CIPT Study Guide UPDATED ACTUAL
Exam Questions and CORRECT Answers
Nissenbaum's Contextual Integrity - CORRECT ANSWER - 1. Privacy is provided by
appropriate flows of information
2. Appropriate information flows are those that conform with contextual information norms
3. Contextual informational norms refer to five independent parameters (data subject, sender,
recipient, information type, transmission principle)
4. Conceptions of privacy are based on ethical concerns over time
Objective harm defined in Calo's Harms Dimensions - CORRECT ANSWER - Objective
harm is measurable & observable.
A person's privacy is violated due to forced or unanticipated use of personal information which
can be categorised as economic loss, lost opportunity, lost liberty, or social detriment.
Calo's Harms Dimensions - CORRECT ANSWER - - the perception of harm is just as
likely to have a significant negative impact on individual privacy as experienced harms
- personal information volunteered for use cannot result in a privacy harm
- IT professionals need to rely on privacy notice & privacy control to build & retain trust
Subjective harm defined by Calo in Harms Dimensions - CORRECT ANSWER -
Subjective harm is without a measurable or observable harm, but where an an expectation of
harm exists.
The perception of harm is just as likely to have a significantly negative impact on privacy as
experienced harms called psychological or behavioral harms.
Legal Compliance - CORRECT ANSWER - Legal Compliance is the alignment of
identification of threats & vulnerabilities to specific policy requirements and laws.
Organizations view themselves as compliant or non-compliant and do not take the lens of
privacy by design.
,8 Fair Information Practice Principles (FIPPs) - CORRECT ANSWER - 1. Collection
limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Transparency
7. Individual participation
8. Accountability
Collection Limitation Principle - CORRECT ANSWER - A fair information practices
principle, it is the principle stating:
(1) there should be limits to the collection of personal data
(2) that any such data should be obtained by lawful
and (3) fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle - CORRECT ANSWER - Personal data should be relevant to the
purposes for which it is used and should be accurate, complete and up-to-date.
Purpose Specification Principle - CORRECT ANSWER - A fair information practices
principle, it is the principle stating:
(1) that the purposes for which personal data are collected should be specified no later than at the
time of data collection
(2) and the subsequent use limited to the fulfillment of those purposes or such others as are not
incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation Principle - CORRECT ANSWER - A fair information practices principle, it
is the principle that:
,(1) personal data should not be disclosed, made available or otherwise used for purposes other
than those specified in accordance with Paragraph 8 of the Fair Information Practice Principles
except with the consent of the data subject or by the authority of law.
Security Safeguards Principle - CORRECT ANSWER - A fair information practices
principle, it is the principle that personal data should be protected by reasonable security
safeguards against such risks as loss or unauthorized access, destruction, use, modification or
disclosure of data.
Transparency Principle - CORRECT ANSWER - A fair information practices principle
that encourages organizations to be open about personal information they collect
Individual Participation Principle - CORRECT ANSWER - A fair information practices
principle, it is the principle that an individual should have the right to access, edit or delete data
Accountability Principle - CORRECT ANSWER - A fair information practices principle
states that individuals controlling the collection or use of personal information should be
accountable for taking steps to ensure the implementation of these principles (FIPPs)
NIST framework - CORRECT ANSWER - National Institutes of Standards &
Technologies; explicitly addresses vulnerabilities, adverse events and relative likelihoods of
impacts of those events
NICE framework - CORRECT ANSWER - National Initiative for Cybersecurity
Education; divides computer security work into:
- securely provision
- operate & maintain
- protect & defend
- investigate
- analyze
- oversee & govern
- collect & operate
, Factors Analysis in Information Risk (FAIR) - CORRECT ANSWER - International
standard quantitative model for security risk;
The purpose is to find factors that can be calculated or reasonably estimated, thus building up an
estimate of the overall risk
Privacy risk - CORRECT ANSWER - The probable frequency and probable magnitude of
future privacy violations
Action frequency - CORRECT ANSWER - The probable frequency, given a time frame,
that a threat actor acts toward an individual in a way that is a potential privacy violation (attempt
frequency * vulnerability = action frequency)
Attempt frequency - CORRECT ANSWER - The probable frequency, given a time frame,
that a threat actor attempts an act toward an individual
(opportunity * probability of action = attempt frequency)
Vulnerability - CORRECT ANSWER - The probability that a threat actor's acts will
succeed
(capability * difficulty = vulnerability)
Opportunity - CORRECT ANSWER - The probable frequency, given a time frame, at
which a threat actor will come in contact with an individual or the individual's information & be
provided the opportunity to act in a way that could cause a privacy violation
Probability of action - CORRECT ANSWER - The probability that a threat actor will act
in a way that is a potential privacy violation, if given the opportunity
Capability - CORRECT ANSWER - The skills and resources available to a threat actor in
a given situation to act in a way that is a potential privacy violation
Exam Questions and CORRECT Answers
Nissenbaum's Contextual Integrity - CORRECT ANSWER - 1. Privacy is provided by
appropriate flows of information
2. Appropriate information flows are those that conform with contextual information norms
3. Contextual informational norms refer to five independent parameters (data subject, sender,
recipient, information type, transmission principle)
4. Conceptions of privacy are based on ethical concerns over time
Objective harm defined in Calo's Harms Dimensions - CORRECT ANSWER - Objective
harm is measurable & observable.
