CIPT Exam UPDATED Exam Questions and
CORRECT Answers
Under the Family Educational Rights and Privacy Act (FERPA), releasing personally identifiable
information from a student's educational record requires written permission from the parent or
eligible student in order for information to be?
A. Released to a prospective employer.
B. Released to schools to which a student is transferring.
C. Released to specific individuals for audit or evaluation purposes.
D. Released in response to a judicial order or lawfully ordered subpoena. - CORRECT
ANSWER - A. Released to a prospective employer.
https://www.cdc.gov/phlp/php/resources/family-educational-rights-and-privacy-act-
ferpa.html#:~:text=Schools%20need%20written%20permission%20from%20the%20parent%20
or,not%20comply%20with%20FERPA%20risk%20losing%20federal%20funding.
Revocation and reissuing of compromised credentials is impossible for which of the following
authentication techniques?
a) Personal identification number.
b) Picture passwords.
c) Biometric data.
d) Radio frequency identification. - CORRECT ANSWER - c) Biometric data, Biometric
recognition systems are generally user-friendly and designed for ease of use, as they rely on
inherent physical or behavioral traits like fingerprints or facial features. The other options, such
as requiring more maintenance and support (A), being expensive (B), and having limited
compatibility across systems (C), are well-documented drawbacks of biometric systems.
What is a main benefit of data aggregation?
A. It is a good way to perform analysis without needing a statistician.
B. It applies two or more layers of protection to a single data record.
C. It allows one to draw valid conclusions from small data samples.
D. It is a good way to achieve de-identification and unlinkabilty. - CORRECT ANSWER -
D. It is a good way to achieve de-identification and unlinkabilty. Data aggregation involves
,collecting and summarizing data from multiple sources, which can help protect individual
privacy by presenting information in a consolidated form. This process can effectively de-
identify data by removing or obscuring individual-level details, making it more difficult to link
specific information back to particular individuals35. By aggregating data, organizations can
preserve privacy and security while still gaining valuable insights from the summarized
information3.
After committing to a Privacy by Design program, which activity should take place first?
A. Create a privacy standard that applies to all projects and services.
B. Establish a retention policy for all data being collected.
C. Implement easy to use privacy settings for users.
D. Perform privacy reviews on new projects. - CORRECT ANSWER - A. Create a privacy
standard that applies to all projects and services. The first activity in a Privacy by Design
program should involve conducting a Privacy Impact Assessment (PIA) to identify existing
privacy practices, risks, and compliance gaps12. This foundational step allows the organization
to understand how personal data is handled and ensures privacy considerations are integrated
into the design of systems and processes from the outset. Creating a privacy standard (A) is
important but typically comes after assessing current practices and risks.
When releasing aggregates, what must be performed to magnitude data to ensure privacy?
A. Value swapping.
B. Noise addition.
C. Basic rounding.
D. Top coding. - CORRECT ANSWER - B. Noise addition
What term describes two re-identifiable data sets that both come from the same unidentified
individual?
A. Pseudonymous data.
B. Anonymous data.
C. Aggregated data.
D. Imprecise data. - CORRECT ANSWER - A. Pseudonymous data.Pseudonymous data
refers to information that does not directly identify an individual but can be linked back to them
through additional information or by combining multiple data sets5. This type of data retains a
,unique identifier that allows for re-identification when combined with other information, which
aligns with the scenario described in the question.
Which of the following most embodies the principle of Data Protection by Default?
A. A messaging app for high school students that uses HTTPS to communicate with the server.
B. An electronic teddy bear with built-in voice recognition that only responds to its owner's
voice.
C. An internet forum for victims of domestic violence that allows anonymous posts without
registration.
D. A website that has an opt-in form for marketing emails when registering to download a
whitepaper. - CORRECT ANSWER - C. An internet forum for victims of domestic
violence that allows anonymous posts without registration.This best embodies the principle of
Data Protection by Default because it prioritizes user privacy by minimizing data collection and
ensuring anonymity by default. Under this principle, only the necessary data for the intended
purpose should be processed, and privacy-friendly settings should be enabled automatically, as
seen in this example where no registration or personal data is required to participate.
