CIPT問題集でリアル試験問題でテストエンジン問題集でトレーニング [Q89-Q113]

Share

CIPT問題集でリアル試験問題でテストエンジン問題集でトレーニング

IAPP CIPTテスト問題集とオンライン試験エンジン

質問 # 89
Which of the following suggests the greatest degree of transparency?

  • A. A privacy notice accommodates broadly defined future collections for new products.
  • B. After reading the privacy notice, a data subject confidently infers how her information will be used.
  • C. The data subject has multiple opportunities to opt-out after collection has occurred.
  • D. A privacy disclosure statement clearly articulates general purposes for collection

正解:B

解説:
After reading the privacy notice, a data subject confidently infers how her information will be used suggests the greatest degree of transparency3
https://www.informatica.com/resources/articles/what-is-data-quality.html


質問 # 90
A privacy engineer has been asked to review an online account login page. He finds there is no limitation on the number of invalid login attempts a user can make when logging into their online account.
What would be the best recommendation to minimize the potential privacy risk from this weakness?

  • A. Develop server-side input validation checks.
  • B. Implement strong Transport Layer Security (TLS) to ensure an encrypted link.
  • C. Enforce strong password and account credentials.
  • D. Implement a CAPTCHA system.

正解:A


質問 # 91
What has been identified as a significant privacy concern with chatbots?

  • A. Chatbot technology providers may be able to read chatbot conversations with users.
  • B. Most chatbot providers do not agree to code audits.
  • C. Chatbots can easily verify the identity of the contact.
  • D. Users conversations with chatbots are not encrypted in transit.

正解:A


質問 # 92
If you are asked to advise on privacy concerns regarding paid advertisements, which is the most important aspect to cover?

  • A. Latent keys that trigger malware when an advertisement is selected.
  • B. Unseen web beacons that combine information on multiple users.
  • C. Sensitive information from Structured Query Language (SQL) commands that may be exposed.
  • D. Personal information collected by cookies linked to the advertising network.

正解:B


質問 # 93
Combining multiple pieces of information about an individual to produce a whole that is greater than the sum of its parts is called?

  • A. Aggregation.
  • B. Exclusion.
  • C. Identification.
  • D. Insecurity.

正解:A

解説:
combining multiple pieces of information about an individual to produce a whole that is greater than the sum of its parts is called aggregation. Aggregation can be used to create more detailed profiles of individuals by combining data from multiple sources.


質問 # 94
An organization is launching a new smart speaker to the market. The device will have the capability to play music and provide news and weather updates. Which of the following would be a concern from a privacy perspective?

  • A. Browser Fingerprinting.
  • B. Context aware computing.
  • C. Appropriation.
  • D. Context of authority.

正解:B

解説:
An organization launching a new smart speaker to the market that has the capability to play music and provide news and weather updates would have concerns about context aware computing rather than browser fingerprinting from a privacy perspective. Context aware computing involves using information about an individual's location or behavior to tailor their experience with technology. This can raise concerns about how personal data is collected and used without individuals' knowledge or consent.


質問 # 95
SCENARIO
Looking back at your first two years as the Director of Personal Information Protection and Compliance for the Berry Country Regional Medical Center in Thorn Bay, Ontario, Canada, you see a parade of accomplishments, from developing state-of-the-art simulation based training for employees on privacy protection to establishing an interactive medical records system that is accessible by patients as well as by the medical personnel. Now, however, a question you have put off looms large: how do we manage all the data-not only records produced recently, but those still on hand from years ago? A data flow diagram generated last year shows multiple servers, databases, and work stations, many of which hold files that have not yet been incorporated into the new records system. While most of this data is encrypted, its persistence may pose security and compliance concerns. The situation is further complicated by several long-term studies being conducted by the medical staff using patient information. Having recently reviewed the major Canadian privacy regulations, you want to make certain that the medical center is observing them.
You also recall a recent visit to the Records Storage Section, often termed "The Dungeon" in the basement of the old hospital next to the modern facility, where you noticed a multitude of paper records. Some of these were in crates marked by years, medical condition or alphabetically by patient name, while others were in undifferentiated bundles on shelves and on the floor. The back shelves of the section housed data tapes and old hard drives that were often unlabeled but appeared to be years old. On your way out of the dungeon, you noticed just ahead of you a small man in a lab coat who you did not recognize. He carried a batch of folders under his arm, apparently records he had removed from storage.
Which data lifecycle phase needs the most attention at this Ontario medical center?

