
CIPP Guide

Your Guide to the CIPP

G Concentration Prep Materials

CBK Tests

Revision 2.0.28
CIPP Guide's G Concentration Prep Materials

Published by Jon-Michael Brook, Clearwater, FL.

Copyright 2007 - 2010 Jon-Michael Brook and the CIPP Guide

No part of this publication may be reproduced, stored in a retrieval system or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, except as permitted under Sections 107 or 108 of the 1976 United States
Copyright Act, without the prior written permission of the Publisher. Requests to the
Publisher for permission should be addressed to the Permissions Department, 2541
Estancia Blvd, Clearwater, FL 33761, (727) 564-9101, fax (440) 445-7338, or by email at
publisher@cippguide.org.
Trademarks: The CIPPGuide Sleuth Logo, Your Guide to the CIPP, cippguide.org,
cippguide.com, and related trade dress are trademarks or registered trademarks of
Jon-Michael C. Brook, the CIPPguide and/or its affiliates in the United States and other
countries, and may not be used without written permission. All other trademarks are the
property of their respective owners. Jon-Michael C. Brook is not associated with any
product or vendor outside of the CIPP Guide mentioned in this book.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND
THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH
RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF
THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING
WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR
PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR
PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED
HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS
SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT
ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER
PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED,
THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE
SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE
FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION
OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A
POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT
THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE
ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT
MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET
WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED
BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

CIPP_G_CBK_Tests Page 1
Table of Contents

The CIPP Foundations Exam
The CIPP/G Exam
Introduction
CIPP_G_CBK 1
CIPP_G_CBK 2
CIPP_G_CBK 3
CIPP_G_CBK 4
CIPP_G_CBK 5
CIPP_G_CBK 6
CIPP_G_CBK 7
CIPP_G_CBK 8
CIPP_G_CBK 9
Introduction

This booklet consolidates all of the tests from the CIPPguide website as of its date of
publication. Each chapter corresponds to a roughly 25-question test on the site. The
answers are listed at the end of each chapter. Explanations may be found on the website in
the interactive test engine. Best of luck on the exam!

CIPP_G_CBK Test 1

Questions
1. What is the best way to describe the approach to privacy protection in the United States?

A. relies on a confidence and trust business model
B. more self-regulation than government regulation
C. more government regulation than self-regulation
D. comprehensive approach

2. The 1973 report of the Department of Health, Education, and Welfare (HEW) led directly to the creation of which of the following?

A. the Privacy Act of 1974
B. the Gramm-Leach-Bliley Act
C. the Freedom of Information Act
D. the Fair Information Practice Principles

3. Which part of the Health Insurance Portability and Accountability Act sets requirements for the use of protected health information (PHI)?

A. the Security Rule
B. the Accountability Rule
C. the Privacy Rule
D. the Portability Rule

4. Which of the following is considered a covered entity?

A. any individual whose health information is protected by HIPAA
B. any entity that handles PHI and must comply with HIPAA
C. individuals with health insurance
D. any entity in compliance with HIPAA

5. Individuals that wish to receive a copy of their medical files and protected health information must:

A. Make the request within five years of service
B. Submit their request in writing
C. Make sure all related medical bills are paid
D. Pay related copying and postage expenses

6. ---- is the term for an agreement covered entities enter into with third parties before disclosing PHI, to ensure the information will be adequately protected once released.

A. Fair Practice Contract
B. HIPAA Compliance Agreement
C. Safe Harbor Agreement
D. Business Associate Contract

7. Which of the following are part of the Security Rule of HIPAA?

A. providing individuals with access to their PHI
B. conducting periodic risk assessments to examine the security of PHI
C. education and training programs for employees handling PHI
D. creation of an entity to enforce the Security Rule within the organization

8. The exceptions outlined in the Privacy Rule of HIPAA refer to:

A. cases in which disclosure of PHI is allowed without the prior approval of the individual
B. cases in which access to PHI may be denied
C. cases in which a covered entity is not held responsible for a privacy violation
D. cases in which an individual need not receive notice of a covered entity's privacy practices

9. Which of the following is NOT a right guaranteed to individuals under the Privacy Rule of HIPAA?

A. access to their records
B. notice of an entity's privacy practices and possible third party disclosures
C. limited disclosure of PHI
D. authorization over the destruction/disposal of their PHI

10. Which is true of the government's enforcement practices related to HIPAA?

A. HIPAA is lightly enforced by the U.S. Government.
B. HIPAA is highly enforced by the U.S. Government.
C. The Department of Health and Human Services, Office of Civil Rights is in charge of enforcement.
D. The Federal Trade Commission is in charge of enforcement.

11. -------- is the U.S. Federal agency with enforcement authority over the Children's Online Privacy Protection Act (COPPA).

A. The Department of Health and Human Services, Office of Civil Rights
B. The Federal Trade Commission
C. The Department of Justice
D. None, COPPA is enforced by the states

12. In order to collect personally identifiable information online from a child, a Web site must:

A. provide retroactive notice to parents of the Web site's privacy policies
B. obtain verifiable parental consent
C. anonymize the data
D. obtain retroactive consent

13. Which of the following were COPPA and other privacy-related violations addressed in the FTC enforcement case against Gateway Learning Corp. (Hooked on Phonics)?

A. collecting PII from children under the age of 13 without parental consent
B. disclosing information collected from children under 13 to third parties without parental consent
C. retroactively changing privacy policies
D. failing to notify parents regarding changes in privacy policies

14. What information may a Web site operator collect from a child without prior
parental consent?

A. his name
B. his phone number
C. his email address
D. his age

15. Cases in which PII may be collected from a child without the prior approval of the parent:

A. There is no need to ever obtain parental consent.
B. Parental consent should be sought after the disclosure.
C. Allow Web sites to conduct research on the demographics of their visitors.
D. May be made under special circumstances to ensure the safety of a child.

16. Which of the following types of Web sites must comply with COPPA?

A. the U.S. Government
B. only Web sites operated in the United States targeting children under the age of 13
C. all Web sites, regardless of location, targeting children under the age of 13
D. all Web sites

17. Which of the following are verifiable consent options for Web sites that may disclose information to third parties?

A. toll-free line staffed by professionals to receive verbal consent over the phone
B. a printable form that may be mailed or faxed back
C. a Web form the parent may fill out
D. email verification

18. What is an additional verifiable consent option for companies that only plan to use children's PII internally?

A. a Web form the parent may fill out
B. email verification
C. Email Plus, using one email to provide notice and a second email to confirm consent
D. No consent is needed

19. The Gramm-Leach-Bliley Act is also known as:

A. the Financial Services Modernization Act
B. the Children's Privacy Protection Act
C. the Privacy Act
D. the Glass-Steagall Act

20. Who must comply with the Safeguards Rule of the Gramm-Leach-Bliley Act?

A. all financial institutions
B. the U.S. Government
C. consumer reporting agencies
D. any entities that handle financial information

