Download CIPT Exam Questions with 100% Correct Answers | Verified | Updated 2024 and more Exams Advanced Education in PDF only on Docsity! CIPT Exam Questions with 100% Correct Answers | Verified | Updated 2024 Which of the following may pose a "client side" privacy risk? A. An employee loading personal data on a company laptop B. Failure of a firewall that is protecting the company's network C. A distributed denial of service (DDoS) attack on the org D. A remote employee placing communication software on a company server - Correct Answer-A. An employee loading personal data on a company laptop You are browsing the web and shopping for new furniture. You then open your favorite social media to scroll through the posts. While doing so, you start noticing ads for furniture. This is an example of what? A. Direct Marketing B. Individual advertising C. Behavioral advertising pg. 1 professoraxe l D. Indirect Marketing - Correct Answer-C. Behavioral advertising Which of the following privacy practices would be most useful to users who are not knowledgeable about protecting their personal information? A. Choice B. Control C. Notice D. Consent - Correct Answer-C. Notice Which of the following privacy-related principles would be the main concern during the data usage stage of the data life cycle? A. Transparency B. Data Minimization C. Storage Limitation D. Purpose Limitation - Correct Answer-D. Purpose Limitation pg. 2 professoraxe l D. Selective Use - Correct Answer-A. Secondary Use Which of the following explains why it is difficult to regulate what individually identifiable data is? A. Many people mistakenly expose personal information online B. Personal information means different things to different people C. Most legislative bodies are hesitant to enact laws about identifiable data D. Data that is not overly identifiable can be combined to identify individuals - Correct Answer-D. Data that is not overly identifiable can be combined to identify individuals Ubiquitous computing can raise significant concerns about the sheer volume of data that can be collected by a system. Each of the following are necessary considerations when utilizing a data collection process that falls into this category EXCEPT which? A. The system should provide end-users with both feedback and control pg. 5 professoraxe l B. The system should have obvious value C. The retention of data by the system should be limited D. The data collected by system should be aggregated and made available to all users - Correct Answer-D. The data collected by system should be aggregated and made available to all users In creating a registration form for a mobile app directed at grade school children, what privacy engineering objective is addressed by asking for grade level instead of data of birth? A. Disassociability B. Manageability C. Security D. Predictability - Correct Answer-A. Disassociability Which of the following is NOT an example of automated decision making? A. Receiving an answer to a support question utilizing a chat bot pg. 6 professoraxe l B. Obtaining approval for insurance through an online application C. Requesting an emailed catalog from an online retailer D. Setting airfare based on browser history and date of purchase - Correct Answer-C. Requesting an emailed catalog from an online retailer Which of the following circumstances would best be addressed by utilizing radio frequency identification (RFID) technology? A. An org has a high error rate for entering credit card data into POS system B. An org requires two-way communication between its discoverable devices C. An org needs to develop an encryption-supported network D. An org's inventory process is taking too long - Correct Answer-D. An org's inventory process is taking too long What type of interference occurs when false or inaccurate information on a credit application results in denial of credit? pg. 7 professoraxe l When creating a data inventory, it is important to include a range of detailed information on the company's data assets. This information should include how the data is accessed and by whom, how the data is managed, who owns it, where the data is stored, and the ____ that defines the individual data records and what they contain A. Structured data B. Schema C. Metadata D. Dictionary - Correct Answer-C. Metadata Testing during software development generally consists of which two sets of activities? A. Implementation and deployment B. Alpha and beta testing C. Validation and verification D. Runtime monitoring and auditing - Correct Answer-C. Validation and verification pg. 10 professoraxe l A marketing lead has collected a large data set of personal information and stored it in a shared folder. The marketing lead controls who has access to the shared folder. The type of access control being used is: A. Discretionary B. Mandatory C. Attribute-based D. Rule-based - Correct Answer-A. Discretionary Vulnerability is determined by what two factors? A. Probability and confidentiality B. Capability and portability C. Confidentiality and integrity D. Capability and probability - Correct Answer-D. Capability and probability Low-level design concerns the details of the overall design of the system and focuses on improving the quality of programming practices through each of the following