1|Page
CIPT EXAM| COMPREHENSIVE
QUESTIONS AND ANSWERS
Bastion Server - correct-answer -A server that has 1 purpose and only contains
software to support that purpose.
E.g. Printer, email, and database servers are bastion servers.
Using bastion servers reduces the number of applications on a server, which
minimizes vulnerability.
Privacy Impact Assessment (PIA) - correct-answer -Checklists or tools to ensure
that a personal information system is evaluated for privacy risks and designed with
life cycle principles in mind. An effective PIA evaluates the sufficiency of privacy
practices and policies with respect to legal, regulatory and industry standards, and
maintains consistency between policy and practice.
Should be conducted annually, or additionally upon occurrence of any of the
following events:
-Creation of new product/service
-New/updated program for processing data
-Merger/acquisition
,2|Page
-Creation of new data center
-Onboarding of new data
-Movement of data to different country
-Changes in regulations governing data use
Security Policy Principles - correct-answer -All security policies should include
these EXTERNAL requirements:
(1) Corporate - data stored from consumers, partners, vendors, and employees
needs to be protected in accordance with contracts or privacy policies; also, need
to keep data secure to protect interests.
(2) Regulatory - privacy requirements placed on organizations by government
entities (e.g. FTC, Office of the Information and Privacy Commissioner of Ontario,
and the UK Information Commissioner's Office).
(3) Industry - compliance with different industry groups shows commitment to
privacy principles of that industry, which can avoid creation of new legislation /
regulatory scrutiny.
Industry Groups - correct-answer -Industry group examples = Better Business
Bureau, Interactive Advertising Bureau, TRUSTe, and the Entertainment Software
Rating Board.
Key Security Measures - correct-answer -(1) Encryption - BEST means of
protecting data during transmission and storage; type of encryption should be
,3|Page
based on how the encryption's performance and complexity may impact company
system.
(2) Software protection - antivirus software can detect malicious software; packet
filtering can help ensure inappropriate communications packets do not make it
onto company's network.
(3) Access controls - programmatic means for preventing unwanted access to data
hosted; should be continually certified to ensure only appropriate people have
access.
(4) Physical protection - all computers should have minimum level of physical
security to prevent outside access (e.g. cameras, guards).
(5) Social engineering prevention - employees should. be trained to detect exploits
where individuals pretend to represent company/person in order to gain access to
data. (ChoicePoint data breach)
(6) Auditing - auditing system should be configured so logs are sent to remote
auditing machine outside the control of the system and application
administrators.
Steps for avoiding privacy-invasive applications - correct-answer -(1) Privileged
access - restrictions can be placed on who installs/configures applications;
(2) Software policy - policy that describes requirements/guidelines for applications
used on company computers.
(3) Policy links - for each application that explains privacy obligation and is
accessible via application.
(4) Application research - companies should perform research to determine which
applications are most appropriate for their employees, computers, and networks.
(5) Employee training - employees should be periodically trained on company's
software policy, as well as on threats to privacy from installation of malicious
, 4|Page
applications/improper configuration of legitimate apps; yearly privacy training is
best practice.
(5) IT involvement - can have one of two ways: (i) IT controlled - IT dept sets up
each computer, ensuring only specific apps are installed and ensuring apps are
periodically updated as needed or (ii) IT monitored - company computers can be
periodically scanned to validate each installed application is on approved list of
apps and has right version/proper configuration set.
(6) Employee Controlled - companies can let employees manage own computer
system based on corporate policy, as opposed to IT dept governance.
Extensible Access Control Markup Language (XACML) - correct-answer -Applies a
set of tokens to a resource that describe the type of access permitted by a set of
predefined roles; takes up where SAML leaves off.
Like SAML, it provides a mechanism for protecting access to data, but it goes
further by providing a request/response language that permits the development
of an access request.
Benefits:
(1) Standard, generic
(2) Distributed - policy can be written which in turn refers to other policies kept in
arbitrary locations; different groups can manage sub-pieces of policies, and
XACML knows how to correctly combine the results from different policies into
one decision
(3) Powerful - supports a wide variety of data types, functions, and rules.