Aadhaar is a unique-identity number of 12 digits issued to all Indian residents based on their
biometric and demographic data. The data is collected by the Unique Identification Authority of
India. The Aadhaar database contains the Aadhaar number, name, date of birth, gender and
address of over 1 billion individuals. Which of the following datasets derived from that data
would be considered the most de-identified? A. A count of the years of birth and hash of the
personג€™ s gender. B. A count of the month of birth and hash of the person's first name. C. A
count of the day of birth and hash of the personג€™s first initial of their first name. D. Account
of the century of birth and hash of the last 3 digits of the person's Aadhaar number. - CORRECT
ANSWER - A. A count of the years of birth and hash of the person's gender.This option
provides the highest level of de-identification among the given choices because:
It uses only aggregated data (count of years of birth) rather than individual birth dates, which
reduces the risk of identifying specific individuals.
The gender information is hashed, which further obscures the original data while still allowing
for some analysis.
It retains the least amount of potentially identifying information compared to the other options,
making it more difficult to link back to individuals in the original Aadhaar database.
Options B, C, and D all contain more granular or specific information (like month of birth, day
of birth, or parts of the Aadhaar number) that could potentially be used in combination with other
data to re-identify individuals, especially given the large scale of the Aadhaar database
, What has been identified as a significant privacy concern with chatbots?
A. Most chatbot providers do not agree to code audits
B. Chatbots can easily verify the identity of the contact.
C. Usersג€™ conversations with chatbots are not encrypted in transit.
D. Chatbot technology providers may be able to read chatbot conversations with users. -
CORRECT ANSWER - D. Chatbot technology providers may be able to read chatbot
conversations with users.
What is the term for information provided to a social network by a member?
A. Profile data.
B. Declared data.
C. Personal choice data.
D. Identifier information. - CORRECT ANSWER - B. Declared data.Declared data refers
to information that a user voluntarily provides to a platform, such as a social network. This
includes details like name, age, interests, and other personal information shared during
registration or profile creation.
What tactic does pharming use to achieve its goal?
A. It modifies the user's Hosts file.
B. It encrypts files on a user's computer.
C. It creates a false display advertisement.
D. It generates a malicious instant message. - CORRECT ANSWER - C. It creates a false
display advertisement
All of the following can be indications of a ransomware attack EXCEPT?
A. The inability to access certain files.
B. An increased amount of spam email in an individual's inbox.
C. An increase in activity of the CPU of a computer for no apparent reason.
CORRECT Answers
Under the Family Educational Rights and Privacy Act (FERPA), releasing personally identifiable
information from a student's educational record requires written permission from the parent or
eligible student in order for information to be?
A. Released to a prospective employer.
B. Released to schools to which a student is transferring.
C. Released to specific individuals for audit or evaluation purposes.
D. Released in response to a judicial order or lawfully ordered subpoena. - CORRECT
ANSWER - A. Released to a prospective employer.
https://www.cdc.gov/phlp/php/resources/family-educational-rights-and-privacy-act-
ferpa.html#:~:text=Schools%20need%20written%20permission%20from%20the%20parent%20
or,not%20comply%20with%20FERPA%20risk%20losing%20federal%20funding.
Revocation and reissuing of compromised credentials is impossible for which of the following
authentication techniques?
a) Personal identification number.
b) Picture passwords.
c) Biometric data.
d) Radio frequency identification. - CORRECT ANSWER - c) Biometric data, Biometric
recognition systems are generally user-friendly and designed for ease of use, as they rely on
inherent physical or behavioral traits like fingerprints or facial features. The other options, such
as requiring more maintenance and support (A), being expensive (B), and having limited
compatibility across systems (C), are well-documented drawbacks of biometric systems.
What is a main benefit of data aggregation?
A. It is a good way to perform analysis without needing a statistician.
B. It applies two or more layers of protection to a single data record.
C. It allows one to draw valid conclusions from small data samples.
D. It is a good way to achieve de-identification and unlinkabilty. - CORRECT ANSWER -
D. It is a good way to achieve de-identification and unlinkabilty. Data aggregation involves
,collecting and summarizing data from multiple sources, which can help protect individual
privacy by presenting information in a consolidated form. This process can effectively de-
identify data by removing or obscuring individual-level details, making it more difficult to link
specific information back to particular individuals35. By aggregating data, organizations can
preserve privacy and security while still gaining valuable insights from the summarized
information3.
After committing to a Privacy by Design program, which activity should take place first?