mechanisms EXCEPT: pg. 11 professoraxe l A. Information holding B. Threat Modeling C. Reusing existing standard API libraries D. Loose coupling - Correct Answer-B. Threat Modeling You have been tasked with developing an incident response process for your employer, BrandEnt Company, a media entertainment company. As the senior manager of information privacy, you have been creating privacy-related procedures for the company. There has been an uptick in the number of privacy-related questions being sent to customer service through the website's generic portal, and the customer service reps are unsure of what to do with the questions. This has led to the director of privacy asking that you work with the IT department to identify, track and resolve privacy-related incidents, as well as with the Information Security team to leverage their existing incident- management process. As you review the questions, you notice that many customers are asking what personal information BrandEnt has collected pg. 12 professoraxe l A. Retention B. Recycling C. Repurposing D. Reuse - Correct Answer-C. Repurposing What is the primary purpose of a privacy by design framework? A. To outline the legal and ethical expectation of a robust privacy program B. To provide a framework of steps that should be incorporated into the creation of any new design C. To specify the technology and procedures that should be used to ensure personal information is protected D. To provide guidance for proactively incorporating privacy from the beginning to the end of the design process - Correct Answer-D. To provide guidance for proactively incorporating privacy from the beginning to the end of the design process What is the difference between objective harms and subjective harms? pg. 15 professoraxe l A. Objective harms are measurable and observable; subjective harms are only expected or perceived by the individual B. Only objective harms impact an individual's decision to use a software program C. Objective harms are the primary type of harm that should be considered when determining whether a privacy harm has occurred D. Objective harms impact individuals on a psychological and behavioral level while subjective harms can result in loss of business opportunities or consumer trust - Correct Answer-A. Objective harms are measurable and observable; subjective harms are only expected or perceived by the individual Which privacy risk model or framework is described as maintaining personal information in alignment with the informational norms that apply to a particular context? A. Nissenbaum's Contextual Integrity B. Calo's harm dimensions C. Privacy by design D. Value-sensitive design - Correct Answer-A. Nissenbaum's Contextual Integrity pg. 16 professoraxe l What is value-sensitive design? A. An investigative process intended to establish the ROI for each potential design option B. An iterative design process in which designers focus on the users and their needs in each phase of the design process C. A design process with a focus on the potential return on investment (monetary value) of each design feature D. An iterative investigative approach to design that takes human values into account during the design process - Correct Answer-D. An iterative investigative approach to design that takes human values into account during the design process An incident response plan for a privacy breach includes notification of affected individuals, law enforcement, and other agencies. What is the first step an organization should take when approaching notification? A. Consult with your org's legal team B. Notify individuals affiliated with the org C. Alert local media that a breach has occurred pg. 17 professoraxe l identifiers must be the individual's name - Correct Answer- False What type of interference occurs when advertisers track a user's online behavior to design personalized ads that represents the user's interests? A. Decisional interference B. Intrusion C. Disclosure D. Self-representation - Correct Answer-B. Intrusion Vulnerability is determined by what two factors? A. Detection and prevention B. Governance and oversight C. Capability and probability D. Operation and maintenance - Correct Answer-C. Capability and probability pg. 20 professoraxe l In what ways can privacy technologists mitigate risk of interrogation? Choose all that apply A. Implement controls that allow users to opt in to providing information B. Limit the collection of data to only that which is necessary C. Implement controls that flag for explicit language D. Use encryption when collecting sensitive personal information - Correct Answer-A. Implement controls that allow users to opt in to providing information B. Limit the collection of data to only that which is necessary True or False: Although hackers cannot readily access closed- source software, it should not be considered more resistant to attacks than open-source software - Correct Answer-True Examine statements below and choose all those that are examples of appropriation A. Using a celebrity's image to endorse a product without their permission pg. 21 professoraxe l B. Revealing the security code to a home alarm system to a source outside the family without permission C. A politician distorting facts about their opponent to make them appear less