CIPT Exam Questions With 100% Correct Answers 2024
Bastion Server - Correct Answer - A server that has one purpose and only contains software to support that purpose. E.g. printer, email, and database servers are bastion servers. Using bastion servers reduces the number of applications on a server, which minimizes vulnerability.

Privacy Impact Assessment (PIA) - Correct Answer - Checklists or tools to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind. An effective PIA evaluates the sufficiency of privacy practices and policies with respect to legal, regulatory and industry standards, and maintains consistency between policy and practice. Should be conducted annually, or additionally upon occurrence of any of the following events:
- Creation of new product/service
- New/updated program for processing data
- Merger/acquisition
- Creation of new data center
- Onboarding of new data
- Movement of data to different country
- Changes in regulations governing data use

Security Policy Principles - Correct Answer - All security policies should include these EXTERNAL requirements:
(1) Corporate - data stored from consumers, partners, vendors, and employees needs to be protected in accordance with contracts or privacy policies; also, need to keep data secure to protect interests.
(2) Regulatory - privacy requirements placed on organizations by government entities (e.g. FTC, Office of the Information and Privacy Commissioner of Ontario, and the UK Information Commissioner's Office).
(3) Industry - compliance with different industry groups shows commitment to privacy principles of that industry, which can avoid creation of new legislation / regulatory scrutiny.

Industry Groups - Correct Answer - Industry group examples = Better Business Bureau, Interactive Advertising Bureau, TRUSTe, and the Entertainment Software Rating Board.

Key Security Measures - Correct Answer -
(1) Encryption - BEST means of protecting data during transmission and storage; type of encryption should be based on how the encryption's performance and complexity may impact company system.
(2) Software protection - antivirus software can detect malicious software; packet filtering can help ensure inappropriate communications packets do not make it onto company's network.
(3) Access controls - programmatic means for preventing unwanted access to data hosted; should be continually certified to ensure only appropriate people have access.
(4) Physical protection - all computers should have minimum level of physical security to prevent outside access (e.g. cameras, guards).
(5) Social engineering prevention - employees should be trained to detect exploits where individuals pretend to represent company/person in order to gain access to data. (ChoicePoint data breach)
(6) Auditing - auditing system should be configured so logs are sent to remote auditing machine outside the control of the system and application administrators.

Steps for avoiding privacy-invasive applications - Correct Answer -
(1) Privileged access - restrictions can be placed on who installs/configures applications.
(2) Software policy - policy that describes requirements/guidelines for applications used on company computers.
(3) Policy links - for each application, a link that explains the privacy obligation and is accessible via the application.
(4) Application research - companies should perform research to determine which applications are most appropriate for their employees, computers, and networks.
(5) Employee training - employees should be periodically trained on company's software policy, as well as on threats to privacy from installation of malicious applications/improper configuration of legitimate apps; yearly privacy training is best practice.
(5) IT involvement - can be handled in one of two ways: (i) IT controlled;
(6) Employee Controlled - companies can let employees manage their own computer system based on corporate policy, as opposed to IT dept governance.

Ways to mitigate network risks - Correct Answer -
(1) Keep computers clear of malware - run latest anti-malware software.
(2) Apply smartphone policies - phone passwords, auto-device lock/remote wiping mechanism enforced for smartphones connecting to network resources.
(3) Validate network devices - each device must come from reputable vendor and have proper configuration/most recent updates.
(4) Write secure code - developers should follow guidelines on how to write software that avoids the risk of exposing data over network ("Writing Secure Code" and "The Open Web Application Security Project").
(5) Validate applications - all apps running on computers/smartphones should be restricted from accessing network services unless they are on a safe list set up by IT dept.
(6) Network encryption - use encryption on wireless/wired networks at transportation level to mitigate threat of thieves accessing unprotected data.

Network Monitoring - Correct Answer - Malware can infect company's network and travel from computer to computer. Network monitoring software can look for known virus signatures or use other means to find and cleanse network infestations. Network monitoring can also prevent private data from leaving company / look for signatureless advanced malware and take targeted actions.

Data Storage - Correct Answer -
(1) Files - can be protected outside of their storage system using password-based encryption or digital rights management.
(2) Websites - employee access should be limited, and each website should have a policy link for employees/access control list/organized by category to protect sensitive content.
(3) Databases - good place to store sensitive data because of general access control, role-based access control, encryption, data categorization, retention management, and auditing.
(4) Cloud storage - provides better access to data for customers, lower operational costs, and limits regulatory risks for cross-border transfer of customer data. Contracts should ensure that the hosting company follows org's data storage policy. ---RISK: Sharing a data center - companies hosting data for other companies increases data breach risks.
(5) Applications - need strong role-based access controls.
(6) Backup tapes - easy source of data leakage - no access control list and can be easily read by anyone. To mitigate, ensure backups are encrypted and stored in safe place.
(7) Hardware - need hardware disposal procedure; data should be wiped before disposing of old hardware.