21. Title V of the Gramm-Leach-Bliley Act deals with:

A. creating information security plans
B. disclosure of financial information to affiliated and non-affiliated third parties
C. how GLBA affects the Fair Credit Reporting Act
D. the required contents of a compliant privacy notice

22. What is a customer as defined under the Gramm-Leach-Bliley Act?

A. any individual that makes use of a financial institution's services
B. any individual with whom the financial institution has done business in the past
C. any individual with a long-standing relationship with a financial institution
D. any individual with a history on file with a credit reporting agency

23. What information is protected under the Privacy Rule of the Gramm-Leach-Bliley Act?

A. all information collected from the customer
B. all personally identifiable information
C. all information not part of the public record
D. all financial information

24. Which of the following is true about the Gramm-Leach-Bliley Act?

A. Customers must receive a copy of the financial institution's privacy notice annually
B. An employee must be designated to ensure enforcement of the Safeguards Rule
C. An employee must be designated to ensure enforcement of the Security Rule
D. Financial account numbers may not be shared with nonaffiliated third parties.

25. Examples of safeguards to be used pursuant to the Safeguards Rule of the Gramm-Leach-Bliley Act include:

A. remote access
B. employee training
C. encryption
D. disaster recovery plans

Answers

1. A, B
2. A, D
3. C
4. B
5. B, D
6. D
7. B, C, D
8. A
9. D
10. B, C
11. B
12. B
13. B, C, D
14. A, C
15. B, D
16. A, B, C
17. A, B
18. C
19. A
20. A, C, D
21. B
22. C
23. C
24. A, B, D
25. B, C, D

CIPP_G_CBK Test 2

Questions
1. Which Federal law provides a model for how Government security programs should be developed and implemented?

A. the Privacy Act of 1974
B. the Federal Information Security Management Act
C. OMB Circular A-130
D. Data Quality Act

2. What are the three main components of a successful information security program?

A. availability, confidentiality, integrity
B. compliance, integrity, availability
C. availability, enforceability, confidentiality
D. privacy, availability, integrity

3. Which federal office or department frequently issues memoranda that modify or expand upon privacy laws already in force?

A. the Department of Health and Human Services, Office of Civil Rights
B. the Federal Trade Commission
C. the Office of the President
D. the Office of Management and Budget

4. OMB Circular A-130 includes guidelines on which of the following?

A. information management such as data sharing, storage, and disclosure
B. the privacy responsibilities of individual government agencies and departments
C. reporting procedures
D. development of new privacy legislation

9 v2.0.28
5. Which of the following responsibilities outlined under Appendix I of OMB Circular A-130 must only be followed by the specified agency?

A. The National Archives and Records Administration must review System of Records Notices every two years.
B. The Office of Personnel Management must create privacy training programs for government employees.
C. The Office of Management and Budget must assist agencies in implementing the Privacy Act by providing guidelines.
D. The Office of Management and Budget must review privacy training programs every two years.

6. How often must Privacy Act and Matching Program Reports be published by
government agencies?

A. annually
B. only upon major changes
C. every two years
D. twice a year

7. A Biennial Privacy Act report should include:

A. record of all privacy incidents
B. statistics on requests and appeals that were approved and denied
C. list of routine uses
D. statistics on number of records

8. A Biennial Matching Activity Report should include:

A. cost/benefit analysis
B. list of any matching agreement violations
C. results of the matching program
D. information about the Data Integrity Board

9. A New or Altered Systems or Matching Program report should include:

A. a listing of other systems or changes that were rejected
B. a transmittal letter signed by a senior official
C. documentation stating the reasons for the change or new system
D. the routine uses of the system and their compatibility with the Privacy Act

10. Which of the following are the three stages for implementing and managing information systems?

A. selection
B. control
C. compliance
D. evaluation

11. OMB Memorandum 01-05: Guidance on Inter-agency Sharing of Personal Data reinforced privacy guidelines already set forth in what U.S. laws?

A. the Privacy Act of 1974
B. the Children's Online Privacy Protection Act
C. the Freedom of Information Act
D. the Computer Matching and Privacy Protection Act

12. Which of the following were recommendations made in M-01-05?

A. Agencies should limit the disclosure of information to other agencies unless it is necessary for legal or national security reasons.
B. Data collected should be the minimum amount necessary.
C. Privacy Impact Assessments should be completed for new information systems.
D. Agencies must maintain records of all third party disclosures.

13. Which of the following are other names for file sharing technology?

A. Peer to Peer
B. P3P
C. P2P
D. networking

14. Why was the use of file sharing technology banned under M-04-26?

A. It puts information systems at great risk for computer viruses.
B. It puts information systems at greater risk for unauthorized access.
C. It is often used for illegally downloading copyrighted files.
D. It is illegal to use file sharing technology.

15. What are the three recommendations put forth in OMB Memorandum 04-26 to prevent the use of file sharing technology by government employees?

A. create legislation limiting the legal usage of P2P technology
B. require employees to sign personal use agreements
C. implement security controls to prevent the use of P2P technology
D. provide employee training on P2P and other privacy issues

16. OMB Memorandum 05-08 called for the designation of a privacy officer in government agencies pursuant to the recommendations in Executive Order 13353, which:

A. created the President's Board on Safeguarding Americans' Civil Liberties
B. led to the creation of the Privacy Act
C. led to the creation of the Fair Information Practice Principles
D. gave the FTC power to enforce privacy violations

17. Which of the following are responsibilities of the Privacy Officer of an agency?

A. act as a member of the President's Board on Safeguarding Americans' Civil Liberties
B. work with policy makers in the agency to develop legislation and practices that maintain privacy protections
C. work with privacy advocates in the private sector to promote the protection of civil liberties
D. oversee privacy compliance in the agency

18. OMB Memorandum 06-15 reiterates which aspect of the Privacy Act?

A. notice
B. consent
C. minimization
D. safeguarding data

19. What are the three types of safeguards that must be implemented to adequately
safeguard information?

A. technical
B. electronic
C. physical
D. administrative

20. M-06-15 specifically asked privacy officers to:

A. designate a team of junior privacy officials within the agency to assist in their duties
B. review privacy policies to ensure compliance with the Privacy Act and report their findings
C. publish Privacy Impact Assessments and System of Records Notices
D. confer with the President's Board on Safeguarding Americans' Civil Liberties to create new privacy legislation

21. OMB Memorandum 06-16 dealt with the protection of:

A. Personally Identifiable Information
B. Protected Health Information
C. Sensitive Information
D. public access to information

22. Protections on remote access devices should include:

A. a time-out function
B. encryption
C. two-factor authentication
D. restricted access to sensitive information

23. Under OMB Memorandum 06-16, data extracts containing sensitive information that are no longer being used should be erased:

A. within 24 hours
B. within 30 days
C. within 90 days
D. within one year

24. What is the government agency/department/group that issues technical requirements for safeguarding information?

A. the Federal Trade Commission
B. the National Institute of Standards and Technology
C. the Office of Management and Budget
D. the Office of Personnel Management

25. Which of the following are part of the remote access checklist issued by NIST
and reiterated in M-06-16 to safeguard sensitive information?

