How to get CIPT Certification easily?

Jonnie Karnath2023-06-12T09:05:06+00:00

The CIPT certification is a valuable credential for individuals seeking a career in privacy and data protection. However, passing the certification exam can be challenging. Fortunately, Certspots provides free online CIPT certification exam questions to help you prepare for the real exam. By practicing with Certspots’ CIPT exam questions, you can gain a better understanding of the exam format and types of questions that will be asked. This will allow you to focus your study efforts and increase your chances of passing the exam on your first attempt. In addition to providing free exam questions, Certspots also offers study materials and resources to help you prepare for the CIPT certification exam. With Certspots, you can be confident in your ability to pass the CIPT certification exam and advance your career in privacy and data protection.

So, if you want to get CIPT certified easily, start practicing with Certspots’ free online exam questions today!

Page 1 of 7

1. SCENARIO

Please use the following to answer next question:

EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camera. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.

The app collects the following information:

First and last name

Date of birth (DOB)

Mailing address

Email address

Car VIN number

Car model

License plate

Insurance card number

Photo

Vehicle diagnostics

Geolocation

What IT architecture would be most appropriate for this mobile platform?

Peer-to-peer architecture.

Client-server architecture.

Plug-in-based architecture.

Service-oriented architecture.

2. Which of the following is considered a records management best practice?

Archiving expired data records and files.

Storing decryption keys with their associated backup systems.

Implementing consistent handling practices across all record types.

Using classification to determine access rules and retention policy.

3. What is the main privacy threat posed by Radio Frequency Identification (RFID)?

An individual with an RFID receiver can track people or consumer products.

An individual can scramble computer transmissions in weapons systems.

An individual can use an RFID receiver to engage in video surveillance.

An individual can tap mobile phone communications.

4. Which of the following is a privacy consideration for NOT sending large-scale SPAM type emails to a database of email addresses?

Poor user experience.

Emails are unsolicited.

Data breach notification.

Reduction in email deliverability score.

5. What is the main privacy threat posed by Radio Frequency Identification (RFID)?

RFID can be utilized to track people or consumer products

RFID can be utilized to gam unauthorized access to an individual's device

RFID can be utilized to spoof identification details

RFID can be utilized to read information from a device without the user's knowledge

6. What is the term for information provided to a social network by a member?

Profile data.

Declared data.

Personal choice data.

Identifier information.

7. Which is NOT a drawback to using a biometric recognition system?

It can require more maintenance and support.

It can be more expensive than other systems

It has limited compatibility across systems.

It is difficult for people to use.

8. What is true of providers of wireless technology?

They have the legal right in most countries to control and use any data on their systems.

They can see all unencrypted data that crosses the system.

They are typically exempt from data security regulations.

They routinely backup data that crosses their system.

9. A user who owns a resource wants to give other individuals access to the resource.

What control would apply?

Mandatory access control.

Role-based access controls.

Discretionary access control.

Context of authority controls.

10. SCENARIO

Please use the following to answer the next question:

Jordan just joined a fitness-tracker start-up based in California, USA, as its first Information Privacy and Security Officer. The company is quickly growing its business but does not sell any of the fitness trackers itself. Instead, it relies on a distribution network of third-party retailers in all major countries. Despite not having any stores, the company has a 78% market share in the EU. It has a website presenting the company and products, and a member section where customers can access their information. Only the email address and physical address need to be provided as part of the registration process in order to customize the site to the user’s region and country. There is also a newsletter sent every month to all members featuring fitness tips, nutrition advice, product spotlights from partner companies based on user behavior and preferences.

Jordan says the General Data Protection Regulation (GDPR) does not apply to the company. He says the company is not established in the EU, nor does it have a processor in the region. Furthermore, it does not do any “offering goods or services” in the EU since it does not do any marketing there, nor sell to consumers directly. Jordan argues that it is the customers who chose to buy the products on their own initiative and there is no “offering” from the company.

The fitness trackers incorporate advanced features such as sleep tracking, GPS tracking, heart rate monitoring. wireless syncing, calorie-counting and step-tracking. The watch must be paired with either a smartphone or a computer in order to collect data on sleep levels, heart rates, etc. All information from the device must be sent to the company’s servers in order to be processed, and then the results are sent to the smartphone or computer. Jordan argues that there is no personal information involved since the company does not collect banking or social security information.

