exam questions

Exam CIPM All Questions

View all questions & answers for the CIPM exam

Exam CIPM topic 1 question 20 discussion

Actual exam question from IAPP's CIPM
Question #: 20
Topic #: 1
[All CIPM Questions]

SCENARIO -
Please use the following to answer the next question:
John is the new privacy officer at the prestigious international law firm – A&M LLP. A&M LLP is very proud of its reputation in the practice areas of Trusts & Estates and Merger & Acquisition in both U.S. and Europe. During lunch with a colleague from the Information Technology department, John heard that the Head of IT, Derrick, is about to outsource the firm's email continuity service to their existing email security vendor – MessageSafe. Being successful as an email hygiene vendor, MessageSafe is expanding its business by leasing cloud infrastructure from Cloud Inc. to host email continuity service for A&M LLP.
John is very concerned about this initiative. He recalled that MessageSafe was in the news six months ago due to a security breach. Immediately, John did a quick research of MessageSafe's previous breach and learned that the breach was caused by an unintentional mistake by an IT administrator. He scheduled a meeting with Derrick to address his concerns.
At the meeting, Derrick emphasized that email is the primary method for the firm's lawyers to communicate with clients, thus it is critical to have the email continuity service to avoid any possible email downtime. Derrick has been using the anti-spam service provided by MessageSafe for five years and is very happy with the quality of service provided by MessageSafe. In addition to the significant discount offered by MessageSafe, Derrick emphasized that he can also speed up the onboarding process since the firm already has a service contract in place with MessageSafe. The existing on-premises email continuity solution is about to reach its end of life very soon and he doesn't have the time or resource to look for another solution. Furthermore, the off-premises email continuity service will only be turned on when the email service at A&M LLP's primary and secondary data centers are both down, and the email messages stored at MessageSafe site for continuity service will be automatically deleted after 30 days.
Which of the following is the most effective control to enforce MessageSafe's implementation of appropriate technical countermeasures to protect the personal data received from A&M LLP?

  • A. MessageSafe must apply due diligence before trusting Cloud Inc. with the personal data received from A&M LLP.
  • B. MessageSafe must flow-down its data protection contract terms with A&M LLP to Cloud Inc.
  • C. MessageSafe must apply appropriate security controls on the cloud infrastructure.
  • D. MessageSafe must notify A&M LLP of a data breach.
Show Suggested Answer Hide Answer
Suggested Answer: B 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Rocketly
5 months ago
Selected Answer: B
The question is not about security measures themselves, but how best to 'enforce' security measures in this relationship. This is always via the data processing contract terms, which need to flow down through subcontractors
upvoted 1 times
...
Habeeb007
6 months ago
C - The questions is about technical countermeasures and not administrative or physical controls
upvoted 1 times
...
thecheaterz
6 months, 2 weeks ago
Selected Answer: B
Message safe needs to flow down its obligations to the sub processor
upvoted 2 times
...
MaritzTee
6 months, 3 weeks ago
Selected Answer: C
This option directly addresses the need for MessageSafe to implement and maintain technical security measures on the cloud infrastructure. Given that the previous breach was due to a technical error, focusing on robust security controls is crucial to prevent similar incidents.
upvoted 2 times
...
DPRamone
9 months, 2 weeks ago
Selected Answer: B
Cloud Inc. needs to comply with the same requirements MessageSafe has in its contract with the controller.
upvoted 2 times
...
humhain
10 months, 1 week ago
Selected Answer: D
MessageSafe must notify A&M LLP of a data breach.
upvoted 1 times
...
katizeti
11 months, 1 week ago
I would say C
upvoted 3 times
...
baranikumar_v
1 year, 4 months ago
B. Requirement shall flow from A to B. Then B shall ensure that the contractor/partner C abides to the same requirements.
upvoted 2 times
...
_sleepless770
1 year, 5 months ago
B is the correct answer. The sub-processor must be held to the same standards and instructions as the processor which is MessageSafe
upvoted 2 times
...
szopenowa
1 year, 7 months ago
maybe C?
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...
exam
Someone Bought Contributor Access for:
SY0-701
London, 1 minute ago