最新の2023年11月24日 CIPT問題集は学習ガイドは試験合格するための秘訣 [Q10-Q33]

Share

最新の2023年11月24日 CIPT問題集は学習ガイドは試験合格するための秘訣

CIPT問題集の無料PDFをゲットせよ!最近更新された問題


IAPP CIPT(Certified Information Privacy Technologist)試験は、プライバシー分野のITプロフェッショナルの技術スキルと知識を検証するために設計された、世界的に認知された認定プログラムです。この試験は、データ保護規制、プライバシー原則、コンプライアンスフレームワーク、プライバシー向上技術など、幅広いトピックをカバーしています。この認定プログラムは、世界最大かつ最も尊敬されるプライバシー組織である国際プライバシー専門家協会(IAPP)によって提供されています。


CIPT認定は、機密データを処理する組織で働く情報技術の分野の専門家に最適です。これには、ITマネージャー、セキュリティ専門家、ソフトウェア開発者、プライバシー担当者が含まれます。この認定は、プライバシーリスクを管理し、組織内で効果的なプライバシーポリシーを実施するために必要なスキルを個人に提供します。

 

質問 # 10
SCENARIO
Please use the following to answer the next question:
Jordan just joined a fitness-tracker start-up based in California, USA, as its first Information Privacy and Security Officer. The company is quickly growing its business but does not sell any of the fitness trackers itself. Instead, it relies on a distribution network of third-party retailers in all major countries. Despite not having any stores, the company has a 78% market share in the EU. It has a website presenting the company and products, and a member section where customers can access their information. Only the email address and physical address need to be provided as part of the registration process in order to customize the site to the user's region and country. There is also a newsletter sent every month to all members featuring fitness tips, nutrition advice, product spotlights from partner companies based on user behavior and preferences.
Jordan says the General Data Protection Regulation (GDPR) does not apply to the company. He says the company is not established in the EU, nor does it have a processor in the region. Furthermore, it does not do any "offering goods or services" in the EU since it does not do any marketing there, nor sell to consumers directly. Jordan argues that it is the customers who chose to buy the products on their own initiative and there is no "offering" from the company.
The fitness trackers incorporate advanced features such as sleep tracking, GPS tracking, heart rate monitoring. wireless syncing, calorie-counting and step-tracking. The watch must be paired with either a smartphone or a computer in order to collect data on sleep levels, heart rates, etc. All information from the device must be sent to the company's servers in order to be processed, and then the results are sent to the smartphone or computer. Jordan argues that there is no personal information involved since the company does not collect banking or social security information.
Why is Jordan's claim that the company does not collect personal information as identified by the GDPR inaccurate?

  • A. The potential customers must browse for products online.
  • B. The fitness trackers capture sleep and heart rate data to monitor an individual's behavior.
  • C. The customers must pair their fitness trackers to either smartphones or computers.
  • D. The website collects the customers' and users' region and country information.

正解:A


質問 # 11
SCENARIO
Please use the following to answer the next question:
Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile application that collects personal health information from electronic patient health records. The application will use machine learning to recommend potential medical treatments and medications based on information collected from anonymized electronic health records. Patient users may also share health data collected from other mobile apps with the LBH app.
The application requires consent from the patient before importing electronic health records into the application and sharing it with their authorized physicians or healthcare provider. The patient can then review and share the recommended treatments with their physicians securely through the app. The patient user may also share location data and upload photos in the app. The patient user may also share location data and upload photos in the app for a healthcare provider to review along with the health record. The patient may also delegate access to the app.
LBH's privacy team meets with the Application development and Security teams, as well as key business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the application development process.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during development of the application. The team must assess whether the application is collecting descriptive, demographic or any other user related data from the electronic health records that are not needed for the purposes of the application. The team is also reviewing whether the application may collect additional personal data for purposes for which the user did not provide consent.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) for the new Light Blue Health application currently in development. Which of the following best describes a risk that is likely to result in a privacy breach?

