
IAPP CIPT最新問題集[2024]高得点を掴み取れ
CIPT問題集Fast2test100%合格率保証
質問 # 92
What is the main benefit of using a private cloud?
- A. The ability to outsource data support to a third party.
- B. The ability to use a backup system for personal files.
- C. The ability to restrict data access to employees and contractors.
- D. The ability to cut costs for storing, maintaining, and accessing data.
正解:C
解説:
Explanation/Reference:
質問 # 93
SCENARIO
Please use the following to answer the next question:
Jordan just joined a fitness-tracker start-up based in California, USA, as its first Information Privacy and Security Officer. The company is quickly growing its business but does not sell any of the fitness trackers itself. Instead, it relies on a distribution network of third-party retailers in all major countries. Despite not having any stores, the company has a 78% market share in the EU. It has a website presenting the company and products, and a member section where customers can access their information. Only the email address and physical address need to be provided as part of the registration process in order to customize the site to the user's region and country. There is also a newsletter sent every month to all members featuring fitness tips, nutrition advice, product spotlights from partner companies based on user behavior and preferences.
Jordan says the General Data Protection Regulation (GDPR) does not apply to the company. He says the company is not established in the EU, nor does it have a processor in the region. Furthermore, it does not do any "offering goods or services" in the EU since it does not do any marketing there, nor sell to consumers directly. Jordan argues that it is the customers who chose to buy the products on their own initiative and there is no "offering" from the company.
The fitness trackers incorporate advanced features such as sleep tracking, GPS tracking, heart rate monitoring.
wireless syncing, calorie-counting and step-tracking. The watch must be paired with either a smartphone or a computer in order to collect data on sleep levels, heart rates, etc. All information from the device must be sent to the company's servers in order to be processed, and then the results are sent to the smartphone or computer.
Jordan argues that there is no personal information involved since the company does not collect banking or social security information.
Why is Jordan's claim that the company does not collect personal information as identified by the GDPR inaccurate?
- A. The fitness trackers capture sleep and heart rate data to monitor an individual's behavior.
- B. The potential customers must browse for products online.
- C. The website collects the customers' and users' region and country information.
- D. The customers must pair their fitness trackers to either smartphones or computers.
正解:A
解説:
Under the GDPR, personal data includes any information relating to an identified or identifiable natural person. The fitness trackers collect detailed health-related data, such as sleep patterns and heart rates, which are considered sensitive personal data under the GDPR. This type of data directly relates to an individual's health and behavior, making it subject to GDPR protections regardless of whether financial information is collected. Jordan's claim that the company does not collect personal information is inaccurate because health data is a core category of personal data under the GDPR.
質問 # 94
What is the main benefit of using a private cloud?
- A. The ability to use a backup system for personal files.
- B. The ability to outsource data support to a third party.
- C. The ability to restrict data access to employees and contractors.
- D. The ability to cut costs for storing, maintaining, and accessing data.
正解:A
質問 # 95
What is the main reason the Do Not Track (DNT) header is not acknowledged by more companies?
- A. Most web browsers incorporate the DNT feature.
- B. It has been difficult to solve the technological challenges surrounding DNT.
- C. There is a lack of consensus about what the DNT header should mean.
- D. The financial penalties for violating DNT guidelines are too high.
正解:C
解説:
The main reason the Do Not Track (DNT) header is not acknowledged by more companies is:
* Lack of consensus about what the DNT header should mean (Option C): There has been significant debate and no clear agreement on how companies should interpret and respond to the DNT header. This lack of standardization and enforceable regulations has led to its limited adoption.
Option A is incorrect because most web browsers do support the DNT feature.Option B is incorrect; there are no high financial penalties for violating DNT guidelines.Option D is also incorrect as the technological challenges are not the primary reason for non-acknowledgment.
References:
* IAPP Information Privacy Technologist (CIPT) training materials
* W3C Tracking Protection Working Group reports
質問 # 96
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which cryptographic standard would be most appropriate for protecting patient credit card information in the records system?
- A. Obfuscation
- B. Symmetric Encryption
- C. Asymmetric Encryption
- D. Hashing
正解:B
解説:
To protect patient credit card information in the records system at Berry Country Regional Medical Center, an appropriate cryptographic standard to use would be option B: Symmetric Encryption.
Symmetric encryption uses a single secret key to encrypt and decrypt data. It is a fast and efficient method of encryption that can provide strong protection for sensitive data such as credit card information when implemented correctly.
質問 # 97
A company configures their information system to have the following capabilities:
Allow for selective disclosure of attributes to certain parties, but not to others.
Permit the sharing of attribute references instead of attribute values - such as "I am over 21" instead of birthday date.
Allow for information to be altered or deleted as needed.
These capabilities help to achieve which privacy engineering objective?
- A. Manageability.
- B. Integrity.
