Questions for the CIPM were updated on: Dec 29, 2025
Last year Ecosoft 8150 was hacked and a number of servers and programs were affected. Since the
incident, the company started collecting metrics on data privacy and system outages to try to stop it
from happening in the future.
What analysis would be most helpful based on the data they have collected?
D
PbD is the framework that?
C
You are the privacy officer at a university. Recently, the police have contacted you as they suspect
that one of your students is using a library computer to commit financial fraud. The police would like
your assistance in investigating this individual and are requesting computer logs and usage data of
the student.
What is your first step in responding to the request?
C
After an incident, all of the following are potential objectives for improvements to the way an
organization handles breach management EXCEPT?
A
Under the European Data Protection Board (EDPB), which processing operation would require a
DPIA?
C
Which of the following controls are generally NOT part of a PIA review?
B
A Privacy Threshold Analysis (PTA), Privacy Impact Assessment (PIA) and Data Protection Impact
Assessment (DPIA) are conducted during what phase of a System Development Life Cycle (SDLC)?
B
SCENARIO
Please use the following to answer the next QUESTION:
The board risk committee of your organization is particularly concerned not only by the number and
frequency of data breaches reported to it over the past 12 months, but also the inconsistency in
responses and poor incident response turnaround times.
Upon reviewing the current incident response plan (IRP), it was discovered that while the business
continuity plan (BCP) had been updated on time, the IRP, linked to the BCP, was last updated over three
years ago.
The board risk committee has noted this as high risk, especially since company policy is to review and
update policies and plans annually. Consequently, the newly appointed data protection officer (DPO)
was requested to provide a paper on how she would remediate the situation.
As a seasoned data privacy professional, you have been requested to assist the new DPO.
Which additional proactive step listed below would best mitigate these risks in the future?
A
SCENARIO
Please use the following to answer the next QUESTION:
The board risk committee of your organization is particularly concerned not only by the number and
frequency of data breaches reported to it over the past 12 months, but also the inconsistency in
responses and poor incident response turnaround times.
Upon reviewing the current incident response plan (IRP), it was discovered that while the business
continuity plan (BCP) had been updated on time, the IRP, linked to the BCP, was last updated over three
years ago.
The board risk committee has noted this as high risk, especially since company policy is to review and
update policies and plans annually. Consequently, the newly appointed data protection officer (DPO)
was requested to provide a paper on how she would remediate the situation.
As a seasoned data privacy professional, you have been requested to assist the new DPO.
Your first recommendation in addressing the board risk committee's concerns is to?
D
A marketing team regularly exports spreadsheets to use for analysis, including customer name,
birthdate and home address. These spreadsheets are routinely shared between members of various
teams via email, even with employees who do not need such granular data.
What is the best way to lower overall risk?
B
Which of the following methods analyzes data collected based on the scale and not the endpoint of the
privacy program?
D
Protection from threats to facilities, systems that process and store electronic copies and IT
work/equipment locations best describes which category of security control?
A
Creating a privacy governance model for an organization that is required to appoint data protection
officers under the GDPR poses what additional challenge?
C
Under the GDPR, what obligation does a data controller or processor have after appointing a data
protection officer (DPO)?
B
SCENARIO
Please use the following to answer the next QUESTION:
You are the privacy manager within the privacy office of a National Forest Parks and Recreation
Department. While having lunch with a colleague from the IT division, you learn that the IT director
has put out a request for proposal (RFP) which calls for a system that collects the personal data of
park attendees.
You consult with a few other colleagues in IT and learn that the RFP is worded such that it leaves it to
the vendors to demonstrate what information they would collect from people who enter parks
anywhere in the country, either in a vehicle or on foot. A partial list of the information collected
includes:
• personal identifiers such as name, address, age, gender;
• vehicle registration information;
• facial images of park attendees;
• health information (e.g., physical disabilities, use of mobility devices).
The stated purpose of the RFP is to:
"Improve the National Forest, Parks, and Recreation Department's ability to track and monitor
service usage, thereby increasing the robustness of our customer data and to improve service
offerings."
Companies have already started submitting proposals for software solutions that address these
information gathering practices. There is only one week left before the RFP closes.
The IT department has put together an RFP evaluation team, but no one from the privacy office has
been a part of the RFP up to this point. This occurred despite the fact….
Which of the following is the least important privacy consideration associated with assessing data
when implementing a large-scale project like this?
B