CIPT EXAM STUDY GUIDE WITH
COMPLETE SOLUTIONS
Nissenbaum's Contextual Integrity - ANSWER-1. Privacy is provided by appropriate
flows of information
2. Appropriate information flows are those that conform with contextual information
norms
3. Contextual informational norms refer to five independent parameters (data subject,
sender, recipient, information type, transmission principle)
4. Conceptions of privacy are based on ethical concerns over time
Objective harm defined in Calo's Harms Dimensions - ANSWER-Objective harm is
measurable & observable.
A person's privacy is violated due to forced or unanticipated use of personal information
which can be categorised as economic loss, lost opportunity, lost liberty, or social
detriment.
Calo's Harms Dimensions - ANSWER-- the perception of harm is just as likely to have a
significant negative impact on individual privacy as experienced harms
- personal information volunteered for use cannot result in a privacy harm
- IT professionals need to rely on privacy notice & privacy control to build & retain trust
Subjective harm defined by Calo in Harms Dimensions - ANSWER-Subjective harm is
without a measurable or observable harm, but where an an expectation of harm exists.
The perception of harm is just as likely to have a significantly negative impact on privacy
as experienced harms called psychological or behavioral harms.
Legal Compliance - ANSWER-Legal Compliance is the alignment of identification of
threats & vulnerabilities to specific policy requirements and laws.
Organizations view themselves as compliant or non-compliant and do not take the lens
of privacy by design.
8 Fair Information Practice Principles (FIPPs) - ANSWER-1. Collection limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Transparency
7. Individual participation
8. Accountability
,Collection Limitation Principle - ANSWER-A fair information practices principle, it is the
principle stating:
(1) there should be limits to the collection of personal data
(2) that any such data should be obtained by lawful
and (3) fair means and, where appropriate, with the knowledge or consent of the data
subject.
Data Quality Principle - ANSWER-Personal data should be relevant to the purposes for
which it is used and should be accurate, complete and up-to-date.
Purpose Specification Principle - ANSWER-A fair information practices principle, it is the
principle stating:
(1) that the purposes for which personal data are collected should be specified no later
than at the time of data collection
(2) and the subsequent use limited to the fulfillment of those purposes or such others as
are not incompatible with those purposes and as are specified on each occasion of
change of purpose.
Use Limitation Principle - ANSWER-A fair information practices principle, it is the
principle that:
(1) personal data should not be disclosed, made available or otherwise used for
purposes other than those specified in accordance with Paragraph 8 of the Fair
Information Practice Principles except with the consent of the data subject or by the
authority of law.
Security Safeguards Principle - ANSWER-A fair information practices principle, it is the
principle that personal data should be protected by reasonable security safeguards
against such risks as loss or unauthorized access, destruction, use, modification or
disclosure of data.
Transparency Principle - ANSWER-A fair information practices principle that
encourages organizations to be open about personal information they collect
Individual Participation Principle - ANSWER-A fair information practices principle, it is
the principle that an individual should have the right to access, edit or delete data
Accountability Principle - ANSWER-A fair information practices principle states that
individuals controlling the collection or use of personal information should be
accountable for taking steps to ensure the implementation of these principles (FIPPs)
NIST framework - ANSWER-National Institutes of Standards & Technologies; explicitly
addresses vulnerabilities, adverse events and relative likelihoods of impacts of those
events
, NICE framework - ANSWER-National Initiative for Cybersecurity Education; divides
computer security work into:
- securely provision
- operate & maintain
- protect & defend
- investigate
- analyze
- oversee & govern
- collect & operate
Factors Analysis in Information Risk (FAIR) - ANSWER-International standard
quantitative model for security risk;
The purpose is to find factors that can be calculated or reasonably estimated, thus
building up an estimate of the overall risk
Privacy risk - ANSWER-The probable frequency and probable magnitude of future
privacy violations
Organization security policies - ANSWER-Security policy helps maintain and
organization's privacy policies & identifies what security measures need to be in place to
protect the organization
What should be included in security policy? - ANSWER-- encryption
- software protection
- access controls
- physical protection
- social engineering prevention
- auditing
data classification scheme - ANSWER-an information scheme used throughout an
organization that helps secure confidentiality and integrity of information that is typically
used by corporations
Data classification standard - ANSWER-The goal and objective of a __________ is to
provide a consistent definition for how an organization should handle and secure
different types of data.
COBIT - ANSWER-A framework developed by the Information Systems Audit and
Control Association and the IT Governance Institute that defines the goals for the
controls that should be used to properly manage IT and ensure IT maps to business
needs.
