Question No : 1
SCENARIO
Please use the following to answer the next QUESTION:
John is the new privacy officer at the prestigious international law firm C A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe.
During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor C MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off- premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is a TRUE statement about the relationship among the organizations?

• A.Cloud Inc. must notify A&M LLP of a data breach immediately.
• B.MessageSafe is liable if Cloud Inc. fails to protect data from A&M LL
• C.Cloud Inc. should enter into a data processor agreement with A&M LL
• D.A&M LLP's service contract must be amended to list Cloud Inc. as a sub-processor.

Show Answers

Answer:

Question No : 2
Rationalizing requirements in order to comply with the various privacy requirements required by applicable law and regulation does NOT include which of the following?

• A.Harmonizing shared obligations and privacy rights across varying legislation and/or regulators.
• B.Implementing a solution that significantly addresses shared obligations and privacy rights.
• C.Applying the strictest standard for obligations and privacy rights that doesn't violate privacy laws elsewhere.
• D.Addressing requirements that fall outside the common obligations and rights (outliers) on a case-by-case basis.

Show Answers

Answer:

Question No : 3
Which of the following controls does the PCI DSS framework NOT require?

• A.Implement strong asset control protocols.
• B.Implement strong access control measures.
• C.Maintain an information security policy.
• D.Maintain a vulnerability management program.

Show Answers

Answer:

Question No : 4
Under the General Data Protection Regulation (GDPR), which situation would be LEAST likely to require a Data Protection Impact Assessment (DPIA)?

• A.A health clinic processing its patients’ genetic and health data
• B.The use of a camera system to monitor driving behavior on highways
• C.A Human Resources department using a tool to monitor its employees’ internet activity
• D.An online magazine using a mailing list to send a generic daily digest to marketing emails

Show Answers

Answer:

Question No : 5
What is most critical when outsourcing data destruction service?

• A.Obtain a certificate of data destruction.
• B.Confirm data destruction must be done on-site.
• C.Conduct an annual in-person audit of the provider’s facilities.
• D.Ensure that they keep an asset inventory of the original data.

Show Answers

Answer:

Question No : 6
Which of the following helps build trust with customers and stakeholders?

• A.Only publish what is legally necessary to reduce your liability.
• B.Enable customers to view and change their own personal information within a dedicated portal.
• C.Publish your privacy policy using broad language to ensure all of your organization’s activities are captured.
• D.Provide a dedicated privacy space with the privacy policy, explanatory documents and operation frameworks.

Show Answers

Answer:

Question No : 7
SCENARIO
Please use the following to answer the next QUESTION:
Paul Daniels, with years of experience as a CEO, is worried about his son Carlton's successful venture, Gadgo. A technological innovator in the communication industry that quickly became profitable, Gadgo has moved beyond its startup phase. While it has retained its vibrant energy, Paul fears that under Carlton's direction, the company may not be taking its risks or obligations as seriously as it needs to. Paul has hired you, a Privacy Consultant, to assess the company and report to both father and son. "Carlton won't listen to me," Paul says, "but he may pay attention to an expert."
Gadgo's workplace is a clubhouse for innovation, with games, toys, snacks. espresso machines, giant fish tanks and even an iguana who regards you with little interest. Carlton, too, seems bored as he describes to you the company's procedures and technologies for data protection. It's a loose assemblage of controls, lacking consistency and with plenty of weaknesses. "This is a technology company," Carlton says. "We create. We innovate. I don't want unnecessary measures that will only slow people down and clutter their thoughts."
The meeting lasts until early evening. Upon leaving, you walk through the office it looks as if a strong windstorm has recently blown through, with papers scattered across desks and tables and even the floor. A "cleaning crew" of one teenager is emptying the trash bins. A few computers have been left on for the night, others are missing. Carlton takes note of your attention to this: "Most of my people take their laptops home with them, or use their own tablets or phones. I want them to use whatever helps them to think and be ready day or night for that great insight. It may only come once!"
What phase in the Privacy Maturity Model (PMM) does Gadgo's privacy program best exhibit?

• A.Ad hoc.
• B.Defined.
• C.Repeatable.
• D.Managed.

Show Answers

Answer:
Explanation:
Reference: https://vvena.nl/wp-
content/uploads/2018/04/aicpa_cica_privacy_maturity_model.pdf (page 2)

Question No : 8
What is the function of the privacy operational life cycle?

• A.It establishes initial plans for privacy protection and implementation
• B.It allows the organization to respond to ever-changing privacy demands
• C.It ensures that outdated privacy policies are retired on a set schedule
• D.It allows privacy policies to mature to a fixed form

Show Answers

Answer:
Explanation:
Reference: https://www.bdo.com/blogs/nonprofit-standard/august-2018/guide-to-implementing-a-holistic- privacy-program

Question No : 9
SCENARIO
Please use the following to answer the next QUESTION:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green energy market. The current line of products includes wind turbines, solar energy panels, and equipment for geothermal systems. A talented team of developers means that NatGen's line of products will only continue to grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help manage the company's growth. One recent suggestion has been to combine the legal and security functions of the company to ensure observance of privacy laws and the company's own privacy policy. This sounds overly complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in ways that will best suit their needs. She does not want administrative oversight and complex structuring to get in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use the best possible equipment for electronic storage of customer and employee data. She simply needs a list of equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can adjust the company privacy policy according to what works best for their particular departments. NatGen's CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy because the employees need no special preparation. They will simply have to document any concerns they hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a unique approach.
If Amira and Sadie's ideas about adherence to the company's privacy policy go unchecked, the Federal Communications Commission (FCC) could potentially take action against NatGen for what?

• A.Deceptive practices.
• B.Failing to institute the hotline.
• C.Failure to notify of processing.
• D.Negligence in consistent training.

Show Answers

Answer:

Question No : 10
Charge your company 20% of the cost of any credit restoration.
You execute the contract and the enrollment invitations are emailed to the 2000 individuals. Three days later you sit down and document all that went well and all that could have gone better. You put it in a file to reference the next time an incident occurs.
What is the most concerning limitation of the incident-response council?

• A.You convened it to diffuse blame
• B.The council has an overabundance of attorneys
• C.It takes eight hours of emails to come to a decision
• D.The leader just joined the company as a consultant

Show Answers

Answer: