IAPP CIPT Exam Questions Instant Access - No Installation Required

Question 1

SCENARIO

Please use the following to answer the next question:

Chuck, a compliance auditor for a consulting firm focusing on healthcare clients, was required to travel to the client's office to perform an onsite review of the client's operations. He rented a car from Finley Motors upon arrival at the airport as so he could commute to and from the client's office. The car rental agreement was electronically signed by Chuck and included his name, address, driver's license, make/model of the car, billing rate, and additional details describing the rental transaction. On the second night, Chuck was caught by a red light camera not stopping at an intersection on his way to dinner. Chuck returned the car back to the car rental agency at the end week without mentioning the infraction and Finley Motors emailed a copy of the final receipt to the address on file.

Local law enforcement later reviewed the red light camera footage. As Finley Motors is the registered owner of the car, a notice was sent to them indicating the infraction and fine incurred. This notice included the license plate number, occurrence date and time, a photograph of the driver, and a web portal link to a video clip of the violation for further review. Finley Motors, however, was not responsible for the violation as they were not driving the car at the time and transferred the incident to AMP Payment Resources for further review. AMP Payment Resources identified Chuck as the driver based on the rental agreement he signed when picking up the car and then contacted Chuck directly through a written letter regarding the infraction to collect the fine.

After reviewing the incident through the AMP Payment Resources' web portal, Chuck paid the fine using his personal credit card. Two weeks later, Finley Motors sent Chuck an email promotion offering 10% off a future rental.

What should Finley Motors have done to incorporate the transparency principle of Privacy by Design (PbD)?

ASigned a data sharing agreement with AMP Payment Resources.

BDocumented that Finley Motors has a legitimate interest to share Chuck's information.

CObtained verbal consent from Chuck and recorded it within internal systems.

DProvided notice of data sharing practices within the electronically signed rental agreement.

Answer : D

Privacy by Design (PbD) principles emphasize transparency, meaning that organizations should inform individuals about their data processing practices. In this scenario, Finley Motors should have provided notice within the rental agreement about their data sharing practices with third parties like AMP Payment Resources. This transparency would ensure that Chuck was aware that his personal information could be shared for purposes such as managing infractions. According to the IAPP, incorporating such notices in agreements is a best practice for maintaining transparency and upholding data protection principles.

IAPP Certification Textbooks, especially the sections on Privacy by Design and transparency principles.

'Privacy by Design: The 7 Foundational Principles,' Information and Privacy Commissioner of Ontario, Canada.

Question 2

SCENARIO

WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker.

The CEO of WebTracker, Mr. Bond, would like to assess the effectiveness of AmaZure's privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating any internal data processing activity, such as HR or Payroll.

This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome --- a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.

To get an idea of the scope of work involved, you have decided to start reviewing the company's documentation and interviewing key staff to understand potential privacy risks.

The results of this initial work include the following notes:

There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome.

You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure.

There are data flows representing personal data being collected from the internal employees of WebTracker, including an interface from the HR system.

Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.

All the WebTracker and SmartHome customers are based in USA and Canada.

Based on the initial assessment and review of the available data flows, which of the following would be the most important privacy risk you should investigate first?

AVerify that WebTracker's HR and Payroll systems implement the current privacy notice (after the typos are fixed).

BReview the list of subcontractors employed by AmaZure and ensure these are included in the formal agreement with WebTracker.

CEvaluate and review the basis for processing employees' personal data in the context of the prototype created by WebTracker and approved by the CEO.

DConfirm whether the data transfer from London to the USA has been fully approved by AmaZure and the appropriate institutions in the USA and the European Union.

Answer : C

The most significant privacy risk identified in the scenario relates to the processing of employees' personal data, specifically DNA information, as part of a prototype approved by the CEO. This activity requires a careful assessment of the legal basis for processing such sensitive data, compliance with data protection principles, and ensuring adequate safeguards are in place. Given the sensitivity of DNA data and the potential impact on employees' privacy, this should be the first priority in the audit. Reference: IAPP Certification Textbooks, Section on Data Protection Impact Assessments (DPIAs) and Sensitive Data Processing.