Based on the current features of the fitness watch, what would you recommend be implemented into each device in order to most effectively ensure privacy?

Hashing.

A2DP Bluetooth profile.

Persistent unique identifier.

Randomized MAC address.

Page 2 of 7

11. Properly configured databases and well-written website codes are the best protection against what online threat?

Pharming.

SQL injection.

Malware execution.

System modification.

12. To meet data protection and privacy legal requirements that may require personal data to be disposed of or deleted when no longer necessary for the use it was collected, what is the best privacy-enhancing solution a privacy technologist should recommend be implemented in application design to meet this requirement?

Implement a process to delete personal data on demand and maintain records on deletion requests.

Implement automated deletion of off-site backup of personal data based on annual risk assessments.

Develop application logic to validate and purge personal data according to legal hold status or retention schedule.

Securely archive personal data not accessed or used in the last 6 months. Automate a quarterly review to delete data from archive once no longer needed.

13. Aadhaar is a unique-identity number of 12 digits issued to all Indian residents based on their biometric and demographic data. The data is collected by the Unique Identification Authority of India. The Aadhaar database contains the Aadhaar number, name, date of birth, gender and address of over 1 billion individuals.

Which of the following datasets derived from that data would be considered the most de-identified?

A count of the years of birth and hash of the person’ s gender.

A count of the month of birth and hash of the person's first name.

A count of the day of birth and hash of the person’s first initial of their first name.

Account of the century of birth and hash of the last 3 digits of the person's Aadhaar number.

14. Which of the following is NOT a workplace surveillance best practice?

Check local privacy laws before putting surveillance in place.

Ensure surveillance is discreet so employees do not alter their behavior.

Once surveillance data has been gathered, limit exposure of the content.

Ensure the minimal amount of surveillance is performed to meet the objective.

15. What is the best way to protect privacy on a geographic information system (GIS)?

Limiting the data provided to the system.

Using a wireless encryption protocol.

Scrambling location information.

Using a firewall.

16. Which of the following would be an example of an "objective" privacy harm to an individual?

Receiving spam following the sale an of email address.

Negative feelings derived from government surveillance.

Social media profile views indicating unexpected interest in a person.

Inaccuracies in personal data.

17. Which of the following entities would most likely be exempt from complying with the General Data Protection Regulation (GDPR)?

A South American company that regularly collects European customers’ personal data.

A company that stores all customer data in Australia and is headquartered in a European Union (EU) member state.

A Chinese company that has opened a satellite office in a European Union (EU) member state to service European customers.

A North American company servicing customers in South Africa that uses a cloud storage system made by a European company.

18. Which of the following is NOT a valid basis for data retention?

Size of the data.

Type of the data.

Location of the data.

Last time the data was accessed.

19. Organizations understand there are aggregation risks associated with the way the process their customer’s data. They typically include the details of this aggregation risk in a privacy notice and ask that all customers acknowledge they understand these risks and consent to the processing.

What type of risk response does this notice and consent represent?

Risk transfer.

Risk mitigation.

Risk avoidance.

Risk acceptance.

20. A computer user navigates to a page on the Internet. The privacy notice pops up and the

user clicks the box to accept cookies, then continues to scroll the page to read the Information displayed. This is an example of which type of consent?

Explicit.

Implicit.

Specific

Valid.

Page 3 of 7

21. Which activity best supports the principle of data quality from a privacy perspective?

Ensuring the data is classified.

Protecting the data against unauthorized access.

Ensuring the data is available for use.

Protecting the data against unauthorized changes.

22. What is the potential advantage of homomorphic encryption?

Encrypted information can be analyzed without decrypting it first.

Ciphertext size decreases as the security level increases.

It allows greater security and faster processing times.

It makes data impenetrable to attacks.

23. SCENARIO

It should be the most secure location housing data in all of Europe, if not the world. The Global Finance Data Collective (GFDC) stores financial information and other types of client data from large banks, insurance companies, multinational corporations and governmental agencies. After a long climb on a mountain road that leads only to the facility, you arrive at the security booth. Your credentials are checked and checked again by the guard to visually verify that you are the person pictured on your passport and national identification card. You are led down a long corridor with server rooms on each side, secured by combination locks built into the doors. You climb a flight of stairs and are led into an office that is lighted brilliantly by skylights where the GFDC Director of Security, Dr. Monique Batch, greets you. On the far wall you notice a bank of video screens showing different rooms in the facility. At the far end, several screens show different sections of the road up the mountain Dr. Batch explains once again your mission. As a data security auditor and consultant, it is a dream assignment: The GFDC does not want simply adequate controls, but the best and most effective security that current technologies allow.

