
CIPT Questions and Answers

Question # 6

Which of the following best describes a network threat model and its uses?

A.

It is used in software development to detect programming errors.

B.

It is a risk-based model used to calculate the probabilities of risks identified during vulnerability tests.

C.

It helps assess the probability, the potential harm, and the priority of attacks to help minimize or eradicate the threats.

D.

It combines the results of vulnerability and penetration tests to provide useful insights into the network's overall threat and security posture.

Question # 7

What is the term for information provided to a social network by a member?

A.

Profile data.

B.

Declared data.

C.

Personal choice data.

D.

Identifier information.

Question # 8

Which concept related to privacy choice is demonstrated by highlighting and bolding the "accept" button on a cookies notice while maintaining standard text format for other options?

A.

Illuminating

B.

Nudging

C.

Suppression

D.

Tagging

Question # 9

Which of the following is the best method to minimize tracking through the use of cookies?

A.

Use ‘private browsing’ mode and delete checked files, clear cookies and cache once a day.

B.

Install a commercially available third-party application on top of the browser that is already installed.

C.

Install and use a web browser that is advertised as ‘built specifically to safeguard user privacy’.

D.

Manage settings in the browser to limit the use of cookies and remove them once the session completes.

Question # 10

What is true of providers of wireless technology?

A.

They have the legal right in most countries to control and use any data on their systems.

B.

They can see all unencrypted data that crosses the system.

C.

They are typically exempt from data security regulations.

D.

They routinely backup data that crosses their system.

Question # 11

Which of the following CANNOT be effectively determined during a code audit?

A.

Whether access control logic is recommended in all cases.

B.

Whether data is being incorrectly shared with a third-party.

C.

Whether consent is durably recorded in the case of a server crash.

D.

Whether the differential privacy implementation correctly anonymizes data.

Question # 12

An organization is reliant on temporary contractors for performing data analytics, and they require access to personal data via software-as-a-service to perform their job. When the temporary contractor completes their work assignment, what would be the most effective way to safeguard privacy and access to personal data when they leave?

A.

Set a system-based expiry that requires management reauthorization for online access for accounts that have been active more than 6 months.

B.

Establish a predetermined automatic account expiration date based on contract timescales.

C.

Require temporary contractors to sign a non-disclosure agreement, security acceptable use policy, and online access authorizations by hiring managers.

D.

Mandate hiring managers to email IT or Security team when the contractor leaves.

Question # 13

SCENARIO

Please use the following to answer the next question:

Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile application that collects personal health information from electronic patient health records. The application will use machine learning to recommend potential medical treatments and medications based on information collected from anonymized electronic health records. Patient users may also share health data collected from other mobile apps with the LBH app.

The application requires consent from the patient before importing electronic health records into the application and sharing them with their authorized physicians or healthcare provider. The patient can then review and share the recommended treatments with their physicians securely through the app. The patient user may also share location data and upload photos in the app for a healthcare provider to review along with the health record. The patient may also delegate access to the app.

LBH’s privacy team meets with the Application development and Security teams, as well as key business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the application development process.

The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during development of the application. The team must assess whether the application is collecting descriptive, demographic or any other user related data from the electronic health records that are not needed for the purposes of the application. The team is also reviewing whether the application may collect additional personal data for purposes for which the user did not provide consent.

What is the best way to minimize the risk of an exposure violation through the use of the app?

A.

Prevent the downloading of photos stored in the app.

B.

Dissociate the patient health data from the personal data.

C.

Exclude the collection of personal information from the health record.

D.

Create a policy to prevent combining data with external data sources.

Question # 14

Which of the following is considered a client-side IT risk?

A.

Security policies focus solely on internal corporate obligations.

B.

An organization increases the number of applications on its server.

C.

An employee stores his personal information on his company laptop.

D.

IDs used to avoid the use of personal data map to personal data in another database.

Question # 15

What logs should an application server retain in order to prevent phishing attacks while minimizing data retention?

A.

Limited-retention, de-identified logs including only metadata.

B.

Limited-retention, de-identified logs including the links clicked in messages as well as metadata.

C.

Limited-retention logs including the identity of parties sending and receiving messages as well as metadata.

D.

Limited-retention logs including the links clicked in messages, the identity of parties sending and receiving them, as well as metadata.

Question # 16

What is the best way to protect privacy on a geographic information system (GIS)?

A.

Limiting the data provided to the system.

B.

Using a wireless encryption protocol.

C.

Scrambling location information.

D.

Using a firewall.

Question # 17

SCENARIO

Looking back at your first two years as the Director of Personal Information Protection and Compliance for the St. Anne’s Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation-based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data, not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and workstations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.

You recall a recent visit to the Records Storage Section in the basement of the old hospital next to the modern facility, where you noticed paper records sitting in crates labeled by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. On the back shelves of the section sat data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the records storage section, you noticed a man leaving whom you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.