- C. Disassociability.
- D. Predictability.
正解:C
質問 # 98
What is the potential advantage of homomorphic encryption?
- A. Encrypted information can be analyzed without decrypting it first.
- B. Ciphertext size decreases as the security level increases.
- C. It makes data impenetrable to attacks.
- D. It allows greater security and faster processing times.
正解:D
質問 # 99
What has been found to undermine the public key infrastructure system?
- A. Man-in-the-middle attacks.
- B. Inability to track abandoned keys.
- C. Browsers missing a copy of the certificate authority's public key.
- D. Disreputable certificate authorities.
正解:A
質問 # 100
SCENARIO
WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker.
The CEO of WebTracker, Mr. Bond, would like to assess the effectiveness of AmaZure's privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating any internal data processing activity, such as HR or Payroll.
This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome - a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.
To get an idea of the scope of work involved, you have decided to start reviewing the company's documentation and interviewing key staff to understand potential privacy risks.
The results of this initial work include the following notes:
* There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome.
* You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure.
* There are data flows representing personal data being collected from the internal employees of WebTracker, including an interface from the HR system.
* Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.
* All the WebTracker and SmartHome customers are based in USA and Canada.
Which of the following issues is most likely to require an investigation by the Chief Privacy Officer (CPO) of WebTracker?
- A. Employees' personal data are being stored in a cloud HR system, as approved by the HR Manager.
- B. File Integrity Monitoring is being deployed in SQL servers, as indicated by the IT Architect Manager.
- C. AmaZure sends newsletter to WebTracker customers, as approved by the Marketing Manager.
- D. Data flows use encryption for data at rest, as defined by the IT manager.
正解:C
解説:
In the given scenario, WebTracker Limited is migrating its IT infrastructure to the cloud provider AmaZure.
As part of this, it is crucial to understand the privacy and security implications associated with AmaZure's role as the data processor while WebTracker remains the data controller. The issues highlighted in the scenario provide a comprehensive understanding of the privacy risks and responsibilities involved.
The key issues identified include:
* Typos in the privacy notice of WebTracker.
* Missing privacy notice for SmartHome.
* Unidentified sub-processors working for SmartHome.
* Internal data flows from HR systems collecting employee data.
* DNA data collected from employees for prototyping.
Among these issues, the most likely to require an investigation by the Chief Privacy Officer (CPO) of WebTracker is the one involving AmaZure sending newsletters to WebTracker customers (Option B). This activity directly involves customer data and could indicate potential unauthorized processing or misuse of personal data, which is a significant privacy concern.
Detailed Explanation:
* Option A (Encryption for Data at Rest): While ensuring data is encrypted at rest is critical, it does not directly indicate a breach of privacy or misuse of personal data. It is more about data security and less about privacy controls.
* Option B (AmaZure Sends Newsletter): This involves direct interaction with customer data. If AmaZure is sending newsletters to WebTracker's customers, it implies that customer data is being processed and possibly used for marketing purposes. This requires explicit consent from the data subjects and appropriate contractual agreements between WebTracker and AmaZure. Without proper oversight, this could lead to unauthorized data processing and potential violations of privacy regulations.
* Option C (Employees' Personal Data in Cloud HR System): Storing employee personal data in a cloud HR system, while significant, is typically within the scope of internal data processing. This issue is more about ensuring internal compliance with privacy policies rather than an immediate risk requiring CPO investigation.
* Option D (File Integrity Monitoring in SQL Servers): File integrity monitoring is a security measure to ensure data integrity and does not directly indicate any privacy risks or misuse of personal data.
References:
* GDPR Articles 28 and 29 on the responsibilities of data controllers and processors.
* The necessity for explicit consent for data processing (GDPR Article 7).
* Contractual obligations for data processors to protect personal data (GDPR Article 28).
Conclusion: The scenario of AmaZure sending newsletters to WebTracker customers (Option B) poses the most immediate and significant risk that requires an investigation by the CPO to ensure compliance with privacy regulations and avoid unauthorized use of customer data.
質問 # 101
A valid argument against data minimization is that it?
- A. Decreases the speed of data transfers.
- B. Can limit business opportunities.
- C. Can have an adverse effect on data quality.
- D. Increases the chance that someone can be identified from data.
正解:B
解説:
A valid argument against data minimization is that it Can limit business opportunities. Data minimization is the principle that data collected should be limited to what is necessary for the purposes for which it is processed. While this principle supports privacy and data protection, it can also restrict the amount of data available to businesses for analysis and innovation, potentially limiting their ability to develop new products, improve services, or identify new market opportunities.
質問 # 102
SCENARIO
Kyle is a new security compliance manager who will be responsible for coordinating and executing controls to ensure compliance with the company's information security policy and industry standards. Kyle is also new to the company, where collaboration is a core value. On his first day of new-hire orientation, Kyle's schedule included participating in meetings and observing work in the IT and compliance departments.
