1. Home
  2. CIPM Exam

Smartly Prepare Exam with Free Online CIPM Practice Test

We offer the latest CIPM practice test designed for free and effective online Certified Information Privacy Manager certification preparation. It's a simulation of the real CIPM exam experience, built to help you understand the structure, complexity, and topics you'll face on exam day.

Exam Code: CIPM
Exam Questions: 278
Certified Information Privacy Manager
Updated: 25 Aug, 2025
Viewing Page : 1 - 28
Practicing : 1 - 5 of 278 Questions
Question 1

SCENARIO
Please use the following to answer the next question:
Richard McAdams recently graduated law school and decided to return to the small town of Lexington, Virginia
to help run his aging grandfather's law practice. The elder McAdams desired a limited, lighter role in the
practice, with the hope that his grandson would eventually take over when he fully retires. In addition to hiring
Richard, Mr. McAdams employs two paralegals, an administrative assistant, and a part-time IT specialist who
handles all of their basic networking needs. He plans to hire more employees once Richard gets settled and
assesses the office's strategies for growth.
Immediately upon arrival, Richard was amazed at the amount of work that needed to done in order to
modernize the office, mostly in regard to the handling of clients' personal data. His first goal is to digitize all the
records kept in file cabinets, as many of the documents contain personally identifiable financial and medical
data. Also, Richard has noticed the massive amount of copying by the administrative assistant throughout the
day, a practice that not only adds daily to the number of files in the file cabinets, but may create security issues
unless a formal policy is firmly in place Richard is also concerned with the overuse of the communal copier/
printer located in plain view of clients who frequent the building. Yet another area of concern is the use of the
same fax machine by all of the employees. Richard hopes to reduce its use dramatically in order to ensure that
personal data receives the utmost security and protection, and eventually move toward a strict Internet faxing
policy by the year's end.
Richard expressed his concerns to his grandfather, who agreed, that updating data storage, data security, and
an overall approach to increasing the protection of personal data in all facets is necessary Mr. McAdams
granted him the freedom and authority to do so. Now Richard is not only beginning a career as an attorney, but
also functioning as the privacy officer of the small firm. Richard plans to meet with the IT employee the following
day, to get insight into how the office computer system is currently set-up and managed.
Which of the following policy statements needs additional instructions in order to further protect the personal
data of their clients? 

Options :
Answer: B
Question 2

SCENARIO
Please use the following to answer the next question:
Amira is thrilled about the sudden expansion of NatGen. As the joint Chief Executive Officer (CEO) with her
long-time business partner Sadie, Amira has watched the company grow into a major competitor in the green
energy market. The current line of products includes wind turbines, solar energy panels, and equipment for
geothermal systems. A talented team of developers means that NatGen's line of products will only continue to
grow.
With the expansion, Amira and Sadie have received advice from new senior staff members brought on to help
manage the company's growth. One recent suggestion has been to combine the legal and security functions of
the company to ensure observance of privacy laws and the company's own privacy policy. This sounds overly
complicated to Amira, who wants departments to be able to use, collect, store, and dispose of customer data in
ways that will best suit their needs. She does not want administrative oversight and complex structuring to get
in the way of people doing innovative work.
Sadie has a similar outlook. The new Chief Information Officer (CIO) has proposed what Sadie believes is an
unnecessarily long timetable for designing a new privacy program. She has assured him that NatGen will use
the best possible equipment for electronic storage of customer and employee data. She simply needs a list of
equipment and an estimate of its cost. But the CIO insists that many issues are necessary to consider before
the company gets to that stage.
Regardless, Sadie and Amira insist on giving employees space to do their jobs. Both CEOs want to entrust the
monitoring of employee policy compliance to low-level managers. Amira and Sadie believe these managers can
adjust the company privacy policy according to what works best for their particular departments. NatGen's
CEOs know that flexible interpretations of the privacy policy in the name of promoting green energy would be
highly unlikely to raise any concerns with their customer base, as long as the data is always used in course of
normal business activities.
Perhaps what has been most perplexing to Sadie and Amira has been the CIO's recommendation to institute a
privacy compliance hotline. Sadie and Amira have relented on this point, but they hope to compromise by
allowing employees to take turns handling reports of privacy policy violations. The implementation will be easy
because the employees need no special preparation. They will simply have to document any concerns they
hear.
Sadie and Amira are aware that it will be challenging to stay true to their principles and guard against corporate
culture strangling creativity and employee morale. They hope that all senior staff will see the benefit of trying a
unique approach. 
What Data Lifecycle Management (DLM) principle should the company follow if they end up allowing
departments to interpret the privacy policy differently?

Options :
Answer: C
Question 3

How do privacy audits differ from privacy assessments?

Options :
Answer: B
Question 4

Which of the following is a common disadvantage of a third-party audit?

Options :
Answer: C
Question 5

SCENARIO
Please use the following to answer the next question:
Martin Briseño is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific
Suites. In 1998, Briseño decided to change the hotel’s on-the-job mentoring model to a standardized training
program for employees who were progressing from line positions into supervisory positions. He developed a
curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small
groups. Interest in the training increased, leading Briseño to work with corporate HR specialists and software
engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed
participants to work through the material at their own pace.
Upon hearing about the success of Briseño’s program, Pacific Suites corporate Vice President Maryanne SilvaHayes expanded the training and offered it company-wide. Employees who completed the program received
certification as a Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide
training. Personnel at hotels across the country could sign up and pay to take the course online. As the program
became increasingly profitable, Pacific Suites developed an offshoot business, Pacific Hospitality Training
(PHT). The sole focus of PHT was developing and marketing a variety of online courses and course
progressions providing a number of professional certifications in the hospitality industry.
By setting up a user account with PHT, course participants could access an information library, sign up for
courses, and take end-of-course certification tests. When a user opened a new account, all information was
saved by default, including the user’s name, date of birth, contact information, credit card information,
employer, and job title. The registration page offered an opt-out choice that users could click to not have their
credit card numbers saved. Once a user name and password were established, users could return to check
their course status, review and reprint their certifications, and sign up and pay for new courses. Between 2002
and 2008, PHT issued more than 700,000 professional certifications.
PHT’s profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from elearning providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved.
The training program’s systems and records remained in Pacific Suites’ digital archives, un-accessed and
unused. Briseño and Silva-Hayes moved on to work for other companies, and there was no plan for handling
the archived data after the program ended. After PHT was dissolved, Pacific Suites executives turned their
attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed.
In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system
exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the
reservation site, hackers also discovered the archived training course data and registration accounts of Pacific
Hospitality Training’s customers. The result of the hack was the exfiltration of the credit card numbers of recent
hotel guests and the exfiltration of the PHT database with all its contents.
A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports.
Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to
prevent serious harm. Technical security engineers faced a challenge in dealing with the PHT data.
PHT course administrators and the IT engineers did not have a system for tracking, cataloguing, and storing
information. Pacific Suites has procedures in place for data access and storage, but those procedures were not
implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner
or oversight. By the time technical security engineers determined what private information was compromised, at
least 8,000 credit card holders were potential victims of fraudulent activity.
In the Information Technology engineers had originally set the default for customer credit card information to
“Do Not Save,” this action would have been in line with what concept?

Options :
Answer: B
Viewing Page : 1 - 28
Practicing : 1 - 5 of 278 Questions

© Copyrights FreePDFQuestions 2025. All Rights Reserved

We use cookies to ensure that we give you the best experience on our website (FreePDFQuestions). If you continue without changing your settings, we'll assume that you are happy to receive all cookies on the FreePDFQuestions.