CIPM Exam Questions & Answers

SCENARIO

Please use the following to answer the next QUESTION:

Martin Briseno is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In 1998, Briseno decided to change the hotel's on-the-job mentoring model to a standardized training program for employees

who were progressing from line positions into supervisory positions. He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased,

leading Briseno to work with corporate HR specialists and software engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.

Upon hearing about the success of Briseno's program, Pacific Suites corporate Vice President Maryanne Silva-Hayes expanded the training and offered it company-wide. Employees who completed the program received certification as a

Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at hotels across the country could sign up and pay to take the course online. As the program became increasingly profitable,

Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing a variety of online courses and course progressions providing a number of professional certifications in

the hospitality industry.

By setting up a user account with PHT, course participants could access an information library, sign up for courses, and take end-of-course certification tests. When a user opened a new account, all information was saved by default, including

the user's name, date of birth, contact information, credit card information, employer, and job title. The registration page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name and

password were established, users could return to check their course status, review and reprint their certifications, and sign up and pay for new courses. Between 2002 and 2008, PHT issued more than 700,000 professional certifications.

PHT's profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e- learning providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved. The training

program's systems and records remained in Pacific Suites' digital archives, un-accessed and unused. Briseno and Silva- Hayes moved on to work for other companies, and there was no plan for handling the archived data after the program

ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed.

In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site, hackers

also discovered the archived training course data and registration accounts of Pacific Hospitality Training's customers. The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the PHT

database with all its contents.

A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm.

Technical security engineers faced a challenge in dealing with the PHT data.

PHT course administrators and the IT engineers did not have a system for tracking, cataloguing, and storing information. Pacific Suites has procedures in place for data access and storage, but those procedures were not implemented when

PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or oversight. By the time technical security engineers determined what private information was compromised, at least 8,000 credit card holders were

potential victims of fraudulent activity.

How would a strong data life cycle management policy have helped prevent the breach?

A. Information would have been ranked according to importance and stored in separate locations

B. The most sensitive information would have been immediately erased and destroyed

C. The most important information would have been regularly assessed and tested for security

D. Information would have been categorized and assigned a deadline for destruction

SCENARIO

Please use the following to answer the next QUESTION:

Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and assesses the office's strategies for growth.

Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the records kept in file cabinets, as many of the documents contain personally identifiable financial and medical data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/ printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing policy by the year's end.

Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following day, to get insight into how the office computer system is currently set-up and managed. As Richard begins to research more about Data Lifecycle Management (DLM), he discovers that the law office can lower the risk of a data breach by doing what?

A. Prioritizing the data by order of importance.

B. Minimizing the time it takes to retrieve the sensitive data.

C. Reducing the volume and the type of data that is stored in its system.

D. Increasing the number of experienced staff to code and categorize the incoming data.

SCENARIO

Please use the following to answer the next question:

Felicity is the Chief Executive Officer (CEO) of an international clothing company that does business in several countries, including the United States (U.S.), the United Kingdom (UK), and Canada. For the first five years under Felicity's

leadership, the company was highly successful due its higher profile on the Internet via target advertising and the use of social media. However, business has dropped in recent months, and Felicity is looking to cut costs across all

departments.

She has prepared to meet with the Chief Information Officer (CIO), Jin, who is also head of the company's privacy program.

After reviewing many of Jin's decisions, Felicity firmly believes that, although well-intentioned, Jin overspends company resources. Felicity has taken several notes on ways she believes the company can spend less money trying to uphold its

privacy mission. First, Felicity intends to discuss the size of the company's information security budget with Jin. Felicity proposes to streamline information security by putting it solely within the purview of the company's Information Technology

(IT) experts, since personal data within the company is stored electronically.

She is also perplexed by the Privacy Impact Assessments (PIAs) Jin facilitated at some of the company's locations. Jin carefully documented the approximate amount of man-hours the PIAs took to complete, and Felicity is astounded at the

amount. She cannot understand why so much time has been spent on sporadic PIAs.

Felicity has also recently received complaints from employees, including mid-level managers, about the great burden of paperwork necessary for documenting employee compliance with the company's privacy policy. She hopes Jin can propose cheaper, more efficient ways of monitoring compliance. In Felicity's view, further evidence of Jin's overzealousness is his insistence on monitoring third-party processors for their observance of the company's privacy policy. New staff members seem especially overwhelmed. Despite the consistent monitoring, two years ago the company had to pay remediation costs after a security breach of a processor's data system. Felicity wonders whether processors can be held contractually liable for the costs of any future breaches.

Last in Felicity's notes is a reminder to discuss Jin's previous praise for the company's independent ethics function within the Human Resources (HR) department. Felicity believes that much company time could be saved if the Ethics Officer position were done away with, and that any ethical concerns were simply brought directly to the executive leadership of the company.

Although Felicity questions many of Jin's decisions, she hopes that their meeting will be productive and that Jin, who is widely respected throughout the company, will help the company save money. Felicity believes that austerity is the only way forward.

How could Jin address Felicity's desire to update the privacy program without increasing organizational risk?

A. By merging selected departments.

B. By easing penalties for employees.

C. By enacting fewer privacy program rules.

D. By automating some privacy program processes.