  • A. Disclosure
  • B. Collection
  • C. Use
  • D. Retention

正解:D


質問 # 96
SCENARIO
Carol was a U.S.-based glassmaker who sold her work at art festivals. She kept things simple by only accepting cash and personal checks.
As business grew, Carol couldn't keep up with demand, and traveling to festivals became burdensome. Carol opened a small boutique and hired Sam to run it while she worked in the studio. Sam was a natural salesperson, and business doubled. Carol told Sam, "I don't know what you are doing, but keep doing it!" But months later, the gift shop was in chaos. Carol realized that Sam needed help so she hired Jane, who had business expertise and could handle the back-office tasks. Sam would continue to focus on sales. Carol gave Jane a few weeks to get acquainted with the artisan craft business, and then scheduled a meeting for the three of them to discuss Jane's first impressions.
At the meeting, Carol could not wait to hear Jane's thoughts, but she was unprepared for what Jane had to say.
"Carol, I know that he doesn't realize it, but some of Sam's efforts to increase sales have put you in a vulnerable position. You are not protecting customers' personal information like you should." Sam said, "I am protecting our information. I keep it in the safe with our bank deposit. It's only a list of customers' names, addresses and phone numbers that I get from their checks before I deposit them. I contact them when you finish a piece that I think they would like. That's the only information I have! The only other thing I do is post photos and information about your work on the photo sharing site that I use with family and friends. I provide my email address and people send me their information if they want to see more of your work. Posting online really helps sales, Carol. In fact, the only complaint I hear is about having to come into the shop to make a purchase." Carol replied, "Jane, that doesn't sound so bad. Could you just fix things and help us to post even more online?"
'I can," said Jane. "But it's not quite that simple. I need to set up a new program to make sure that we follow the best practices in data management. And I am concerned for our customers. They should be able to manage how we use their personal information. We also should develop a social media strategy." Sam and Jane worked hard during the following year. One of the decisions they made was to contract with an outside vendor to manage online sales. At the end of the year, Carol shared some exciting news. "Sam and Jane, you have done such a great job that one of the biggest names in the glass business wants to buy us out!
And Jane, they want to talk to you about merging all of our customer and vendor information with theirs beforehand." Which regulator has jurisdiction over the shop's data management practices?

  • A. The Data Protection Authority.
  • B. The Federal Trade Commission.
  • C. The Federal Communications Commission.
  • D. The Department of Commerce.

正解:B

解説:
Explanation/Reference: https://fas.org/sgp/crs/misc/R45631.pdf


質問 # 97
SCENARIO
WebTracker Limited is a cloud-based online marketing service located in London. Last year, WebTracker migrated its IT infrastructure to the cloud provider AmaZure, which provides SQL Databases and Artificial Intelligence services to WebTracker. The roles and responsibilities between the two companies have been formalized in a standard contract, which includes allocating the role of data controller to WebTracker.
The CEO of WebTracker, Mr. Bond, would like to assess the effectiveness of AmaZure's privacy controls, and he recently decided to hire you as an independent auditor. The scope of the engagement is limited only to the marketing services provided by WebTracker, you will not be evaluating any internal data processing activity, such as HR or Payroll.
This ad-hoc audit was triggered due to a future partnership between WebTracker and SmartHome - a partnership that will not require any data sharing. SmartHome is based in the USA, and most recently has dedicated substantial resources to developing smart refrigerators that can suggest the recommended daily calorie intake based on DNA information. This and other personal data is collected by WebTracker.
To get an idea of the scope of work involved, you have decided to start reviewing the company's documentation and interviewing key staff to understand potential privacy risks.
The results of this initial work include the following notes:
* There are several typos in the current privacy notice of WebTracker, and you were not able to find the privacy notice for SmartHome.
* You were unable to identify all the sub-processors working for SmartHome. No subcontractor is indicated in the cloud agreement with AmaZure, which is responsible for the support and maintenance of the cloud infrastructure.
* There are data flows representing personal data being collected from the internal employees of WebTracker, including an interface from the HR system.
* Part of the DNA data collected by WebTracker was from employees, as this was a prototype approved by the CEO of WebTracker.
* All the WebTracker and SmartHome customers are based in USA and Canada.
Which of the following issues is most likely to require an investigation by the Chief Privacy Officer (CPO) of WebTracker?