credible D. Social media page using the names of friends to tempt users to follow a specific page - Correct Answer-A. Using a celebrity's image to endorse a product without their permission D. Social media page using the names of friends to tempt users to follow a specific page What is NOT a data-based technique used to protect privacy? A. Encryption B. Aggregation C. Process Documentation D. Deidentification - Correct Answer-C. Process Documentation What is an example of a federated identity? A. National ID number pg. 22 professoraxe l operators to implement innovative changes to a system to provide better services D. It helps stakeholders adequately describe what is happening with the personal information in their possession from a value statement on transparency to a requirements- based program that explains how personal information is managed True or False: Dark patterns are schemes used in decisional interference - Correct Answer-True Privacy engineering addresses the challenges of translating privacy principles and harms into engineering requirements. What key concepts within an organization help realize this? Choose all that apply A. Engineering development life cycle B. Privacy design patterns C. Manageability D. Technological controls E. Data governance - Correct Answer-A. Engineering development life cycle D. Technological controls pg. 25 professoraxe l E. Data governance What elements of a design pattern describes the components of the design, their relationships, their roles, and how they interact? A. Solution B. Consequence C. Problem description D. Pattern name - Correct Answer-A. Solution True or False: Manageability includes allowing individuals to have access to their information to make changes to inaccurate information - Correct Answer-False, manageability assigns appropriate stakeholders to administer changes to an individual's information to ensure security and mitigate fraud True or False: While monitoring and analyzing data during runtime leads to the risk of inadvertent collection of personal information, privacy technologists cannot reduce this issue - Correct Answer-False, programmers can reduce the risk through analysis, defect-tracking, and API pg. 26 professoraxe l What activity includes an evaluation of some aspect of the system or component? A. Testing B. Supervision C. Integration D. Obfuscation - Correct Answer-A. Testing In the event of an incident, what privacy attribute allows personal information to be accessed if an individual is not able to consent? A. Integrity B. Network centricity C. Availability D. Mobility - Correct Answer-C. Availability Low-level design focuses on improving the quality of programming practices through which of the following? Choose all that apply pg. 27 professoraxe l repeatedly, adjusting along the way to deepen and improve the outcome A. Chatbots B. Context-aware computing C. Deep learning - Correct Answer-C. Deep learning True or False: It is illegal across all 50 states for law enforcement to use drones for search or surveillance without obtaining a search warrant prior - Correct Answer-False What term is used when individuals share information such as location, emotions, opinions, and experiences via their mobile devices, which enables a better understanding of human behaviors and activities, meaningful patterns and detectable trends? A. Web tracking B. Geo tagging C. Geo social patterns D. Natural language generation - Correct Answer-Geo social patterns pg. 30 professoraxe l Maintaining personal information in alignment with the informational norms that apply to a particular context - Correct Answer-Nissenbaum's Contextual Integrity Contextual Integrity: Actors, Transmission principles, Attributes - Correct Answer-Actors: The senders and receivers of personal information Transmission principles: Those that govern the flow of information Attributes: The types of information being shared List objective harms - Correct Answer-Loss of business opportunity, loss of consumer trust, social detriment Statutory and regulatory mandates systems that handle personal information -Type of data collected -What the system does with that data -How the data is protected, stored, and disposed of - Correct Answer-Legal compliance pg. 31 professoraxe l Works alongside compliance models to mandate notice choice and consent, access to information, controls on information, and how information is managed. High level abstractions of privacy, interpretation is necessary to determine application - Correct Answer-FIPPS Fair Information Privacy Principles Four things to do with risk: - Correct Answer-Accept, transfer, mitigate, and avoid Data life cycle: - Correct Answer-Collection -> Use -> Disclosure -> Retention -> Destruction Examples of values for value sensitive design: - Correct Answer--Context specific -user specific -Malleable -Difficult to define Direct versus Indirect design affecting users - Correct Answer- Direct: Interact with system Indirect: How stakeholders configure, use, or are otherwise affected by the technology pg. 32 professoraxe l Components of back end - Correct Answer-Web service Misdirected emails, denial of service, unauthorized disclosure, hacking attempts, lost devices are all examples of .......? - Correct Answer-Privacy incidents -Discovery -Containment -Analyze and notify -Repercussions -Prevention -Third parties - Correct Answer-Incident Response Plan The management of access to and use of digital content and devices after sale. DRM is often associated with the set of access control (denial) technologies. These technologies are utilized under the premise of defending copyrights and intellectual property but are considered controversial because they may often restrict users from utilizing digital content or devices in a manner allowable by law - Correct Answer-Digital rights management pg. 35 professoraxe l Recognizes that data has different value, and requires approaches, as it moves through an organization from collection to deletion. The stages are generally considered to be: Collection, processing, use, disclosure, retention, and destruction. - Correct Answer-The information life cycle Disclosure of specific information practices posted, usually accompanied by a consent request, at the point of information collection. - Correct Answer-Just-in-time- Notification Three types of interference: - Correct Answer-Decisional, Intrusion, Self-representation Action by an external party, such as govt entity, that interferes w/ an individual's decision making regarding their personal affairs. Inaccurate data can lead to decisional interference - Correct Answer-Decisional interference Setting parameters that limits the confidence that any particular individual has contributed to an aggregated value. - Correct Answer-Differential identifiability pg. 36 professoraxe l Disturb an individual's solitude or tranquility. Can be physical, psychological, or informational. Does not need personal information for this interference type, as you do not need someone's name to knock on their door to try to sell them something - Correct Answer-Intrusion interference Occurs when another alters how an individual is represented or regarded. - Correct Answer-Self representation Four techniques of deidentification - Correct Answer-1. Tokens 2. Anonymization 3. Pseudonymization 4. K-anonymity, l-diversity, t-closeness Deidentification: Tokens - Correct Answer-Uses random tokens as stand-ins for meaningful data Deidentification: Anonymization - Correct Answer-Direct and indirect identifiers have been removed, and mechanisms have been put in place to prevent reidentification pg. 37 professoraxe l Write Once Read Many (WORM) - Correct Answer-A data storage device in which information, once written, cannot be modified. This protection offers assurance that the data originally written to the device has not been tampered with. The only way to remove data written to a WORM device is to physically destroy the device. Web Beacon - Correct Answer-Also known as a web bug, pixel tag or clear GIF, a web beacon is a clear graphic image (typically one pixel in size) that is delivered through a web browser or HTML e-mail. The web beacon operates as a tag that records an end user's visit to a particular web page or viewing of a particular e-mail. It is also often used in conjunction with a web cookie and provided as part of a third- party tracking service. Web beacons provide an ability to produce specific profiles of user behavior in combination with web server logs. Common usage scenarios for web beacons include online ad impression counting, file download monitoring, and ad campaign performance management. Web beacons also can report to the sender about which e-mails are read by recipients. Privacy considerations for web beacons are similar to those for cookies. Some sort of notice is important because the clear pixel of a web beacon is quite literally invisible to the end user. pg. 40 professoraxe l OWASP Top 10 - Correct Answer-1. Broken Access Control moves up from the fifth 2. Cryptographic Failures 3. Injection. 4. Insecure Design 5. Security Misconfiguration 6. Vulnerable and Outdated Components 7. Identification and Authentication Failures 8. Software and Data Integrity Failures 9. Security Logging and Monitoring Failures 10. Server-Side Request Forgery Cross-border data transfers in compliance with the law - Correct Answer--the recipient is subject to a law, binding corporate rules, or binding agreement that provides an adequate level of protection; -the data subject consents to their personal data being transferred to a third party in a foreign country; -the transfer is necessary for the performance of a contract between the data subject and the controller; pg. 41 professoraxe l -the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; -the transfer is for the benefit of the data subject, subject to certain restrictions. Distortion - Correct Answer-Spreading false and inaccurate information about an individual. Differential identifiability - Correct Answer-Setting parameters that limits the confidence that any particular individual has contributed to an aggregated value. Two types of privacy by design strategies: - Correct Answer- Data-oriented and process-oriented Data-oriented strategies - Correct Answer-- Separate - Minimize - Abstract - Hide Process-oriented strategies - Correct Answer-- Enforce pg. 42 professoraxe l -Group: Aggregate data over groups of individuals instead of processing data of each person separetely (those who bought hammers also bought nails) -Summarize: Summarize detailed