CIPT Exam UPDATED ACTUAL Exam
Questions and CORRECT Answers
Bastion Server - CORRECT ANSWER - A server that has 1 purpose and only contains
software to support that purpose.
E.g. Printer, email, and database servers are bastion servers.
Using bastion servers reduces the number of applications on a server, which minimizes
vulnerability.
Privacy Impact Assessment (PIA) - CORRECT ANSWER - Checklists or tools to ensure
that a personal information system is evaluated for privacy risks and designed with life cycle
principles in mind. An effective PIA evaluates the sufficiency of privacy practices and policies
with respect to legal, regulatory and industry standards, and maintains consistency between
policy and practice.
Should be conducted annually, or additionally upon occurrence of any of the following events:
-Creation of new product/service
-New/updated program for processing data
-Merger/acquisition
-Creation of new data center
-Onboarding of new data
-Movement of data to different country
-Changes in regulations governing data use
Security Policy Principles - CORRECT ANSWER - All security policies should include
these EXTERNAL requirements:
(1) Corporate - data stored from consumers, partners, vendors, and employees needs to be
protected in accordance with contracts or privacy policies; also, need to keep data secure to
protect interests.
,(2) Regulatory - privacy requirements placed on organizations by government entities (e.g. FTC,
Office of the Information and Privacy Commissioner of Ontario, and the UK Information
Commissioner's Office).
(3) Industry - compliance with different industry groups shows commitment to privacy principles
of that industry, which can avoid creation of new legislation / regulatory scrutiny.
Industry Groups - CORRECT ANSWER - Industry group examples = Better Business
Bureau, Interactive Advertising Bureau, TRUSTe, and the Entertainment Software Rating Board.
Key Security Measures - CORRECT ANSWER - (1) Encryption - BEST means of
protecting data during transmission and storage; type of encryption should be based on how the
encryption's performance and complexity may impact company system.
(2) Software protection - antivirus software can detect malicious software; packet filtering can
help ensure inappropriate communications packets do not make it onto company's network.
(3) Access controls - programmatic means for preventing unwanted access to data hosted; should
be continually certified to ensure only appropriate people have access.
(4) Physical protection - all computers should have minimum level of physical security to
prevent outside access (e.g. cameras, guards).
(5) Social engineering prevention - employees should. be trained to detect exploits where
individuals pretend to represent company/person in order to gain access to data. (ChoicePoint
data breach)
(6) Auditing - auditing system should be configured so logs are sent to remote auditing machine
outside the control of the system and application administrators.
Steps for avoiding privacy-invasive applications - CORRECT ANSWER - (1) Privileged
access - restrictions can be placed on who installs/configures applications;
(2) Software policy - policy that describes requirements/guidelines for applications used on
company computers.
(3) Policy links - for each application that explains privacy obligation and is accessible via
application.
(4) Application research - companies should perform research to determine which applications
are most appropriate for their employees, computers, and networks.
, (5) Employee training - employees should be periodically trained on company's software policy,
as well as on threats to privacy from installation of malicious applications/improper
configuration of legitimate apps; yearly privacy training is best practice.
(5) IT involvement - can have one of two ways: (i) IT controlled - IT dept sets up each computer,
ensuring only specific apps are installed and ensuring apps are periodically updated as needed or
(ii) IT monitored - company computers can be periodically scanned to validate each installed
application is on approved list of apps and has right version/proper configuration set.
(6) Employee Controlled - companies can let employees manage own computer system based on
corporate policy, as opposed to IT dept governance.
Ways to mitigate network risks - CORRECT ANSWER - (1) Keep computers clear of
malware - run latest anti-malware software;
(2) Apply smartphone policies - phone passwords, auto-device lock/remote wiping mechanism
enforced for smartphones connecting to network resources;
(3) Validate network devices - each device must come from reputable vendor and have proper
configuration/most recent updates;
(4) Write secure code - developers should follow guidelines on how to write software that avoids
the risk of exposing data over network ("Writing Secure Code" and "The Open Web Application
Security Project");
(5) Validate applications - all apps running on computers/smartphones should be restricted from
accessing network services unless they are on a safe list set up by IT dept.
(6) Network encryption - use encryption on wireless/wired networks at transportation level to
mitigate threat of thieves accessing unprotected data.
Network Monitoring - CORRECT ANSWER - Malware can infect company's network and
travel from computer to computer. Network monitoring software can look for known virus
signatures or use other means to find and cleanse network infestations.
Network monitoring can also prevent private data from leaving company / look for signatureless
advanced malware and take targeted actions.
