ✔️✔️ Determine privacy priorities
  49. Why can multiple departments most likely be involved in the process of creating a data inventory? - ✔️✔️ Because processes run through the entire organization
  50. Which of the following is most likely to trigger the need to update the data inventory? - ✔️✔️ A change in the organization
  51. What is most likely the biggest benefit for an organization of buying an online data inventory software package? - ✔️✔️ Updates with law changes
  52. When developing a process for handling data breaches, which of the following is least important? - ✔️✔️ The involvement of the Chief Information Security Officer
  53. Which of the following is most likely assigned to the Internal Audit department? - ✔️✔️ Privacy assessments
  54. When knowing there is a process that requires an in-depth risk assessment, which of the following is least advisable? - ✔️✔️ An express Privacy Impact Assessment
  55. Which of the following contains a set of guidelines for Privacy Impact Assessments? - ✔️✔️ ISO 29134
  56. Which of the following is most important for an organization in order to show compliance with the General Data Protection Regulation? - ✔️✔️ Data Protection Impact Assessments
  57. What is not the goal of a security control? - ✔️✔️ Administer
  58. What would be the most likely reason for an organization to audit a vendor that performs processing on its request? - ✔️✔️ To take responsibility for outsourcing
  59. When designing the process of obtaining consent, which of the following is least important? - ✔️✔️ To verify whether an alternative legal basis can be relied on
  60. What is the best description of a processor? - ✔️✔️ An organization acting only as instructed by another organization
  61. What is the biggest weakness of a Data Protection Impact Assessment? - ✔️✔️ It is subjective
  62. Which is most true about an organization's privacy policy? - ✔️✔️ A privacy policy provides guidance for decisions
  63. Which of the following is least likely required of an organization? - ✔️✔️ Regulate
  64. After or during a data breach, what will you most likely need the marketing department for? - ✔️✔️ Sending out a mailing
  65. What is something communicated by an organization to people about the organization's privacy practices? - ✔️✔️ A privacy notice
  66. What is an acceptable use policy? - ✔️✔️ Specifies how people should behave on a network
  67. Who is best to sign an organization's cloud computing agreements (if available)? - ✔️✔️ The Chief Information Officer
  68. Which of the following would most likely be considered a data subject? - ✔️✔️ A person linked to data
  69. If not responding quickly enough to a data subject's inquiry, which is not a likely consequence? - ✔️✔️ A data breach
  70. Which privacy notice is most inappropriate under the General Data Protection Regulation? - ✔️✔️ A one-click 20 page PDF
  71. What is an advantage of communicating an organization's privacy practices through a layered privacy notice? - ✔️✔️ Receiving relevant information only
  72. What would be the least inappropriate use of a just-in-time notice? - ✔️✔️ Asking to access the location of your phone before starting your navigator
  73. What is the most likely risk when deleting data too early? - ✔️✔️ Not complying with a legal requirement
  74. Which of the following regulates the use of icons on websites and mobile screens? - ✔️✔️ The Digital Advertising Alliance
  75. What is the difference between express and implicit consent? - ✔️✔️ Opt-in versus opt-out
  76. Of the following, which is a big reason privacy laws needed to address privacy notices? - ✔️✔️ They have become lengthy and complex
  77. What is most important to do, if possible, when further processing personal data beyond the scope of collection? - ✔️✔️ Aggregate to an appropriate level
  78. When sending e-mails to data subjects, what can most likely cause an issue? - ✔️✔️ Improper encryption
  79. When setting up an automated mailing system, which is likely most important? - ✔️✔️ Ensuring the commercial message is not unsolicited
  80. Which US state was the first to require a conspicuously posted privacy notice? - ✔️✔️ California
  81. What is important to do before providing someone access to their data? - ✔️✔️ Verifying their identity
  82. What will companies in the public eye relying on data most likely realize at some point? - ✔️✔️ Customer trust is needed
  83. When someone wants the data an organization processes of him/her corrected, what is the most likely point to pay attention to? - ✔️✔️ The connection of data elements and locations
  84. Why is it important to recognize an Article 15 General Data Protection Regulation request when someone sends a complaint to your organization? - ✔️✔️ Because of the legal deadline
  85. In the case of the data breach at Uber in 2016, how did Uber attempt to solve the situation? - ✔️✔️ Pay hackers
  86. An internet reseller buys up cheap products and sells them for a slightly higher price. The company has a high turnover, and business is going well. There are only three employees working for the company, which is all that is needed as most is automatically shipped from a third-party warehouse, with an online order that triggers an automated process.