You quickly realize that you need a plan of action on the maintenance, secure storage and disposal of data.

Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system at St. Anne’s Regional Medical Center?

A.

Symmetric Encryption

B.

Tokenization

C.

Obfuscation

D.

Certificates

Question # 18

A company seeking to hire engineers in Silicon Valley ran an ad campaign targeting women in a specific age range who live in the San Francisco Bay Area.

Which Calo objective privacy harm is likely to result from this campaign?

A.

Lost opportunity.

B.

Economic loss.

C.

Loss of liberty.

D.

Social detriment.

Question # 19

SCENARIO

Carol was a U.S.-based glassmaker who sold her work at art festivals. She kept things simple by only accepting cash and personal checks.

As business grew, Carol couldn't keep up with demand, and traveling to festivals became burdensome. Carol opened a small boutique and hired Sam to run it while she worked in the studio. Sam was a natural salesperson, and business doubled. Carol told Sam, “I don't know what you are doing, but keep doing it!”

But months later, the gift shop was in chaos. Carol realized that Sam needed help so she hired Jane, who had business expertise and could handle the back-office tasks. Sam would continue to focus on sales. Carol gave Jane a few weeks to get acquainted with the artisan craft business, and then scheduled a meeting for the three of them to discuss Jane's first impressions.

At the meeting, Carol could not wait to hear Jane's thoughts, but she was unprepared for what Jane had to say. “Carol, I know that he doesn't realize it, but some of Sam’s efforts to increase sales have put you in a vulnerable position. You are not protecting customers’ personal information like you should.”

Sam said, “I am protecting our information. I keep it in the safe with our bank deposit. It's only a list of customers’ names, addresses and phone numbers that I get from their checks before I deposit them. I contact them when you finish a piece that I think they would like. That's the only information I have! The only other thing I do is post photos and information about your work on the photo sharing site that I use with family and friends. I provide my email address and people send me their information if they want to see more of your work. Posting online really helps sales, Carol. In fact, the only complaint I hear is about having to come into the shop to make a purchase.”

Carol replied, “Jane, that doesn’t sound so bad. Could you just fix things and help us to post even more online?”

“I can,” said Jane. “But it's not quite that simple. I need to set up a new program to make sure that we follow the best practices in data management. And I am concerned for our customers. They should be able to manage how we use their personal information. We also should develop a social media strategy.”

Sam and Jane worked hard during the following year. One of the decisions they made was to contract with an outside vendor to manage online sales. At the end of the year, Carol shared some exciting news. “Sam and Jane, you have done such a great job that one of the biggest names in the glass business wants to buy us out! And Jane, they want to talk to you about merging all of our customer and vendor information with theirs beforehand.”

Which regulator has jurisdiction over the shop's data management practices?

A.

The Federal Trade Commission.

B.

The Department of Commerce.

C.

The Data Protection Authority.

D.

The Federal Communications Commission.

Question # 20

An organization is launching a smart watch which, in addition to alerts, will notify the wearer of incoming calls, allowing them to answer on the device. This convenience also comes with privacy concerns and is an example of which of the following?

A.

Value-Sensitive Design.

B.

Ubiquitous computing.

C.

Anthropomorphism.

D.

Coupling

Question # 21

What risk is mitigated when routing video traffic through a company’s application servers, rather than sending the video traffic directly from one user to another?

A.

The user is protected against phishing attacks.

B.

The user’s identity is protected from the other user.

C.

The user’s approximate physical location is hidden from the other user.

D.

The user is assured that stronger authentication methods have been used.

Question # 22

SCENARIO

Please use the following to answer the next question:

Jordan just joined a fitness-tracker start-up based in California, USA, as its first Information Privacy and Security Officer. The company is quickly growing its business but does not sell any of the fitness trackers itself. Instead, it relies on a distribution network of third-party retailers in all major countries. Despite not having any stores, the company has a 78% market share in the EU. It has a website presenting the company and products, and a member section where customers can access their information. Only the email address and physical address need to be provided as part of the registration process in order to customize the site to the user’s region and country. There is also a newsletter sent every month to all members featuring fitness tips, nutrition advice, and product spotlights from partner companies based on user behavior and preferences.

Jordan says the General Data Protection Regulation (GDPR) does not apply to the company. He says the company is not established in the EU, nor does it have a processor in the region. Furthermore, it does not do any “offering goods or services” in the EU since it does not do any marketing there, nor sell to consumers directly. Jordan argues that it is the customers who chose to buy the products on their own initiative and there is no “offering” from the company.