Data Storage - CORRECT ANSWER - (1) Files - can be protected outside of their storage
system using password-based encryption or digital rights management;
Questions and CORRECT Answers
Bastion Server - CORRECT ANSWER - A server that has 1 purpose and only contains
software to support that purpose.
E.g. Printer, email, and database servers are bastion servers.
Using bastion servers reduces the number of applications on a server, which minimizes
vulnerability.
Privacy Impact Assessment (PIA) - CORRECT ANSWER - Checklists or tools to ensure
that a personal information system is evaluated for privacy risks and designed with life cycle
principles in mind. An effective PIA evaluates the sufficiency of privacy practices and policies
with respect to legal, regulatory and industry standards, and maintains consistency between
policy and practice.
Should be conducted annually, or additionally upon occurrence of any of the following events:
-Creation of new product/service
-New/updated program for processing data
-Merger/acquisition
-Creation of new data center
-Onboarding of new data
-Movement of data to different country
-Changes in regulations governing data use
Security Policy Principles - CORRECT ANSWER - All security policies should include
these EXTERNAL requirements:
(1) Corporate - data stored from consumers, partners, vendors, and employees needs to be
protected in accordance with contracts or privacy policies; also, need to keep data secure to
protect interests.
,(2) Regulatory - privacy requirements placed on organizations by government entities (e.g. FTC,
Office of the Information and Privacy Commissioner of Ontario, and the UK Information
Commissioner's Office).
(3) Industry - compliance with different industry groups shows commitment to privacy principles
of that industry, which can avoid creation of new legislation / regulatory scrutiny.
Industry Groups - CORRECT ANSWER - Industry group examples = Better Business
Bureau, Interactive Advertising Bureau, TRUSTe, and the Entertainment Software Rating Board.
Key Security Measures - CORRECT ANSWER - (1) Encryption - BEST means of
protecting data during transmission and storage; type of encryption should be based on how the
encryption's performance and complexity may impact company system.
(2) Software protection - antivirus software can detect malicious software; packet filtering can
help ensure inappropriate communications packets do not make it onto company's network.
(3) Access controls - programmatic means for preventing unwanted access to data hosted; should
be continually certified to ensure only appropriate people have access.
(4) Physical protection - all computers should have minimum level of physical security to
prevent outside access (e.g. cameras, guards).
(5) Social engineering prevention - employees should. be trained to detect exploits where
individuals pretend to represent company/person in order to gain access to data. (ChoicePoint
data breach)
(6) Auditing - auditing system should be configured so logs are sent to remote auditing machine
outside the control of the system and application administrators.
Steps for avoiding privacy-invasive applications - CORRECT ANSWER - (1) Privileged
access - restrictions can be placed on who installs/configures applications;
(2) Software policy - policy that describes requirements/guidelines for applications used on
company computers.
(3) Policy links - for each application that explains privacy obligation and is accessible via
application.
(4) Application research - companies should perform research to determine which applications
are most appropriate for their employees, computers, and networks.
, (5) Employee training - employees should be periodically trained on company's software policy,
as well as on threats to privacy from installation of malicious applications/improper
configuration of legitimate apps; yearly privacy training is best practice.
(5) IT involvement - can have one of two ways: (i) IT controlled - IT dept sets up each computer,
ensuring only specific apps are installed and ensuring apps are periodically updated as needed or
(ii) IT monitored - company computers can be periodically scanned to validate each installed
application is on approved list of apps and has right version/proper configuration set.
(6) Employee Controlled - companies can let employees manage own computer system based on
corporate policy, as opposed to IT dept governance.
Ways to mitigate network risks - CORRECT ANSWER - (1) Keep computers clear of
malware - run latest anti-malware software;
(2) Apply smartphone policies - phone passwords, auto-device lock/remote wiping mechanism
enforced for smartphones connecting to network resources;
(3) Validate network devices - each device must come from reputable vendor and have proper
configuration/most recent updates;
(4) Write secure code - developers should follow guidelines on how to write software that avoids
the risk of exposing data over network ("Writing Secure Code" and "The Open Web Application
Security Project");
(5) Validate applications - all apps running on computers/smartphones should be restricted from
accessing network services unless they are on a safe list set up by IT dept.
(6) Network encryption - use encryption on wireless/wired networks at transportation level to
mitigate threat of thieves accessing unprotected data.
Network Monitoring - CORRECT ANSWER - Malware can infect company's network and
travel from computer to computer. Network monitoring software can look for known virus
signatures or use other means to find and cleanse network infestations.
Network monitoring can also prevent private data from leaving company / look for signatureless
advanced malware and take targeted actions.
Data Storage - CORRECT ANSWER - (1) Files - can be protected outside of their storage
system using password-based encryption or digital rights management;
