CIPM Exam: Absolutely Free Online Practice

Free IAPP CIPM Exam Questions

Please use the following to answer the next question:

Martin Briseño is the director of human resources at the Canyon City location of the U.S. hotel chain Pacific

Suites. In 1998, Briseño decided to change the hotel’s on-the-job mentoring model to a standardized training

program for employees who were progressing from line positions into supervisory positions. He developed a

curriculum comprising a series of lessons, scenarios, and assessments, which was delivered in-person to small

groups. Interest in the training increased, leading Briseño to work with corporate HR specialists and software

engineers to offer the program in an online format. The online program saved the cost of a trainer and allowed

participants to work through the material at their own pace.

Upon hearing about the success of Briseño’s program, Pacific Suites corporate Vice President Maryanne SilvaHayes expanded the training and offered it company-wide. Employees who completed the program received

certification as a Pacific Suites Hospitality Supervisor. By 2001, the program had grown to provide industry-wide

training. Personnel at hotels across the country could sign up and pay to take the course online. As the program

became increasingly profitable, Pacific Suites developed an offshoot business, Pacific Hospitality Training

(PHT). The sole focus of PHT was developing and marketing a variety of online courses and course

progressions providing a number of professional certifications in the hospitality industry.

By setting up a user account with PHT, course participants could access an information library, sign up for

courses, and take end-of-course certification tests. When a user opened a new account, all information was

saved by default, including the user’s name, date of birth, contact information, credit card information,

employer, and job title. The registration page offered an opt-out choice that users could click to not have their

credit card numbers saved. Once a user name and password were established, users could return to check

their course status, review and reprint their certifications, and sign up and pay for new courses. Between 2002

and 2008, PHT issued more than 700,000 professional certifications.

PHT’s profits declined in 2009 and 2010, the victim of industry downsizing and increased competition from elearning providers. By 2011, Pacific Suites was out of the online certification business and PHT was dissolved.

The training program’s systems and records remained in Pacific Suites’ digital archives, un-accessed and

unused. Briseño and Silva-Hayes moved on to work for other companies, and there was no plan for handling

the archived data after the program ended. After PHT was dissolved, Pacific Suites executives turned their

attention to crucial day-to-day operations. They planned to deal with the PHT materials once resources allowed.

In 2012, the Pacific Suites computer network was hacked. Malware installed on the online reservation system

exposed the credit card information of hundreds of hotel guests. While targeting the financial data on the

reservation site, hackers also discovered the archived training course data and registration accounts of Pacific

Hospitality Training’s customers. The result of the hack was the exfiltration of the credit card numbers of recent

hotel guests and the exfiltration of the PHT database with all its contents.

A Pacific Suites systems analyst discovered the information security breach in a routine scan of activity reports.

Pacific Suites quickly notified credit card companies and recent hotel guests of the breach, attempting to

prevent serious harm. Technical security engineers faced a challenge in dealing with the PHT data.

PHT course administrators and the IT engineers did not have a system for tracking, cataloguing, and storing

information. Pacific Suites has procedures in place for data access and storage, but those procedures were not

implemented when PHT was formed. When the PHT database was acquired by Pacific Suites, it had no owner

or oversight. By the time technical security engineers determined what private information was compromised, at

least 8,000 credit card holders were potential victims of fraudulent activity.

In the Information Technology engineers had originally set the default for customer credit card information to

“Do Not Save,” this action would have been in line with what concept?

Please use the following to answer the next question.

Manasa is a product manager at Omnipresent Omnimedia, where she is responsible for leading the

development of the company’s flagship product, the Handy Helper. The Handy Helper is an application that can

be used in the home to manage family calendars, do online shopping, and schedule doctor appointments. After

having had a successful launch in the United States, the Handy Helper is about to be made available for

The packaging and user guide for the Handy Helper indicate that it is a “privacy friendly” product suitable for the

whole family, including children, but does not provide any further detail or privacy notice. In order to use the

application, a family creates a single account, and the primary user has access to all information about the

other users. Upon start up, the primary user must check a box consenting to receive marketing emails from

Omnipresent Omnimedia and selected marketing partners in order to be able to use the application.

Sanjay, the head of privacy at Omnipresent Omnimedia, was working on an agreement with a European

distributor of Handy Helper when he fielded many questions about the product from the distributor. Sanjay

needed to look more closely at the product in order to be able to answer the questions as he was not involved

in the product development process.

In speaking with the product team, he learned that the Handy Helper collected and stored all of a user’s

sensitive medical information for the medical appointment scheduler. In fact, all of the user’s information is

stored by Handy Helper for the additional purpose of creating additional products and to analyze usage of the

product. This data is all stored in the cloud and is encrypted both during transmission and at rest.

Consistent with the CEO’s philosophy that great new product ideas can come from anyone, all Omnipresent

Omnimedia employees have access to user data under a program called “Eureka.” Omnipresent Omnimedia is

hoping that at some point in the future, the data will reveal insights that could be used to create a fully

automated application that runs on artificial intelligence, but as of yet, Eureka is not well-defined and is

considered a long-term goal.

What security controls are missing from the Eureka program?

Free IAPP CIPM Exam Questions

Absolute Free CIPM Exam Practice for Comprehensive Preparation