Free CIPM Mock Exam – Practice Online Confidently

Increase your chances of passing the IAPP CIPM exam on your first try. Practice with our free online CIPM mock test, designed to help you prepare effectively and confidently.

Exam Code: CIPM
Exam Questions: 278
Certified Information Privacy Manager
Updated: 03 Apr, 2026
Question 1

SCENARIO

Please use the following to answer the next question:

Henry Home Furnishings has built high-end furniture for nearly forty years. However, the new owner, Anton, has found some degree of disorganization after touring the company headquarters. His uncle Henry had always focused on production – not data processing – and Anton is concerned. In several storage rooms, he has found paper files, disks, and old computers that appear to contain the personal data of current and former employees and customers. Anton knows that a single break-in could irrevocably damage the company's relationship with its loyal customers. He intends to set a goal of guaranteed zero loss of personal information.

To this end, Anton originally planned to place restrictions on who was admitted to the physical premises of the company. However, Kenneth – his uncle's vice president and longtime confidante – wants to hold off on Anton's idea in favor of converting any paper records held at the company to electronic storage. Kenneth believes this process would only take one or two years. Anton likes this idea; he envisions a password-protected system that only he and Kenneth can access.

Anton also plans to divest the company of most of its subsidiaries. Not only will this make his job easier, but it will simplify the management of the stored data. The heads of subsidiaries like the art gallery and kitchenware store down the street will be responsible for their own information management. Then, any unneeded subsidiary data still in Anton's possession can be destroyed within the next few years.

After learning of a recent security incident, Anton realizes that another crucial step will be notifying customers. Kenneth insists that two lost hard drives in question are not cause for concern; all of the data was encrypted and not sensitive in nature. Anton does not want to take any chances, however. He intends on sending notice letters to all employees and customers to be safe.

Anton must also check for compliance with all legislative, regulatory, and market requirements related to privacy protection. Kenneth oversaw the development of the company's online presence about ten years ago, but Anton is not confident about his understanding of recent online marketing laws. Anton is assigning another trusted employee with a law background the task of the compliance assessment. After a thorough analysis, Anton knows the company should be safe for another five years, at which time he can order another check. Documentation of this analysis will show auditors due diligence.

Anton has started down a long road toward improved management of the company, but he knows the effort is worth it. Anton wants his uncle's legacy to continue for many years to come.

In terms of compliance with regulatory and legislative changes, Anton has a misconception regarding?

Options :
Answer: A

Question 2

SCENARIO

Please use the following to answer the next question:

Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen's line of products will only continue to grow.

With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company's growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company's own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.

Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.

Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen's CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of normal business activities.

Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.

Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.

What Data Lifecycle Management (DLM) principle should the company follow if they end up allowing departments to interpret the privacy policy differently?

Options :
Answer: C

Question 3

SCENARIO

Please use the following to answer the next question.

Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the development of the company’s flagship product, the Handy Helper. The Handy Helper is an application that can be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After having had a successful launch in the United States, the Handy Helper is about to be made available for purchase worldwide.

The packaging and user guide for the Handy Helper indicate that it is a “privacy friendly” product suitable for the whole family, including children, but does not provide any further detail or privacy notice. In order to use the application, a family creates a single account, and the primary user has access to all information about the other users. Upon start up, the primary user must check a box consenting to receive marketing emails from Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.

Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European distributor of Handy Helper when he fielded many questions about the product from the distributor. Sanjay needed to look more closely at the product in order to be able to answer the questions as he was not involved in the product development process.

In speaking with the product team, he learned that the Handy Helper collected and stored all of a user’s sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the product. This data is all stored in the cloud and is encrypted both during transmission and at rest.

Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Omnipresent Omnimedia employees have access to user data under a program called “Eureka.” Omnipresent Omnimedia is hoping that at some point in the future, the data will reveal insights that could be used to create a fully automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is considered a long-term goal.

What security controls are missing from the Eureka program?

Options :
Answer: B

Question 4

Which of the following controls does the PCI DSS framework NOT require?  

Options :
Answer: A

Question 5

Which of the following is NOT typically a function of a Privacy Officer?

Options :
Answer: A