“We were hacked twice last year,” Dr. Batch says, “and although only a small number of records were stolen, the bad press impacted our business. Our clients count on us to provide security that is nothing short of impenetrable and to do so quietly. We hope to never make the news again.” She notes that it is also essential that the facility is in compliance with all relevant security regulations and standards.

You have been asked to verify compliance as well as to evaluate all current security controls and security measures, including data encryption methods, authentication controls and the safest methods for transferring data into and out of the facility. As you prepare to begin your analysis, you find yourself considering an intriguing question:

Can these people be sure that I am who I say I am?

You are shown to the office made available to you and are provided with system login information, including the name of the wireless network and a wireless key. Still pondering, you attempt to pull up the facility's wireless network, but no networks appear in the wireless list. When you search for the wireless network by name, however it is readily found.

What type of wireless network does GFDC seem to employ?

A hidden network.

A reluctant network.

A user verified network.

A wireless mesh network.

24. What is an example of a just-in-time notice?

A warning that a website may be unsafe.

A full organizational privacy notice publicly available on a website

A credit card company calling a user to verify a purchase before itis authorized

Privacy information given to a user when he attempts to comment on an online article.

25. SCENARIO

Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed.

The table below indicates some of the personal information Clean-Q requires as part of its business operations:

Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Clean-Q permanent employee base is not included as part of this scenario.

With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some overlapping bookings.

Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q’s solution providers, presenting their proposed solutions and platforms.

The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.

✑ A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.

✑ A resource facing web interface that enables resources to apply and manage their assigned jobs.

✑ An online payment facility for customers to pay for services.

Which question would you most likely ask to gain more insight about LeadOps and provide practical privacy recommendations?

What is LeadOps’ annual turnover?

How big is LeadOps’ employee base?

Where are LeadOps' operations and hosting services located?

Does LeadOps practice agile development and maintenance of their system?

26. How should the sharing of information within an organization be documented?

With a binding contract.

With a data flow diagram.

With a disclosure statement.

With a memorandum of agreement.

27. Value Sensitive Design (VSD) focuses on which of the following?

Quality and benefit.

Ethics and morality.

Principles and standards.

Privacy and human rights.

28. Which of the following statements describes an acceptable disclosure practice?

An organization’s privacy policy discloses how data will be used among groups within the organization itself.

With regard to limitation of use, internal disclosure policies override contractual agreements with third parties.

Intermediaries processing sensitive data on behalf of an organization require stricter disclosure oversight than vendors.

When an organization discloses data to a vendor, the terms of the vendor’ privacy notice prevail over the organization’ privacy notice.

29. Which of the following is NOT a step in the methodology of a privacy risk framework?

Assessment.

Monitoring.

Response.

Ranking.

30. After downloading and loading a mobile app, the user is presented with an account registration page requesting the user to provide certain personal details. Two statements are also displayed on the same page along with a box for the user to check to indicate their confirmation:

Statement 1 reads: “Please check this box to confirm you have read and accept the terms and conditions of the end user license agreement” and includes a hyperlink to the terms and conditions.

Statement 2 reads: “Please check this box to confirm you have read and understood the privacy notice” and includes a hyperlink to the privacy notice.

Under the General Data Protection Regulation (GDPR), what lawful basis would you primarily except the privacy notice to refer to?

Consent.

Vital interests.

Legal obligation.

Legitimate interests.

Page 4 of 7

31. Why is first-party web tracking very difficult to prevent?

The available tools to block tracking would break most sites’ functionality.

Consumers enjoy the many benefits they receive from targeted advertising.

Regulatory frameworks are not concerned with web tracking.

Most browsers do not support automatic blocking.

32. Which activity should the privacy technologist undertake to reduce potential privacy risk when evaluating options to process data in a country other than where it would be collected? ^

Review the Data Life Cycle.

Review data retention policies.

Create enterprise data flow diagrams.