Privacy Notice - Correct Answer - Privacy notice should be modeled upon company's privacy policy, and should include:
- what data is collected
- how data is used
- how collected data is shared
- user control over collected data
- controlling marketing contact
- use of cookies and other tracking mechanisms
- gaining access to data
- resolving privacy issues
- date of notice
- any changes to privacy notice

Privacy Policy - Correct Answer - A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. It fulfills a legal requirement to protect a customer or client's privacy. Key things to include in privacy policy:
- Data classification
- Data retention period associated with each type of data classification
- Data deletion upon expiration of retention period
- Guidelines for creating a meaningful data inventory, including rules on where data can be placed, minimizing offline storage, contracts to govern third parties' use of data, classifying data, creating data flow.

Access Control - Correct Answer - Access control list consists of access control entries, which contain the name of entity (by user, group, device or service) and type of access the entity has to a particular resource. ---Should be validated on a regular basis to ensure that the entries are still appropriate. Various types of access control:
(1) Discretionary access control - user has complete control over all resources she owns; user has ability to determine permission other users have to the resource.
(2) Mandatory access control - only the administrator can assign access rights.
(3) Role-based access control - access granted based on organizational role.
(4) Attribute-based access control - extension of role-based access control; attributes can be time, location, age, or nationality. The extensible access control markup language (XACML) is a standard that can be used to implement ABAC systems.

Encryption - Correct Answer - Protecting data transmission: Secure sockets layer (SSL) protocol and transport layer security (TLS) help protect data that is transmitted from client to server machines and server to server machines.
- SSL commonly protects communications between a browser and a web server; TLS for emails between email servers.
Protecting data at rest: Symmetric and asymmetric encryption.
- Symmetric encryption - single cryptographic key for encryption and decryption; efficient for protecting data accessed by multiple people. (Ex. = Data encryption standard (DES))
- Asymmetric encryption - set of cryptographic keys, one for encryption and one for decryption - slow and complicated for sharing beyond 2 people. (Ex. = RSA and ElGamal)

Hashing - Correct Answer - Uses cryptographic key to encrypt data but does not allow data to be later decrypted - permits use of sensitive data while protecting original value. Used for credit card numbers or SSN. The downside is that the information can never be decrypted.

Password control - Correct Answer - Single Sign On (SSO) can permit access to multiple resources from a single account, with ability to centrally lock a person out of multiple resources.

Machine access restriction - Correct Answer - Limit access to a computer based on computer identifier or IP address. Example: Access to payroll database limited only to set of computers in payroll department.

Enterprise Architecture (EA) - Correct Answer - EA involves managing data flow across an organization to reduce risk and support business growth. ---Data flow diagram can show origin of data, indicating whether origin was an individual, external entity, internal group or process.

Privacy and security regulations with specific IT requirements - Correct Answer -
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) - company doing business in Canada must obtain OPT-OUT consent from data subjects in order to collect, use, or disclose personal information.
- EU: Data Protection Directive - anyone transferring data from EU citizens; applies to processing of all online and offline data, and to all organizations holding personal data.
- Hong Kong: Personal Data (Privacy) Ordinance (PDPO) applies to companies doing business in Hong Kong. Data subjects must be provided the right to access, correct, or delete their personal data.
- Mexico: Law on the Protection of Personal Data Held by Private Parties applies to Mexican companies doing business in Mexico; need OPT-IN (prior) consent before gathering and processing data.
- US: Children's Online Privacy Protection Act (COPPA) applies to commercial/online services directed at children under 13; must get OPT-IN consent from parent.

Information Life Cycle (ILC) - Correct Answer - Collection, Use, Disclosure, Retention, Destruction

Common Privacy Principles - Correct Answer -
a. Collection limitation: restraint from excessive collection of personal information.
b. Data quality: organizations that collect personal information should make efforts to maintain the quality of the information.
c. Purpose specification: expression of purpose for which personal information is collected.
d. Use limitation: use of personal information should be limited within an organization.
e. Security safeguards: organizations have an obligation to provide security for the data they collect from users.
f. Openness: encourages organizations to be open about the personal information they collect and the privacy principles that govern their treatment of such information.
g. Individual participation: ability for an individual to receive confirmation from an organization that the organization holds data collected from or relating to the individual.
h. Accountability: whenever an organization plans to transfer an individual's personal information, it should obtain consent from the individual or exercise extreme care in handling the personal information.

ILC - Disclosure - Correct Answer -
- Internal disclosure of data should be documented by a data flow diagram, data sharing restrictions, and requests for data should be passed on to the original collectors of the data.
- External disclosure should be covered by contracts that govern use, retention, and destruction of data.

