IAPP cipt practice test

Certified Information Privacy Technologist Exam

Last exam update: Dec 23 ,2024
Page 1 out of 10. Viewing questions 1-15 out of 146

Question 1

What privacy risk is NOT mitigated by the use of encrypted computation to target and serve online
ads?

  • A. The ad being served to the user may not be relevant.
  • B. The user’s sensitive personal information is used to display targeted ads.
  • C. The personal information used to target ads can be discerned by the server.
  • D. The user’s information can be leaked to an advertiser through weak de-identification techniques.
Answer:

D

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 2

When analyzing user data, how is differential privacy applied?

  • A. By injecting noise into aggregated datasets.
  • B. By assessing differences between datasets.
  • C. By applying asymmetric encryption to datasets.
  • D. By removing personal identifiers from datasets.
Answer:

A

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

Between November 30th and December 2nd, 2013, cybercriminals successfully infected the credit
card payment systems and bypassed security controls of a United States-based retailer with malware
that exfiltrated 40 million credit card numbers. Six months prior, the retailer had malware detection
software installed to prevent against such an attack.
Which of the following would best explain why the retailers consumer data was still exfiltrated?

  • A. The detection software alerted the retailers security operations center per protocol, but the information security personnel failed to act upon the alerts.
  • B. The U.S Department of Justice informed the retailer of the security breach on Dec. 12th, but the retailer took three days to confirm the breach and eradicate the malware.
  • C. The IT systems and security measures utilized by the retailers third-party vendors were in compliance with industry standards, but their credentials were stolen by black hat hackers who then entered the retailers system.
  • D. The retailers network that transferred personal data and customer payments was separate from the rest of the corporate network, but the malware code was disguised with the name of software that is supposed to protect this information.
Answer:

B

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

Which of the following is the least effective privacy preserving practice in the Systems Development
Life Cycle (SDLC)?

  • A. Conducting privacy threat modeling for the use-case.
  • B. Following secure and privacy coding standards in the development.
  • C. Developing data flow modeling to identify sources and destinations of sensitive data.
  • D. Reviewing the code against Open Web Application Security Project (OWASP) Top 10 Security Risks.
Answer:

C

User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

Which of the following functionalities can meet some of the General Data Protection Regulation’s
(GDPR’s) Data Portability requirements for a social networking app designed for users in the EU?

  • A. Allow users to modify the data they provided the app.
  • B. Allow users to delete the content they provided the app.
  • C. Allow users to download the content they have provided the app.
  • D. Allow users to get a time-stamped list of what they have provided the app.
Answer:

C

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

A company configures their information system to have the following capabilities:
Allow for selective disclosure of attributes to certain parties, but not to others.
Permit the sharing of attribute references instead of attribute values - such as I am over 21 instead
of birthday date.
Allow for information to be altered or deleted as needed.
These capabilities help to achieve which privacy engineering objective?

  • A. Predictability.
  • B. Manageability.
  • C. Disassociability.
  • D. Integrity.
Answer:

C

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

When should code audits be concluded?

  • A. At code check-in time.
  • B. At engineering design time.
  • C. While code is being sent to production.
  • D. Before launch after all code for a feature is complete.
Answer:

D

User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

Not updating software for a system that processes human resources data with the latest security
patches may create what?

  • A. Authentication issues.
  • B. Privacy vulnerabilities.
  • C. Privacy threat vectors.
  • D. Reportable privacy violations.
Answer:

B

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

SCENARIO
Please use the following to answer the next question:
Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile
application that collects personal health information from electronic patient health records. The
application will use machine learning to recommend potential medical treatments and medications
based on information collected from anonymized electronic health records. Patient users may also
share health data collected from other mobile apps with the LBH app.
The application requires consent from the patient before importing electronic health records into the
application and sharing it with their authorized physicians or healthcare provider. The patient can
then review and share the recommended treatments with their physicians securely through the app.
The patient user may also share location data and upload photos in the app. The patient user may
also share location data and upload photos in the app for a healthcare provider to review along with
the health record. The patient may also delegate access to the app.
LBHs privacy team meets with the Application development and Security teams, as well as key
business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the
application development process.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during
development of the application. The team must assess whether the application is collecting
descriptive, demographic or any other user related data from the electronic health records that are
not needed for the purposes of the application. The team is also reviewing whether the application
may collect additional personal data for purposes for which the user did not provide consent.
What is the best way to minimize the risk of an exposure violation through the use of the app?