Recommend controls for data transfers.

33. A developer is designing a new system that allows an organization's helpdesk to remotely connect into the device of the individual to provide support

Which of the following will be a privacy technologist's primary concern"?

Geofencing

Geo-tracking

Geo-tagging

Geolocation

34. Machine-learning based solutions present a privacy risk because?

Training data used during the training phase is compromised.

The solution may contain inherent bias from the developers.

The decision-making process used by the solution is not documented.

Machine-learning solutions introduce more vulnerabilities than other software.

35. SCENARIO

Please use the following to answer the next questions:

Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub.

This is accessible through the 'Settings' icon from any app page, then clicking 'My Preferences', and selecting 'Information Sharing and Consent' where the following choices are displayed:

• "I consent to receive notifications and infection alerts";

• "I consent to receive information on additional features or services, and new products";

• "I consent to sharing only my risk result and location information, for exposure and contact tracing purposes";

• "I consent to share my data for medical research purposes"; and

• "I consent to share my data with healthcare providers affiliated to the company".

For each choice, an ON* or OFF tab is available The default setting is ON for all

Users purchase a virus screening service for USS29 99 for themselves or others using the app

The virus screening service works as follows:

• Step 1 A photo of the user's face is taken.

• Step 2 The user measures their temperature and adds the reading in the app

• Step 3 The user is asked to read sentences so that a voice analysis can detect symptoms

• Step 4 The user is asked to answer questions on known symptoms

• Step 5 The user can input information on family members (name date of birth, citizenship, home address, phone number, email and relationship).)

The results are displayed as one of the following risk status "Low. "Medium" or "High" if the user is deemed at "Medium " or "High" risk an alert may be sent to other users and the user is Invited to seek a medical consultation and diagnostic from a healthcare provider.

A user’s risk status also feeds a world map for contact tracing purposes, where users are able to check if they have been or are in dose proximity of an infected person If a user has come in contact with another individual classified as "medium’ or 'high' risk an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual Location is collected using the phone's GPS functionary, whether the app is in use or not however, the exact location of the user is "blurred' for privacy reasons Users can only see on the map circles

What is likely to be the biggest privacy concern with the current 'Information Sharing and Consent' page?

The ON or OFF default setting for each item.

The navigation needed in the app to get to the consent page.

The option to consent to receive potential marketing information.

The information sharing with healthcare providers affiliated with the company.

36. CORRECT TEXT

Ivan is a nurse for a home healthcare service provider in the US. The company has implemented a mobile application which Ivan uses to record a patient's vital statistics and access a patient's health care records during home visits. During one visitj^van is unable to access the health care application to record the patient's vitals. He instead records the information on his mobile phone's note-taking application to enter the data in the health care application the next time it is accessible.

What would be the best course of action by the IT department to ensure the data is protected on his device?

A Provide all healthcare employees with mandatory annual security awareness training with a focus on the health information protection.

B. Complete a SWOT analysis exercise on the mobile application to identify what caused the application to be inaccessible and remediate any issues.

C. Adopt mobile platform standards to ensure that only mobile devices that support encryption capabilities are used.

D. Implement Mobile Device Management (MDM) to enforce company security policies and configuration settings.

37. SCENARIO

Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed.

The table below indicates some of the personal information Clean-Q requires as part of its business operations:

Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Clean-Q permanent employee base is not included as part of this scenario.

With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some overlapping bookings.

Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q’s solution providers, presenting their proposed solutions and platforms.

The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.

✑ A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.

✑ A resource facing web interface that enables resources to apply and manage their assigned jobs.

✑ An online payment facility for customers to pay for services.

What is a key consideration for assessing external service providers like LeadOps, which will conduct personal information processing operations on Clean-Q's behalf?

Understanding LeadOps’ costing model.

Establishing a relationship with the Managing Director of LeadOps.

Recognizing the value of LeadOps’ website holding a verified security certificate.

Obtaining knowledge of LeadOps' information handling practices and information security environment.

38. An individual drives to the grocery store for dinner. When she arrives at the store, she receives several unsolicited notifications on her phone about discounts on items at the grocery store she is about to shop at.

Which type of privacy problem does the represent?

Intrusion.

Surveillance.

Decisional Interference.

Exposure.