ILC - Destruction - Correct Answer -
- Need proper formatting to delete data; best way to destroy a disk is by formatting the disk using the /P:count flag command to zero the disk.
- Digital Rights Management capabilities to make data inaccessible with encryption after a certain time period.
- WORM (write once read many) media (ROMs, CDs, and DVDs) have to be destroyed to rid data.
- Printers, copiers, and fax machines have hard drives that should be wiped clean or destroyed.
Data should be assigned a minimum and maximum retention period.

Identity Management - Correct Answer - The processes involved in verifying the identity of an individual, group, process, or device. Various methods:
- Authentication = act of validating a person's identity with an identity management service before access to resources is permitted. Can be ID/password, RFID card, key fob, USB, biometrics (fingerprint/retinal), or user location.
- Multifactor authentication - more than one type of authentication used to validate; could be single or dual factor.
- Authorization - confirming authenticated person has legitimate access to a resource or permission to execute a command.
- Access control list - indicates types of permission for which identities are authorized (e.g. Alice and Bob have write access to file, but Carlos only has read access).

Discretionary Access Control (DAC) - Correct Answer - Allows users who own resource to manage access control lists. Easier to manage, but permits employees to act against organizational policy.

Mandatory Access Control (MAC) - Correct Answer - Only system administrators are permitted to modify a resource's access control list. More secure, but puts burden on IT department to manage access control lists for all resources.

Cross-enterprise authentication and authorization models - Correct Answer -
- Single sign on (SSO): users only have to remember one ID and password that will be used across multiple sites. With SSO user can reset password for all sites at once.
- OpenID Federation: provides a mechanism that allows users to be authenticated to a relying party using a 3rd party authentication service. *E.g. Klout.com uses Twitter/FB to authenticate.
- Liberty Alliance: defines standards, guidelines, and best practices for identity management. *Kantara initiative (4 assurance levels)
- Identity metasystem architecture: privacy-enhancing, security-enhancing identity solution for the Internet developed by Windows. *More private solution; does not permit tracking of users by the relying party or identity provider.
- Social networks: Facebook, Google+ users can sign in with a single ID. *Must understand what data is exchanged and how data is used.

Payment Card Industry Data Security Standard (PCI DSS) - Correct Answer -
- Managed by PCI Security Standards Council (SSC)
- PCI DSS 12 requirements: (1) Build and maintain a secure network; (2) Protect cardholder data (name, CC #, expiration date, and security code); (3) Maintain a vulnerability management program; (4) Implement strong access control measures; (5) Regularly monitor/test networks; (6) Maintain an information security policy.
- PCI DSS 12 requirements are fulfilled by 3 steps: assess, remediate, and report.

PCI Payment Application Data Security Standard (PCI PA DSS) - Correct Answer - Vendors who create payment application software need to be PA-DSS compliant if the software stores, processes, or transmits cardholder data.

Encryption Regulation - Correct Answer - Basel III, HIPAA, PCI DSS (requires encrypted transmission of cardholder data across open, public networks), Financial Instruments and Exchange Law of Japan.

Linux Unified Key Setup (LUKS) - Correct Answer - Disk encryption specification for encrypting an entire disk; key file for a LUKS-encrypted drive can be stored on a USB key. Protects in case computer is stolen/confiscated.

Privacy Enhancing Technologies (PET) - Correct Answer -
- automated data retrieval
- automated system audits: limit viewing of personal data to one record at a time and tie record access to a work order/task that validates the employee's need to access a record
- data masking and data obfuscation: masking sensitive info such as CC # or SSN. Obfuscation = hiding the contents of a value while maintaining its utility.
- data loss prevention: policies and training, physical security, access security, hardware constraints, network monitoring, software tools

Considerations for Customer-Facing Applications - Correct Answer -
(1) Software-based notice and consent *Just in Time Notices: link/access to privacy policy when first interacting with the users, i.e. when signing up to a website
(2) Software agreements *End-user license agreement (EULA) - or terms of use, terms and conditions. Must make agreements readable; usually presented for approval during installation of software.

Privacy by Design (PbD) - Correct Answer - To institute an effective PbD, company must commit to a privacy by design program, create a privacy standard, perform privacy reviews, perform a data flow analysis, maintain transparency, access control, retention periods, security measures, and privacy by redesign as necessary. Principles of privacy by design: proactive not reactive, privacy as default setting, privacy embedded into design, full functionality, end-to-end security during full lifecycle, visibility & transparency, user-centric/friendly privacy features. It's important to implement your industry-specific standards, such as: (i) Basel III for financial institutions, (ii) payment card industry (PCI) standard for merchants and (iii) payment processing actors, or Internet Advertising Bureau (IAB) rules for advertising.

