IAPP-CIPT EXAM QUESTIONS AND
ANSWERS 100% CORRECT
"Client side" Privacy Risk - ANSWER-- Represents computers typically used by
company employees.
- These computers normally connect to the company's server-side systems via wireless
and hardwired networks.
- Client side can represent a significant threat to the company's systems as well as
sensitive data that may be on the client computers.
- Employees often download customer files, corporate e-mails and legal documents to
their computer for processing.
- Employees may even store their personal information on company computers.
- Client computer can access resources across the company that could have vast
amounts of planning documents that might be of great interest to competitors or
corporate spies.
Network Sniffer - ANSWER-- Allows anyone to view or copy unprotected data from a
company's wireless network.
.
/P:count flag - ANSWER-Format command within Windows OS. Best way to zero the
entire disk.
cross-enterprise access controls - ANSWER-Permits employees in one organization to
have access to resources that belong to another organization. Typical when major
functions are outsourced or through SAAS model. Travel, purchasing, payroll, and
healthcare could be provided by companies that specialize in those services. CEAC
allows employees to access records through SSO. Access is typically one-way.
SSL encryption - ANSWER-secure socket layer protocol commonly used to protect
communications between a browser and web machine (data in transit)
TSL encryption - ANSWER-transport layer security often used to protect email as it is
transmitted between email servers (data in transit)
multilayered privacy notice - ANSWER-abbreviated form of an organization's privacy
notice while providing links to more detailed information
privacy nutrition label - ANSWER-informs users about the company's privacy practices
of the organization in an abbreviated form -- only practical as part company's privacy
notice or as a privacy notice for a newly installed applications.
, hashing - ANSWER-method of protecting data that uses a cryptographic key to encrypt
the data but does not allow the data to later be decrypted. Permits the use of sensitive
data while protecting the original value. Permits the encryption of passwords, credit card
numbers, and SSNs while still permitting the verification of values by matching hashes.
(Ex: a credit card number can be hashed and used as index for an individual's credit
card transactions while preventing the hashed value from being used for additional
transactions. Salting, which shifts the encryption value, can also be used. Secure
Hashing Algorithm 1 (SHA-1) and Rivest Cypher 4 (RC4) are examples of hashing
algorithms.
types of authentication (KHAW) - ANSWER-"What you know" - this type of
authentication involves something the user knows, usually an ID and password.
"Something you have" - this type of authentication involves something the user carries
on her person, usually an RSA or key fob.
"Something you are" - This involves biometrics to authenticate, such as a fingerprint or
retinal scan.
"Where you are" - This type of authentication involves confirmation of the user's
location.
multifactor authentication - ANSWER-when more than one type of authentication is
used to validate an individual. KHAW:
Device Identifier - ANSWER-Device ID assigned by the device manufacturer or
operating system vendor which can be a source for user tracking as Device ID's are
often not deleted, blocked, or opted out of. Device ID, media access control (MAC) or
other device-assigned ID's are TO BE AVOIDED by developers as these device
identifiers may be used to track employees.
Whaling - ANSWER-Email targeting of wealthy individuals.
Development Lifecycle - ANSWER-Release Planning
Definition
Development
Validation
Deployment
Countermeasures - ANSWER-1. Preventative - These work by keeping something from
happening in the first place. Examples: security awareness training, firewall, anti-virus,
security guard and Intrusion Prevention System (IPS).
2. Reactive - Reactive countermeasures come into effect only after an event has
already occurred.
3. Detective - Examples of detective counter measures include: system monitoring,
Intrusion Detection System (IDS), anti-virus, motion detectors and IPS.
ANSWERS 100% CORRECT
"Client side" Privacy Risk - ANSWER-- Represents computers typically used by
company employees.
- These computers normally connect to the company's server-side systems via wireless
and hardwired networks.
- Client side can represent a significant threat to the company's systems as well as
sensitive data that may be on the client computers.
- Employees often download customer files, corporate e-mails and legal documents to
their computer for processing.
- Employees may even store their personal information on company computers.
- Client computer can access resources across the company that could have vast
amounts of planning documents that might be of great interest to competitors or
corporate spies.
Network Sniffer - ANSWER-- Allows anyone to view or copy unprotected data from a
company's wireless network.
.
/P:count flag - ANSWER-Format command within Windows OS. Best way to zero the
entire disk.
cross-enterprise access controls - ANSWER-Permits employees in one organization to
have access to resources that belong to another organization. Typical when major
functions are outsourced or through SAAS model. Travel, purchasing, payroll, and
healthcare could be provided by companies that specialize in those services. CEAC
allows employees to access records through SSO. Access is typically one-way.
SSL encryption - ANSWER-secure socket layer protocol commonly used to protect
communications between a browser and web machine (data in transit)
TSL encryption - ANSWER-transport layer security often used to protect email as it is
transmitted between email servers (data in transit)
multilayered privacy notice - ANSWER-abbreviated form of an organization's privacy
notice while providing links to more detailed information
privacy nutrition label - ANSWER-informs users about the company's privacy practices
of the organization in an abbreviated form -- only practical as part company's privacy
notice or as a privacy notice for a newly installed applications.
, hashing - ANSWER-method of protecting data that uses a cryptographic key to encrypt
the data but does not allow the data to later be decrypted. Permits the use of sensitive
data while protecting the original value. Permits the encryption of passwords, credit card
numbers, and SSNs while still permitting the verification of values by matching hashes.
(Ex: a credit card number can be hashed and used as index for an individual's credit
card transactions while preventing the hashed value from being used for additional
transactions. Salting, which shifts the encryption value, can also be used. Secure
Hashing Algorithm 1 (SHA-1) and Rivest Cypher 4 (RC4) are examples of hashing
algorithms.
types of authentication (KHAW) - ANSWER-"What you know" - this type of
authentication involves something the user knows, usually an ID and password.
"Something you have" - this type of authentication involves something the user carries
on her person, usually an RSA or key fob.
"Something you are" - This involves biometrics to authenticate, such as a fingerprint or
retinal scan.
"Where you are" - This type of authentication involves confirmation of the user's
location.
multifactor authentication - ANSWER-when more than one type of authentication is
used to validate an individual. KHAW:
Device Identifier - ANSWER-Device ID assigned by the device manufacturer or
operating system vendor which can be a source for user tracking as Device ID's are
often not deleted, blocked, or opted out of. Device ID, media access control (MAC) or
other device-assigned ID's are TO BE AVOIDED by developers as these device
identifiers may be used to track employees.
Whaling - ANSWER-Email targeting of wealthy individuals.
Development Lifecycle - ANSWER-Release Planning
Definition
Development
Validation
Deployment
Countermeasures - ANSWER-1. Preventative - These work by keeping something from
happening in the first place. Examples: security awareness training, firewall, anti-virus,
security guard and Intrusion Prevention System (IPS).
2. Reactive - Reactive countermeasures come into effect only after an event has
already occurred.
3. Detective - Examples of detective counter measures include: system monitoring,
Intrusion Detection System (IDS), anti-virus, motion detectors and IPS.
