Welcome to ExamTopics
ExamTopics Logo
- Expert Verified, Online, Free.
exam questions

Exam CIPM All Questions

View all questions & answers for the CIPM exam

Exam CIPM topic 1 question 214 discussion

Actual exam question from IAPP's CIPM
Question #: 214
Topic #: 1
[All CIPM Questions]

SCENARIO -
Please use the following to answer the next question:

Liam is the newly appointed IT Compliance Manager at Mesa, a US-based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company's IT Audit Manager, who informs him that the auditing team will be conducting a review of Mesa's privacy compliance risk in a month.

A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant's report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry's Data Security Standard (PCI DSS).

Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.

The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The Marketing Director touted his department's success with purchasing email lists and taking a shotgun approach to direct marketing. Both Directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.

With three weeks before the audit, Liam updated Mesa’s Privacy Notice himself, which was taken and revised from a competitor's website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.

During this time, Liam also filled the backlog of data subject requests for deletion that had been sent to him by the Customer Service Manager. Liam worked with application owners to remove these individual's information and order history from the Customer Relationship Management (CRM) tool, the Enterprise Resource Planning (ERP), the data warehouse, and the email server.

At the audit kick-off meeting, Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.

After the audit had been completed, the Audit Manager and Liam met to discuss her team's findings, and much to his dismay, Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings, Liam worked with external counsel and an established privacy consultant to develop a remediation plan.

What maturity level should the internal audit assign to Mesa’s privacy policies and procedures if they use the Privacy Maturity Model (PMM)?

  • A. Ad-hoc.
  • B. Defined.
  • C. Managed.
  • D. Repeatable.
Show Suggested Answer Hide Answer
Suggested Answer: A 🗳️

Comments

Chosen Answer:
This is a voting comment (?). It is better to Upvote an existing comment if you don't have anything to add.
Switch to a voting comment New
Cock
1 year, 1 month ago
Selected Answer: A
Considering these factors, the most appropriate maturity level for Mesa's privacy policies and procedures based on the PMM would be "Ad-hoc," indicating that the organization lacks a formalized and structured approach to privacy management. This level suggests that privacy-related activities are inconsistent, reactive, and not aligned with best practices or industry standards.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.

Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.

SaveCancel
Loading ...