A. PII at increased security risk due to remote access may not be accessed, used,
or disclosed.
B. PII at increased security risk due to remote access must be identified.
C. Organizational policy must be reviewed for compliance and efficacy.
D. Virtual Private Networks should be used to increase security controls and
provide further authentication of the user's identity.

Answers

1. B
2. A
3. D
4. A, B, C
5. B, C
6. C
7. B, C, D
8. A, B, D
9. B, C, D
10. A, B, D
11. A, D
12. B, C
13. A, C
14. A, B, C
15. B, C, D
16. A
17. B, D
18. D
19. A, C, D
20. B
21. C
22. A, B, C
23. C
24. B
25. B, C, D

CIPP_G_CBK Test 3

Questions
1. What are some of the benefits of sharing PII among government agencies?

A. improved efficiency
B. identifies and prevents fraud
C. helps find beneficiaries of public programs
D. allows more information to be collected

2. In order to share information with another agency:

A. the benefits must outweigh the costs
B. the approval of the agency head must be obtained
C. a matching agreement between the two agencies must be established
D. the matching agreement must be published in the Federal Register

3. What is the redisclosure limitation?

A. a law preventing government agencies from disclosing PII to other agencies without the individual's consent
B. prohibits recipient agencies from disclosing information obtained through a matching or data-sharing agreement
C. requires active consent before recipient agencies may disclose information obtained through a data-sharing or matching agreement
D. prohibits disclosure of information to non-government entities

4. In addition to providing guidelines for the implementation of the E-Government Act, OMB Memorandum 03-22 also provided guidance for implementing what other privacy law?

A. Privacy Act
B. FISMA
C. Freedom of Information Act
D. the Children's Online Privacy Protection Act

5. Which of the following are examples in which a Privacy Impact Assessment must be completed?

A. converting paper records to electronic records
B. before data is used in a matching system
C. before any changes are made to an information system
D. when changing anonymous data into identifiable form

6. Which of the following are among the agency requirements outlined in M-03-22 for implementing the E-Government Act?

A. posting privacy policies on public Web sites
B. reporting annually to the OMB regarding compliance
C. conducting Privacy Impact Assessments and making them publicly available
D. appointing Privacy and Civil Liberties Officers to oversee compliance

7. OMB Memorandum 03-22 added what two content areas to agency privacy policies?

A. right to access and amendment
B. right to refuse
C. consent to collection and sharing
D. rights under the Privacy Act and other laws

8. Under the E-Government Act and M-03-22, all agency privacy policies must:

A. be password protected
B. be machine-readable
C. follow a standard agency template
D. be updated biennially

9. Agencies must submit a report on their compliance with M-03-22:

A. annually with the E-Government status report
B. biennially with the E-Government status report
C. annually with the Privacy Act Report
D. biennially with the Privacy Act Report

10. M-03-22 modifies previous OMB Memoranda such as M-99-18, M-00-13, and M-99-05, which concern:

A. the creation of information systems
B. the use of tracking technology
C. internet privacy policies
D. general privacy responsibilities of an agency

11. OMB Memorandum 07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information," was issued based on the recommendations of the ------------.

A. the National Institute of Standards and Technology
B. the Privacy and Civil Liberties Board
C. the Presidential Identity Theft Task Force
D. the Presidential Information Security Task Force

12. What was the primary requirement issued to agencies by OMB M-07-16, "Safeguarding Against and Responding to the Breach of Personally Identifiable Information"?

A. creating PII privacy protections
B. implementing PII privacy protections
C. implementing NIST security requirements
D. developing PII breach notification policies

13. Which of the following factors affect an agency's decision on how or when to alert individuals over data breaches involving their PII?

A. likelihood of harm occurring
B. time since breach occurred
C. accessibility and usability of the information
D. number of affected individuals

14. How may individuals be notified of unauthorized access to their PII?

A. personal visit
B. telephone
C. newspapers or other media
D. e-mail

15. To whom does the Rules and Consequences Policy required under M-07-16 apply?

A. agency heads
B. all federal employees
C. all federal employees handling PII
D. third parties that the Federal Government may hire to process PII

16. Information security incidents must be reported to:

A. the Office of Management and Budget
B. the National Institute of Standards and Technology
C. the Office of Homeland Security
D. the US Computer Emergency Readiness Team

17. What significant change to reporting procedure was issued in OMB Memorandum 06-19?

A. When reporting incidents to US-CERT.
B. All security incidents must be reported within one hour of the incident.
C. All security incidents involving PII must be reported within one hour of discovery.
D. All security incidents involving classified information must be reported within one hour of discovery.

18. When reporting security incidents to the US-CERT:

A. only confirmed breaches of PII should be reported
B. confirmed and suspected breaches of PII should be reported
C. only electronic security violations must be reported
D. physical and electronic security violations must be reported

19. ---- is the government department that issues memoranda regarding the use of government employee information.

A. Office of Management and Budget
B. Office of the President
C. Office of Personnel Management
D. Federal Trade Commission

20. According to the Office of Personnel Management, -------- should be used when
transporting or transmitting electronic data containing Social Security Numbers.

A. biometric identifiers
B. encryption
C. physical safeguards
D. all of the above

21. Social Security Numbers of federal employees are:

A. less protected than those of the public
B. equally protected under the same laws as those of the public
C. equally protected under separate laws from those of the public
D. more protected than those of the public

22. The September 20, 2006 OMB Memorandum on ID theft-related data breach notification recommends that every agency have an initial response group that includes:

A. the Chief Privacy Officer
B. the Chief Legal Officer
C. the Agency's Inspector General
D. All of the above

23. Under OMB guidelines, which of the following would constitute a risk of ID theft?

A. a person's name and telephone number
B. a person's name, address or telephone number and her sports club membership
C. a person's Social Security Number
D. a government identifier such as her license and her contact information

24. Which of the following are factors which determine the level of risk of ID theft due to a data breach?

A. how the data loss occurred
B. the ability of the agency to mitigate harm
C. evidence the information will be used to commit fraud
D. all of the above

25. Why do agencies only alert individuals of data breaches when a significant risk of ID theft has occurred?

A. to avoid negative publicity
B. countermeasures are costly for the public
C. notification is costly
D. to avoid confusing the public over what actually constitutes a threat

Answers
1. A, B, C
2. A, C, D
3. B
4. D
5. A, B, D
6. A, B, C
7. C, D
8. B
9. A
10. B, C, D
11. C
12. D
13. A, C, D
14. B, C, D
15. C
16. D
17. C
18. B, D
19. C
20. B
21. B
22. D
23. B, C, D
24. D
25. B, C, D

CIPP_G_CBK Test 4

Questions
1. Why was the Safe Harbor agreement created?

