IAPP CIPT Exam Practice Test Instant Access

Question 1

Which of the following would best improve an organization' s system of limiting data use?

AImplementing digital rights management technology.

BConfirming implied consent for any secondary use of data.

CApplying audit trails to resources to monitor company personnel.

DInstituting a system of user authentication for company personnel.

Answer : A

Implementing digital rights management (DRM) technology would best improve an organization's system of limiting data use. DRM technology helps control how data is used, shared, and accessed within and outside the organization by enforcing policies and permissions. This ensures that data is only used in ways that comply with organizational policies and legal requirements, thereby limiting unauthorized or inappropriate use of data.

IAPP CIPT Study Guide: The role of DRM in controlling data use.

GDPR, Article 25: Data protection by design and by default, which includes using technologies like DRM to enforce data usage policies.

Question 2

Which activity would best support the principle of data quality?

AProviding notice to the data subject regarding any change in the purpose for collecting such data.

BEnsuring that the number of teams processing personal information is limited.

CDelivering information in a format that the data subject understands.

DEnsuring that information remains accurate.

Answer : D

Ensuring that information remains accurate is the activity that best supports the principle of data quality. Data quality principles emphasize the importance of keeping personal information correct, complete, and up-to-date to prevent harm and ensure reliability. Maintaining accuracy involves regular updates, validation, and correction processes to avoid using outdated or incorrect data (IAPP, Certified Information Privacy Technologist (CIPT) materials).

Question 3

A clinical research organization is processing highly sensitive personal data, including numerical attributes, from medical trial results. The organization needs to manipulate the data without revealing the contents to data users. This can be achieved by utilizing?

Ak-anonymity.

BMicrodata sets.

CPolymorphic encryption.

DHomomorphic encryption.

Answer : D

Homomorphic encryption allows computation on encrypted data without needing to decrypt it, thereby preserving privacy. This means that sensitive data, such as numerical attributes from medical trial results, can be processed and analyzed while remaining encrypted. The results of the computations are still in an encrypted form and can be decrypted only by authorized parties. This method is particularly valuable in scenarios requiring privacy-preserving computations.

NISTIR 8105, Report on Post-Quantum Cryptography.

Craig Gentry's Ph.D. thesis on fully homomorphic encryption, Stanford University.

Question 4

What is true of providers of wireless technology?

AThey have the legal right in most countries to control and use any data on their systems.

BThey can see all unencrypted data that crosses the system.

CThey are typically exempt from data security regulations.

DThey routinely backup data that crosses their system.

Answer : B

Providers of wireless technology have specific capabilities and responsibilities regarding the data that crosses their systems. Here's why option B is true:

Data Visibility: Wireless providers can see all unencrypted data that passes through their networks. This capability allows them to manage and monitor traffic effectively but also raises privacy concerns.

Encryption Importance: The visibility of unencrypted data underscores the importance of using encryption to protect sensitive information from unauthorized access.

Regulatory Compliance: Wireless providers are subject to data security regulations and must implement measures to protect data privacy and security, contrary to option C.

Data Control: Providers do not have the legal right to control and use any data on their systems without consent, as suggested in option A. Data control and usage are regulated by privacy laws and user agreements.

Backup Practices: While some providers may backup data, it is not a routine practice for all data that crosses their system, as implied in option D.

Question 5

SCENARIO

It should be the most secure location housing data in all of Europe, if not the world. The Global Finance Data Collective (GFDC) stores financial information and other types of client data from large banks, insurance companies, multinational corporations and governmental agencies. After a long climb on a mountain road that leads only to the facility, you arrive at the security booth. Your credentials are checked and checked again by the guard to visually verify that you are the person pictured on your passport and national identification card. You are led down a long corridor with server rooms on each side, secured by combination locks built into the doors. You climb a flight of stairs and are led into an office that is lighted brilliantly by skylights where the GFDC Director of Security, Dr. Monique Batch, greets you. On the far wall you notice a bank of video screens showing different rooms in the facility. At the far end, several screens show different sections of the road up the mountain

Dr. Batch explains once again your mission. As a data security auditor and consultant, it is a dream assignment: The GFDC does not want simply adequate controls, but the best and most effective security that current technologies allow.

