CIPT Study Guide Exam Questions With 100% Correct Answers 2024
Nissenbaum's Contextual Integrity - answer:
  1. Privacy is provided by appropriate flows of information.
  2. Appropriate information flows are those that conform with contextual information norms.
  3. Contextual informational norms refer to five independent parameters (data subject, sender, recipient, information type, transmission principle).
  4. Conceptions of privacy are based on ethical concerns over time.

Objective harm defined in Calo's Harms Dimensions - answer: Objective harm is measurable & observable. A person's privacy is violated due to forced or unanticipated use of personal information, which can be categorised as economic loss, lost opportunity, lost liberty, or social detriment.

Calo's Harms Dimensions - answer:
  - the perception of harm is just as likely to have a significant negative impact on individual privacy as experienced harms
  - personal information volunteered for use cannot result in a privacy harm
  - IT professionals need to rely on privacy notice & privacy control to build & retain trust

Subjective harm defined by Calo in Harms Dimensions - answer: Subjective harm is without a measurable or observable harm, but where an expectation of harm exists. The perception of harm is just as likely to have a significantly negative impact on privacy as experienced harms, called psychological or behavioral harms.

Legal Compliance - answer: Legal Compliance is the alignment of identification of threats & vulnerabilities to specific policy requirements and laws. Organizations view themselves as compliant or non-compliant and do not take the lens of privacy by design.

8 Fair Information Practice Principles (FIPPs) - answer:
  1. Collection limitation
  2. Data quality
  3. Purpose specification
  4. Use limitation
  5. Security safeguards
  6. Transparency
  7. Individual participation
  8. Accountability

Collection Limitation Principle - answer: A fair information practices principle, it is the principle stating: (1) there should be limits to the collection of personal data, (2) that any such data should be obtained by lawful and (3) fair means and, where appropriate, with the knowledge or consent of the data subject.

Data Quality Principle - answer: Personal data should be relevant to the purposes for which it is used and should be accurate, complete and up-to-date.

Purpose Specification Principle - answer: A fair information practices principle, it is the principle stating: (1) that the purposes for which personal data are collected should be specified no later than at the time of data collection, (2) and the subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle - answer: A fair information practices principle, it is the principle that: (1) personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Paragraph 8 of the Fair Information Practice Principles, except with the consent of the data subject or by the authority of law.

Security Safeguards Principle - answer: A fair information practices principle, it is the principle that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Transparency Principle - answer: A fair information practices principle that encourages organizations to be open about the personal information they collect.

Individual Participation Principle - answer: A fair information practices principle, it is the principle that an individual should have the right to access, edit or delete data.

Accountability Principle - answer: A fair information practices principle stating that individuals controlling the collection or use of personal information should be accountable for taking steps to ensure the implementation of these principles (FIPPs).

NIST framework - answer: National Institutes of Standards & Technologies; explicitly addresses vulnerabilities, adverse events and relative likelihoods of impacts of those events.

NICE framework - answer: National Initiative for Cybersecurity Education; divides computer security work into:
  - securely provision
  - operate & maintain
  - protect & defend
  - investigate
  - analyze
  - oversee & govern
  - collect & operate

Factors Analysis in Information Risk (FAIR) - answer: International standard quantitative model for security risk; the purpose is to find factors that can be calculated or reasonably estimated, thus building up an estimate of the overall risk.

Privacy risk - answer: The probable frequency and probable magnitude of future privacy violations.

Action frequency - answer: The probable frequency, given a time frame, that a threat actor acts toward an individual in a way that is a potential privacy violation (attempt frequency * vulnerability = action frequency).

Attempt frequency - answer: The probable frequency, given a time frame, that a threat actor attempts an act toward an individual (opportunity * probability of action = attempt frequency).

Vulnerability - answer: The probability that a threat actor's acts will succeed (capability * difficulty = vulnerability).

Opportunity - answer: The probable frequency, given a time frame, at which a threat actor will come in contact with an individual or the individual's information & be provided the opportunity to act in a way that could cause a privacy violation.

Probability of action - answer: The probability that a threat actor will act in a way that is a potential privacy violation, if given the opportunity.

Capability - answer: The skills and resources available to a threat actor in a given situation to act in a way that is a potential privacy violation.

Difficulty - answer: The impediments that a threat actor in a given situation must overcome to act in a way that is a potential privacy violation.

Violation magnitude - answer: The probable extent to which the potential privacy violation constitutes an actual privacy violation for the affected population, and the adverse consequential risks to that population from that privacy violation (population magnitude * adverse consequences risk = violation magnitude).

Population magnitude - answer: The probable population for which a potential privacy violation is an actual privacy violation.

Adverse consequences risk - answer: The probable frequency & probable magnitude of adverse consequences on the affected population (consequences frequency * consequences magnitude = adverse consequences risk).

Consequences frequency - answer: The probable frequency of adverse consequence on the affected population.

Consequences magnitude - answer: The probable magnitude of adverse consequence on the affected population.

Proactive, not reactive (PbD) - answer: Privacy must be a forethought in any product, service, system or process. Privacy considerations should help drive the design, not the reverse (the design driving privacy violations).

Privacy as the default setting (PbD) - answer: Individuals should not have to resort to self-help to protect their privacy; the default should be privacy preserving. Activities that exceed the expected context must require affirmative informed consent of the individual.

Embedded into design (PbD) - answer: Privacy should be so ingrained into the design that the system or process wouldn't function without the privacy-preserving functionality.

Full functionality (positive sum, not zero sum) (PbD) - answer: Privacy and other design requirements should not be treated as a trade-off. Designers must develop creative win-win solutions.
Document information
- Written for: CIPT (institution), CIPT (course)
- Uploaded on: March 11, 2024
- Number of pages: 28
- Written in: 2023/2024
- Type: Exam (elaborations)
- Contains: Questions & answers