A. To protect the PII of U.S. citizens when transferred to the E.U.
B. To protect the PII of E.U. citizens when transferred to the U.S.
C. To facilitate the exchange of data between the United States and the European Union
D. To force the U.S. Government to create stronger data protection laws

2. What are the main reasons the European Union finds data protection in the U.S. to be inadequate?

A. There is a different definition of PII
B. There is no comprehensive law governing all PII
C. There is no central authority overseeing data protection
D. There is limited enforcement

3. When transferring data to other countries an entity must:

A. Ensure the data protection laws of the receiving country are equal to those of
the originating country
B. Add additional encryption and other security controls
C. Ensure the receiving entity will provide equal data protection even if they are
not already required to do so by the local laws
D. Relinquish rights to the data

4. Where must a System of Records Notice be published?

A. A printed booklet distributed by the agency
B. The Federal Register
C. On display at the agency's location
D. The agency's website

5. The -------- must be consulted for approval when a government agency collects information from ten or more people which may require disclosure.

A. Office of the President
B. The agency's Chief Information Officer
C. The Head of the agency
D. The Office of Management and Budget

6. What is the government agency in charge of handling workforce-related issues for Federal employees?

A. The Office of Management and Budget
B. The Office of Personnel Management
C. The Office of Human Resources
D. The Office of the President

7. What is the importance of increased screening, particularly background checks, during the interview process of potential employees?

A. To ensure that people working with children, the elderly, and the disabled don't have a criminal record
B. To determine security clearance for individuals
C. To verify credentials
D. To sort through large pools of candidates

8. Which of the following is information that may be asked of potential employees during the interview process under U.S. law?

A. Height and weight, if there are specific height and weight restrictions in order to perform the job function
B. Ethnic background
C. Current and past illegal drug use
D. A photograph

9. Which of the following may not be asked of a candidate during the interview process under U.S. law?

A. Polygraph or genetic testing
B. Past or present illnesses
C. For consent to perform an investigative consumer report
D. Questions about a military discharge or military service outside the U.S.

10. The Office of Management and Budget is required to submit general reports to Congress on Government implementation of which laws?

A. The Federal Information Security Management Act
B. The Privacy Act
C. Computer Matching Act
D. E-Government Act

11. What is the purpose of the semiannual reports the Inspector General of many agencies must make to Congress?

A. To keep Congress informed of the actions of each agency
B. To plan new legislation
C. To conduct audits of the agency's activities
D. To report on privacy issues in the agency

12. Which agency performs audits of the U.S. Government and reports to Congress and the public regarding the use of funding in different agencies?

A. The Office of Management and Budget
B. The Department of Justice
C. The Securities and Exchange Commission
D. The Government Accountability Office (GAO, formerly the General Accounting Office)

13. Which agency reports to Congress each year on the number of requests received by government agencies to perform electronic surveillance under the Foreign Intelligence Surveillance Act?

A. The Office of Management and Budget
B. The Department of Justice
C. The Inspector General
D. The Government Accountability Office (GAO, formerly the General Accounting Office)

14. The Securities and Exchange Commission publishes an annual report which includes:

A. Major enforcement cases conducted by the agency for fraudulent behavior with regard to securities
B. A performance summary of the agency
C. A listing of all SEC filings
D. An analysis of the government's financial holdings in terms of securities

15. Which agency publishes reports on work force hiring in the Federal Government and the private sector?

A. The Office of Management and Budget
B. The Department of Justice
C. The Equal Employment Opportunity Commission
D. The Department of Health and Human Services Office of Civil Rights

16. In terms of data protection, what is the most important thing to consider in the data lifecycle?

A. How data is collected
B. How data is stored
C. How data is destroyed
D. That data is protected in all stages of the lifecycle

17. Which U.S. Law greatly expanded the financial reporting requirements originally
issued under the Bank Secrecy Act?

A. The Federal Information Security Management Act
B. The Right to Financial Privacy Act
C. The USA PATRIOT Act
D. The Electronic Communications Privacy Act

18. What is the minimum amount for a general transaction that requires the filing
of a Currency Transaction Report under the Bank Secrecy Act?

A. $5000
B. $10000
C. $25000
D. $100000

19. What type of PII is included in a Currency Transaction Report?

A. The Social Security Number of the individual
B. The serial number of the instrument used
C. The bank account number of the individual
D. The individual's consumer report

20. When must a Suspicious Activity Report be filed as required under the Bank
Secrecy Act?

A. When there is a suspected crime involving $5,000 or more and a probable suspect
B. When there is suspected criminal activity involving $10,000 or more and a
probable suspect
C. When there is suspected criminal activity and no probable suspect can be
identified
D. When an insider is suspected of committing or aiding a crime

21. What is the purpose of the Foreign Intelligence Surveillance Act?

A. To authorize the use of government surveillance on U.S. citizens
B. To deny the use of government surveillance on U.S. citizens
C. To regulate the use of electronic surveillance by the government
D. To regulate the use of physical surveillance by the government

22. The Foreign Intelligence Surveillance Act protects:

A. U.S. citizens
B. Permanent residents
C. Anyone with a valid U.S. Visa
D. U.S. Companies

23. The U.S. Government can conduct surveillance:

A. In relation to any suspicious activity
B. On anyone convicted of a felony
C. If there is probable cause that the individual is an agent of a foreign power
D. Individuals connected to international terrorist groups

24. Under the Foreign Intelligence Surveillance Act, when may warrantless
surveillance take place?

A. For a period of one year for any individual for whom there is reasonable cause
to suspect they are an agent of a foreign power
B. For a period of one year if the surveillance is not expected to involve a U.S.
person and there is reasonable cause to suspect they are an agent of a foreign power
C. For fifteen days following a declaration of war by Congress
D. On groups engaged in international terrorism

25. What information from the FISA court, which oversees requests for surveillance,
is available to the public?

A. Dates, locations and times of hearings
B. The type of information collected
C. Records of surveillance
D. The number of warrant applications and the number that are approved and denied

Answers
1. B, C
2. B, C, D
3. A, C
4. B, D
5. D
6. B
7. A, B, C
8. A, C
9. A, B, D
10. A, D
11. A, C
12. D
13. B
14. A, B
15. C
16. D
17. C
18. B
19. A, C
20. A, C, D
21. C, D
22. A, B, D
23. C, D
24. B, C
25. D

CIPP_G_CBK Test 5

G Concentration Prep Materials
CBK Tests

Questions
1. Under OMB Memorandum 06-20, how often must agency privacy updates be submitted to
support the President's Management Agenda scorecard?

