IAPP CIPT Practice Test - Questions Answers, Page 18
Question list
List of questions
Related questions
Which of the following is a privacy consideration for NOT sending large-scale SPAM type emails to a database of email addresses?
Poor user experience.
Emails are unsolicited.
Data breach notification.
Reduction in email deliverability score.
Which of the following can be used to bypass even the best physical and logical security mechanisms to gain access to a system?
Phishing emails.
Denial of service.
Brute-force attacks.
Social engineering.
An organization is deciding between building a solution in-house versus purchasing a solution for a new customer facing application. When security threat are taken into consideration, a key advantage of purchasing a solution would be the availability of?
Outsourcing.
Persistent VPN.
Patching and updates.
Digital Rights Management.
An organization is concerned that its aging IT infrastructure will lead to Increased security and privacy risks. Which of the following would help mitigate these risks?
Vulnerability management.
Data Loss Prevention.
Code audits.
Network Centricity.
An organization has recently experienced a data breach where large amounts of personal data were compromised. As part of a post-incident review, the privacy technologist wants to analyze available data to understand what vulnerabilities may have contributed to the incident occurring. He learns that a key vulnerability had been flagged by the system but that detective controls were not operating effectively. Which type of web application security risk does this finding most likely point to?
Insecure Design.
Misconfiguration.
Vulnerable and Outdated Components.
Logging and Monitoring Failures.
Data oriented strategies Include which of the following?
Minimize. Separate, Abstract, Hide.
Inform, Control, Enforce, Demonstrate.
Encryption, Hashing, Obfuscation, Randomization.
Consent. Contract, Legal Obligation, Legitimate interests.
There are two groups of users. In a company, where one group Is allowed to see credit card numbers, while the other group Is not. Both are accessing the data through the same application. The most effective and efficient way to achieve this would be?
Have two copies of the data, one copy where the credit card numbers are obfuscated, while the other copy has them in the clear. Serve up from the appropriate copy depending on the user accessing it.
Have the data encrypted at rest, and selectively decrypt It for the users who have the rights to see it.
Obfuscate the credit card numbers whenever a user who does not have the right to see them accesses the data.
Drop credit card numbers altogether whenever a user who does not have the right to see them accesses the data.
Which of the following is NOT a valid basis for data retention?
Size of the data.
Type of the data.
Location of the data.
Last time the data was accessed.
Which of the following techniques describes the use of encryption where encryption keys are divided into parts that can then be used to recover a full encryption key?
Homomorphic encryption.
Asymmetric cryptography.
Cryptographic hashing.
Secret sharing.
SCENARIO
Please use the following to answer the next questions:
Your company is launching a new track and trace health app during the outbreak of a virus pandemic in the US. The developers claim the app is based on privacy by design because personal data collected was considered to ensure only necessary data is captured, users are presented with a privacy notice, and they are asked to give consent before data is shared. Users can update their consent after logging into an account, through a dedicated privacy and consent hub.
This is accessible through the 'Settings' icon from any app page, then clicking 'My Preferences', and selecting 'Information Sharing and Consent' where the following choices are displayed:
• "I consent to receive notifications and infection alerts";
• "I consent to receive information on additional features or services, and new products";
• "I consent to sharing only my risk result and location information, for exposure and contact tracing purposes";
• "I consent to share my data for medical research purposes"; and
• "I consent to share my data with healthcare providers affiliated to the company".
For each choice, an ON* or OFF tab is available The default setting is ON for all Users purchase a virus screening service for USS29 99 for themselves or others using the app The virus screening service works as follows:
• Step 1 A photo of the user's face is taken.
• Step 2 The user measures their temperature and adds the reading in the app
• Step 3 The user is asked to read sentences so that a voice analysis can detect symptoms
• Step 4 The user is asked to answer questions on known symptoms
• Step 5 The user can input information on family members (name date of birth, citizenship, home address, phone number, email and relationship).) The results are displayed as one of the following risk status "Low. "Medium" or "High" if the user is deemed at "Medium " or "High" risk an alert may be sent to other users and the user is Invited to seek a medical consultation and diagnostic from a healthcare provider.
A user's risk status also feeds a world map for contact tracing purposes, where users are able to check if they have been or are in dose proximity of an infected person If a user has come in contact with another individual classified as "medium' or 'high' risk an instant notification also alerts the user of this. The app collects location trails of every user to monitor locations visited by an infected individual Location is collected using the phone's GPS functionary, whether the app is in use or not however, the exact location of the user is "blurred' for privacy reasons Users can only see on the map circles What is likely to be the biggest privacy concern with the current 'Information Sharing and Consent' page?
The ON or OFF default setting for each item.
The navigation needed in the app to get to the consent page.
The option to consent to receive potential marketing information.
The information sharing with healthcare providers affiliated with the company.
Question