39. What is the main function of the Amnesic Incognito Live System or TAILS device?

It allows the user to run a self-contained computer from a USB device.

It accesses systems with a credential that leaves no discernable tracks.

It encrypts data stored on any computer on a network.

It causes a system to suspend its security protocols.

40. An organization is deciding between building a solution in-house versus purchasing a solution for a new customer facing application.

When security threat are taken into consideration, a key advantage of purchasing a solution would be the availability of?

Outsourcing.

Persistent VP

Patching and updates.

Digital Rights Management.

Page 5 of 7

41. Which of the following CANNOT be effectively determined during a code audit?

Whether access control logic is recommended in all cases.

Whether data is being incorrectly shared with a third-party.

Whether consent is durably recorded in the case of a server crash.

Whether the differential privacy implementation correctly anonymizes data.

42. What is the main issue pertaining to data protection with the use of 'deep fakes'?

Misinformation.

Non-conformity with the accuracy principle.

Issues with establishing non-repudiation.

Issues with confidentiality of the information.

43. Truncating the last octet of an IP address because it is NOT needed is an example of which privacy principle?

Use Limitation

Data Minimization

Purpose Limitation

Security Safeguards

44. A privacy technologist has been asked to aid in a forensic investigation on the darknet following the compromise of a company's personal data.

This will primarily involve an understanding of which of the following privacy-preserving techniques?

Encryption

Do Not Track

Masking

Tokenization

45. When releasing aggregates, what must be performed to magnitude data to ensure privacy?

Value swapping.

Noise addition.

Basic rounding.

Top coding.

46. Which concept related to privacy choice is demonstrated by highlighting and bolding the "accept" button on a cookies notice while maintaining standard text format for other options?

Illuminating

Nudging

Suppression

Tagging

47. SCENARIO

Carol was a U.S.-based glassmaker who sold her work at art festivals. She kept things simple by only accepting cash and personal checks.

As business grew, Carol couldn't keep up with demand, and traveling to festivals became burdensome. Carol opened a small boutique and hired Sam to run it while she worked in

the studio. Sam was a natural salesperson, and business doubled. Carol told Sam, “I don't know what you are doing, but keep doing it!"

But months later, the gift shop was in chaos. Carol realized that Sam needed help so she hired Jane, who had business expertise and could handle the back-office tasks. Sam would continue to focus on sales. Carol gave Jane a few weeks to get acquainted with the artisan craft business, and then scheduled a meeting for the three of them to discuss Jane's first impressions.

At the meeting, Carol could not wait to hear Jane's thoughts, but she was unprepared for what Jane had to say. “Carol, I know that he doesn't realize it, but some of Sam’s efforts to increase sales have put you in a vulnerable position. You are not protecting customers’ personal information like you should.”

Sam said, “I am protecting our information. I keep it in the safe with our bank deposit. It's only a list of customers’ names, addresses and phone numbers that I get from their checks before I deposit them. I contact them when you finish a piece that I think they would like.

That's the only information I have! The only other thing I do is post photos and information about your work on the photo sharing site that I use with family and friends. I provide my email address and people send me their information if they want to see more of your work. Posting online really helps sales, Carol. In fact, the only complaint I hear is about having to come into the shop to make a purchase.”

Carol replied, “Jane, that doesn’t sound so bad. Could you just fix things and help us to post even more online?"

‘I can," said Jane. “But it's not quite that simple. I need to set up a new program to make sure that we follow the best practices in data management. And I am concerned for our customers. They should be able to manage how we use their personal information. We also should develop a social media strategy.”

Sam and Jane worked hard during the following year. One of the decisions they made was to contract with an outside vendor to manage online sales. At the end of the year, Carol shared some exciting news. “Sam and Jane, you have done such a great job that one of the biggest names in the glass business wants to buy us out! And Jane, they want to talk to you about merging all of our customer and vendor information with theirs beforehand."

Which regulator has jurisdiction over the shop's data management practices?

The Federal Trade Commission.

The Department of Commerce.

The Data Protection Authority.

The Federal Communications Commission.

48. Which of the following suggests the greatest degree of transparency?

A privacy disclosure statement clearly articulates general purposes for collection

The data subject has multiple opportunities to opt-out after collection has occurred.

A privacy notice accommodates broadly defined future collections for new products.

