Practice Free CIPT Exam Online Questions
An organization is deciding between building a solution in-house versus purchasing a solution for a new customer-facing application. When security threats are taken into consideration, a key advantage of purchasing a solution would be the availability of?
- A . Outsourcing.
- B . Persistent VPN.
- C . Patching and updates.
- D . Digital Rights Management.
C
Explanation:
When an organization considers whether to build a solution in-house or purchase it, one key advantage of purchasing is the availability of regular patching and updates. Purchased solutions typically come with vendor support that includes security patches and updates, so the vendor, not the organization, carries the work of discovering vulnerabilities, developing fixes and publishing advisories. In contrast, an in-house solution requires the organization to find, fix and roll out corrections on its own, which is resource-intensive and can delay the response to newly discovered threats. Note that purchasing only shifts the work of producing patches; the organization still has to track the vendor's advisories, apply the patches promptly and remain within the vendor's support lifecycle, otherwise the advantage is lost. (Reference: IAPP CIPT Study Guide, Chapter on Security Controls and Enhancements)
Which of the following provides a mechanism that allows an end-user to use a single sign-on (SSO) for multiple services?
- A . The Open ID Federation.
- B . PCI Data Security Standards Council
- C . International Organization for Standardization.
- D . Personal Information Protection and Electronic Documents Act.
Users of a web-based email service have their accounts breached through compromised login credentials.
Which possible consequences of the breach illustrate the two categories of Calo’s Harm Dimensions?
- A . Financial loss and blackmail.
- B . Financial loss and solicitation.
- C . Identity theft and embarrassment.
- D . Identity theft and the leaking of information.
SCENARIO
Tom looked forward to starting his new position with a U.S.-based automobile leasing company (New Company), now operating in 32 states. New Company was recently formed through the merger of two prominent players, one from the eastern region (East Company) and one from the western region (West Company).
Tom, a Certified Information Privacy Technologist (CIPT), is New Company's first Information Privacy and Security officer. He met today with Dick from East Company, and Harry, from West Company. Dick and Harry are veteran senior information privacy and security professionals at their respective companies, and continue to lead the east and west divisions of New Company. The purpose of the meeting was to conduct a SWOT (strengths/weaknesses/opportunities/threats) analysis for New Company. Their SWOT analysis conclusions are summarized below.
Dick was enthusiastic about an opportunity for the New Company to reduce costs and increase computing power and flexibility through cloud services. East Company had been contemplating moving to the cloud, but West Company already had a vendor that was providing it with software-as-a-service (SaaS). Dick was looking forward to extending this service to the eastern region. Harry noted that this was a threat as well, because West Company had to rely on the third party to protect its data.
Tom mentioned that neither of the legacy companies had sufficient data storage space to meet the projected growth of New Company, which he saw as a weakness. Tom stated that one of the team’s first projects would be to construct a consolidated New Company data warehouse. Tom would personally lead this project and would be held accountable if information was modified during transmission to or during storage in the new data warehouse.
Tom, Dick and Harry agreed that employee network access could be considered both a strength and a weakness. East Company and West Company had strong performance records in this regard; both had robust network access controls that were working as designed. However, during a projected year-long transition period, New Company employees would need to be able to connect to a New Company network while retaining access to the East Company and West Company networks.
When employees are working remotely, they usually connect to a Wi-Fi network.
What should Harry advise for maintaining company security in this situation?
- A . Hiding wireless service set identifiers (SSID).
- B . Retaining the password assigned by the network.
- C . Employing Wired Equivalent Privacy (WEP) encryption.
- D . Using tokens sent through HTTP sites to verify user identity.
Which Organization for Economic Co-operation and Development (OECD) privacy protection principle encourages an organization to obtain an individual's consent before transferring personal information?
- A . Individual participation.
- B . Purpose specification.
- C . Collection limitation.
- D . Accountability.
SCENARIO
WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker.
The CEO of WebTracker, Mr. Bond, would like to assess the effectiveness of AmaZure’s privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating any internal data processing activity, such as HR or Payroll.
This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome ― a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.
To get an idea of the scope of work involved, you have decided to start reviewing the company’s documentation and interviewing key staff to understand potential privacy risks.
The results of this initial work include the following notes:
There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome.
You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure.
There are data flows representing personal data being collected from the internal employees of WebTracker, including an interface from the HR system.
Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.
All the WebTracker and SmartHome customers are based in the USA and Canada.
Based on the initial assessment and review of the available data flows, which of the following would be the most important privacy risk you should investigate first?
- A . Verify that WebTracker’s HR and Payroll systems implement the current privacy notice (after the typos are fixed).
- B . Review the list of subcontractors employed by AmaZure and ensure these are included in the formal agreement with WebTracker.
- C . Evaluate and review the basis for processing employees’ personal data in the context of the prototype created by WebTracker and approved by the CEO.
- D . Confirm whether the data transfer from London to the USA has been fully approved by AmaZure and the appropriate institutions in the USA and the European Union.
What is typically NOT performed by sophisticated Access Management (AM) techniques?
- A . Restricting access to data based on location.
- B . Restricting access to data based on user role.
- C . Preventing certain types of devices from accessing data.
- D . Preventing data from being placed in unprotected storage.
What risk is mitigated when routing video traffic through a company’s application servers, rather than sending the video traffic directly from one user to another?
- A . The user is protected against phishing attacks.
- B . The user’s identity is protected from the other user.
- C . The user’s approximate physical location is hidden from the other user.
- D . The user is assured that stronger authentication methods have been used.
Implementation of privacy controls for compliance with the requirements of the Children’s Online Privacy Protection Act (COPPA) is necessary for all the following situations EXCEPT?
- A . A virtual jigsaw puzzle game marketed for ages 5-9 displays pieces of the puzzle on a handheld screen. Once the child completes a certain level, it flashes a message about new themes released that day.
- B . An interactive toy copies a child’s behavior through gestures and kid-friendly sounds. It runs on battery power and automatically connects to a base station at home to charge itself.
- C . A math tutoring service commissioned an advertisement on a bulletin board inside a charter school. The service makes it simple to reach out to tutors through a QR-code shaped like a cartoon character.
- D . A note-taking application converts hard copies of kids’ class notes into audio books in seconds. It does so by using the processing power of idle server farms.
Combining multiple pieces of information about an individual to produce a whole that is greater than the sum of its parts is called?
- A . Identification.
- B . Insecurity.
- C . Aggregation.
- D . Exclusion.
C
Explanation:
Aggregation involves the combination of various data points to create a more comprehensive profile or dataset that provides greater insight than the individual pieces alone. The four options (identification, insecurity, aggregation, exclusion) all come from the "information processing" group of Daniel Solove's taxonomy of privacy harms. Aggregation poses a privacy risk because it can reveal patterns and personal information that were not apparent when the data points were viewed separately: two datasets that are each harmless on their own can, once joined, identify a person or expose a sensitive attribute. In privacy and data protection work it is treated as a harm in its own right, since it can lead to inadvertent breaches of privacy if not managed properly.
Reference: NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII).
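The following Python script is an added illustration of aggregation, not part of the original question bank or the cited NIST publication. It joins two constructed datasets (a de-identified health extract and a public roster, both invented for this example) on the quasi-identifiers ZIP code, date of birth and sex. Neither set alone links a name to a diagnosis; the aggregate does. It then shows the usual countermeasure, generalising the quasi-identifiers until every combination is shared by at least two people (k-anonymity), and re-runs the linkage to show that it no longer re-identifies anyone.

```python
"""Aggregation (linkage) of two individually innocuous datasets.

All records below are constructed for this example; they describe no
real person and no real breach.
"""
from collections import defaultdict

# Constructed: "anonymised" health records with names removed.
HEALTH_RECORDS = [
    {"zip": "02138", "dob": "1961-07-22", "sex": "F", "diagnosis": "hypertension"},
    {"zip": "02138", "dob": "1961-07-22", "sex": "M", "diagnosis": "asthma"},
    {"zip": "02139", "dob": "1985-01-03", "sex": "F", "diagnosis": "diabetes"},
    {"zip": "02139", "dob": "1985-01-03", "sex": "F", "diagnosis": "migraine"},
]

# Constructed: public roster with names but no health data.
PUBLIC_ROSTER = [
    {"name": "A. Example", "zip": "02138", "dob": "1961-07-22", "sex": "F"},
    {"name": "B. Example", "zip": "02138", "dob": "1961-07-22", "sex": "M"},
    {"name": "C. Example", "zip": "02139", "dob": "1985-01-03", "sex": "F"},
    {"name": "D. Example", "zip": "02139", "dob": "1985-01-03", "sex": "F"},
]

# Fields that are not identifiers on their own but identify in combination.
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def quasi_key(record):
    """The quasi-identifier combination for one record, as a hashable tuple."""
    return tuple(record[k] for k in QUASI_IDENTIFIERS)


def group_by_quasi(records):
    """Partition records into equivalence classes sharing the same quasi-identifiers."""
    groups = defaultdict(list)
    for r in records:
        groups[quasi_key(r)].append(r)
    return groups


def k_anonymity(records):
    """Smallest equivalence class size: k == 1 means someone is unique."""
    return min(len(g) for g in group_by_quasi(records).values())


def link(health, roster):
    """Aggregate the two sets on their quasi-identifiers.

    Returns (identified, ambiguous): identified maps a name to a diagnosis
    wherever the quasi-identifier combination is unique on both sides;
    ambiguous maps the remaining shared combinations to their class size.
    """
    by_health = group_by_quasi(health)
    by_roster = group_by_quasi(roster)
    identified, ambiguous = {}, {}
    for key, patients in by_health.items():
        people = by_roster.get(key, [])
        if len(patients) == 1 and len(people) == 1:
            identified[people[0]["name"]] = patients[0]["diagnosis"]
        elif people:
            ambiguous[key] = max(len(patients), len(people))
    return identified, ambiguous


def generalised(records):
    """Coarsen the quasi-identifiers: 3-digit ZIP, birth year only, sex suppressed.

    This is the mitigation side of the example: the data stays usable for
    population-level statistics but no longer singles out one person.
    """
    out = []
    for r in records:
        g = dict(r)
        g["zip"] = r["zip"][:3]
        g["dob"] = r["dob"][:4]
        g["sex"] = "*"
        out.append(g)
    return out


if __name__ == "__main__":
    found, unsure = link(HEALTH_RECORDS, PUBLIC_ROSTER)
    print("k of raw health data:", k_anonymity(HEALTH_RECORDS))
    print("re-identified by aggregation:", found)
    print("ambiguous classes:", unsure)
    found_g, unsure_g = link(generalised(HEALTH_RECORDS), generalised(PUBLIC_ROSTER))
    print("k after generalisation:", k_anonymity(generalised(HEALTH_RECORDS)))
    print("re-identified after generalisation:", found_g)
```

Run as-is the raw join names two of the four patients together with their diagnoses, even though neither dataset contains that pairing; the generalised join names nobody. The design point is that the risk lives in the combination of fields, so the check to run before releasing "anonymised" data is the size of the smallest equivalence class over the quasi-identifiers, not whether names were removed.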