A person's privacy is violated due to forced or unanticipated use of personal information which
can be categorised as economic loss, lost opportunity, lost liberty, or social detriment.
Calo's Harms Dimensions - CORRECT ANSWER - - the perception of harm is just as
likely to have a significant negative impact on individual privacy as experienced harms
- personal information volunteered for use cannot result in a privacy harm
- IT professionals need to rely on privacy notice & privacy control to build & retain trust
Subjective harm defined by Calo in Harms Dimensions - CORRECT ANSWER -
Subjective harm is without a measurable or observable harm, but where an an expectation of
harm exists.
The perception of harm is just as likely to have a significantly negative impact on privacy as
experienced harms called psychological or behavioral harms.
Legal Compliance - CORRECT ANSWER - Legal Compliance is the alignment of
identification of threats & vulnerabilities to specific policy requirements and laws.
Organizations view themselves as compliant or non-compliant and do not take the lens of
privacy by design.
,8 Fair Information Practice Principles (FIPPs) - CORRECT ANSWER - 1. Collection
limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Transparency
7. Individual participation
8. Accountability
Collection Limitation Principle - CORRECT ANSWER - A fair information practices
principle, it is the principle stating:
(1) there should be limits to the collection of personal data
(2) that any such data should be obtained by lawful
and (3) fair means and, where appropriate, with the knowledge or consent of the data subject.
Data Quality Principle - CORRECT ANSWER - Personal data should be relevant to the
purposes for which it is used and should be accurate, complete and up-to-date.
Purpose Specification Principle - CORRECT ANSWER - A fair information practices
principle, it is the principle stating:
(1) that the purposes for which personal data are collected should be specified no later than at the
time of data collection
(2) and the subsequent use limited to the fulfillment of those purposes or such others as are not
incompatible with those purposes and as are specified on each occasion of change of purpose.
Use Limitation Principle - CORRECT ANSWER - A fair information practices principle, it
is the principle that:
,(1) personal data should not be disclosed, made available or otherwise used for purposes other
than those specified in accordance with Paragraph 8 of the Fair Information Practice Principles
except with the consent of the data subject or by the authority of law.
Security Safeguards Principle - CORRECT ANSWER - A fair information practices
principle, it is the principle that personal data should be protected by reasonable security
safeguards against such risks as loss or unauthorized access, destruction, use, modification or
disclosure of data.
Transparency Principle - CORRECT ANSWER - A fair information practices principle
that encourages organizations to be open about personal information they collect
Individual Participation Principle - CORRECT ANSWER - A fair information practices
principle, it is the principle that an individual should have the right to access, edit or delete data
Accountability Principle - CORRECT ANSWER - A fair information practices principle
states that individuals controlling the collection or use of personal information should be
accountable for taking steps to ensure the implementation of these principles (FIPPs)
NIST framework - CORRECT ANSWER - National Institutes of Standards &
Technologies; explicitly addresses vulnerabilities, adverse events and relative likelihoods of
impacts of those events
NICE framework - CORRECT ANSWER - National Initiative for Cybersecurity
Education; divides computer security work into:
- securely provision
- operate & maintain
- protect & defend
- investigate
- analyze
- oversee & govern
- collect & operate
, Factors Analysis in Information Risk (FAIR) - CORRECT ANSWER - International
standard quantitative model for security risk;
The purpose is to find factors that can be calculated or reasonably estimated, thus building up an
estimate of the overall risk
Privacy risk - CORRECT ANSWER - The probable frequency and probable magnitude of
future privacy violations
Action frequency - CORRECT ANSWER - The probable frequency, given a time frame,
that a threat actor acts toward an individual in a way that is a potential privacy violation (attempt
frequency * vulnerability = action frequency)
Attempt frequency - CORRECT ANSWER - The probable frequency, given a time frame,
that a threat actor attempts an act toward an individual
(opportunity * probability of action = attempt frequency)
Vulnerability - CORRECT ANSWER - The probability that a threat actor's acts will
succeed
(capability * difficulty = vulnerability)
Opportunity - CORRECT ANSWER - The probable frequency, given a time frame, at
which a threat actor will come in contact with an individual or the individual's information & be
provided the opportunity to act in a way that could cause a privacy violation
Probability of action - CORRECT ANSWER - The probability that a threat actor will act
in a way that is a potential privacy violation, if given the opportunity
Capability - CORRECT ANSWER - The skills and resources available to a threat actor in
a given situation to act in a way that is a potential privacy violation
