CIPT Online Practice Questions and Answers

Which concept related to privacy choice is demonstrated by highlighting and bolding the "accept" button on a cookies notice while maintaining standard text format for other options?

A. Illuminating

B. Nudging

C. Suppression

D. Tagging

Which of the following best describes the basic concept of "Privacy by Design?"

A. The adoption of privacy enhancing technologies.

B. The integration of a privacy program with all lines of business.

C. The implementation of privacy protection through system architecture.

D. The introduction of business process to identify and assess privacy gaps.

SCENARIO

Tom looked forward to starting his new position with a U.S --based automobile leasing company (New Company), now operating in 32 states. New Company was recently formed through the merger of two prominent players, one from the eastern region (East Company) and one from the western region (West Company). Tom, a Certified Information Privacy Technologist (CIPT), is New Company's first Information Privacy and Security Officer. He met today with Dick from East Company, and Harry, from West Company. Dick and Harry are veteran senior information privacy and security professionals at their respective companies, and continue to lead the east and west divisions of New Company. The purpose of the meeting was to conduct a SWOT (strengths/weaknesses/opportunities/threats) analysis for New Company. Their SWOT analysis conclusions are summarized below. Dick was enthusiastic about an opportunity for the New Company to reduce costs and increase computing power and flexibility through cloud services. East Company had been contemplating moving to the cloud, but West Company already had a vendor that was providing it with software-as-a-service (SaaS). Dick was looking forward to extending this service to the eastern region. Harry noted that this was a threat as well, because West Company had to rely on the third party to protect its data.

Tom mentioned that neither of the legacy companies had sufficient data storage space to meet the projected growth of New Company, which he saw as a weakness. Tom stated that one of the team's first projects would be to construct a consolidated New Company data warehouse. Tom would personally lead this project and would be held accountable if information was modified during transmission to or during storage in the new data warehouse.

Tom, Dick and Harry agreed that employee network access could be considered both a strength and a weakness. East Company and West Company had strong performance records in this regard; both had robust network access controls that were working as designed. However, during a projected year-long transition period, New Company employees would need to be able to connect to a New Company network while retaining access to the East Company and West Company networks.

Which statement is correct about addressing New Company stakeholders' expectations for privacy?

A. New Company should expect consumers to read the company's privacy policy.

B. New Company should manage stakeholder expectations for privacy even when the stakeholders` data is not held by New Company.

C. New Company would best meet consumer expectations for privacy by adhering to legal requirements.

D. New Company's commitment to stakeholders ends when the stakeholders' data leaves New Company.

A developer is designing a new system that allows an organization's helpdesk to remotely connect into the device of the individual to provide support Which of the following will be a privacy technologist's primary concern"?

A. Geofencing

B. Geo-tracking

C. Geo-tagging

D. Geolocation

Ivan is a nurse for a home healthcare service provider in the US. The company has implemented a mobile application which Ivan uses to record a patient's vital statistics and access a patient's health care records during home visits. During one visitj^van is unable to access the health care application to record the patient's vitals. He instead records the information on his mobile phone's note-taking application to enter the data in the health care application the next time it is accessible. What would be the best course of action by the IT department to ensure the data is protected on his device?

A. Provide all healthcare employees with mandatory annual security awareness training with a focus on the health information protection.

B. Complete a SWOT analysis exercise on the mobile application to identify what caused the application to be inaccessible and remediate any issues.

C. Adopt mobile platform standards to ensure that only mobile devices that support encryption capabilities are used.

D. Implement Mobile Device Management (MDM) to enforce company security policies and configuration settings.

Which privacy engineering objective proposed by the US National Institute of Science and Technology (NIST) decreases privacy risk by ensuring that connections between individuals and their personal data are reduced?

A. Disassoc lability

B. Manageability

C. Minimization

D. Predictability

When designing a new system, which of the following is a privacy threat that the privacy technologist should consider?

A. Encryption.

B. Social distancing.

C. Social engineering.

D. Identity and Access Management.

Which of the following is the best control to apply to personally identifiable data when the retention period ends?

A. De-identification.

B. Anonymization.

C. Archiving.

D. Deletion.

When designing a new system, which of the following is a privacy threat that the privacy technologist should consider?

A. Caching.

B. Dark patterns.

C. Social engineering.

D. Identity and Access Management.

One difference between privacy threat modeling and information security threat modeling is?

A. Privacy threat modeling looks at threats to the individual while security threat modeling looks at threats to the organization.

B. Security threat modeling is required by regulations such as the HIPAA Privacy Rule, but privacy threat modeling is not.

C. Privacy threat modeling does not consider technical defects such as software vulnerabilities.

D. Privacy threat modeling must consider insider threats, but security threat modeling does not.