After reading the privacy notice, a data subject confidently infers how her information will be used.

49. 1.An organization is launching a new online subscription-based publication. As the service is not aimed at children, users are asked for their date of birth as part of the of the sign-up process. The privacy technologist suggests it may be more appropriate ask if an individual is over 18 rather than requiring they provide a date of birth.

What kind of threat is the privacy technologist concerned about?

Identification.

Insecurity.

Interference.

Minimization.

50. Revocation and reissuing of compromised credentials is impossible for which of the following authentication techniques?

Biometric data.

Picture passwords.

Personal identification number.

Radio frequency identification.

Page 6 of 7

51. How can a hacker gain control of a smartphone to perform remote audio and video surveillance?

By performing cross-site scripting.

By installing a roving bug on the phone.

By manipulating geographic information systems.

By accessing a phone's global positioning system satellite signal.

52. Which of the following is one of the fundamental principles of information security?

Accountability.

Accessibility.

Confidentiality.

Connectivity.

53. Which of the following is the least effective privacy preserving practice in the Systems Development Life Cycle (SDLC)?

Conducting privacy threat modeling for the use-case.

Following secure and privacy coding standards in the development.

Developing data flow modeling to identify sources and destinations of sensitive data.

Reviewing the code against Open Web Application Security Project (OWASP) Top 10 Security Risks.

54. What is the main reason a company relies on implied consent instead of explicit consent from a user to process her data?

The implied consent model provides the user with more detailed data collection information.

To secure explicit consent, a user's website browsing would be significantly disrupted.

An explicit consent model is more expensive to implement.

Regulators prefer the implied consent model.

55. Which of the following is an example of the privacy risks associated with the Internet of Things (loT)?

A group of hackers infiltrate a power grid and cause a major blackout.

An insurance company raises a person’s rates based on driving habits gathered from a connected car.

A website stores a cookie on a user's hard drive so the website can recognize the user on subsequent visits.

A water district fines an individual after a meter reading reveals excess water use during drought conditions.

56. Which of the following is NOT relevant to a user exercising their data portability rights?

Notice and consent for the downloading of data.

Detection of phishing attacks against the portability interface.

Re-authentication of an account, including two-factor authentication as appropriate.

Validation of users with unauthenticated identifiers (e.g. IP address, physical address).

57. Which of the following is considered a client-side IT risk?

Security policies focus solely on internal corporate obligations.

An organization increases the number of applications on its server.

An employee stores his personal information on his company laptop.

IDs used to avoid the use of personal data map to personal data in another database.

58. SCENARIO

Kyle is a new security compliance manager who will be responsible for coordinating and executing controls to ensure compliance with the company's information security policy and industry standards. Kyle is also new to the company, where collaboration is a core value. On his first day of new-hire orientation, Kyle's schedule included participating in meetings and observing work in the IT and compliance departments.

Kyle spent the morning in the IT department, where the CIO welcomed him and explained that her department was responsible for IT governance. The CIO and Kyle engaged in a conversation about the importance of identifying meaningful IT governance metrics. Following their conversation, the CIO introduced Kyle to Ted and Barney. Ted is implementing a plan to encrypt data at the transportation level of the organization's wireless network. Kyle would need to get up to speed on the project and suggest ways to monitor effectiveness once the implementation was complete. Barney explained that his short-term goals are to establish rules governing where data can be placed and to minimize the use of offline data storage.

Kyle spent the afternoon with Jill, a compliance specialist, and learned that she was exploring an initiative for a compliance program to follow self-regulatory privacy principles. Thanks to a recent internship, Kyle had some experience in this area and knew where Jill could find some support. Jill also shared results of the company’s privacy risk assessment, noting that the secondary use of personal information was considered a high risk.

By the end of the day, Kyle was very excited about his new job and his new company. In fact, he learned about an open position for someone with strong qualifications and experience with access privileges, project standards board approval processes, and application-level obligations, and couldn’t wait to recommend his friend Ben who would be perfect for the job.

Which of the following should Kyle recommend to Jill as the best source of support for her initiative?

Investors.

Regulators.

Industry groups.

Corporate researchers.

59. An organization is reliant on temporary contractors for performing data analytics and they require access to personal data via software-as-a-service to perform their job.

When the temporary contractor completes their work assignment, what woul^.be the most effective way to safeguard privacy and access to personal data when they leave?