  • A. Limiting access to the app to authorized personnel.
  • B. Insufficiently deleting personal data after an account reaches its retention period.
  • C. Not encrypting the health record when it is transferred to the Light Blue Health servers.
  • D. Including non-transparent policies, terms and conditions in the app.

正解:C

解説:
Not encrypting health records when they are transferred to Light Blue Health servers can leave sensitive personal information vulnerable to interception and unauthorized access. This could result in a privacy breach if an attacker were able to access this unencrypted data.


質問 # 12
A company configures their information system to have the following capabilities:
Allow for selective disclosure of attributes to certain parties, but not to others.
Permit the sharing of attribute references instead of attribute values - such as "I am over 21" instead of birthday date.
Allow for information to be altered or deleted as needed.
These capabilities help to achieve which privacy engineering objective?

  • A. Disassociability.
  • B. Integrity.
  • C. Manageability.
  • D. Predictability.

正解:A


質問 # 13
SCENARIO
WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker.
The CEO of WebTracker, Mr. Bond, would like to assess the effectiveness of AmaZure's privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating any internal data processing activity, such as HR or Payroll.
This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome - a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.
To get an idea of the scope of work involved, you have decided to start reviewing the company's documentation and interviewing key staff to understand potential privacy risks.
The results of this initial work include the following notes:
* There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome.
* You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure.
* There are data flows representing personal data being collected from the internal employees of WebTracker, including an interface from the HR system.
* Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.
* All the WebTracker and SmartHome customers are based in USA and Canada.
Based on the initial assessment and review of the available data flows, which of the following would be the most important privacy risk you should investigate first?

  • A. Review the list of subcontractors employed by AmaZure and ensure these are included in the formal agreement with WebTracker.
  • B. Confirm whether the data transfer from London to the USA has been fully approved by AmaZure and the appropriate institutions in the USA and the European Union.
  • C. Evaluate and review the basis for processing employees' personal data in the context of the prototype created by WebTracker and approved by the CEO.
  • D. Verify that WebTracker's HR and Payroll systems implement the current privacy notice (after the typos are fixed).

正解:C


質問 # 14
Which of the following is most important to provide to the data subject before the collection phase of the data lifecycle?

  • A. Consent Request.
  • B. Data Protection Policy.
  • C. Privacy Notice.
  • D. Disclosure Policy.

正解:C

解説:
A Privacy Notice is important to provide to data subjects before collecting their personal data because it informs them about how their data will be used, who it will be shared with, how long it will be kept for, etc.


質問 # 15
A BaaS provider backs up the corporate data and stores it in an outsider provider under contract with the organization. A researcher notifies the organization that he found unsecured data in the cloud. The organization looked into the issue and realized $ne of its backups was misconfigured on the outside provider's cloud and the data fully exposed to the open internet. They quickly secured the backup. Which is the best next step the organization should take?

  • A. Investigate how the researcher discovered the unsecured data.
  • B. Investigate using alternate BaaS providers or on-premise backup systems.
  • C. Review its contract with the outside provider.
  • D. Review the content of the data exposed.

正解:C

解説:
The best next step the organization should take is to review its contract with the outside provider. This will help the organization to identify the responsibilities of the outside provider and the organization in the event of a data breach.


質問 # 16
Machine-learning based solutions present a privacy risk because?

  • A. The solution may contain inherent bias from the developers.
  • B. Machine-learning solutions introduce more vulnerabilities than other software.
  • C. The decision-making process used by the solution is not documented.
  • D. Training data used during the training phase is compromised.

正解:A

解説:
machine-learning based solutions present a privacy risk because they may contain inherent bias from the developers. Bias can be introduced into machine learning models through biased training data or through biased decision-making processes used by the solution.


質問 # 17
Under the Family Educational Rights and Privacy Act (FERPA), releasing personally identifiable information from a student's educational record requires written permission from the parent or eligible student in order for information to be?