A. Annually
B. Quarterly
C. Biannually
D. Biennially with the Privacy Act Report

2. Information systems that are -------- must be reported to the OMB and Congress
under Memorandum 06-20.

A. Missing from the inventory of major information systems
B. Undergoing significant changes
C. In need of significant changes
D. In need of replacement

3. OMB Memorandum 07-19 provided reporting templates for individuals in which of
the following positions?

A. Chief Information Officers
B. Senior Agency Officials for Privacy
C. Inspector General
D. The head of the agency

4. OMB M-07-19 required all agencies to attach the report required under OMB M-07-
16 to their report to Congress. OMB M-07-16 dealt primarily with:

A. Reporting security incidents
B. Creating privacy programs
C. Safeguarding against the breach of personal information
D. Reporting Agency complaints and responses

5. The major additions to FISMA reporting requirements outlined in OMB Memorandum
08-09 deal primarily with:

A. Reporting security incidents
B. Creating privacy programs
C. Safeguarding against the breach of personal information
D. Reporting Agency complaints and responses

6. How many different classes of privacy complaints are outlined in OMB M-08-09
which must be reported to Congress?

A. One
B. Three
C. Five
D. Ten

7. Why might an agency have multiple privacy policies for its website?

A. Only part of the website is targeted towards children
B. Only part of the website collects personally identifiable information
C. Different parts of the website collect different types of PII.
D. Each individual page has a separate privacy policy based on the information
collected on that page.

8. When an agency changes their privacy policy:

A. The changes may be applied to information collected prior to the policy date
without the individual's consent.
B. The changes only apply to information collected after the policy date.
C. The individual must be notified of the changes and given the right to withdraw
their consent
D. The changes must be posted conspicuously on the website.

9. Which of the following is an administrative control for enforcing privacy
policies in Federal agencies?

A. Technical safeguards
B. Education and Training on privacy responsibilities for employees
C. Issuing reprimands and consequences for employees failing to protect privacy
D. Password protection

10. Which of the following are ways government agencies can ensure clear and
ongoing communication about privacy issues with their employees?

A. Periodic privacy training sessions.
B. Alerting employees of all non-compliance that takes place
C. Sending out periodic privacy bulletins
D. Requiring annual signing of a rules and consequences policy

11. Which of the following are among the eight principles/processes guiding inter-
agency data sharing under M-01-05?

A. Notice, consent, accuracy
B. Security controls
C. Completing Privacy Impact Assessments
D. Establishment of a privacy officer

12. Which of the following falls under the privacy principle of accountability as
required in inter-agency data sharing?

A. Ensuring the recipient agency follows the outlined redisclosure limitations
B. Completing privacy impact assessments
C. Training programs to educate employees on their personal accountability and
potential consequences of non-compliance.
D. Setting up internal controls

13. ---- may be transmitted without protection because it does not pose a
significant risk of harm to the individual if the data is compromised.

A. Personal information
B. Sensitive information
C. Non-sensitive personally identifiable information
D. Public record information

14. Which of the following types of information must use encryption protection when
transmitted electronically?

A. Criminal history
B. Medical information
C. Name and address
D. Date and place of birth

15. --- is an attempt by an agency to limit the information collected from
individuals to that which is absolutely necessary.

A. Minimization
B. Redisclosure limitations
C. Integrity
D. Accountability

16. Privacy protections:

A. Make a distinction between paper and electronic records in terms of level of
protection
B. Provide stronger protections for paper records
C. Provide stronger records for electronic records
D. Do not make a distinction between the two

17. All Personally Identifiable Information:

A. Is not created equally
B. Is created equally
C. Should use the same safeguards
D. Poses significant harm to individuals if disclosed to unauthorized individuals

18. Agencies must consider the location where PII is stored because:

A. Different states have different laws guiding the use of PII by the government
B. Different locations around the country have varying levels of security
capabilities
C. Data protections and storage locations are determined by the frequency and use
of the PII
D. Part of security includes creating physical safeguards such as locked offices,
security officers and equipment and biometric passwords.

19. The Common Rule for Protection of Human Subjects protects:

A. The privacy of prisoners
B. The safety of individuals participating in experimental testing
C. The privacy of individuals participating in experimental testing
D. The privacy of prisoners which are not U.S. citizens

20. When should an Institutional Review Board be created?

A. After the research has received government approval
B. Prior to finding human subjects
C. Prior to beginning any form of experimental testing
D. Prior to publishing the experimental conclusions

21. The Government department in charge of HIPAA is also in charge of enforcing
what other privacy law?

A. The Children's Online Privacy and Protection Act
B. The Privacy Act
C. The Freedom of Information Act
D. The Common Rule for Protection of Human Subjects

22. Which of the Fair Information Practices does the Common Rule for Protection of
Human Subjects stress/enforce the most?

A. Notice
B. Consent
C. Integrity
D. Accountability

23. This type of audit or review should be performed before implementing a new
information system:

A. Institutional Review Board (IRB)
B. Privacy Impact Assessment (PIA)
C. Privacy Act Review (PAR)
D. System of Records Notice (SORN)

24. Why are regular privacy and security audits of an information system necessary?

A. To ensure compliance
B. To develop stronger security controls
C. Because privacy and security risks can change as technologies develop
D. All of the above

25. PII collected specifically for statistical purposes:

A. May not be disclosed in identifiable form for any other use other than
statistical information
B. May disclose PII to other agencies for purposes other than statistical
information only with the consent of the individual
C. Must be authorized by the head of the disclosing agency to make sure no other
laws are violated
D. All of the above

Answers
1. B
2. A
3. A, B, C
4. C
5. D
6. B
7. A, B, C
8. B, C, D
9. B, C
10. A, C, D
11. A, B, C
12. A, C
13. C
14. A, B, D
15. A
16. D
17. A
18. B, C
19. B, C
20. C
21. D
22. B
23. B
24. D
25. D

CIPP_G_CBK Test 6

G Concentration Prep Materials
CBK Tests

Questions
1. Which financial privacy law was created in reaction to a series of district and
federal court rulings?

A. The Bank Secrecy Act
B. The Right to Financial Privacy Act
C. Safe Harbor Agreement
D. The Fair Information Practice Principles

2. What were the three main purposes for which the Right to Financial Privacy Act
was designed?

A. To allow customers to challenge improper disclosure of their records
B. To require customers to be notified prior to disclosure of their information to
the government
C. To restrict government access to corporate financial records
D. To require agencies to maintain records on disclosure of customer records to the
government

3. The Right to Financial Privacy Act protects the rights of:

A. Individuals
B. Private corporations
C. Trusts and estates
D. All of the above

4. The Right to Financial Privacy Act regulates disclosure of financial information
to:

A. The Federal government
B. State & local governments
C. Private third parties
D. All of the above

5. Under the Right to Financial Privacy Act, notice is given to customers when:

A. A Suspicious Activity Report is filed
B. When financial records are released to the U.S. Government
C. When financial records are transferred between government agencies
D. When financial records are disclosed to third parties

6. Under the Right to Financial Privacy Act, in order to gain access to financial
information, a government agency must provide:

A. A reasonable description of the records sought
B. Customer consent
C. A subpoena, warrant or court order for the info if no consent is obtained
D. A subpoena, summons or court order even when consent is obtained