  • A. File Integrity Monitoring is being deployed in SQL servers, as indicated by the IT Architect Manager.
  • B. Employees' personal data are being stored in a cloud HR system, as approved by the HR Manager.
  • C. AmaZure sends newsletter to WebTracker customers, as approved by the Marketing Manager.
  • D. Data flows use encryption for data at rest, as defined by the IT manager.

正解:C


質問 # 98
A sensitive biometrics authentication system is particularly susceptible to?

  • A. Slow recognition speeds.
  • B. False negatives.
  • C. Theft of finely individualized personal data.
  • D. False positives.

正解:D


質問 # 99
How does k-anonymity help to protect privacy in micro data sets?

  • A. By ensuring that every record in a set is part of a group of "k" records having similar identifying information.
  • B. By adding sufficient noise to the data in order to hide the impact of any one individual.
  • C. By switching values between records in order to preserve most statistics while still maintaining privacy.
  • D. By top-coding all age data above a value of "k."

正解:A


質問 # 100
SCENARIO
Please use the following to answer the next question:
Chuck, a compliance auditor for a consulting firm focusing on healthcare clients, was required to travel to the client's office to perform an onsite review of the client's operations. He rented a car from Finley Motors upon arrival at the airport as so he could commute to and from the client's office. The car rental agreement was electronically signed by Chuck and included his name, address, driver's license, make/model of the car, billing rate, and additional details describing the rental transaction. On the second night, Chuck was caught by a red light camera not stopping at an intersection on his way to dinner. Chuck returned the car back to the car rental agency at the end week without mentioning the infraction and Finley Motors emailed a copy of the final receipt to the address on file.
Local law enforcement later reviewed the red light camera footage. As Finley Motors is the registered owner of the car, a notice was sent to them indicating the infraction and fine incurred. This notice included the license plate number, occurrence date and time, a photograph of the driver, and a web portal link to a video clip of the violation for further review. Finley Motors, however, was not responsible for the violation as they were not driving the car at the time and transferred the incident to AMP Payment Resources for further review. AMP Payment Resources identified Chuck as the driver based on the rental agreement he signed when picking up the car and then contacted Chuck directly through a written letter regarding the infraction to collect the fine.
After reviewing the incident through the AMP Payment Resources' web portal, Chuck paid the fine using his personal credit card. Two weeks later, Finley Motors sent Chuck an email promotion offering 10% off a future rental.
How can Finley Motors reduce the risk associated with transferring Chuck's personal information to AMP Payment Resources?

  • A. By requesting AMP Payment Resources delete unnecessary datasets and only utilize what is necessary to process the violation notice.
  • B. By providing only the minimum necessary data to process the violation notice and masking all other information prior to transfer.
  • C. By transferring all information to separate datafiles and requiring AMP Payment Resources to combine the datasets during processing of the violation notice.
  • D. By obfuscating the minimum necessary data to process the violation notice and require AMP Payment Resources to secure store the personal information.