information into more abstract attributes(age range 20-28) -Perturb: Add noise or approximate the real value of a data item ie -> pothole app, delay in sending information/reports Process-oriented strategy: Enforce - Correct Answer-Commit to processing personal data in a privacy friendly way and enforce this -Create: Decide on a privacy policy that describes how you wish to protect personal data -Maintain: Maintain the privacy policy created -Uphold: Ensure that policies are adhered to by treating personal data as an asset and privacy as a goal to incentivize as a critical feature Process-oriented strategy: Demonstrate - Correct Answer- Show you are processing personal data in a privacy-friendly way -Log: Track all processing of data and reviewing this information gathered for any risks pg. 45 professoraxe l -Audit: Audit processing of personal data regularly -Report: Analyze collected information on tests, audits, and logs periodically, and report to the people responsible Process-oriented strategy: Inform - Correct Answer-Inform data subjects about the processing of their personal data -Supply: Inform users when personal data is processed, including policies, processes, and potential risks -Notify: Alert data subjects whenever their personal data is being used or breached -Explain: Provide information in a concise and understandable form, and explain why processing is necessary Process-oriented strategy: Control - Correct Answer-Provide data subjects control over the processing of their personal data Privacy-enhancing technology (PET) - Correct Answer--Mix networks -Secure multiparty computation -Differential privacy -Anonymous digital credentials pg. 46 professoraxe l -Private information retrieval -Homorphic encryption Even when a user has indicated a decision, _____ is an attempt to get them to reconsider to an alternative that may be less privacy friendly - Correct Answer-Nudging Objective harm - Correct Answer-External to individual: lost opportunity, lost liberty/life, Social detriment Subjective harm - Correct Answer-Internal to individual: Psychological, behavioral Subjective Psychological loss - Correct Answer-Loss of trust, embarrassment, anxiety, suicide Subjective Behavioral - Correct Answer-Changed behavior, reclusion Objective Lost opportunity - Correct Answer-Employment, insurance, housing, education pg. 47 professoraxe l Unit testing - Correct Answer-Individual functions and system components. This determines whether a unit, with a predefined input, will yield an expected output Integration testing - Correct Answer-How components interact between other groups of components. Ensures the function of one unit interacts correctly with other components System testing - Correct Answer-Completed portions of the whole system. This ensures that an individual's information was not exposed throughout the network traffic, files, or any part of the system Technology Architecture Front end - Correct Answer- Notification, Consent, Tutorials Technology architecture Back end - Correct Answer-Collection, Use, Disclosure, retention Internet monitoring types: - Correct Answer-Authoritative, Behavioral, Wi-fi eavesdropping pg. 50 professoraxe l Internet Monitoring - Authoritative - Correct Answer-Some countries, employers, and schools monitor network traffic to enforce policies for security and appropriate behavior. Certain keywords or addresses could be monitored for and added to a blacklist or access control list to block access to websites that may be considered inappropriate Internet Monitoring - Behavioral - Correct Answer-Companies may monitor browsing history and behavior for targeted advertising. History relates to the types of sites users are visiting or purchases they are making, while behavior relates to how long a user stays on a page or hovers over links before clicking Internet Monitoring - Wi-fi Eavedropping - Correct Answer- Unsecured communication that is sent over or shared wireless networks can be easily intercepted via packet sniffing and analysis tool At setup interfaces - Correct Answer-Often shown on initial use. However, only info and choices that are truly essential before use should be communicated at setup because users' attention is typically focused on the primary UX at this point pg. 51 professoraxe l Context-dependent interfaces - Correct Answer-Triggered by certain aspects of the user's context. Example: Proximity to IoT device Periodic reminders - Correct Answer-Useful to remind users about data practices that they agreed to previously and renew consent Persistent privacy indicators - Correct Answer-Shown whenever a data practice is active. Ex: A visible light when camera is on Availability heuristic - Correct Answer-Due to uncertainty about privacy risks, people may look for other available cues to judge probability of risk and guide their behavior. Ex: Rather than read the privacy policy, people rely on readily available clues, such as store's visual design, presence of a privacy policy, vendor's reputation, or even just company name Representative heiristic - Correct Answer-People may perceive privacy intrusions as low-probability events bc they rarely encounter privacy intrusions online. However, privacy intrusions, such as behavioral tracking and targeting, may pg. 52 professoraxe l