7. Which of the following may be considered financial institutions under the Right
to Financial Privacy Act?

A. Casinos
B. The Post Office
C. Credit Unions
D. Schools

8. Under the Electronic Communication Privacy Act, protected communications are:

A. Signs and signals
B. Images and sounds
C. Text
D. All of the above

9. Under the Electronic Communications Privacy Act, electronic transmission may
include:

A. Wire transfers
B. Communications from a tracking device
C. Radio transfers
D. Photo-electric and photo-optical systems

10. Title I of the Electronic Communications Privacy Act:

A. Prohibits the use of pen registers and tracing devices without a warrant.
B. Protects stored communications
C. Protects communications in transit
D. All of the above

11. Title II of the Electronic Communications Privacy Act:

A. Prohibits the use of pen registers and tracing devices without a warrant.
B. Protects stored communications
C. Protects communications in transit
D. All of the above

12. Title III of the Electronic Communications Privacy Act:

A. Prohibits the use of pen registers and tracing devices without a warrant.
B. Protects stored communications
C. Protects communications in transit
D. All of the above

13. Why is protection of data even more relevant today than it was when the
Electronic Communications Privacy Act was originally passed?

A. The ECPA is weakened by the USA-PATRIOT act
B. Data is stored differently
C. Data is worth more today
D. Increased use of the Internet to store personal and corporate data

14. What are the major criticisms of the ECPA?

A. It does not adequately protect all the technology and uses of electronic
communication in practice today
B. There is no judicial review to oversee the issuing of warrants
C. The protection granted email is unclear
D. The act restricts the government's ability to investigate national security
threats

15. Which part of the Electronic Communications Privacy Act is unofficially
referred to as the "Wiretap Act"?

A. Title I
B. Title II
C. Title III
D. All of the above

16. The USA PATRIOT Act allowed which of the following changes?

A. Allowed non-specific wiretapping to gather foreign intelligence information
B. Expanded the ability of the Secretary of Treasury to regulate financial
transactions
C. Increased ability for the government to search electronic communications, and
financial, medical and other private records
D. Expanded the techniques that may be used by the U.S. government to gather
intelligence information

17. Which of the following are U.S. privacy laws modified by the USA-PATRIOT Act?

A. Safe Harbor Agreement
B. The Electronic Communications Privacy Act
C. Driver's Privacy Protection Act
D. Bank Secrecy Act

18. Which of the following are changes made by the USA-PATRIOT Act with regard to
accessing electronic information?

A. FBI access to stored voicemail with a search warrant
B. Altered definition of a protected computer
C. Ability to demand PII from service providers without a warrant
D. Restricted protections to data stored on the Internet

19. What is a protected computer as defined by the USA-PATRIOT Act?

A. A computer controlled by a government agency
B. A computer requiring a search warrant for the government to access
C. A computer whose owner allows voluntary interception or disclosure of its
contents to the government
D. An encrypted computer

20. How did the USA-PATRIOT Act change the government's ability to gather foreign
intelligence information?

A. May gather information from U.S. citizens and non-citizens
B. May gather information from U.S. citizens without a court order
C. Expanded duration of search orders
D. Allows surveillance of citizens regardless of their activity

21. What is a "sneak & peek" warrant?

A. A warrant used to gather information on U.S. corporations
B. A warrant to gather intelligence on U.S. persons
C. A warrant allowing surveillance without a specific target
D. A warrant with delayed notification to the targeted individual

22. What is a roving wiretap?

A. A warrant used to gather information on U.S. corporations
B. A warrant to gather intelligence on U.S. persons
C. A warrant allowing surveillance without a specific target
D. A warrant with delayed notification to the targeted individual

23. Which provision of the USA-PATRIOT act has been contested in court for
violating the fourth amendment?

A. Roving wiretaps
B. "Sneak & Peek" Warrants
C. Duration of FISA surveillance
D. Use of pen registers and other tracing devices

24. Title II of the USA-PATRIOT Act allows the FBI to order the reproduction of all
books, reports, records and documents related to an individual during the course of
an investigation involving national security unless:

A. The records are about U.S. citizens
B. The individual has not granted their consent
C. The investigation is conducted solely based on activities protected by the
fourth amendment
D. The individual has not received notice of the request

25. Title III of the USA-PATRIOT Act:

A. Widened domestic intelligence capabilities
B. Expanded the power of the military
C. Strengthened border security
D. Created new requirements to prevent money laundering

Answers

1. B
2. A, B, D
3. A
4. A
5. B, C
6. A, B, C
7. A, B, C
8. D
9. A, C, D
10. C
11. B
12. A
13. D
14. A, B, C
15. A
16. B, C, D
17. B, D
18. A, B
19. C
20. A, C
21. D
22. C
23. B
24. C
25. D

CIPP_G_CBK Test 7

G Concentration Prep Materials
CBK Tests

Questions
1. The Rearing and Empowering America for Longevity Against Acts of International
Destruction is otherwise known as?

A. The Wiretap act
B. The REAL ID act
C. The Anti-privacy act
D. The Anti-immigration act

2. The issuing of Driver's licenses and other ID cards falls under the jurisdiction
of:

A. Local governments
B. County governments
C. State governments
D. Federal government

3. If a state does not meet the requirements of the REAL ID Act, license holders:

A. Need to apply for a national ID
B. Need to apply for a passport
C. Would not be allowed to drive
D. Would not be allowed through airport security

4. Which of the following is required on a REAL ID Act standardized card?

A. Cardholder's signature
B. Cardholder's photograph
C. Cardholder's date of birth
D. All of the above

5. Which of the following is a specific security feature required on a REAL ID Act
standardized card?

A. Electro-magnetic strip
B. Common machine readable technology
C. Holograms
D. Raised characters

6. Which of the following are not changes made by the REAL ID act?

A. States must share motor vehicle information with all entities participating in
the Driver's License Agreement
B. States must share motor vehicle information with other states
C. Immigrants seeking asylum may be asked to present corroborating evidence
D. Stricter rules for required documentation in order to apply for an ID card

7. The Freedom of Information Act is related to which of the Fair Information
Practice Principles?

A. Access & Redress
B. Integrity & Transparency
C. Access & Integrity
D. Consent & Redress

8. All of the following are exemptions under which the government can deny access
to data under the FOIA except:

A. Geological information
B. Law enforcement records
C. Birth/death records
D. Intra-agency memos

9. The Freedom of Information Act applies to:

A. Congressional records
B. Judicial records
C. Federal Agency records
D. All of the above

10. A Freedom of Information Act request:

A. Must be authenticated using a Social Security number
B. Must be submitted in writing
C. Must always be fulfilled
D. All of the above

11. Which of the following is considered "compelling need" for the fulfillment of
an FOIA expedited request?

A. Imminent threat to the physical safety of an individual
B. Impairment of due process
C. Immediately needed for proper dissemination of information to the public about
government activity
D. All of the above

12. An agency may charge search fees for:

A. All research undertaken
B. Research requiring five or more hours of a researcher's time
C. When obtaining the records requires unusual or exceptional circumstances
D. Never

13. Which of the following is not an exceptional circumstance under which an
agency can charge search fees for an FOIA request?