正解:B


質問 # 101
SCENARIO
You have just been hired by Ancillary.com, a seller of accessories for everything under the sun, including waterproof stickers for pool floats and decorative bands and cases for sunglasses. The company sells cell phone cases, e-cigarette cases, wine spouts, hanging air fresheners for homes and automobiles, book ends, kitchen implements, visors and shields for computer screens, passport holders, gardening tools and lawn ornaments, and catalogs full of health and beauty products. The list seems endless. As the CEO likes to say, Ancillary offers, without doubt, the widest assortment of low-price consumer products from a single company anywhere.
Ancillary's operations are similarly diverse. The company originated with a team of sales consultants selling home and beauty products at small parties in the homes of customers, and this base business is still thriving.
However, the company now sells online through retail sites designated for industries and demographics, sites such as "My Cool Ride" for automobile-related products or "Zoomer" for gear aimed toward young adults.
The company organization includes a plethora of divisions, units and outrigger operations, as Ancillary has been built along a decentered model rewarding individual initiative and flexibility, while also acquiring key assets. The retail sites seem to all function differently, and you wonder about their compliance with regulations and industry standards. Providing tech support to these sites is also a challenge, partly due to a variety of logins and authentication protocols.
You have been asked to lead three important new projects at Ancillary:
The first is the personal data management and security component of a multi-faceted initiative to unify the company's culture. For this project, you are considering using a series of third- party servers to provide company data and approved applications to employees.
The second project involves providing point of sales technology for the home sales force, allowing them to move beyond paper checks and manual credit card imprinting.
Finally, you are charged with developing privacy protections for a single web store housing all the company's product lines as well as products from affiliates. This new omnibus site will be known, aptly, as "Under the Sun." The Director of Marketing wants the site not only to sell Ancillary's products, but to link to additional products from other retailers through paid advertisements. You need to brief the executive team of security concerns posed by this approach.
If you are asked to advise on privacy concerns regarding paid advertisements, which is the most important aspect to cover?

  • A. Latent keys that trigger malware when an advertisement is selected.
  • B. Personal information collected by cookies linked to the advertising network.
  • C. Unseen web beacons that combine information on multiple users.
  • D. Sensitive information from Structured Query Language (SQL) commands that may be exposed.

正解:B


質問 # 102
Which activity would best support the principle of data quality?

  • A. Ensuring that information remains accurate.
  • B. Ensuring that the number of teams processing personal information is limited.
  • C. Delivering information in a format that the data subject understands.
  • D. Providing notice to the data subject regarding any change in the purpose for collecting such data.

正解:A


質問 # 103
SCENARIO
It should be the most secure location housing data in all of Europe, if not the world. The Global Finance Data Collective (GFDC) stores financial information and other types of client data from large banks, insurance companies, multinational corporations and governmental agencies. After a long climb on a mountain road that leads only to the facility, you arrive at the security booth. Your credentials are checked and checked again by the guard to visually verify that you are the person pictured on your passport and national identification card. You are led down a long corridor with server rooms on each side, secured by combination locks built into the doors. You climb a flight of stairs and are led into an office that is lighted brilliantly by skylights where the GFDC Director of Security, Dr. Monique Batch, greets you. On the far wall you notice a bank of video screens showing different rooms in the facility. At the far end, several screens show different sections of the road up the mountain Dr. Batch explains once again your mission. As a data security auditor and consultant, it is a dream assignment: The GFDC does not want simply adequate controls, but the best and most effective security that current technologies allow.
"We were hacked twice last year," Dr. Batch says, "and although only a small number of records were stolen, the bad press impacted our business. Our clients count on us to provide security that is nothing short of impenetrable and to do so quietly. We hope to never make the news again." She notes that it is also essential that the facility is in compliance with all relevant security regulations and standards.
You have been asked to verify compliance as well as to evaluate all current security controls and security measures, including data encryption methods, authentication controls and the safest methods for transferring data into and out of the facility. As you prepare to begin your analysis, you find yourself considering an intriguing question: Can these people be sure that I am who I say I am?
You are shown to the office made available to you and are provided with system login information, including the name of the wireless network and a wireless key. Still pondering, you attempt to pull up the facility's wireless network, but no networks appear in the wireless list. When you search for the wireless network by name, however it is readily found.
Why would you recommend that GFC use record encryption rather than disk, file or table encryption?