''We were hacked twice last year,'' Dr. Batch says, ''and although only a small number of records were stolen, the bad press impacted our business. Our clients count on us to provide security that is nothing short of impenetrable and to do so quietly. We hope to never make the news again.'' She notes that it is also essential that the facility is in compliance with all relevant security regulations and standards.

You have been asked to verify compliance as well as to evaluate all current security controls and security measures, including data encryption methods, authentication controls and the safest methods for transferring data into and out of the facility. As you prepare to begin your analysis, you find yourself considering an intriguing question: Can these people be sure that I am who I say I am?

You are shown to the office made available to you and are provided with system login information, including the name of the wireless network and a wireless key. Still pondering, you attempt to pull up the facility's wireless network, but no networks appear in the wireless list. When you search for the wireless network by name, however it is readily found.

What measures can protect client information stored at GFDC?

ADe-linking of data into client-specific packets.

BCloud-based applications.

CServer-side controls.

DData pruning

Answer : C

Server-side controls are essential measures to protect client information stored at GFDC. These controls include various security mechanisms such as encryption, access controls, intrusion detection systems, and regular security audits. Implementing robust server-side controls ensures that data is securely managed, accessed, and stored on the servers, protecting it from unauthorized access and potential breaches. While other measures like de-linking data and cloud-based applications can also play a role, server-side controls provide a comprehensive security framework that addresses multiple aspects of data protection and regulatory compliance.

Question 6

SCENARIO

Wesley Energy has finally made its move, acquiring the venerable oil and gas exploration firm Lancelot from its long-time owner David Wilson. As a member of the transition team, you have come to realize that Wilson's quirky nature affected even Lancelot's data practices, which are maddeningly inconsistent. ''The old man hired and fired IT people like he was changing his necktie,'' one of Wilson's seasoned lieutenants tells you, as you identify the traces of initiatives left half complete.

For instance, while some proprietary data and personal information on clients and employees is encrypted, other sensitive information, including health information from surveillance testing of employees for toxic exposures, remains unencrypted, particularly when included within longer records with less-sensitive data. You also find that data is scattered across applications, servers and facilities in a manner that at first glance seems almost random.

Among your preliminary findings of the condition of data at Lancelot are the following:

Cloud technology is supplied by vendors around the world, including firms that you have not heard of. You are told by a former Lancelot employee that these vendors operate with divergent security requirements and protocols.

The company's proprietary recovery process for shale oil is stored on servers among a variety of less-sensitive information that can be accessed not only by scientists, but by personnel of all types at most company locations.

DES is the strongest encryption algorithm currently used for any file.

Several company facilities lack physical security controls, beyond visitor check-in, which familiar vendors often bypass.

Fixing all of this will take work, but first you need to grasp the scope of the mess and formulate a plan of action to address it.

Which is true regarding the type of encryption Lancelot uses?

AIt employs the data scrambling technique known as obfuscation.

BIts decryption key is derived from its encryption key.

CIt uses a single key for encryption and decryption.

DIt is a data masking methodology.

Answer : C

Data Encryption Standard (DES) is a symmetric-key algorithm, which means it uses the same key for both encryption and decryption. This is a fundamental characteristic of symmetric encryption, distinguishing it from asymmetric encryption, where a pair of keys (public and private) are used. In the scenario described, DES is noted as the strongest encryption algorithm used, indicating that Lancelot's encryption method involves a single key for both processes.

Question 7

What logs should an application server retain in order to prevent phishing attacks while minimizing data retention?

ALimited-retention, de-identified logs including only metadata.

BLimited-retention, de-identified logs including the links clicked in messages as well as metadata.

CLimited-retention logs including the identity of parties sending and receiving messages as well as metadata.

DLimited-retention logs including the links clicked in messages, the identity of parties sending and receiving them, as well as metadata.

Answer : B

To effectively prevent phishing attacks while minimizing data retention, an application server should keep limited-retention logs that are de-identified and include critical metadata, such as the links clicked in messages. This approach helps in tracking potentially malicious activities (like phishing attempts) without retaining excessive personal information that could itself pose a privacy risk. By focusing on metadata and the behavior (links clicked), the server can monitor and mitigate phishing risks while adhering to privacy principles of data minimization and purpose limitation, as recommended by IAPP.

IAPP CIPT Certified Information Privacy Technologist Exam Practice Test