A. Create a privacy standard that applies to all projects and services.
B. Establish a retention policy for all data being collected.
C. Implement easy to use privacy settings for users.
D. Perform privacy reviews on new projects. - CORRECT ANSWER - A. Create a privacy
standard that applies to all projects and services. The first activity in a Privacy by Design
program should involve conducting a Privacy Impact Assessment (PIA) to identify existing
privacy practices, risks, and compliance gaps12. This foundational step allows the organization
to understand how personal data is handled and ensures privacy considerations are integrated
into the design of systems and processes from the outset. Creating a privacy standard (A) is
important but typically comes after assessing current practices and risks.
When releasing aggregates, what must be performed to magnitude data to ensure privacy?
A. Value swapping.
B. Noise addition.
C. Basic rounding.
D. Top coding. - CORRECT ANSWER - B. Noise addition
What term describes two re-identifiable data sets that both come from the same unidentified
individual?
A. Pseudonymous data.
B. Anonymous data.
C. Aggregated data.
D. Imprecise data. - CORRECT ANSWER - A. Pseudonymous data.Pseudonymous data
refers to information that does not directly identify an individual but can be linked back to them
through additional information or by combining multiple data sets5. This type of data retains a
,unique identifier that allows for re-identification when combined with other information, which
aligns with the scenario described in the question.
Which of the following most embodies the principle of Data Protection by Default?
A. A messaging app for high school students that uses HTTPS to communicate with the server.
B. An electronic teddy bear with built-in voice recognition that only responds to its owner's
voice.
C. An internet forum for victims of domestic violence that allows anonymous posts without
registration.
D. A website that has an opt-in form for marketing emails when registering to download a
whitepaper. - CORRECT ANSWER - C. An internet forum for victims of domestic
violence that allows anonymous posts without registration.This best embodies the principle of
Data Protection by Default because it prioritizes user privacy by minimizing data collection and
ensuring anonymity by default. Under this principle, only the necessary data for the intended
purpose should be processed, and privacy-friendly settings should be enabled automatically, as
seen in this example where no registration or personal data is required to participate.
Aadhaar is a unique-identity number of 12 digits issued to all Indian residents based on their
biometric and demographic data. The data is collected by the Unique Identification Authority of
India. The Aadhaar database contains the Aadhaar number, name, date of birth, gender and
address of over 1 billion individuals. Which of the following datasets derived from that data
would be considered the most de-identified? A. A count of the years of birth and hash of the
personג€™ s gender. B. A count of the month of birth and hash of the person's first name. C. A
count of the day of birth and hash of the personג€™s first initial of their first name. D. Account
of the century of birth and hash of the last 3 digits of the person's Aadhaar number. - CORRECT
ANSWER - A. A count of the years of birth and hash of the person's gender.This option
provides the highest level of de-identification among the given choices because:
It uses only aggregated data (count of years of birth) rather than individual birth dates, which
reduces the risk of identifying specific individuals.
The gender information is hashed, which further obscures the original data while still allowing
for some analysis.
It retains the least amount of potentially identifying information compared to the other options,
making it more difficult to link back to individuals in the original Aadhaar database.
Options B, C, and D all contain more granular or specific information (like month of birth, day
of birth, or parts of the Aadhaar number) that could potentially be used in combination with other
data to re-identify individuals, especially given the large scale of the Aadhaar database
, What has been identified as a significant privacy concern with chatbots?
A. Most chatbot providers do not agree to code audits
B. Chatbots can easily verify the identity of the contact.
C. Usersג€™ conversations with chatbots are not encrypted in transit.
D. Chatbot technology providers may be able to read chatbot conversations with users. -
CORRECT ANSWER - D. Chatbot technology providers may be able to read chatbot
conversations with users.
What is the term for information provided to a social network by a member?
A. Profile data.
B. Declared data.
C. Personal choice data.
D. Identifier information. - CORRECT ANSWER - B. Declared data.Declared data refers
to information that a user voluntarily provides to a platform, such as a social network. This
includes details like name, age, interests, and other personal information shared during
registration or profile creation.
What tactic does pharming use to achieve its goal?
A. It modifies the user's Hosts file.
B. It encrypts files on a user's computer.
C. It creates a false display advertisement.
D. It generates a malicious instant message. - CORRECT ANSWER - C. It creates a false
display advertisement
All of the following can be indications of a ransomware attack EXCEPT?
A. The inability to access certain files.
B. An increased amount of spam email in an individual's inbox.
C. An increase in activity of the CPU of a computer for no apparent reason.