  • A. Record encryption is asymmetric, a stronger control measure.
  • B. Record encryption allows for encryption of personal data only.
  • C. Record encryption is granular, limiting the damage of potential breaches.
  • D. Record encryption involves tag masking, so its metadata cannot be decrypted

正解:C


質問 # 104
A developer is designing a new system that allows an organization's helpdesk to remotely connect into the device of the individual to provide support Which of the following will be a privacy technologist's primary concern"?

  • A. Geofencing
  • B. Geo-tagging
  • C. Geolocation
  • D. Geo-tracking

正解:C

解説:
a privacy technologist's primary concern when designing a new system that allows an organization's helpdesk to remotely connect into the device of the individual to provide support would be geolocation.


質問 # 105
Which of the following is considered a client-side IT risk?

  • A. An organization increases the number of applications on its server.
  • B. Security policies focus solely on internal corporate obligations.
  • C. An employee stores his personal information on his company laptop.
  • D. IDs used to avoid the use of personal data map to personal data in another database.

正解:C

解説:
An employee stores his personal information on his company laptop. This is considered a client-side IT risk because it involves the actions of an employee who has control over the use of their individual device.
Client-side IT risk refers to the potential threats that arise from devices or applications that are used by end-users or customers3. An employee storing his personal information on his company laptop is an example of client-side IT risk, as it exposes sensitive data to unauthorized access, theft or loss. The other options are examples of server-side IT risk, which involves threats that originate from systems or networks that host applications or services3.


質問 # 106
What is an Access Control List?

  • A. A list of individuals who have had their access privileges to a resource revoked.
  • B. A list of steps necessary for an individual to access a resource.
  • C. A list showing the resources that an individual has permission to access.
  • D. A list that indicates the type of permission granted to each individual.

正解:C


質問 # 107
What term describes two re-identifiable data sets that both come from the same unidentified individual?

  • A. Imprecise data.
  • B. Pseudonymous data.
  • C. Anonymous data.
  • D. Aggregated data.

正解:D


質問 # 108
Which of the following is a stage in the data life cycle?

  • A. Data masking.
  • B. Data retention.
  • C. Data inventory.
  • D. Data classification.

正解:B

解説:
The stages in a typical data lifecycle include creation/collection, processing, storage/retention, usage/access/sharing/distribution, archival/preservation and destruction/deletion/disposition 3. Among these options provided here only "Data retention" is a stage in this cycle.


質問 # 109
SCENARIO
Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in-house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed.
The table below indicates some of the personal information Clean-Q requires as part of its business operations:

Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Clean-Q permanent employee base is not included as part of this scenario.
With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some overlapping bookings.
Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q's solution providers, presenting their proposed solutions and platforms.
The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.
A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.
A resource facing web interface that enables resources to apply and manage their assigned jobs.
An online payment facility for customers to pay for services.
If Clean-Q were to utilize LeadOps' services, what is a contract clause that may be included in the agreement entered into with LeadOps?

  • A. A provision prescribing technical and organizational controls that LeadOps must implement.
  • B. A provision that holds LeadOps liable for a data breach involving Clean-Q's information.
  • C. A provision that allows Clean-Q to conduct audits of LeadOps' information processing and information security environment, at LeadOps' cost and at any time that Clean-Q requires.
  • D. A provision that requires LeadOps to notify Clean-Q of any suspected breaches of information that involves customer or resource information managed on behalf of Clean-Q.

正解:C


質問 # 110
An EU marketing company is planning to make use of personal data captured to make automated decisions based on profiling. In some cases, processing and automated decisions may have a legal effect on individuals, such as credit worthiness.
When evaluating the implementation of systems making automated decisions, in which situation would the company have to accommodate an individual's right NOT to be subject to such processing to ensure compliance under the General Data Protection Regulation (GDPR)?

  • A. When the individual has given explicit consent to such processing and suitable safeguards exist.
  • B. When there is no human intervention or influence in the decision-making process.
  • C. When an individual's legal status or rights are not affected by the decision.
  • D. When the decision is necessary for entering into a contract and the individual can contest the decision.

