Which of the following CANNOT be effectively determined during a code audit?
A. Whether access control logic is recommended in all cases.
B. Whether data is being incorrectly shared with a third-party.
C. Whether consent is durably recorded in the case of a server crash.
D. Whether the differential privacy implementation correctly anonymizes data.
Granting data subjects the right to have data corrected, amended, or deleted describes?
A. Use limitation.
B. Accountability.
C. A security safeguard.
D. Individual participation.
An organization's customers have suffered a number of data breaches through successful social engineering attacks. One potential solution to remediate and prevent future occurrences would be to implement which of the following?
A. Differential identifiability.
B. Multi-factor authentication.
C. Greater password complexity.
D. Attribute-based access control.
A privacy engineer has been asked to review an online account login page. He finds there is no limitation on the number of invalid login attempts a user can make when logging into their online account. What would be the best recommendation to minimize the potential privacy risk from this weakness?
A. Implement a CAPTCHA system.
B. Develop server-side input validation checks.
C. Enforce strong password and account credentials.
D. Implement strong Transport Layer Security (TLS) to ensure an encrypted link.
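The weakness described in the question above (no cap on invalid login attempts, so a password can be guessed online at whatever rate the server accepts) is worth seeing remedied in code independent of which option the exam keys. The block below is an added example for this page, not part of the exam material or any vendor's product: a hypothetical per-account throttle with escalating lockout, keyed by account rather than client IP so that spreading guesses across many addresses does not reset the counter, and with an injectable clock so it can be exercised deterministically. The `verify` callback and the credentials in the demo are constructed for illustration.

```python
import time
from dataclasses import dataclass


@dataclass
class _AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    lockouts: int = 0          # lockouts so far; drives the exponential backoff
    locked_until: float = 0.0  # clock timestamp; 0.0 means not locked


class LoginThrottle:
    """Per-account limit on invalid login attempts with escalating lockout.

    Hypothetical helper written for this page, not the exam's or any product's code.
    State is keyed by account identifier, not source address, so distributing
    guesses over many IPs still hits the same counter. A production store would
    be bounded and expire entries (unknown usernames also get a record here, so an
    unbounded dict would be a memory DoS lever).
    """

    def __init__(self, max_failures=5, base_lockout=30.0, max_lockout=3600.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock            # injectable so a test can advance time
        self._state = {}

    def _get(self, account):
        return self._state.setdefault(account, _AccountState())

    def is_locked(self, account):
        return self.clock() < self._get(account).locked_until

    def seconds_remaining(self, account):
        return max(0.0, self._get(account).locked_until - self.clock())

    def record_failure(self, account):
        """Count a bad password. Returns the lockout length in seconds, or 0.0."""
        st = self._get(account)
        if self.is_locked(account):
            # Attempts during a lockout are not counted again, so an attacker
            # cannot stretch the lockout indefinitely against a legitimate user.
            return self.seconds_remaining(account)
        st.failures += 1
        if st.failures >= self.max_failures:
            # 30s, 60s, 120s, ... capped at max_lockout
            duration = min(self.base_lockout * (2 ** st.lockouts), self.max_lockout)
            st.lockouts += 1
            st.failures = 0
            st.locked_until = self.clock() + duration
            return duration
        return 0.0

    def record_success(self, account):
        self._state.pop(account, None)


def attempt_login(throttle, account, password, verify):
    """Check the throttle before the password; same generic message for any bad
    credential so the response does not reveal whether the account exists."""
    if throttle.is_locked(account):
        return "account temporarily locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "invalid credentials"


if __name__ == "__main__":
    # Constructed demo: a fake clock and a single test credential.
    now = [1000.0]
    throttle = LoginThrottle(max_failures=3, base_lockout=30.0, clock=lambda: now[0])
    verify = lambda user, pw: user == "alice" and pw == "hunter2"
    for guess in ("a", "b", "c", "d"):
        print(attempt_login(throttle, "alice", guess, verify))
    now[0] += 30.0  # lockout expires
    print(attempt_login(throttle, "alice", "hunter2", verify))
```

The throttle sits in front of the password check, so a locked account never reaches the (comparatively expensive) hash verification, and a success clears the counter so a user who mistypes a few times is not penalised for long. CAPTCHA or multi-factor authentication can be layered on top; neither replaces the cap on attempts.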
What is an example of a just-in-time notice?
A. A warning that a website may be unsafe.
B. A full organizational privacy notice publicly available on a website.
C. A credit card company calling a user to verify a purchase before it is authorized.
D. Privacy information given to a user when he attempts to comment on an online article.
SCENARIO
Please use the following to answer the next question:
EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camera. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.
The app collects the following information:
1. First and last name
2. Date of birth (DOB)
3. Mailing address
4. Email address
5. Car VIN number
6. Car model
7. License plate
8. Insurance card number
9. Photo
10. Vehicle diagnostics
11. Geolocation
What IT architecture would be most appropriate for this mobile platform?
A. Peer-to-peer architecture.
B. Client-server architecture.
C. Plug-in-based architecture.
D. Service-oriented architecture.
A company is looking to adopt new technology which the privacy technologist on the project believes may be unethical from a privacy standpoint. How should the privacy technologist respond?
A. Stop the project by exercising veto rights.
B. Implement privacy technical measures to help mitigate the identified privacy risks.
C. Advise the project team about legal mechanisms it could adopt to manage the ethical considerations.
D. Perform an audit of privacy controls post implementation to show leadership how unethical the project actually was.
Failing to update software for a system that processes human resources data with the latest security patches may create what?
A. Data breaches.
B. Discrimination risks.
C. Privacy vulnerabilities
D. Increased threat sources
SCENARIO
Please use the following to answer the next questions:
Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub. This is accessible through the `Settings' icon from any app page then clicking `My Preferences', and selecting `Information Sharing and Consent' where the following choices are displayed:
1. "I consent to receive notifications and infection alerts";
2. "I consent to receive information on additional features or services and new products";
3. "I consent to sharing only my risk result and location information for exposure and contact tracing purposes";
4. "I consent to share my data for medical research purposes"; and
5. "I consent to share my data with healthcare providers affiliated to the company".
For each choice, an `ON' or `OFF' tab is available. The default setting is `ON' for all. Users purchase a virus screening service for US$29.99 for themselves or others using the app. The virus screening service works as follows:
1. Step 1: A photo of the user's face is taken
2. Step 2: The user measures their temperature and adds the reading in the app
3. Step 3: The user is asked to read sentences so that a voice analysis can detect symptoms
4. Step 4: The user is asked to answer questions on known symptoms
5. Step 5: The user can input information on family members (name, date of birth, citizenship, home address, phone number, email and relationship).
The results are displayed as one of the following risk status "Low", "Medium" or "High". If the user is deemed at "Medium" or "High" risk an alert may be sent to other users, and the user is invited to seek a medical consultation and diagnostic from a healthcare provider.
A user's risk status also feeds a world map for contact tracing purposes, where users are able to check if they have been or are in close proximity of an infected person. If a user has come in contact with another individual classified as `medium' or `high' risk, an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual. Location is collected using the phone's GPS functionality, whether the app is in use or not; however, the exact location of the user is "blurred" for privacy reasons. Users can only see on the map circles with a 12-foot radius (approximately 4 meters wide), which is double the recommended distance for social distancing.
A. The ON or OFF default setting for each item.
B. The navigation needed in the app to get to the consent page.
C. The collection of the user's location via the phone's GPS functionality.
D. The information-sharing with healthcare providers affiliated with the company.
Which of the following is the LEAST effective at meeting the Fair Information Practice Principles (FIPPs) in the Systems Development Life Cycle (SDLC)?
A. Defining requirements to manage end user content
B. Conducting privacy threat modeling for the use-case
C. Developing data flow modeling to help the purpose, protection, and retention of sensitive data
D. Reviewing the code against Open Web Application Security Project (OWASP) Top 10 Security Risks