Kyle spent the morning in the IT department, where the CIO welcomed him and explained that her department was responsible for IT governance. The CIO and Kyle engaged in a conversation about the importance of identifying meaningful IT governance metrics. Following their conversation, the CIO introduced Kyle to Ted and Barney. Ted is implementing a plan to encrypt data at the transportation level of the organization's wireless network. Kyle would need to get up to speed on the project and suggest ways to monitor effectiveness once the implementation was complete. Barney explained that his short-term goals are to establish rules governing where data can be placed and to minimize the use of offline data storage.
Kyle spent the afternoon with Jill, a compliance specialist, and learned that she was exploring an initiative for a compliance program to follow self-regulatory privacy principles. Thanks to a recent internship, Kyle had some experience in this area and knew where Jill could find some support. Jill also shared results of the company's privacy risk assessment, noting that the secondary use of personal information was considered a high risk.
By the end of the day, Kyle was very excited about his new job and his new company. In fact, he learned about an open position for someone with strong qualifications and experience with access privileges, project standards board approval processes, and application-level obligations, and couldn't wait to recommend his friend Ben who would be perfect for the job.
Which data practice is Barney most likely focused on improving?
- A. Sharing
- B. Retention.
- C. Deletion
- D. Inventory.
正解:C
解説:
Barney is leading a project to improve the organization's data practices and has implemented a new policy that requires all employees to delete any data that is no longer needed for business purposes. This suggests that Barney is most likely focused on improving the organization's data deletion practices.
質問 # 103
What is an Access Control List?
- A. A list of steps necessary for an individual to access a resource.
- B. A list showing the resources that an individual has permission to access.
- C. A list of individuals who have had their access privileges to a resource revoked.
- D. A list that indicates the type of permission granted to each individual.
正解:B
質問 # 104
What must be done to destroy data stored on "write once read many" (WORM) media?
- A. The erase function must be used to remove all data.
- B. The data must be made inaccessible by encryption.
- C. The media must be reformatted.
- D. The media must be physically destroyed.
正解:D
質問 # 105
Which of the following is most important to provide to the data subject before the collection phase of the data lifecycle?
- A. Privacy Notice.
- B. Disclosure Policy.
- C. Consent Request.
- D. Data Protection Policy.
正解:A
解説:
* Option A: A privacy notice informs data subjects about how their data will be collected, used, and protected. It is crucial to provide this notice before data collection to ensure transparency and comply with legal requirements.
* Option B: A disclosure policy might detail how data will be shared, but it is generally part of a broader privacy notice.
* Option C: While obtaining consent is important, the privacy notice is the first step in informing the data subject about the data processing activities, enabling informed consent.
* Option D: A data protection policy outlines an organization's overall approach to protecting data but is typically internal rather than something provided directly to data subjects.
References:
* IAPP CIPT Study Guide
* GDPR Article 13 on Information to be provided where personal data are collected from the data subject
質問 # 106
SCENARIO
Kyle is a new security compliance manager who will be responsible for coordinating and executing controls to ensure compliance with the company's information security policy and industry standards. Kyle is also new to the company, where collaboration is a core value. On his first day of new-hire orientation, Kyle's schedule included participating in meetings and observing work in the IT and compliance departments.
Kyle spent the morning in the IT department, where the CIO welcomed him and explained that her department was responsible for IT governance. The CIO and Kyle engaged in a conversation about the importance of identifying meaningful IT governance metrics. Following their conversation, the CIO introduced Kyle to Ted and Barney. Ted is implementing a plan to encrypt data at the transportation level of the organization's wireless network. Kyle would need to get up to speed on the project and suggest ways to monitor effectiveness once the implementation was complete. Barney explained that his short-term goals are to establish rules governing where data can be placed and to minimize the use of offline data storage.
Kyle spent the afternoon with Jill, a compliance specialist, and learned that she was exploring an initiative for a compliance program to follow self-regulatory privacy principles. Thanks to a recent internship, Kyle had some experience in this area and knew where Jill could find some support. Jill also shared results of the company's privacy risk assessment, noting that the secondary use of personal information was considered a high risk.
By the end of the day, Kyle was very excited about his new job and his new company. In fact, he learned about an open position for someone with strong qualifications and experience with access privileges, project standards board approval processes, and application-level obligations, and couldn't wait to recommend his friend Ben who would be perfect for the job.
Which of the following should Kyle recommend to Jill as the best source of support for her initiative?
- A. Regulators.
- B. Industry groups.
- C. Investors.
- D. Corporate researchers.
正解:B
解説:
Industry groups are an excellent source of support for initiatives involving self-regulatory privacy principles because they offer best practices, guidelines, and resources specific to the industry. These groups often provide frameworks and standards that help organizations comply with privacy regulations while also offering networking opportunities with other professionals facing similar challenges.
