IAPP IAPP Certifications CIPT Questions & Answers

• Question 131:

  How should the sharing of information within an organization be documented?

  A. With a binding contract.

  B. With a data flow diagram.

  C. With a disclosure statement.

  D. With a memorandum of agreement.

  Correct Answer: B

  A data flow diagram (DFD) is an effective tool for documenting how information is shared within an organization. It visually represents the flow of data between processes, data stores, and entities, making it easier to understand and manage the internal sharing of information.

• Question 132:

  SCENARIO

  Please use the following to answer the next questions:

  Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub. This is accessible through the 'Settings' icon from any app page, then clicking 'My Preferences', and selecting 'Information Sharing and Consent' where the following choices are displayed:

  1.

  "I consent to receive notifications and infection alerts";

  2.

  "I consent to receive information on additional features or services, and new products";

  3.

  "I consent to sharing only my risk result and location information, for exposure and contact tracing purposes";

  4.

  "I consent to share my data for medical research purposes"; and

  5.

  "I consent to share my data with healthcare providers affiliated to the company".

  For each choice, an ON* or OFF tab is available The default setting is ON for all

  Users purchase a virus screening service for USS29 99 for themselves or others using the app The virus screening service works as follows:

  1.

  Step 1 A photo of the user's face is taken.

  2.

  Step 2 The user measures their temperature and adds the reading in the app

  3.

  Step 3 The user is asked to read sentences so that a voice analysis can detect symptoms

  4.

  Step 4 The user is asked to answer questions on known symptoms

  5.

  Step 5 The user can input information on family members (name date of birth, citizenship, home address, phone number, email and relationship).)

  The results are displayed as one of the following risk status "Low. "Medium" or "High" if the user is deemed at "Medium " or "High" risk an alert may be sent to other users and the user is Invited to seek a medical consultation and diagnostic from a healthcare provider.

  A user's risk status also feeds a world map for contact tracing purposes, where users are able to check if they have been or are in dose proximity of an infected person If a user has come in contact with another individual classified as "medium' or 'high' risk an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual Location is collected using the phone's GPS functionary, whether the app is in use or not however, the exact location of the user is "blurred' for privacy reasons Users can only see on the map circles

  Which of the following pieces of information collected is the LEAST likely to be justified tor the purposes of the app?

  A. Relationship of family member

  B. Phone number

  C. Dale of birth

  D. Citizenship

  Correct Answer: D

  Of the pieces of information collected by the app described in the scenario provided in the exhibit you shared, citizenship (option D) is LEAST likely to be justified for the purposes of the app. Citizenship may not be necessary for providing health recommendations or contact tracing services. Collecting this type of personal information could raise privacy concerns if it is not necessary for fulfilling the primary purpose of the app.

• Question 133:

  When writing security policies, the most important consideration is to?

  A. Require all employees to read and acknowledge their understanding.

  B. Ensure they are based on the organization's risk profile.

  C. Ensure they cover enough details for common situations.

  D. Follow industry best practices.

  Correct Answer: B

  the most important consideration when writing security policies is to ensure they are based on the organization's risk profile. This means that the policies should be tailored to address the specific risks faced by the organization.

• Question 134:

  SCENARIO

  Please use the following to answer next question:

  EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camera. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.

  The app collects the following information:

  1.

  First and last name

  2.

  Date of birth (DOB)

  3.

  Mailing address

  4.

  Email address

  5.

  Car VIN number

  6.

  Car model

  7.

  License plate

  8.

  Insurance card number

  9.

  Photo 10.Vehicle diagnostics 11.Geolocation

  The app is designed to collect and transmit geolocation data. How can data collection best be limited to the necessary minimum?

  A. Allow user to opt-out geolocation data collection at any time.

  B. Allow access and sharing of geolocation data only after an accident occurs.

  C. Present a clear and explicit explanation about need for the geolocation data.

  D. Obtain consent and capture geolocation data at all times after consent is received.

  Correct Answer: B

• Question 135:

  When analyzing user data, how is differential privacy applied?

  A. By injecting noise into aggregated datasets.

  B. By assessing differences between datasets.

  C. By applying asymmetric encryption to datasets.

  D. By removing personal identifiers from datasets.

  Correct Answer: A

• Question 136:

  What risk is mitigated when routing video traffic through a company's application servers, rather than sending the video traffic directly from one user to another?

  A. The user is protected against phishing attacks.

  B. The user's identity is protected from the other user.

  C. The user's approximate physical location is hidden from the other user.

  D. The user is assured that stronger authentication methods have been used.

  Correct Answer: B

• Question 137:

  Which is NOT a drawback to using a biometric recognition system?

  A. It can require more maintenance and support.

  B. It can be more expensive than other systems

  C. It has limited compatibility across systems.

  D. It is difficult for people to use.

  Correct Answer: D

• Question 138:

  SCENARIO

  Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed. The table below indicates some of the personal information Clean-Q requires as part of its business operations:

  

  Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore,

  the Clean-Q permanent employee base is not included as part of this scenario.

  With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some

  overlapping bookings.

  Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q's solution providers,

  presenting their proposed solutions and platforms.

  The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes

  of resource and customer management. This would entail uploading resource and customer information.

  A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.

  A resource facing web interface that enables resources to apply and manage their assigned jobs.

  An online payment facility for customers to pay for services.

  What is a key consideration for assessing external service providers like LeadOps, which will conduct personal information processing operations on Clean-Q's behalf?

  A. Understanding LeadOps' costing model.

  B. Establishing a relationship with the Managing Director of LeadOps.

  C. Recognizing the value of LeadOps' website holding a verified security certificate.

  D. Obtaining knowledge of LeadOps' information handling practices and information security environment.

  Correct Answer: D

  When engaging an external service provider to process personal information on its behalf, it is important for Clean-Q to have a good understanding of the service provider's information handling practices and information security environment. This will help Clean-Q assess whether or not the service provider has appropriate measures in place to protect the personal information it entrusts to them.

• Question 139:

  An organization has recently experienced a data breach where large amounts of personal data were compromised. As part of a post-incident review, the privacy technologist wants to analyze available data to understand what vulnerabilities may have contributed to the incident occurring. He learns that a key vulnerability had been flagged by the system but that detective controls were not operating effectively. Which type of web application security risk does this finding most likely point to?

  A. Insecure Design.

  B. Misconfiguration.

  C. Vulnerable and Outdated Components.

  D. Logging and Monitoring Failures.

  Correct Answer: D

  if an organization has recently experienced a data breach where large amounts of personal data were compromised and a post-incident review reveals that a key vulnerability had been flagged by the system but that detective controls were not operating effectively, this finding most likely points to logging and monitoring failures as a type of web application security risk. Effective logging and monitoring can help detect and respond to security incidents in a timely manner.

• Question 140:

  An organization is launching a smart watch which, in addition to alerts, will notify the the wearer of incoming calls allowing them to answer on the device. This convenience also comes with privacy concerns and is an example of?

  A. Value-Sensitive Design.

  B. Ubiquitous computing.

  C. Anthropomorphism.

  D. Coupling

  Correct Answer: B

  An organization launching a smart watch which notifies wearers of incoming calls allowing them to answer on the device would be an example of ubiquitous computing rather than coupling. Ubiquitous computing refers to technology that is seamlessly integrated into everyday life and allows for constant connectivity and interaction.