CITP EXAM QUESTIONS AND ANSWERS:
LATEST UPDATE (ALREADY GRADED A+.)
Under the Family Educational Rights and Privacy Act (FERPA), releasing personally identifiable
information from a student's educational record requires written permission from the parent or
eligible student in order for information to be?
A. Released to a prospective employer.
B. Released to schools to which a student is transferring.
C. Released to specific individuals for audit or evaluation purposes.
D. Released in response to a judicial order or lawfully ordered subpoena.
A. Released to a prospective employer.
https://www.cdc.gov/phlp/php/resources/family-educational-rights-and-privacy-act-
ferpa.html#:~:text=Schools%20need%20written%20permission%20from%20the%20parent%20or,not
%20comply%20with%20FERPA%20risk%20losing%20federal%20funding.
Revocation and reissuing of compromised credentials is impossible for which of the following
authentication techniques?
a) Personal identification number.
b) Picture passwords.
c) Biometric data.
d) Radio frequency identification.
c) Biometric data, Biometric recognition systems are generally user-friendly and designed for ease of
use, as they rely on inherent physical or behavioral traits like fingerprints or facial features. The other
options, such as requiring more maintenance and support (A), being expensive (B), and having limited
compatibility across systems (C), are well-documented drawbacks of biometric systems.
What is a main benefit of data aggregation?
A. It is a good way to perform analysis without needing a statistician.
B. It applies two or more layers of protection to a single data record.
C. It allows one to draw valid conclusions from small data samples.
D. It is a good way to achieve de-identification and unlinkabilty.
D. It is a good way to achieve de-identification and unlinkabilty. Data aggregation involves collecting and
summarizing data from multiple sources, which can help protect individual privacy by presenting
information in a consolidated form. This process can effectively de-identify data by removing or
obscuring individual-level details, making it more difficult to link specific information back to particular
individuals35. By aggregating data, organizations can preserve privacy and security while still gaining
valuable insights from the summarized information3.
After committing to a Privacy by Design program, which activity should take place first?
A. Create a privacy standard that applies to all projects and services.
, B. Establish a retention policy for all data being collected.
C. Implement easy to use privacy settings for users.
D. Perform privacy reviews on new projects.
A. Create a privacy standard that applies to all projects and services. The first activity in a Privacy by
Design program should involve conducting a Privacy Impact Assessment (PIA) to identify existing privacy
practices, risks, and compliance gaps12. This foundational step allows the organization to understand
how personal data is handled and ensures privacy considerations are integrated into the design of
systems and processes from the outset. Creating a privacy standard (A) is important but typically comes
after assessing current practices and risks.
When releasing aggregates, what must be performed to magnitude data to ensure privacy?
A. Value swapping.
B. Noise addition.
C. Basic rounding.
D. Top coding.
B. Noise addition
What term describes two re-identifiable data sets that both come from the same unidentified
individual?
A. Pseudonymous data.
B. Anonymous data.
C. Aggregated data.
D. Imprecise data.
A. Pseudonymous data.Pseudonymous data refers to information that does not directly identify an
individual but can be linked back to them through additional information or by combining multiple data
sets5. This type of data retains a unique identifier that allows for re-identification when combined with
other information, which aligns with the scenario described in the question.
Which of the following most embodies the principle of Data Protection by Default?
A. A messaging app for high school students that uses HTTPS to communicate with the server.
B. An electronic teddy bear with built-in voice recognition that only responds to its owner's voice.
C. An internet forum for victims of domestic violence that allows anonymous posts without
registration.
D. A website that has an opt-in form for marketing emails when registering to download a
whitepaper.
C. An internet forum for victims of domestic violence that allows anonymous posts without
registration.This best embodies the principle of Data Protection by Default because it prioritizes user
privacy by minimizing data collection and ensuring anonymity by default. Under this principle, only the
necessary data for the intended purpose should be processed, and privacy-friendly settings should be
enabled automatically, as seen in this example where no registration or personal data is required to
participate.
Aadhaar is a unique-identity number of 12 digits issued to all Indian residents based on their
biometric and demographic data. The data is collected by the Unique Identification Authority of India.