Set a system-based expiry that requires management reauthorization for online access for accounts that have been active more than 6 months.

Establish a predetermined automatic account expiration date based on contract timescales.

Require temporary contractors to sign a non-disclosure agreement, security acceptable use policy, and online access authorizations by hiring managers.

Mandate hiring managers to email IT or Security team when the contractor leaves.

60. SCENARIO

Please use the following to answer next question:

EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camera. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.

The app collects the following information:

First and last name

Date of birth (DOB)

Mailing address

Email address

Car VIN number

Car model

License plate

Insurance card number

Photo

Vehicle diagnostics

Geolocation

What would be the best way to supervise the third-party systems the EnsureClaim App will share data with?

Review the privacy notices for each third-party that the app will share personal data with to determine adequate privacy and data protection controls are in place.

Conduct a security and privacy review before onboarding new vendors that collect personal data from the app.

Anonymize all personal data collected by the app before sharing any data with third-parties.

Develop policies and procedures that outline how data is shared with third-party apps.

Page 7 of 7

61. SCENARIO

Please use the following to answer the next questions:

Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub.

This is accessible through the 'Settings' icon from any app page, then clicking 'My Preferences', and selecting 'Information Sharing and Consent' where the following choices are displayed:

• "I consent to receive notifications and infection alerts";

• "I consent to receive information on additional features or services, and new products";

• "I consent to sharing only my risk result and location information, for exposure and contact tracing purposes";

• "I consent to share my data for medical research purposes"; and

• "I consent to share my data with healthcare providers affiliated to the company".

For each choice, an ON* or OFF tab is available The default setting is ON for all

Users purchase a virus screening service for USS29 99 for themselves or others using the app.

The virus screening service works as follows:

• Step 1 A photo of the user's face is taken.

• Step 2 The user measures their temperature and adds the reading in the app

• Step 3 The user is asked to read sentences so that a voice analysis can detect symptoms

• Step 4 The user is asked to answer questions on known symptoms

• Step 5 The user can input information on family members (name date of birth, citizenship, home address, phone number, email and relationship).)

The results are displayed as one of the following risk status "Low. "Medium" or "High" if the user is deemed at "Medium " or "High" risk an alert may be sent to other users and the user is Invited to seek a medical consultation and diagnostic from a healthcare provider.

A user’s risk status also feeds a world map for contact tracing purposes, where users are

able to check if they have been or are in dose proximity of an infected person If a user has come in contact with another individual classified as "medium’ or 'high' risk an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual Location is collected using the phone's GPS functionary, whether the app is in use or not however, the exact location of the user is "blurred' for privacy reasons Users can only see on the map circles

Which of the following is likely to be the most important issue with the choices presented in the 'Information Sharing and Consent' pages?

The data and recipients for medical research are not specified

Insufficient information is provided on notifications and infection alerts

The sharing of information with an affiliated healthcare provider is too risky

Allowing users to share risk result information for exposure and contact tracing purposes

62. Which of the following is a stage in the data life cycle?

Data classification.

Data inventory.

Data masking.

Data retention.

63. Which of the following would be the most appropriate solution for preventing privacy violations related to information exposure through an error message?

Configuring the environment to use shorter error messages.

Handing exceptions internally and not displaying errors to the user.

Creating default error pages or error messages which do not include variable data.

Logging the session name and necessary parameters once the error occurs to enable trouble shooting.

64. How does k-anonymity help to protect privacy in micro data sets?

By ensuring that every record in a set is part of a group of "k" records having similar identifying information.

By switching values between records in order to preserve most statistics while still maintaining privacy.

By adding sufficient noise to the data in order to hide the impact of any one individual.

By top-coding all age data above a value of "k."

65. Which of the following is an example of drone “swarming”?

A drone filming a cyclist from above as he rides.

A drone flying over a building site to gather data.

Drones delivering retailers’ packages to private homes.

Drones communicating with each other to perform a search and rescue.

Facebook Twitter LinkedIn Google + Email

How to get CIPT Certification easily?

How to get CIPT Certification easily?

Author

LEAVE A COMMENT Cancel reply

Related Posts

IAPP CIPP-E Certification Free Dumps 2023

IAPP CPACC Certification Exam Sample Questions