CIPT EXAM| COMPREHENSIVE
QUESTIONS AND ANSWERS
Bastion Server - correct-answer -A server that has 1 purpose and only contains
software to support that purpose.
E.g. Printer, email, and database servers are bastion servers.
Using bastion servers reduces the number of applications on a server, which
minimizes vulnerability.
Privacy Impact Assessment (PIA) - correct-answer -Checklists or tools to ensure
that a personal information system is evaluated for privacy risks and designed with
life cycle principles in mind. An effective PIA evaluates the sufficiency of privacy
practices and policies with respect to legal, regulatory and industry standards, and
maintains consistency between policy and practice.
Should be conducted annually, or additionally upon occurrence of any of the
following events:
-Creation of new product/service
-New/updated program for processing data
-Merger/acquisition
,2|Page
-Creation of new data center
-Onboarding of new data
-Movement of data to different country
-Changes in regulations governing data use
Security Policy Principles - correct-answer -All security policies should include
these EXTERNAL requirements:
(1) Corporate - data stored from consumers, partners, vendors, and employees
needs to be protected in accordance with contracts or privacy policies; also, need
to keep data secure to protect interests.
(2) Regulatory - privacy requirements placed on organizations by government
entities (e.g. FTC, Office of the Information and Privacy Commissioner of Ontario,
and the UK Information Commissioner's Office).
(3) Industry - compliance with different industry groups shows commitment to
privacy principles of that industry, which can avoid creation of new legislation /
regulatory scrutiny.
Industry Groups - correct-answer -Industry group examples = Better Business
Bureau, Interactive Advertising Bureau, TRUSTe, and the Entertainment Software
Rating Board.
Key Security Measures - correct-answer -(1) Encryption - BEST means of
protecting data during transmission and storage; type of encryption should be
,3|Page
based on how the encryption's performance and complexity may impact company
system.
(2) Software protection - antivirus software can detect malicious software; packet
filtering can help ensure inappropriate communications packets do not make it
onto company's network.
(3) Access controls - programmatic means for preventing unwanted access to data
hosted; should be continually certified to ensure only appropriate people have
access.
(4) Physical protection - all computers should have minimum level of physical
security to prevent outside access (e.g. cameras, guards).
(5) Social engineering prevention - employees should. be trained to detect exploits
where individuals pretend to represent company/person in order to gain access to
data. (ChoicePoint data breach)
(6) Auditing - auditing system should be configured so logs are sent to remote
auditing machine outside the control of the system and application
administrators.
Steps for avoiding privacy-invasive applications - correct-answer -(1) Privileged
access - restrictions can be placed on who installs/configures applications;
(2) Software policy - policy that describes requirements/guidelines for applications
used on company computers.
(3) Policy links - for each application that explains privacy obligation and is
accessible via application.
(4) Application research - companies should perform research to determine which
applications are most appropriate for their employees, computers, and networks.
(5) Employee training - employees should be periodically trained on company's
software policy, as well as on threats to privacy from installation of malicious
, 4|Page
applications/improper configuration of legitimate apps; yearly privacy training is
best practice.
(5) IT involvement - can have one of two ways: (i) IT controlled - IT dept sets up
each computer, ensuring only specific apps are installed and ensuring apps are
periodically updated as needed or (ii) IT monitored - company computers can be
periodically scanned to validate each installed application is on approved list of
apps and has right version/proper configuration set.
(6) Employee Controlled - companies can let employees manage own computer
system based on corporate policy, as opposed to IT dept governance.
Extensible Access Control Markup Language (XACML) - correct-answer -Applies a
set of tokens to a resource that describe the type of access permitted by a set of
predefined roles; takes up where SAML leaves off.
Like SAML, it provides a mechanism for protecting access to data, but it goes
further by providing a request/response language that permits the development
of an access request.
Benefits:
(1) Standard, generic
(2) Distributed - policy can be written which in turn refers to other policies kept in
arbitrary locations; different groups can manage sub-pieces of policies, and
XACML knows how to correctly combine the results from different policies into
one decision
(3) Powerful - supports a wide variety of data types, functions, and rules.