正解:B


質問 # 111
SCENARIO
Clean-Q is a company that offers house-hold and office cleaning services. The company receives requests from consumers via their website and telephone, to book cleaning services. Based on the type and size of service, Clean-Q then contracts individuals that are registered on its resource database - currently managed in- house by Clean-Q IT Support. Because of Clean-Q's business model, resources are contracted as needed instead of permanently employed.
The table below indicates some of the personal information Clean-Q requires as part of its business operations:

Clean-Q has an internal employee base of about 30 people. A recent privacy compliance exercise has been conducted to align employee data management and human resource functions with applicable data protection regulation. Therefore, the Clean-Q permanent employee base is not included as part of this scenario.
With an increase in construction work and housing developments, Clean-Q has had an influx of requests for cleaning services. The demand has overwhelmed Clean-Q's traditional supply and demand system that has caused some overlapping bookings.
Ina business strategy session held by senior management recently, Clear-Q invited vendors to present potential solutions to their current operational issues. These vendors included Application developers and Cloud-Q's solution providers, presenting their proposed solutions and platforms.
The Managing Director opted to initiate the process to integrate Clean-Q's operations with a cloud solution (LeadOps) that will provide the following solution one single online platform: A web interface that Clean-Q accesses for the purposes of resource and customer management. This would entail uploading resource and customer information.
* A customer facing web interface that enables customers to register, manage and submit cleaning service requests online.
* A resource facing web interface that enables resources to apply and manage their assigned jobs.
* An online payment facility for customers to pay for services.
What is a key consideration for assessing external service providers like LeadOps, which will conduct personal information processing operations on Clean-Q's behalf?

  • A. Obtaining knowledge of LeadOps' information handling practices and information security environment.
  • B. Recognizing the value of LeadOps' website holding a verified security certificate.
  • C. Establishing a relationship with the Managing Director of LeadOps.
  • D. Understanding LeadOps' costing model.

正解:A

解説:
Explanation/Reference:


質問 # 112
SCENARIO
It should be the most secure location housing data in all of Europe, if not the world. The Global Finance Data Collective (GFDC) stores financial information and other types of client data from large banks, insurance companies, multinational corporations and governmental agencies. After a long climb on a mountain road that leads only to the facility, you arrive at the security booth. Your credentials are checked and checked again by the guard to visually verify that you are the person pictured on your passport and national identification card.
You are led down a long corridor with server rooms on each side, secured by combination locks built into the doors. You climb a flight of stairs and are led into an office that is lighted brilliantly by skylights where the GFDC Director of Security, Dr. Monique Batch, greets you. On the far wall you notice a bank of video screens showing different rooms in the facility. At the far end, several screens show different sections of the road up the mountain Dr. Batch explains once again your mission. As a data security auditor and consultant, it is a dream assignment: The GFDC does not want simply adequate controls, but the best and most effective security that current technologies allow.
"We were hacked twice last year," Dr. Batch says, "and although only a small number of records were stolen, the bad press impacted our business. Our clients count on us to provide security that is nothing short of impenetrable and to do so quietly. We hope to never make the news again." She notes that it is also essential that the facility is in compliance with all relevant security regulations and standards.
You have been asked to verify compliance as well as to evaluate all current security controls and security measures, including data encryption methods, authentication controls and the safest methods for transferring data into and out of the facility. As you prepare to begin your analysis, you find yourself considering an intriguing question: Can these people be sure that I am who I say I am?
You are shown to the office made available to you and are provided with system login information, including the name of the wireless network and a wireless key. Still pondering, you attempt to pull up the facility's wireless network, but no networks appear in the wireless list. When you search for the wireless network by name, however it is readily found.
What type of wireless network does GFDC seem to employ?

  • A. A hidden network.
  • B. A reluctant network.
  • C. A wireless mesh network.
  • D. A user verified network.

正解:A


質問 # 113
......

IAPP CIPT問題を提供していますInformation Privacy Technologist問題集と完璧な解答付き:https://www.passtest.jp/IAPP/CIPT-shiken.html

信頼され続けるCIPT試験のコツとPDF試験材料:https://drive.google.com/open?id=1IBlX8f-Q3vrW5qZ5o8keHziYcAQUnAct