  87. Since the company is small, it does not standardize its work practices. Each employee has their own way of getting things done, and if needed they will ask the boss, who is generally in the same office and happy to assist.
  88. One day, the server where all orders are stored is without password protection due to an accidental password reset. The cloud provider calls the company's boss to ask why they performed the reset, and after finding out that it was an accident, offers to check whether any external party has accessed the company's data in the hours it was freely accessible. This offer is refused, as the boss of the company regards the data not to be sensitive, as it only concerns customer orders.
  89. In the scenario provided, where is the organization on the Privacy Maturity Model? - ✔️✔️ Ad hoc
  90. An internet reseller buys up cheap products and sells them for a slightly higher price. The company has a high turnover, and business is going well. There are only three employees working for the company, which is all that is needed as most is automatically shipped from a third-party warehouse, with an online order that triggers an automated process.
  91. Since the company is small, it does not standardize its work practices. Each employee has their own way of getting things done, and if needed they will ask the boss, who is generally in the same office and happy to assist.
  92. One day, the server where all orders are stored is without password protection due to an accidental password reset. The cloud provider calls the company's boss to ask why they performed the reset, and after finding out that it was an accident, offers to check whether any external party has accessed the company's data in the hours it was freely accessible. This offer is refused, as the boss of the company regards the data not to be sensitive, as it only concerns customer orders.
  93. What should the company have done in light of the password reset? - ✔️✔️ The company should have accepted the offer in order to determine whether a data breach took place
  94. An internet reseller buys up cheap products and sells them for a slightly higher price. The company has a high turnover, and business is going well. There are only three employees working for the company, which is all that is needed as most is automatically shipped from a third-party warehouse, with an online order that triggers an automated process.
  95. Since the company is small, it does not standardize its work practices. Each employee has their own way of getting things done, and if needed they will ask the boss, who is generally in the same office and happy to assist.
  96. One day, the server where all orders are stored is without password protection due to an accidental password reset. The cloud provider calls the company's boss to ask why they performed the reset, and after finding out that it was an accident, offers to check whether any external party has accessed the company's data in the hours it was freely accessible. This offer is refused, as the boss of the company regards the data not to be sensitive, as it only concerns customer orders.
  97. What would have been the case if an external person accessed the data? - ✔️✔️ It would likely have been a data breach
  98. Which of the following is a likely consequence of not knowing how and what your organization is processing? - ✔️✔️ Unaware of consequences of mishandling
  99. Development of your privacy awareness program can most likely be shared with which of the following? - ✔️✔️ The ethics and integrity department
  100. Why do Chief Executive Officers not always give priority to privacy program implementation? - ✔️✔️ It does not generate revenue
  101. Which of the following is the least common way to describe data about someone? - ✔️✔️ Private data
  102. Where was Privacy by Design most likely developed? - ✔️✔️ Canada
  103. A mobile phone application that will not function without an "unnecessary" connection to the internet at some point is most likely not following which of the Privacy by Design principles? - ✔️✔️ End-to-end security
  104. Which of the following is not Privacy by Design? - ✔️✔️ Being reactive
  105. When during the design of a process you consider making use of a third party, which would be most exemplary of Privacy by Design? - ✔️✔️ Determining whether a third-party is needed
  106. When password protection is too strict, which of the following is most likely negatively impacted? - ✔️✔️ Availability
  107. If you are looking for guidance on the security management system implementation, where would you look? - ✔️✔️ ISO/IEC 27003
  108. When implementing a privacy program, what is important regarding access to files? - ✔️✔️ Roles should determine access
  109. Where would you most likely not find guidance on data breach reporting in the United States? - ✔️✔️ Comprehensive federal privacy law
  110. What would most likely help you get executives on your side regarding data breach prevention? - ✔️✔️ Showing the monetary impact of a data breach
  111. Which of the following is the most common cause of a data breach? - ✔️✔️ Malicious actors
  112. What is an informal readiness testing activity? - ✔️✔️ A tabletop exercise
  113. What is likely the most important goal of metrics for an organization? - ✔️✔️ Inform the organization
  114. A clinic has just hired you as a privacy program manager. The clinic specializes in surgeries that reverse decisions taken by parents, such as circumcision, which patients wish to reverse due to disagreement with the decisions their parents took regarding their child's body. Your team consists of the privacy officer, who is close to the age of retirement and has been assigned the privacy officer job because nobody else wanted to do it, and the security officer who will start the same day as you.