  • A. Released to a prospective employer.
  • B. Released to specific individuals for audit or evaluation purposes.
  • C. Released to schools to which a student is transferring.
  • D. Released in response to a judicial order or lawfully ordered subpoena.

正解:B

解説:
Explanation/Reference: https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html


質問 # 18
SCENARIO
Carol was a U.S.-based glassmaker who sold her work at art festivals. She kept things simple by only accepting cash and personal checks.
As business grew, Carol couldn't keep up with demand, and traveling to festivals became burdensome. Carol opened a small boutique and hired Sam to run it while she worked in the studio. Sam was a natural salesperson, and business doubled. Carol told Sam, "I don't know what you are doing, but keep doing it!" But months later, the gift shop was in chaos. Carol realized that Sam needed help so she hired Jane, who had business expertise and could handle the back-office tasks. Sam would continue to focus on sales. Carol gave Jane a few weeks to get acquainted with the artisan craft business, and then scheduled a meeting for the three of them to discuss Jane's first impressions.
At the meeting, Carol could not wait to hear Jane's thoughts, but she was unprepared for what Jane had to say. "Carol, I know that he doesn't realize it, but some of Sam's efforts to increase sales have put you in a vulnerable position. You are not protecting customers' personal information like you should." Sam said, "I am protecting our information. I keep it in the safe with our bank deposit. It's only a list of customers' names, addresses and phone numbers that I get from their checks before I deposit them. I contact them when you finish a piece that I think they would like. That's the only information I have! The only other thing I do is post photos and information about your work on the photo sharing site that I use with family and friends. I provide my email address and people send me their information if they want to see more of your work. Posting online really helps sales, Carol. In fact, the only complaint I hear is about having to come into the shop to make a purchase." Carol replied, "Jane, that doesn't sound so bad. Could you just fix things and help us to post even more online?"
'I can," said Jane. "But it's not quite that simple. I need to set up a new program to make sure that we follow the best practices in data management. And I am concerned for our customers. They should be able to manage how we use their personal information. We also should develop a social media strategy." Sam and Jane worked hard during the following year. One of the decisions they made was to contract with an outside vendor to manage online sales. At the end of the year, Carol shared some exciting news. "Sam and Jane, you have done such a great job that one of the biggest names in the glass business wants to buy us out! And Jane, they want to talk to you about merging all of our customer and vendor information with theirs beforehand." What type of principles would be the best guide for Jane's ideas regarding a new data management program?

  • A. Vendor management principles.
  • B. Collection limitation principles.
  • C. Incident preparedness principles.
  • D. Fair Information Practice Principles

正解:D


質問 # 19
Which of the following is considered a records management best practice?

  • A. Implementing consistent handling practices across all record types.
  • B. Storing decryption keys with their associated backup systems.
  • C. Using classification to determine access rules and retention policy.
  • D. Archiving expired data records and files.

正解:C

解説:
Explanation/Reference: https://www.archive-vault.co.uk/best-practice-for-records-management


質問 # 20
SCENARIO
Please use the following to answer the next question:
Light Blue Health (LBH) is a healthcare technology company developing a new web and mobile application that collects personal health information from electronic patient health records. The application will use machine learning to recommend potential medical treatments and medications based on information collected from anonymized electronic health records. Patient users may also share health data collected from other mobile apps with the LBH app.
The application requires consent from the patient before importing electronic health records into the application and sharing it with their authorized physicians or healthcare provider. The patient can then review and share the recommended treatments with their physicians securely through the app. The patient user may also share location data and upload photos in the app. The patient user may also share location data and upload photos in the app for a healthcare provider to review along with the health record. The patient may also delegate access to the app.
LBH's privacy team meets with the Application development and Security teams, as well as key business stakeholders on a periodic basis. LBH also implements Privacy by Design (PbD) into the application development process.
The Privacy Team is conducting a Privacy Impact Assessment (PIA) to evaluate privacy risks during development of the application. The team must assess whether the application is collecting descriptive, demographic or any other user related data from the electronic health records that are not needed for the purposes of the application. The team is also reviewing whether the application may collect additional personal data for purposes for which the user did not provide consent.
Regarding the app, which action is an example of a decisional interference violation?