LATEST UPDATE (ALREADY GRADED A+.)
Under the Family Educational Rights and Privacy Act (FERPA), releasing personally identifiable
information from a student's educational record requires written permission from the parent or
eligible student in order for information to be?
A. Released to a prospective employer.
B. Released to schools to which a student is transferring.
C. Released to specific individuals for audit or evaluation purposes.
D. Released in response to a judicial order or lawfully ordered subpoena.
A. Released to a prospective employer.
https://www.cdc.gov/phlp/php/resources/family-educational-rights-and-privacy-act-
ferpa.html#:~:text=Schools%20need%20written%20permission%20from%20the%20parent%20or,not
%20comply%20with%20FERPA%20risk%20losing%20federal%20funding.
Revocation and reissuing of compromised credentials is impossible for which of the following
authentication techniques?
a) Personal identification number.
b) Picture passwords.
c) Biometric data.
d) Radio frequency identification.
c) Biometric data, Biometric recognition systems are generally user-friendly and designed for ease of
use, as they rely on inherent physical or behavioral traits like fingerprints or facial features. The other
options, such as requiring more maintenance and support (A), being expensive (B), and having limited
compatibility across systems (C), are well-documented drawbacks of biometric systems.
What is a main benefit of data aggregation?
A. It is a good way to perform analysis without needing a statistician.
B. It applies two or more layers of protection to a single data record.
C. It allows one to draw valid conclusions from small data samples.
D. It is a good way to achieve de-identification and unlinkabilty.
D. It is a good way to achieve de-identification and unlinkabilty. Data aggregation involves collecting and
summarizing data from multiple sources, which can help protect individual privacy by presenting
information in a consolidated form. This process can effectively de-identify data by removing or
obscuring individual-level details, making it more difficult to link specific information back to particular
individuals35. By aggregating data, organizations can preserve privacy and security while still gaining
valuable insights from the summarized information3.
After committing to a Privacy by Design program, which activity should take place first?
A. Create a privacy standard that applies to all projects and services.
, B. Establish a retention policy for all data being collected.
C. Implement easy to use privacy settings for users.
D. Perform privacy reviews on new projects.
A. Create a privacy standard that applies to all projects and services. The first activity in a Privacy by
Design program should involve conducting a Privacy Impact Assessment (PIA) to identify existing privacy
practices, risks, and compliance gaps12. This foundational step allows the organization to understand
how personal data is handled and ensures privacy considerations are integrated into the design of
systems and processes from the outset. Creating a privacy standard (A) is important but typically comes
after assessing current practices and risks.
When releasing aggregates, what must be performed to magnitude data to ensure privacy?
A. Value swapping.
B. Noise addition.
C. Basic rounding.
D. Top coding.
B. Noise addition
What term describes two re-identifiable data sets that both come from the same unidentified
individual?
A. Pseudonymous data.
B. Anonymous data.
C. Aggregated data.
D. Imprecise data.
A. Pseudonymous data.Pseudonymous data refers to information that does not directly identify an
individual but can be linked back to them through additional information or by combining multiple data
sets5. This type of data retains a unique identifier that allows for re-identification when combined with
other information, which aligns with the scenario described in the question.
Which of the following most embodies the principle of Data Protection by Default?
A. A messaging app for high school students that uses HTTPS to communicate with the server.
B. An electronic teddy bear with built-in voice recognition that only responds to its owner's voice.
C. An internet forum for victims of domestic violence that allows anonymous posts without
registration.
D. A website that has an opt-in form for marketing emails when registering to download a
whitepaper.
C. An internet forum for victims of domestic violence that allows anonymous posts without
registration.This best embodies the principle of Data Protection by Default because it prioritizes user
privacy by minimizing data collection and ensuring anonymity by default. Under this principle, only the
necessary data for the intended purpose should be processed, and privacy-friendly settings should be
enabled automatically, as seen in this example where no registration or personal data is required to
participate.
Aadhaar is a unique-identity number of 12 digits issued to all Indian residents based on their
biometric and demographic data. The data is collected by the Unique Identification Authority of India.
