
A business resiliency metric measures an organization's ability to?

A. Reform policies after negative audit outcomes.

B. Gain new business through privacy initiatives.

C. Maintain continuous operations during crises.

D. Adhere to changes in privacy legislation.

All of the following are the responsibilities of the privacy professional EXCEPT?

A. Monitoring compliance with data protection laws and regulations.

B. Conducting privacy impact assessments (PIA).

C. Defining the organization's data strategy.

D. Ensuring privacy audits are regularly conducted.

Your marketing team wants to know why they need a check box for their SMS opt-in. You explain it is part of the consumer's right to?

A. Request correction.

B. Raise complaints.

C. Have access.

D. Be informed.

When implementing an organization's privacy program, what right should be granted to the data subject?

A. To have their data amended or erased if errors are found.

B. To limit or refuse the disclosure of their data for any reason.

C. To provide feedback regarding an organization's privacy policy.

D. To verify that an organization uses the highest level of privacy protection available.

A marketing team regularly exports spreadsheets to use for analysis, including customer name, birthdate and home address. These spreadsheets are routinely shared between members of various teams via email, even with employees that do not need such granular data.

What is the best way to lower overall risk?

A. Set up security measures in the company's email client to prevent spreadsheets with customer information from accidentally being sent to external recipients.

B. Anonymize exportable data by creating categories of information, like age range and geographic region.

C. Allow the free exchange of information to continue but require spreadsheets be password protected.

D. Allow only certain users to export customer data from the database.

An organization can use Privacy-Enhancing Technologies (PETs) to?

A. Replace current technical controls.

B. Strengthen existing privacy controls.

C. Ensure compliance with local privacy regulations.

D. Produce data for the privacy professional to interpret.

When developing a privacy program and selecting a program sponsor or "champion" the least important consideration should be that they?

A. Are a part of the organization's top management.

B. Have the authority to approve policy and provide funding.

C. Will be an effective advocate and understand the importance of privacy.

D. Have accountability for the organization's privacy and/or information security, risk, compliance or legal decisions.

Which of the following is NOT typically a function of a Privacy Officer?

A. Managing an organization's information security infrastructure.

B. Serving as an interdepartmental liaison for privacy concerns.

C. Monitoring an organization's compliance with privacy laws.

D. Responding to information access requests from the public.

SCENARIO

Please use the following to answer the next QUESTION:

Ben works in the IT department of IgNight, Inc., a company that designs lighting solutions for its clients. Although IgNight's customer base consists primarily of offices in the US, some individuals have been so impressed by the unique aesthetic and energy-saving design of the light fixtures that they have requested IgNight's installations in their homes across the globe.

One Sunday morning, while using his work laptop to purchase tickets for an upcoming music festival, Ben happens to notice some unusual user activity on company files. From a cursory review, all the data still appears to be where it is meant to be but he can't shake off the feeling that something is not right. He knows that it is a possibility that this could be a colleague performing unscheduled maintenance, but he recalls an email from his company's security team reminding employees to be on alert for attacks from a known group of malicious actors specifically targeting the industry.

Ben is a diligent employee and wants to make sure that he protects the company but he does not want to bother his hard-working colleagues on the weekend. He is going to discuss the matter with his manager first thing in the morning but wants to be prepared so he can demonstrate his knowledge in this area and plead his case for a promotion.

Going forward, what is the best way for IgNight to prepare its IT team to manage these kinds of security events?

A. Tabletop exercises.

B. Update its data inventory.

C. IT security awareness training.

D. Share communications relating to scheduled maintenance.

SCENARIO

Please use the following to answer the next QUESTION:

Martin Briseño is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific Suites. In 1998, Briseño decided to change the hotel’s on-the-job mentoring model to a standardized training program for employees who were progressing from line positions into supervisory positions. He developed a curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small groups. Interest in the training increased, leading Briseño to work with corporate HR specialists and software engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed participants to work through the material at their own pace.

Upon hearing about the success of Briseño’s program, Pacific Suites corporate Vice President Maryanne Silva-Hayes expanded the training and offered it company-wide. Employees who completed the program received certification as a Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide training. Personnel at hotels across the country could sign up and pay to take the course online. As the program became increasingly profitable, Pacific Suites developed an offshoot business, Pacific Hospitality Training (PHT). The sole focus of PHT was developing and marketing a variety of online courses and course progressions providing a number of professional certifications in the hospitality industry.

By setting up a user account with PHT, course participants could access an information library, sign up for courses, and take end-of-course certification tests. When a user opened a new account, all information was saved by default, including the user’s name, date of birth, contact information, credit card information, employer, and job title. The registration page offered an opt-out choice that users could click to not have their credit card numbers saved. Once a user name and password were established, users could return to check their course status, review and reprint their certifications, and sign up and pay for new courses. Between 2002 and 2008, PHT issued more than 700,000 professional certifications.

PHT’s profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from e-learning providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved. The training program’s systems and records remained in Pacific Suites’ digital archives, un-accessed and unused. Briseño and Silva-Hayes moved on to work for other companies, and there was no plan for handling the archived data after the program ended. After PHT was dissolved, Pacific Suites executives turned their attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed.

In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the reservation site, hackers also discovered the archived training course data and registration accounts of Pacific Hospitality Training’s customers. The result of the hack was the exfiltration of the credit card numbers of recent hotel guests and the exfiltration of the PHT database with all its contents.

A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports. Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to prevent serious harm. Technical security engineers faced a challenge in dealing with the PHT data.

PHT course administrators and the IT engineers did not have a system for tracking, cataloguing, and storing information. Pacific Suites has procedures in place for data access and storage, but those procedures were not implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner or oversight. By the time technical security engineers determined what private information was compromised, at least 8,000 credit card holders were potential victims of fraudulent activity.

How was Pacific Suites responsible for protecting the sensitive information of its offshoot, PHT?

A. As the parent company, it should have transferred personnel to oversee the secure handling of PHT’s data.

B. As the parent company, it should have performed an assessment of PHT’s infrastructure and confirmed complete separation of the two networks.

C. As the parent company, it should have ensured its existing data access and storage procedures were integrated into PHT’s system.

D. As the parent company, it should have replaced PHT’s electronic files with hard-copy documents stored securely on site.