Higher Test Marks with Free Online CIPM Exam Practice

Use CertsIQ’s updated CIPM exam questions for free online practice for your Certified Information Privacy Manager test. Our CIPM dumps questions will enhance your chances of passing the Certified Information Privacy Manager certification exam with higher marks.

Exam Code: CIPM
Exam Questions: 278
Certified Information Privacy Manager
Updated: 16 Apr, 2026
Question 1

Which aspect of a privacy program can best aid an organization’s response time to a Data Subject Access Request (DSAR)?

Options :
Answer: B,C

Question 2

SCENARIO
Please use the following to answer the next question:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia
to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the
practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring
Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who
handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and
assesses the office's strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to be done in order to
modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the
records kept in file cabinets, as many of the documents contain personally identifiable financial and medical
data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the
day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues
unless a formal policy is firmly in place. Richard is also concerned with the overuse of the communal copier/
printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the
same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that
personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing
policy by the year's end.
Richard expressed his concerns to his grandfather, who agreed that updating data storage, data security, and
an overall approach to increasing the protection of personal data in all facets is necessary. Mr. McAdams
granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but
also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following
day, to get insight into how the office computer system is currently set up and managed.
Richard believes that a transition from the use of fax machine to Internet faxing provides all of the following
security benefits EXCEPT? 

Options :
Answer: A

Question 3

Please use the following to answer the next question:
As the company’s new chief executive officer, Thomas Goddard wants to be known as a leader in data protection. Goddard recently served as the chief financial officer of Hoopy.com, a pioneer in online video viewing with millions of users around the world. Unfortunately, Hoopy is infamous within privacy protection circles for its ethically questionable practices, including unauthorized sales of personal data to marketers. Hoopy also was the target of credit card data theft that made headlines around the world, as at least two million credit card numbers were thought to have been pilfered despite the company’s claims that “appropriate” data protection safeguards were in place. The scandal affected the company’s business as competitors were quick to market an increased level of protection while offering similar entertainment and media content. Within three weeks after the scandal broke, Hoopy founder and CEO Maxwell Martin, Goddard’s mentor, was forced to step down.
Goddard, however, seems to have landed on his feet, securing the CEO position at your company, Medialite, which is just emerging from its start-up phase. He sold the company’s board and investors on his vision of Medialite building its brand partly on the basis of industry-leading data protection standards and procedures. He may have been a key part of a lapsed or even rogue organization in matters of privacy but now he claims to be reformed and a true believer in privacy protection. In his first week on the job, he calls you into his office and explains that your primary work responsibility is to bring his vision for privacy to life. But you also detect some reservations. “We want Medialite to have absolutely the highest standards,” he says. “In fact, I want us to be able to say that we are the clear industry leader in privacy and data protection. However, I also need to be a responsible steward of the company’s finances. So, while I want the best solutions across the board, they also need to be cost effective.”
You are told to report back in a week’s time with your recommendations. Charged with this ambiguous mission, you depart the executive suite, already considering your next steps.
You give a presentation to your CEO about privacy program maturity. What does it mean to have a “managed” privacy program, according to the AICPA/CICA Privacy Maturity Model?

Options :
Answer: B,C

Question 4

SCENARIO
Please use the following to answer the next question:
As the Director of data protection for Consolidated Records Corporation, you are justifiably pleased with your
accomplishments so far. Your hiring was precipitated by warnings from regulatory agencies following a series of
relatively minor data breaches that could easily have been worse. However, you have not had a reportable
incident for the three years that you have been with the company. In fact, you consider your program a model
that others in the data storage industry may note in their own program development.
You started the program at Consolidated from a jumbled mix of policies and procedures and worked toward
coherence across departments and throughout operations. You were aided along the way by the program's
sponsor, the vice president of operations, as well as by a Privacy Team that started from a clear understanding
of the need for change.
Initially, your work was greeted with little confidence or enthusiasm by the company's "old guard" among both
the executive team and frontline personnel working with data and interfacing with clients. Through the use of
metrics that showed the costs not only of the breaches that had occurred, but also projections of the costs that
easily could occur given the current state of operations, you soon had the leaders and key decision-makers
largely on your side. Many of the other employees were more resistant, but face-to-face meetings with each
department and the development of a baseline privacy training program achieved sufficient "buy-in" to begin
putting the proper procedures into place.
Now, privacy protection is an accepted component of all current operations involving personal or protected data
and must be part of the end product of any process of technological development. While your approach is not
systematic, it is fairly effective.
You are left contemplating:
What must be done to maintain the program and develop it beyond just a data breach prevention program?
How can you build on your success?
What are the next action steps?
What stage of the privacy operational life cycle best describes the company's current privacy program?

Options :
Answer: D

Question 5

When devising effective employee policies to address a particular issue, which of the following should be included in the first draft? 

Options :
Answer: A


© Copyrights CertsIQ 2026. All Rights Reserved