A. Voluminous amounts of records
B. Records are not computerized
C. Consultation with other agencies is necessary
D. Retrieval from a field office

14. If a requested document contains information that may remain confidential under
one of the FOIA exemptions then:

A. The requestor may not access the document
B. Information not protected within the requested material is copied and pasted
into a new document
C. Information not protected within the requested material is blacked out on a
photocopy of the document
D. None of the above

15. Aggregating requests:

A. Is illegal
B. Allows the government to assess fees for similar requests
C. Deters FOIA requests
D. Can happen in theory but does not often occur in practice

16. Agencies can charge what type of fees for an FOIA request?

A. Standard request fees
B. Search fees
C. Certification fees
D. Duplication fees

17. Which of the following is not a reason a requestor may appeal an FOIA request?

A. The requestor finds erroneous information
B. They were denied access to records either in part or in full
C. No response was received within 20 days
D. The fee is too high

18. Why are so many FOIA requests denied when they should be fulfilled?

A. Budgeting constraints
B. The requested information is difficult to retrieve
C. There is a large backlog of requests
D. Rules are unclear for what may and may not be released

19. A requestor whose requests and appeals are repeatedly denied may:

A. File a lawsuit against the agency
B. File a complaint with the agency
C. Both A & B
D. Neither A nor B

20. An annual report on FOIA requests must be made to:

A. The President
B. The Department of Justice
C. The FCC
D. Congress

21. The annual FOIA report does not contain:

A. A breakdown of the types of information requested
B. Number of appeals and requests received
C. Number of appeals and requests granted and denied
D. Processing times for each request

22. The goal of the Privacy Act of 1974 is:

A. Establishing fair use practice principles for information collected by the U.S.
Government
B. Controlling the disclosure of personally identifiable information
C. Ensuring transparency and access by outlawing secret records systems
D. All of the above

23. "Collecting only information that is absolutely necessary" relates to:

A. Accountability
B. Accessibility
C. Minimization
D. Consent

24. Under the Privacy Act, with regard to a system of records, an individual may:

A. Request to be removed from a system of records
B. Request to correct erroneous information in a system of records
C. Receive notification when a system of records containing their information is
updated or moved
D. All of the above

25. A system of records:

A. May not be shared amongst agencies
B. May not contain information on how a citizen exercises their first amendment
rights
C. May not be disclosed to third parties
D. Must be kept electronically

Answers

1. B
2. C
3. D
4. D
5. B
6. A
7. A
8. C
9. C
10. B
11. D
12. C
13. B
14. C
15. B
16. D
17. A
18. C
19. C
20. D
21. A
22. D
23. C
24. B
25. B

CIPP_G_CBK Test 8

G Concentration Prep Materials
CBK Tests

Questions
1. ----- is "any group of records under the control of any agency from which
information is retrieved by the name of an individual or by some identifying
number, symbol, or other identifying particular assigned to the individual"

A. An information system
B. A PII database
C. System of Records
D. Social Security database

2. What is the purpose of a System of Records Notice?

A. To create a centralized database of PII collected by the U.S. government
B. To facilitate data sharing amongst U.S. agencies
C. To ensure no records system containing PII is kept secret
D. All of the above

3. Which of the following are requirements for data management under the Privacy
Act of 1974?

A. Information must be used for the purposes under which it was originally
collected
B. Information may not be disclosed to third parties without prior consent of the
individual
C. Individuals must be able to amend erroneous information maintained about them
D. All of the above

4. Data held by a U.S. agency

A. May be shared freely with other government agencies
B. May be shared freely with government agencies and state governments
C. Must use data sharing agreements when sharing information with state governments
D. Must use data sharing agreements when sharing information with other agencies

5. Before a matching program may be run:

A. A data sharing agreement must be signed between the two agencies participating
in the matching program
B. The data sharing agreement must be given to Congress
C. The data sharing agreement must be shared with the public
D. All of the above

6. Disclosures to entities outside the agency must be recorded:

A. Anytime information is disclosed
B. Only if a Data Sharing Agreement has not been signed
C. Only if the disclosure does not fall under routine use
D. Only if disclosure takes place without the consent of the individual

7. What is the practice defined in the Privacy Act which allows PII to be used for
additional purposes without the consent of the individual?

A. Compelling need
B. Exceptional circumstances
C. Routine use
D. Exceptional use

8. Contractors:

A. May never be hired to manage system of records on behalf of the U.S. Government
B. Effectively become government employees when contracted to work with a system of
records and must follow the requirements of the privacy act
C. Must destroy all PII from a system of records once the contract has been
fulfilled
D. May not work with non-government clients when fulfilling a contract for a U.S.
agency

9. A SORN must be published

A. Biennially
B. Whenever a system of records is created
C. Whenever a system of records adds new routine uses for the information it
contains
D. All of the above

10. A SORN does not contain:

A. The location of a system of records
B. Privacy practices and usage policies for the system of records
C. Information on the efficacy of the system of records
D. The types of data a system of records maintains

11. What is the purpose of periodic reviews under the Privacy Act?

A. Internal enforcement of the Privacy Act
B. To clarify routine uses for the agency
C. To ensure minimization
D. All of the above

12. Under the Privacy Act, notice must be given to an individual:

A. When their information is disclosed under routine use
B. When their information is disclosed to third parties not under routine use
C. Only upon collection of their information
D. Annually

13. Agencies must provide notice to individuals about the use of their information:

A. In writing
B. Through the federal register
C. When changes occur to how their information is handled
D. All of the above

14. Which of the following is not usually included in notice given to individuals
under the Privacy Act?

A. For what purpose the information is collected
B. How long the information may be kept in the records system
C. The routine uses under which the information may be used
D. None of the above

15. Which of the following are records exempt from following the rules of the
Privacy Act?

A. Congressional records
B. Judicial records
C. State Records
D. All of the above

16. The E-Government Act of 2002 primarily accomplished:

A. Converting government records from paper to electronic systems
B. Requiring the use of specific technologies to protect PII in records held by
government agencies
C. Specifying the privacy protections granted to information collected and
maintained electronically by government agencies
D. All of the above

17. Section 208 of the E-Government act dealt specifically with:

A. Outlining data protection requirements for information collected by the U.S.
Government via the Internet
B. Providing access to public documents via the Internet
C. Standardizing government websites
D. All of the above

18. On Government agency websites:

A. Cookies may collect information from visitors without their knowledge
B. Consent and notice is required prior to all information collection
C. Consent is needed prior to disclosure
D. Consent is implied by visiting the website