Action frequency - ANSWER-The probable frequency, given a time frame, that a threat
actor acts toward an individual in a way that is a potential privacy violation (attempt
frequency * vulnerability = action frequency)
COMPLETE SOLUTIONS
Nissenbaum's Contextual Integrity - ANSWER-1. Privacy is provided by appropriate
flows of information
2. Appropriate information flows are those that conform with contextual information
norms
3. Contextual informational norms refer to five independent parameters (data subject,
sender, recipient, information type, transmission principle)
4. Conceptions of privacy are based on ethical concerns over time
Objective harm defined in Calo's Harms Dimensions - ANSWER-Objective harm is
measurable & observable.
A person's privacy is violated due to forced or unanticipated use of personal information
which can be categorised as economic loss, lost opportunity, lost liberty, or social
detriment.
Calo's Harms Dimensions - ANSWER-- the perception of harm is just as likely to have a
significant negative impact on individual privacy as experienced harms
- personal information volunteered for use cannot result in a privacy harm
- IT professionals need to rely on privacy notice & privacy control to build & retain trust
Subjective harm defined by Calo in Harms Dimensions - ANSWER-Subjective harm is
without a measurable or observable harm, but where an an expectation of harm exists.
The perception of harm is just as likely to have a significantly negative impact on privacy
as experienced harms called psychological or behavioral harms.
Legal Compliance - ANSWER-Legal Compliance is the alignment of identification of
threats & vulnerabilities to specific policy requirements and laws.
Organizations view themselves as compliant or non-compliant and do not take the lens
of privacy by design.
8 Fair Information Practice Principles (FIPPs) - ANSWER-1. Collection limitation
2. Data quality
3. Purpose specification
4. Use limitation
5. Security safeguards
6. Transparency
7. Individual participation
8. Accountability
,Collection Limitation Principle - ANSWER-A fair information practices principle, it is the
principle stating:
(1) there should be limits to the collection of personal data
(2) that any such data should be obtained by lawful
and (3) fair means and, where appropriate, with the knowledge or consent of the data
subject.
Data Quality Principle - ANSWER-Personal data should be relevant to the purposes for
which it is used and should be accurate, complete and up-to-date.
Purpose Specification Principle - ANSWER-A fair information practices principle, it is the
principle stating:
(1) that the purposes for which personal data are collected should be specified no later
than at the time of data collection
(2) and the subsequent use limited to the fulfillment of those purposes or such others as
are not incompatible with those purposes and as are specified on each occasion of
change of purpose.
Use Limitation Principle - ANSWER-A fair information practices principle, it is the
principle that:
(1) personal data should not be disclosed, made available or otherwise used for
purposes other than those specified in accordance with Paragraph 8 of the Fair
Information Practice Principles except with the consent of the data subject or by the
authority of law.
Security Safeguards Principle - ANSWER-A fair information practices principle, it is the
principle that personal data should be protected by reasonable security safeguards
against such risks as loss or unauthorized access, destruction, use, modification or
disclosure of data.
Transparency Principle - ANSWER-A fair information practices principle that
encourages organizations to be open about personal information they collect
Individual Participation Principle - ANSWER-A fair information practices principle, it is
the principle that an individual should have the right to access, edit or delete data
Accountability Principle - ANSWER-A fair information practices principle states that
individuals controlling the collection or use of personal information should be
accountable for taking steps to ensure the implementation of these principles (FIPPs)
NIST framework - ANSWER-National Institutes of Standards & Technologies; explicitly
addresses vulnerabilities, adverse events and relative likelihoods of impacts of those
events
, NICE framework - ANSWER-National Initiative for Cybersecurity Education; divides
computer security work into:
- securely provision
- operate & maintain
- protect & defend
- investigate
- analyze
- oversee & govern
- collect & operate
Factors Analysis in Information Risk (FAIR) - ANSWER-International standard
quantitative model for security risk;
The purpose is to find factors that can be calculated or reasonably estimated, thus
building up an estimate of the overall risk
Privacy risk - ANSWER-The probable frequency and probable magnitude of future
privacy violations
Organization security policies - ANSWER-Security policy helps maintain and
organization's privacy policies & identifies what security measures need to be in place to
protect the organization
What should be included in security policy? - ANSWER-- encryption
- software protection
- access controls
- physical protection
- social engineering prevention
- auditing
data classification scheme - ANSWER-an information scheme used throughout an
organization that helps secure confidentiality and integrity of information that is typically
used by corporations
Data classification standard - ANSWER-The goal and objective of a __________ is to
provide a consistent definition for how an organization should handle and secure
different types of data.
COBIT - ANSWER-A framework developed by the Information Systems Audit and
Control Association and the IT Governance Institute that defines the goals for the
controls that should be used to properly manage IT and ensure IT maps to business
needs.
Action frequency - ANSWER-The probable frequency, given a time frame, that a threat
actor acts toward an individual in a way that is a potential privacy violation (attempt
frequency * vulnerability = action frequency)