Question 3

Which of the following is one of the fundamental principles of information security?

AAccountability.

BAccessibility.

CConfidentiality.

DConnectivity.

Answer : C

The fundamental principles of information security are often summarized by the CIA triad, which stands for Confidentiality, Integrity, and Availability. Confidentiality ensures that information is not disclosed to unauthorized individuals, entities, or processes. It is crucial in protecting personal and sensitive data from unauthorized access and breaches. This principle is widely recognized and referenced in various information security standards and frameworks, such as ISO/IEC 27001 and NIST SP 800-53.

ISO/IEC 27001:2013, Information technology --- Security techniques --- Information security management systems --- Requirements.

NIST Special Publication 800-53 (Rev. 5), Security and Privacy Controls for Information Systems and Organizations.

Question 4

Which of the following modes of interaction often target both people who personally know and are strangers to the attacker?

ASpam.

BPhishing.

CUnsolicited sexual imagery.

DConsensually-shared sexual imagery.

Answer : B

Phishing is a mode of interaction that can target both individuals who are known to the attacker and those who are strangers. Phishing attacks involve sending fraudulent messages (often via email) designed to trick recipients into revealing sensitive information or installing malware. This broad targeting method aims to reach as many people as possible, regardless of whether they have any prior relationship with the attacker. The IAPP documents highlight that phishing campaigns are often indiscriminate and wide-ranging, impacting both familiar and unfamiliar recipients.

Question 5

How can a hacker gain control of a smartphone to perform remote audio and video surveillance?

ABy performing cross-site scripting.

BBy installing a roving bug on the phone.

CBy manipulating geographic information systems.

DBy accessing a phone's global positioning system satellite signal.

Answer : B

Hackers can exploit various vulnerabilities to gain unauthorized access to smartphones and perform remote surveillance. Here's how a roving bug can be used:

Roving Bug Installation: A roving bug is a type of software that can be covertly installed on a smartphone to enable remote audio and video surveillance. This malicious software can activate the phone's microphone and camera without the user's knowledge.

Unauthorized Access: The installation of such software can occur through various means, including phishing attacks, malicious apps, or exploiting vulnerabilities in the phone's operating system.

Surveillance Capabilities: Once installed, the hacker can remotely control the phone to eavesdrop on conversations, capture video footage, and monitor the user's activities.

Privacy Breach: This type of intrusion represents a significant privacy breach, as it allows continuous monitoring and recording of the user's private moments and conversations.

Question 6

Which is NOT a drawback to using a biometric recognition system?

AIt can require more maintenance and support.

BIt can be more expensive than other systems

CIt has limited compatibility across systems.

DIt is difficult for people to use.

Answer : D

Biometric recognition systems can face several challenges, but user difficulty is not generally considered a significant drawback. The main drawbacks typically include higher costs, increased maintenance and support requirements, and limited compatibility across different systems. Biometrics can sometimes also raise privacy concerns and require substantial infrastructure to support effectively. However, ease of use is often seen as a benefit of biometric systems since they can be more intuitive than traditional passwords or PINs.

Question 7

Value sensitive design focuses on which of the following?

AQuality and benefit.

BEthics and morality.

CConfidentiality and integrity.

DConsent and human rights.

Answer : B

Option A: Quality and benefit are important in design but do not specifically capture the essence of value sensitive design, which is more about ethical considerations.

Option B: Value sensitive design integrates considerations of ethics and morality into the technology design process, ensuring that the resulting systems align with human values.

Option C: Confidentiality and integrity are key aspects of information security but are not the primary focus of value sensitive design.

Option D: Consent and human rights are related to privacy and data protection but are narrower than the broader focus of ethics and morality in value sensitive design.

IAPP CIPT Study Guide

Literature on Value Sensitive Design (VSD) principles and methodologies

IAPP Certified Information Privacy Technologist CIPT Exam Questions