  • A. Prevent the downloading of photos stored in the app.
  • B. Dissociate the patient health data from the personal data.
  • C. Exclude the collection of personal information from the health record.
  • D. Create a policy to prevent combining data with external data sources.
Answer:

D

User Votes:
A 1 votes
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

SCENARIO
Please use the following to answer the next question:
Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile
application that collects personal health information from electronic patient health records. The
application will use machine learning to recommend potential medical treatments and medications
based on information collected from anonymized electronic health records. Patient users may also
share health data collected from other mobile apps with the LBH app.
The application requires consent from the patient before importing electronic health records into the
application and sharing it with their authorized physicians or healthcare provider. The patient can
then review and share the recommended treatments with their physicians securely through the app.
The patient user may also share location data and upload photos in the app. The patient user may
also share location data and upload photos in the app for a healthcare provider to review along with
the health record. The patient may also delegate access to the app.
LBHs privacy team meets with the Application development and Security teams, as well as key
business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the
application development process.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during
development of the application. The team must assess whether the application is collecting
descriptive, demographic or any other user related data from the electronic health records that are
not needed for the purposes of the application. The team is also reviewing whether the application
may collect additional personal data for purposes for which the user did not provide consent.
Regarding the app, which action is an example of a decisional interference violation?

  • A. The app asks income level to determine the treatment of care.
  • B. The app sells aggregated data to an advertising company without prior consent.
  • C. The app has a pop-up ad requesting sign-up for a pharmaceutical company newsletter.
  • D. The app asks questions during account set-up to disclose family medical history that is not necessary for the treatment of the individuals symptoms.
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

SCENARIO
Please use the following to answer the next question:
Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile
application that collects personal health information from electronic patient health records. The
application will use machine learning to recommend potential medical treatments and medications
based on information collected from anonymized electronic health records. Patient users may also
share health data collected from other mobile apps with the LBH app.
The application requires consent from the patient before importing electronic health records into the
application and sharing it with their authorized physicians or healthcare provider. The patient can
then review and share the recommended treatments with their physicians securely through the app.
The patient user may also share location data and upload photos in the app. The patient user may
also share location data and upload photos in the app for a healthcare provider to review along with
the health record. The patient may also delegate access to the app.
LBHs privacy team meets with the Application development and Security teams, as well as key
business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the
application development process.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during
development of the application. The team must assess whether the application is collecting
descriptive, demographic or any other user related data from the electronic health records that are
not needed for the purposes of the application. The team is also reviewing whether the application
may collect additional personal data for purposes for which the user did not provide consent.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) for the new Light Blue Health
application currently in development. Which of the following best describes a risk that is likely to
result in a privacy breach?

  • A. Limiting access to the app to authorized personnel.
  • B. Including non-transparent policies, terms and conditions in the app.
  • C. Insufficiently deleting personal data after an account reaches its retention period.
  • D. Not encrypting the health record when it is transferred to the Light Blue Health servers.
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

SCENARIO
Please use the following to answer the next question:
Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile
application that collects personal health information from electronic patient health records. The
application will use machine learning to recommend potential medical treatments and medications
based on information collected from anonymized electronic health records. Patient users may also
share health data collected from other mobile apps with the LBH app.
The application requires consent from the patient before importing electronic health records into the
application and sharing it with their authorized physicians or healthcare provider. The patient can
then review and share the recommended treatments with their physicians securely through the app.
The patient user may also share location data and upload photos in the app. The patient user may
also share location data and upload photos in the app for a healthcare provider to review along with
the health record. The patient may also delegate access to the app.
LBHs privacy team meets with the Application development and Security teams, as well as key
business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the
application development process.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during
development of the application. The team must assess whether the application is collecting
descriptive, demographic or any other user related data from the electronic health records that are
not needed for the purposes of the application. The team is also reviewing whether the application
may collect additional personal data for purposes for which the user did not provide consent.
What is the best way to ensure that the application only collects personal data that is needed to fulfill
its primary purpose of providing potential medical and healthcare recommendations?

  • A. Obtain consent before using personal health information for data analytics purposes.
  • B. Provide the user with an option to select which personal data the application may collect.
  • C. Disclose what personal data the application the collecting in the company Privacy Policy posted online.
  • D. Document each personal category collected by the app and ensure it maps to an app function or feature.
Answer:

C

User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

Which of the following would be the best method of ensuring that Information Technology projects
follow Privacy by Design (PbD) principles?

  • A. Develop a technical privacy framework that integrates with the development lifecycle.
  • B. Utilize Privacy Enhancing Technologies (PETs) as a part of product risk assessment and management.
  • C. Identify the privacy requirements as a part of the Privacy Impact Assessment (PIA) process during development and evaluation stages.
  • D. Develop training programs that aid the developers in understanding how to turn privacy requirements into actionable code and design level specifications.
Answer:

D

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

What Privacy by Design (PbD) element should include a de-identification or deletion plan?

  • A. Categorization.
  • B. Remediation.
  • C. Retention.
  • D. Security
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

A privacy engineer reviews a newly developed on-line registration page on a companys website. The
purpose of the page is to enable corporate customers to submit a returns / refund request for
physical goods. The page displays the following data capture fields: company name, account
reference, company address, contact name, email address, contact phone number, product name,
quantity, issue description and company bank account details.
After her review, the privacy engineer recommends setting certain capture fields as non-
mandatory. Setting which of the following fields as non-mandatory would be the best example of
the principle of data minimization?

  • A. The contact phone number field.
  • B. The company address and name.
  • C. The contact name and email address.
  • D. The company bank account detail field.
Answer:

B

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2