The fitness trackers incorporate advanced features such as sleep tracking, GPS tracking, heart rate monitoring, wireless syncing, calorie-counting and step-tracking. The watch must be paired with either a smartphone or a computer in order to collect data on sleep levels, heart rates, etc. All information from the device must be sent to the company’s servers in order to be processed, and then the results are sent to the smartphone or computer. Jordan argues that there is no personal information involved since the company does not collect banking or social security information.

Based on the current features of the fitness watch, what would you recommend be implemented into each device in order to most effectively ensure privacy?

A.

Hashing.

B.

A2DP Bluetooth profile.

C.

Persistent unique identifier.

D.

Randomized MAC address.

Question # 23

Which of the following methods does NOT contribute to keeping the data confidential?

A.

Differential privacy.

B.

Homomorphic encryption.

C.

K-anonymity.

D.

Referential integrity.

Question # 24

What is typically NOT performed by sophisticated Access Management (AM) techniques?

A.

Restricting access to data based on location.

B.

Restricting access to data based on user role.

C.

Preventing certain types of devices from accessing data.

D.

Preventing data from being placed in unprotected storage.

Question # 25

It is important for a privacy technologist to understand dark patterns in order to reduce the risk of which of the following?

A.

Breaches of an individual's data.

B.

Illicit collection of personal data.

C.

Manipulation of a user's choice.

D.

Discrimination from profiling.

Question # 26

Which of the following is NOT a step in the methodology of a privacy risk framework?

A.

Assessment.

B.

Monitoring.

C.

Response.

D.

Ranking.

Question # 27

Which privacy engineering objective proposed by the US National Institute of Science and Technology (NIST) decreases privacy risk by ensuring that connections between individuals and their personal data are reduced?

A.

Disassociability

B.

Manageability

C.

Minimization

D.

Predictability

Question # 28

Which of the following is NOT a workplace surveillance best practice?

A.

Check local privacy laws before putting surveillance in place.

B.

Ensure surveillance is discreet so employees do not alter their behavior.

C.

Once surveillance data has been gathered, limit exposure of the content.

D.

Ensure the minimal amount of surveillance is performed to meet the objective.

Question # 29

SCENARIO

Please use the following to answer the next question:

Chuck, a compliance auditor for a consulting firm focusing on healthcare clients, was required to travel to the client’s office to perform an onsite review of the client’s operations. He rented a car from Finley Motors upon arrival at the airport so he could commute to and from the client’s office. The car rental agreement was electronically signed by Chuck and included his name, address, driver’s license, make/model of the car, billing rate, and additional details describing the rental transaction. On the second night, Chuck was caught by a red light camera not stopping at an intersection on his way to dinner. Chuck returned the car to the car rental agency at the end of the week without mentioning the infraction, and Finley Motors emailed a copy of the final receipt to the address on file.

Local law enforcement later reviewed the red light camera footage. As Finley Motors is the registered owner of the car, a notice was sent to them indicating the infraction and fine incurred. This notice included the license plate number, occurrence date and time, a photograph of the driver, and a web portal link to a video clip of the violation for further review. Finley Motors, however, was not responsible for the violation as they were not driving the car at the time and transferred the incident to AMP Payment Resources for further review. AMP Payment Resources identified Chuck as the driver based on the rental agreement he signed when picking up the car and then contacted Chuck directly through a written letter regarding the infraction to collect the fine.

After reviewing the incident through the AMP Payment Resources’ web portal, Chuck paid the fine using his personal credit card. Two weeks later, Finley Motors sent Chuck an email promotion offering 10% off a future rental.

What should Finley Motors have done to incorporate the transparency principle of Privacy by Design (PbD)?

A.

Signed a data sharing agreement with AMP Payment Resources.

B.

Documented that Finley Motors has a legitimate interest to share Chuck’s information.

C.

Obtained verbal consent from Chuck and recorded it within internal systems.

D.

Provided notice of data sharing practices within the electronically signed rental agreement.

Question # 30

What is the main benefit of using dummy data during software testing?

A.

The data comes in a format convenient for testing.

B.

Statistical disclosure controls are applied to the data.

C.

The data enables the suppression of particular values in a set.

D.

Developers do not need special privacy training to test the software.

Question # 31

Which is NOT a suitable action to apply to data when the retention period ends?

A.

Aggregation.

B.

De-identification.

C.

Deletion.

D.

Retagging.

Question # 32

Aadhaar is a unique-identity number of 12 digits issued to all Indian residents based on their biometric and demographic data. The data is collected by the Unique Identification Authority of India. The Aadhaar database contains the Aadhaar number, name, date of birth, gender and address of over 1 billion individuals.

Which of the following datasets derived from that data would be considered the most de-identified?

A.

A count of the years of birth and hash of the person’s gender.

B.

A count of the month of birth and hash of the person's first name.

C.

A count of the day of birth and hash of the person’s first initial of their first name.

D.

A count of the century of birth and hash of the last 3 digits of the person's Aadhaar number.