  • A. The app asks questions during account set-up to disclose family medical history that is not necessary for the treatment of the individual's symptoms.
  • B. The app sells aggregated data to an advertising company without prior consent.
  • C. The app asks income level to determine the treatment of care.
  • D. The app has a pop-up ad requesting sign-up for a pharmaceutical company newsletter.

正解:C

解説:
Asking for income level to determine treatment of care could be considered decisional interference because it could influence or interfere with an individual's ability to make decisions about their own healthcare. This type of information may not be necessary for providing medical recommendations and could potentially lead to discrimination or unequal treatment.


質問 # 21
During a transport layer security (TLS) session, what happens immediately after the web browser creates a random PreMasterSecret?

  • A. The web browser encrypts the PremasterSecret with the server's public key.
  • B. The web browser opens a TLS connection to the PremasterSecret.
  • C. The server decrypts the PremasterSecret.
  • D. The server and client use the same algorithm to convert the PremasterSecret into an encryption key.

正解:A

解説:
Explanation/Reference: https://books.google.com.pk/books?id=OaXise4B-p8C&pg=PA175&lpg=PA175&dq=iapp+During+a
+transport+layer+security+(TLS)+session,+what+happens+immediately+after+the+web+browser+creates+a
+random
+PreMasterSecret&source=bl&ots=zR0RCfnx3c&sig=ACfU3U0bTOeOfPfcoq_Y95SZs6imKKilug&hl=en&sa=X
&ved=2ahUKEwjkscDHpcbnAhUJuRoKHU5iC9cQ6AEwCnoECAkQAQ#v=onepage&q=iapp%20During%20a
%20transport%20layer%20security%20(TLS)%20session%2C%20what%20happens%20immediately%20after
%20the%20web%20browser%20creates%20a%20random%20PreMasterSecret&f=false


質問 # 22
SCENARIO
Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in- house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed.
The table below indicates some of the personal information Clean-Q requires as part of its business operations:

Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Clean-Q permanent employee base is not included as part of this scenario.
With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some overlapping bookings.
Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q's solution providers, presenting their proposed solutions and platforms.
The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.
* A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.
* A resource facing web interface that enables resources to apply and manage their assigned jobs.
* An online payment facility for customers to pay for services.
If Clean-Q were to utilize LeadOps' services, what is a contract clause that may be included in the agreement entered into with LeadOps?

  • A. A provision prescribing technical and organizational controls that LeadOps must implement.
  • B. A provision that holds LeadOps liable for a data breach involving Clean-Q's information.
  • C. A provision that requires LeadOps to notify Clean-Q of any suspected breaches of information that involves customer or resource information managed on behalf of Clean-Q.
  • D. A provision that allows Clean-Q to conduct audits of LeadOps' information processing and information security environment, at LeadOps' cost and at any time that Clean-Q requires.

正解:D


質問 # 23
SCENARIO
Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed.
The table below indicates some of the personal information Clean-Q requires as part of its business operations:

Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Clean-Q permanent employee base is not included as part of this scenario.
With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some overlapping bookings.
Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q's solution providers, presenting their proposed solutions and platforms.
The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.
A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.
A resource facing web interface that enables resources to apply and manage their assigned jobs.
An online payment facility for customers to pay for services.
Considering that LeadOps will host/process personal information on behalf of Clean-Q remotely, what is an appropriate next step for Clean-Q senior management to assess LeadOps' appropriateness?

  • A. Nothing at this stage as the Managing Director has made a decision.
  • B. Obtain a legal opinion from an external law firm on contracts management.
  • C. Involve the Information Security team to understand in more detail the types of services and solutions LeadOps is proposing.
  • D. Determine if any Clean-Q competitors currently use LeadOps as a solution.

正解:C


質問 # 24
What is the best way to protect privacy on a geographic information system?