References:
* IAPP CIPT Study Guide: Privacy Frameworks and Self-Regulation.
* IAPP Certified Information Privacy Technologist (CIPT) Handbook: Section on Industry Standards and Best Practices.
質問 # 107
Which of the following modes of interaction often target both people who personally know and are strangers to the attacker?
- A. Unsolicited sexual imagery.
- B. Spam.
- C. Phishing.
- D. Consensually-shared sexual imagery.
正解:C
質問 # 108
SCENARIO
Please use the following to answer next question:
EnsureClaim is developing a mobile app platform for managing data used for assessing car accident insurance claims. Individuals use the app to take pictures at the crash site, eliminating the need for a built-in vehicle camer a. EnsureClaim uses a third-party hosting provider to store data collected by the app. EnsureClaim customer service employees also receive and review app data before sharing with insurance claim adjusters.
The app collects the following information:
First and last name
Date of birth (DOB)
Mailing address
Email address
Car VIN number
Car model
License plate
Insurance card number
Photo
Vehicle diagnostics
Geolocation
What would be the best way to supervise the third-party systems the EnsureClaim App will share data with?
- A. Review the privacy notices for each third-party that the app will share personal data with to determine adequate privacy and data protection controls are in place.
- B. Conduct a security and privacy review before onboarding new vendors that collect personal data from the app.
- C. Anonymize all personal data collected by the app before sharing any data with third-parties.
- D. Develop policies and procedures that outline how data is shared with third-party apps.
正解:C
質問 # 109
What has been found to undermine the public key infrastructure system?
- A. Man-in-the-middle attacks.
- B. Inability to track abandoned keys.
- C. Browsers missing a copy of the certificate authority's public key.
- D. Disreputable certificate authorities.
正解:C
質問 # 110
What is the main reason a company relies on implied consent instead of explicit consent from a user to process her data?
- A. The implied consent model provides the user with more detailed data collection information.
- B. Regulators prefer the implied consent model.
- C. An explicit consent model is more expensive to implement.
- D. To secure explicit consent, a user s website browsing would be significantly disrupted.
正解:C
質問 # 111
Which of the following would be the best method of ensuring that Information Technology projects follow Privacy by Design (PbD) principles?
- A. Develop training programs that aid the developers in understanding how to turn privacy requirements into actionable code and design level specifications.
- B. Identify the privacy requirements as a part of the Privacy Impact Assessment (PIA) process during development and evaluation stages.
- C. Develop a technical privacy framework that integrates with the development lifecycle.
- D. Utilize Privacy Enhancing Technologies (PETs) as a part of product risk assessment and management.
正解:A
質問 # 112
Which is the most accurate type of biometrics?
- A. DNA
- B. Voiceprint.
- C. Facial recognition.
- D. Fingerprint.
正解:B
解説:
Explanation/Reference: https://www.bayometric.com/biometrics-face-finger-iris-palm-voice/
質問 # 113
Which of the following would be the most appropriate solution for preventing privacy violations related to information exposure through an error message?
- A. Creating default error pages or error messages which do not include variable data.
- B. Configuring the environment to use shorter error messages.
- C. Handing exceptions internally and not displaying errors to the user.
- D. Logging the session name and necessary parameters once the error occurs to enable trouble shooting.
正解:A
質問 # 114
Granting data subjects the right to have data corrected, amended, or deleted describes?
- A. A security safeguard.
- B. Use limitation.
- C. Individual participation.
- D. Accountability.
正解:A
質問 # 115
You are a wine collector who uses the web to do research about your hobby. You navigate to a news site and an ad for wine pops up. What kind of advertising is this?
- A. Demographic.
- B. Behavioral.
- C. Contextual.
- D. Remnant.
正解:C
解説:
The type of advertising described in the scenario where a wine ad pops up while the user is researching about wine is:
* Contextual Advertising (Option C): This is when ads are shown based on the content of the web page the user is currently viewing. Since the user is on a news site and sees an ad related to wine, it fits the definition of contextual advertising.
Option A (Remnant) refers to unsold ad inventory that is sold at a discount.Option B (Behavioral) refers to ads based on the user's past behavior or browsing history.Option D (Demographic) targets users based on demographic information like age, gender, or location.
References:
* IAPP Information Privacy Technologist (CIPT) training materials
* "Internet Advertising: Theory and Research" by Ducoffe, Halavais
質問 # 116
......
100%合格率リアルCIPT試験成功を掴み取れ:https://jp.fast2test.com/CIPT-premium-file.html
プレミアム良質なIAPP CIPTオンライン問題集:https://drive.google.com/open?id=1VCFc77BN1I8goFJkw9MEgdAU55svmt5O