19. The E-Government Act applies privacy protections to the web already guaranteed
by which privacy law?

A. The Federal Information Security Management Act
B. The Privacy Act
C. The Freedom of Information Act
D. All of the above

20. Which of the following are old OMB requirements modified by the E-Government
Act?

A. Electronic media may be used if it is cost effective and most users have the
training to access the information
B. Privacy must be considered when developing new policies
C. Records must reflect government activity
D. The sharing of PII should be limited

21. Each privacy policy must notify individuals of their rights under:

A. The E-Government Act
B. The Privacy Act
C. The IRS Restructuring and Reform Act
D. All of the above

22. Under the E-Government Act, notice must be given:

A. In machine readable format
B. In text format
C. All of the above
D. None of the above

23. A machine readable privacy policy:

A. Allows web browsers to prevent access to sites not compliant with an
individual's privacy preferences
B. Allows users to provide instant online consent
C. Is not required on government websites
D. Contains a mixture of text and code to be viewable in a web browser

24. OMB M-99-05:

A. Added specific content areas to agency privacy policies
B. Requires the appointment of a privacy official to oversee privacy in agencies
C. Prohibited the use of tracking cookies
D. All of the above

25. OMB M-99-18:

A. Added specific content areas to agency privacy policies
B. Requires the appointment of a privacy official to oversee privacy in agencies
C. Prohibited the use of tracking cookies
D. All of the above

Answers

1. C
2. C
3. D
4. D
5. D
6. A
7. C
8. B
9. D
10. C
11. D
12. B
13. D
14. B
15. D
16. C
17. A
18. B
19. B
20. A
21. D
22. C
23. A
24. B
25. A

CIPP_G_CBK Test 9

G Concentration Prep Materials
CBK Tests

Questions
1. OMB M-00-13:

A. Added specific content areas to agency privacy policies
B. Requires the appointment of a privacy official to oversee privacy in agencies
C. Prohibited the use of tracking cookies
D. All of the above

2. PIA stands for:

A. Personal Information Assessment
B. Personally Identifiable Access
C. Privacy Impact Assessment
D. Privacy Information Assessment

3. An agency converting paper records to electronic records must:

A. Notify the individuals whose information is kept in the system
B. Conduct a PIA
C. Change their website privacy policy
D. All of the above

4. Which of the following is not a case in which a PIA must be conducted?

A. Before using a new means of electronic information collection
B. When new PII data elements are added to a system
C. When anonymized data is converted to identifiable form
D. When info is shared using a matching program under a matching agreement

5. A PIA should be conducted:

A. Before instituting a new system or significant changes
B. After instituting a new system or significant changes
C. Before and after instituting a new system or significant changes
D. Annually

6. Which of the following is information not included in a Privacy Impact
Assessment?

A. Technical and administrative safeguards in place
B. Purposes for which the information is used
C. An analysis of the efficiency of the system
D. How an individual can provide consent to the uses of their information

7. The following are exceptions to the rule regarding conducting PIAs except for:

A. If the system deals with national security information
B. If the system contains information that is not in identifiable form
C. If the system deals with internal government operation
D. If the system is confidential

8. PIAs are required for government websites that:

A. Collect information in identifiable form
B. Collect PII for the purpose of providing feedback
C. Use tracking cookies
D. All of the above

9. What is the main difference between a Privacy Impact Assessment and a System of Records Notice?

A. A SORN is published annually and a PIA is published biennially
B. SORNs apply to all information systems, a PIA applies to systems containing PII
C. SORNs are public documents but PIAs are not
D. SORN privacy protections are not as strong as those under a PIA

10. Privacy Impact Assessments are published:

A. In the Federal Register
B. In quarterly privacy bulletins
C. On the agency's website
D. All of the above

11. The Director of each agency must submit a ---------- annually

A. Privacy Impact Assessment
B. System of Records Notice
C. E-Government Act status report
D. Privacy report

12. What main privacy contribution did the Consolidated Appropriations Act of 2005 make?

A. Website privacy policy requirements
B. Guidelines for information management
C. Implementation of the fair information practice principles
D. Required a Chief Privacy Officer for every agency

13. A Chief Privacy Officer's responsibilities include:

A. Ensuring compliance with the Privacy Act
B. Ensuring information collection practices match stated privacy policies
C. Ensuring consideration of privacy in development of new technologies and policies
D. All of the above

14. By signing a privacy report, the Chief Privacy Officer:

A. Asserts that no mishandling of PII has occurred
B. Asserts that the agency has addressed all security weaknesses
C. Asserts PII is only used as stated in the agency report
D. All of the above

15. Section 522 of the Consolidated Appropriations Act requires:

A. Expansion of website privacy policies
B. A PIA to be completed biannually
C. Creation of a separate privacy department in each agency
D. A third party review of privacy practices conducted biennially

16. Which of the following is not included in the third party review required under the Consolidated Appropriations Act of 2005?

A. Uses of PII match stated privacy policies
B. Privacy policies are consistent both on and offline
C. Data sharing between agencies is minimal
D. Evaluation of the security technologies used

17. The main purpose of the Data Quality Act of 2002 was to:

A. Ensure the integrity of data maintained by the U.S. Government
B. Ensure the integrity of information disseminated by the U.S. Government
C. Limit the type of information that may be disseminated
D. All of the above

18. Data disseminated by U.S. agencies must:

A. Be certified and accredited
B. Meet standards of objectivity, utility and integrity
C. Be approved by the agency head
D. All of the above

19. The ----- created guidelines for other government agencies to create their own data quality guidelines

A. Office of Management and Budget
B. National Institute of Standards and Technology
C. Office of the President
D. The Federal Register

20. In the Data Quality Act, utility refers to:

A. How the information is used by the government
B. How useful the information is to the recipients
C. How long the information is used
D. How long the information is maintained

21. In the Data Quality Act, integrity refers to:

A. Unbiased information
B. Information is protected from disclosure
C. Information is protected from unauthorized access/revision
D. Usefulness

22. In the Data Quality Act, objectivity refers to:

A. Unbiased information
B. Presentation of information as unbiased
C. Information from an unbiased source
D. Cooperating with the press

23. Under the Data Quality Act, agencies must:

A. Provide administrative mechanisms for redress
B. Include redress options for information held in archival libraries
C. Allow redress no matter the length of time after the initial dissemination
D. Require the agency head to handle all redress complaints

24. What are the agency reporting requirements under the Data Quality Act?

A. Publish agency requirements within one year
B. Report to Congress every two years
C. Publish agency requirements within one year and send an annual report to Congress
D. Publish agency requirements within one year and send a report to Congress biennially

25. The FISMA deals mainly with:

A. Business privacy oversight
B. Government privacy oversight
C. Business information security
D. Government information security

Answers

1. C
2. C
3. B
4. D
5. A
6. C
7. D
8. A
9. D
10. A
11. C
12. D
13. D
14. C
15. D
16. C
17. B
18. B
19. A
20. B
21. C
22. B
23. A
24. C
25. D