  • A. Using a firewall.
  • B. Using a wireless encryption protocol.
  • C. Scrambling location information.
  • D. Limiting the data provided to the system.

正解:D

解説:
Explanation/Reference: https://www.researchgate.net/
publication/2873114_Protecting_Personal_Privacy_in_Using_Geographic_Information_Systems


質問 # 25
How does k-anonymity help to protect privacy in micro data sets?

  • A. By adding sufficient noise to the data in order to hide the impact of any one individual.
  • B. By top-coding all age data above a value of "k."
  • C. By switching values between records in order to preserve most statistics while still maintaining privacy.
  • D. By ensuring that every record in a set is part of a group of "k" records having similar identifying information.

正解:D


質問 # 26
How can a hacker gain control of a smartphone to perform remote audio and video surveillance?

  • A. By accessing a phone's global positioning system satellite signal.
  • B. By manipulating geographic information systems.
  • C. By installing a roving bug on the phone.
  • D. By performing cross-site scripting.

正解:C


質問 # 27
A jurisdiction requiring an organization to place a link on the website that allows a consumer to opt-out of sharing is an example of what type of requirement?

  • A. Technical
  • B. Functional
  • C. Use case
  • D. Operational

正解:D

解説:
a jurisdiction requiring an organization to place a link on their website that allows consumers to opt-out of sharing their personal data is an example of an operational requirement. Operational requirements involve implementing specific processes or procedures in order to comply with legal or regulatory obligations.


質問 # 28
What is a main benefit of data aggregation?

  • A. It is a good way to perform analysis without needing a statistician.
  • B. It allows one to draw valid conclusions from small data samples.
  • C. It is a good way to achieve de-identification and unlinkabilty.
  • D. It applies two or more layers of protection to a single data record.

正解:B


質問 # 29
What is the main privacy threat posed by Radio Frequency Identification (RFID)?

  • A. An individual can use an RFID receiver to engage in video surveillance.
  • B. An individual with an RFID receiver can track people or consumer products.
  • C. An individual can tap mobile phone communications.
  • D. An individual can scramble computer transmissions in weapons systems.

正解:C


質問 # 30
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which data lifecycle phase needs the most attention at this Ontario medical center?

  • A. Retention
  • B. Use
  • C. Collection
  • D. Disclosure

正解:A

解説:
Explanation/Reference:


質問 # 31
After committing to a Privacy by Design program, which activity should take place first?

  • A. Perform privacy reviews on new projects.
  • B. Establish a retention policy for all data being collected.
  • C. Create a privacy standard that applies to all projects and services.
  • D. Implement easy to use privacy settings for users.

正解:B


質問 # 32
What is the name of an alternative technique to counter the reduction in use of third-party cookies, where web publishers may consider utilizing data cached by a browser and returned with a subsequent request from the same resource to track unique users?

  • A. Canvas fingerprinting.
  • B. Web beacon tracking.
  • C. Entity tagging.
  • D. Browser fingerprinting.

正解:D

解説:
an alternative technique to counter the reduction in use of third-party cookies, where web publishers may consider utilizing data cached by a browser and returned with a subsequent request from the same resource to track unique users is called browser fingerprinting.


質問 # 33
......


CIPT認定は、プライバシーコンプライアンス、データセキュリティ、リスク管理、およびITガバナンスに関与している専門家に最適です。この認定は、ソフトウェア開発、データベース管理、クラウドコンピューティング、およびその他のテクノロジー関連の分野に関与している専門家にとっても有益です。 CIPT認定は、プライバシーテクノロジーに関する候補者の専門知識を示しています。これは、世界中で雇用主によって高く評価されています。

 

最新CIPT試験問題集には高得点で一発合格:https://jp.fast2test.com/CIPT-premium-file.html

CIPT認定試験問題集には216練習テスト問題はこちら:https://drive.google.com/open?id=1YOUWI6RuDsbXa4iU0jphhxdylCYaYKXV


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어