  115. On your first day you familiarize yourself with the staff and the procedures that are in place. You do so in an effort to determine the best approach towards compliance and optimal privacy practices. The task proves somewhat difficult, as it seems every doctor in the clinic maintains different procedures. The procedures are written down though, so that helps, but there is no data on compliance with the policies.
  116. Besides the need to identify how the current situation needs to be changed in order to be compliant with the privacy legislation, the management board has purchased software that automatically sends data about the patients' treatment to their health insurance provider, saving the administrative staff a lot of work.
  117. In the provided scenario, where is the organization on the Privacy Maturity Model? - ✔️✔️ Repeatable
  118. A clinic has just hired you as a privacy program manager. The clinic specializes in surgeries that reverse decisions taken by parents, such as circumcision, which patients wish to reverse due to disagreement with the decisions their parents took regarding their child's body. Your team consists of the privacy officer, who is close to the age of retirement and has been assigned the privacy officer job because nobody else wanted to do it, and the security officer who will start the same day as you.
  119. On your first day you familiarize yourself with the staff and the procedures that are in place. You do so in an effort to determine the best approach towards compliance and optimal privacy practices. The task proves somewhat difficult, as it seems every doctor in the clinic maintains different procedures. The procedures are written down though, so that helps, but there is no data on compliance with the policies.
  120. Besides the need to identify how the current situation needs to be changed in order to be compliant with the privacy legislation, the management board has purchased software that automatically sends data about the patients' treatment to their health insurance provider, saving the administrative staff a lot of work.
  121. If a patient named Achmet comes in for a reverse-circumcision, which of the following elements would least likely be considered sensitive personal data in the European Union? - ✔️✔️ Bank account and insurance number
  122. A clinic has just hired you as a privacy program manager. The clinic specializes in surgeries that reverse decisions taken by parents, such as circumcision, which patients wish to reverse due to disagreement with the decisions their parents took regarding their child's body. Your team consists of the privacy officer, who is close to the age of retirement and has been assigned the privacy officer job because nobody else wanted to do it, and the security officer who will start the same day as you.
  123. On your first day you familiarize yourself with the staff and the procedures that are in place. You do so in an effort to determine the best approach towards compliance and optimal privacy practices. The task proves somewhat difficult, as it seems every doctor in the clinic maintains different procedures. The procedures are written down though, so that helps, but there is no data on compliance with the policies.
  124. Besides the need to identify how the current situation needs to be changed in order to be compliant with the privacy legislation, the management board has purchased software that automatically sends data about the patients' treatment to their health insurance provider, saving the administrative staff a lot of work.
  125. Since it is unclear whether the procedures that are already in place are effective and/or followed, what is the best approach to find out? - ✔️✔️ The use of metrics
  126. What could be a possible advantage of implementing a market leader's privacy metrics software as opposed to your own? - ✔️✔️ Benchmarking with other organizations
  127. What right is granted under the Federal Credit Reporting Act? - ✔️✔️ Access to all information a consumer reporting agency has on them
  128. To whom/what should the Data Protection Officer report in an organization in the European Union? - ✔️✔️ The Chief Executive Officer
  129. What is a regular, ad hoc or on demand process of checking control elements? - ✔️✔️ An audit