Privacy by Redesign - Correct Answer - Over time, an organization's privacy policies can change; regulations, laws and self-regulatory regimes can be updated, tech can evolve, threats to data can intensify. As a result, privacy notices and policies will need to be updated.

Regulatory requirements specific to online environment - Correct Answer -
(1) Children's Online Privacy Protection Act (COPPA) - US federal regulation that restricts websites' ability to collect or use data from children under 13 without verifiable parental consent. Targeted advertising cannot be sent to children.
(2) EU Privacy Directives - covers the processing of personal data and protection of online privacy; requires websites that use cookies for tracking purposes to provide enhanced notice to website visitors - websites must also provide users with ability to see, modify, and delete their data.
(3) California Online Privacy Protection Act (CalOPPA) - website must provide a privacy statement to visitors and an easy-to-find link to same on their web pages; websites that carry data on children under 18 must allow data deletion. Websites must also inform visitors of Do Not Track mechanisms.

Phishing - Correct Answer - With most phishing, a fake email is disguised to look like it is from a legitimate organization/person to lure an unsuspecting customer to click on a link embedded in the email. Once clicked, user is sent to fake website designed to look legitimate or prompted to download software onto the computer.
- fake website: gets users to fill out a form with their personal info/provide login to a website like banking
- malware execution: sending fake content to encourage a user to download malicious software or open document that contains malicious software/macros
- faulty search results and ads: search engine could return results/ads that send user to fake site where user's data is collected
- system modification: malware could modify host's file or browser configuration causing user to be sent to the wrong website where she is tricked into believing she is at her banking/healthcare/software download site

Spear Phishing - Correct Answer - Sending phishing emails to a group of people from a known organization (e.g. Facebook, banks, etc.)

Whaling - Correct Answer - A phishing attack that targets only wealthy individuals.

Pharming - Correct Answer - A phishing attack that automatically sends users to malicious sites by redirecting a valid internet request to a malicious site by modifying a host's file or corrupting the contents of a network router domain name system (DNS) server.

Mitigating phishing exploits - Correct Answer -
- Use up-to-date software and malware protection
- Delete suspicious emails without clicking on links or opening attachments
- Type in URL instead of clicking on link in email
- Browser phishing protection (Chrome, Firefox, Internet Explorer - IT pros should be familiar with anti-phishing feature).

SQL Injection - Correct Answer - Structured Query Language (SQL) is the software language used for most online databases. SQL Injection occurs when a person intentionally inserts SQL commands in places where data may be captured and sent to a database for processing; can expose personal data, insert inappropriate data into database, delete data from database, or shut down a database.

Cross-site Scripting (XSS) - Correct Answer - Older form of attack where an attacker embeds client-side script into a page that gets executed when a user visits a site; this can happen when a person enters data in a form, fills out a comment, or posts.

Categories of Online Advertising - Correct Answer -
- Remnant: cheapest, no data, no campaign, static ad
- Premium: expensive, ad campaign, to improve brand
- Contextual: most common type of targeted ad based on website type or data entered by user
- Demographic: based on individual's demographic data such as age, weight, zip code, occupation, height, gender, or shoe size
- Psychographic: ads based on person's interests
- Behavioral: ads based on person's browsing habits

Types of Online Advertising - Correct Answer -
- Search ads: based on keywords searched; displayed alongside the results from a search performed with a search engine
- Display ads: image ads that are commonly viewed on a webpage
- Publisher ads: publisher/owner of website forms an agreement with an advertiser to display a specific ad
- Third-party ad: an ad network makes an agreement with a set of advertisers to display ads on various publisher sites with whom it has made agreements to serve an ad.

Key considerations when working with third parties to post ads on your company's website - Correct Answer -
(1) Have a contract describing obligations and limitations on how data is collected, used, and shared.
(2) Limit ability for ad networks to have other entities place cookies on your site.
(3) Provide a behavioral advertising opt-out mechanism for visitors on your site.
(4) Insist that ad networks on your site provide an opt-out mechanism and be members of the Digital Advertising Alliance (DAA) self-regulatory program.

Cookies - Correct Answer - Text files used for storing information (configuration, demographic, and identity) for a website. Can be used to track users, simplify user experience, and only the website that creates a cookie is able to access it. *Super cookie - mechanism for ensuring the value of a cookie persists even after deletion.

Web beacons, web bugs, pixel tags, and clear GIFs - Correct Answer - Resources existing on a page but invisible to the naked eye. May exist in ads; these can help place cookies in an individual's browser.

Local Shared Objects (LSOs) - Correct Answer - Memory within a browser component that can be used to store data similar to the way it is stored in a cookie; only the website that stored data in the LSO can access that data.