Technologist, CIPT, IAPP-CIPT UPDATED ACTUAL Exam Questions and CORRECT Answers
Access Control List - CORRECT ANSWER - A list of access control entries (ACE) that
apply to an object. Each ACE controls or monitors access to an object by a specified user. In a
discretionary access control list (DACL), the ACL controls access; in a system access control list
(SACL) the ACL monitors access in a security event log which can comprise part of an audit
trail.
Accountability - CORRECT ANSWER - A fair information practices principle, it is the
idea that when personal information is to be transferred to another person or organization, the
personal information controller should obtain the consent of the individual or exercise due
diligence and take reasonable steps to ensure that the recipient person or organization will protect
the information consistently with other fair use principles.
Active Data Collection - CORRECT ANSWER - When an end user deliberately provides
information, typically through the use of web forms, text boxes, check boxes or radio buttons.
AdChoices - CORRECT ANSWER - A program run by the Digital Advertising Alliance to
promote awareness and choice in advertising for internet users. Websites with ads from
participating DAA members will have an AdChoices icon near advertisements or at the bottom of
their pages. By clicking on the AdChoices icon, users may set preferences for behavioral
advertising on that website or with DAA members generally across the web.
Adequate Level of Protection - CORRECT ANSWER - A label that the EU may apply to
third-party countries who have committed to protect data through domestic law making or
international commitments. Conferring of the label requires a proposal by the European
Commission, an Article 29 Working Group Opinion, an opinion of the Article 31 Management
Committee, a right of scrutiny by the European Parliament and adoption by the European
Commission.
Advanced Encryption Standard - CORRECT ANSWER - An encryption algorithm for
security-sensitive non-classified material by the U.S. Government. This algorithm was selected in
2001 to replace the previous algorithm, the Data Encryption Standard (DES), by the National
Institute of Standards and Technology (NIST), a unit of the U.S. Commerce Department, through
an open competition. The winning algorithm (Rijndael, pronounced rain-dahl), was developed
by two Belgian cryptographers, Joan Daemen and Vincent Rijmen.
Adverse Action - CORRECT ANSWER - Under the Fair Credit Reporting Act, the term
"adverse action" is defined very broadly to include all business, credit and employment actions
affecting consumers that can be considered to have a negative impact, such as denying or
canceling credit or insurance, or denying employment or promotion. No adverse action occurs in
a credit transaction where the creditor makes a counteroffer that is accepted by the consumer.
Such an action requires that the decision maker furnish the recipient of the adverse action with a
copy of the credit report leading to the adverse action.
Agile Development Model - CORRECT ANSWER - A process of software system and
product design that incorporates new system requirements during the actual creation of the
system, as opposed to the Plan-Driven Development Model. Agile development takes a given
project and focuses on specific portions to develop one at a time. An example of Agile
development is the Scrum Model.
Anonymization - CORRECT ANSWER - The process in which individually identifiable
data is altered in such a way that it no longer can be related back to a given individual. Among
many techniques, there are three primary ways that data is anonymized. Suppression is the most
basic version of anonymization; it simply removes some identifying values from data to
reduce its identifiability. Generalization takes specific identifying values and makes them
broader, such as changing a specific age (18) to an age range (18-24). Noise addition takes
identifying values from a given data set and switches them with identifying values from another
individual in that data set. Note that none of these processes guarantees that data is no
longer identifiable, and they have to be performed in such a way that does not harm the usability of the
data.
Anonymous Data - CORRECT ANSWER - Data sets that in no way indicate to whom the
data belongs. Replacing user names with unique ID numbers DOES NOT make the data set
anonymous even if identification seems impractical.
Antidiscrimination Laws - CORRECT ANSWER - Refers to the right of people to be
treated equally.
Application-Layer Attacks - CORRECT ANSWER - Attacks that exploit flaws in the
network applications installed on network servers. Such weaknesses exist in web browsers,
e-mail server software, network routing software and other standard enterprise applications.
Regularly applying patches and updates to applications may help prevent such attacks.
Asymmetric Encryption - CORRECT ANSWER - A form of data encryption that uses two
separate but related keys to encrypt data. The system uses a public key, made available to other
parties, and a private key, which is kept by the first party. Decryption of data encrypted by the
public key requires the use of the private key; decryption of the data encrypted by the private key
requires the public key.
Attribute-Based Access Control - CORRECT ANSWER - An authorization model that
provides dynamic access control by assigning attributes to the users, the data, and the context in
which the user requests access (also referred to as environmental factors) and analyzes these
attributes together to determine access.
Audit Trail - CORRECT ANSWER - A chain of electronic activity or sequence of
paperwork used to monitor, track, record, or validate an activity. The term originates in
accounting as a reference to the chain of paperwork used to validate or invalidate accounting
entries. It has since been adapted for more general use in e-commerce, to track customers'
activity, or cyber-security, to investigate cybercrimes.
Authentication - CORRECT ANSWER - The process by which an entity (such as a person
or computer system) determines whether another entity is who it claims to be. Authentication
identifies an individual based on some credential, e.g. a password, biometrics, etc.
Authentication is different from authorization. Proper authentication ensures that a person is who
he or she claims to be, but it says nothing about the access rights of the individual.
Authorization - CORRECT ANSWER - In the context of information security, it is the process
of determining if the end user is permitted to have access to the desired resource such as the
information asset or the information system containing the asset. Authorization criteria may be
based upon a variety of factors such as organizational role, level of security clearance, applicable
law or a combination of factors. When effective, authentication validates that the entity
requesting access is who or what it claims to be.
Basel III - CORRECT ANSWER - A comprehensive set of reform measures, developed by
the Basel Committee on Banking Supervision, to strengthen the regulation, supervision and risk
management of the banking sector.
Behavioral Advertising - CORRECT ANSWER - The act of tracking users' online
activities and then delivering ads or recommendations based upon the tracked activities. The
most comprehensive form of targeted advertising. By building a profile on a user through their
browsing habits such as sites they visit, articles read, searches made, ads previously clicked on,
etc., advertising companies place ads pertaining to the known information about the user across
all websites visited. Behavioral Advertising also uses data aggregation to place ads on websites
that a user may not have shown interest in, but similar individuals had shown interest in.
Big Data - CORRECT ANSWER - A term used to describe the large data sets which
exponential growth in the amount and availability of data have allowed organizations to collect.
Big data has been articulated as "the three V's": volume (the amount of data), velocity (the speed
at which data may now be collected and analyzed), and variety (the format, structured or
unstructured, and type of data, e.g. transactional or behavioral).
Biometrics - CORRECT ANSWER - Data concerning the intrinsic physical or behavioral
characteristics of an individual. Examples include DNA, fingerprints, retina and iris patterns,
voice, face, handwriting, keystroke technique and gait.
Breach Disclosure - CORRECT ANSWER - The requirement that a data controller notify
regulators and victims of incidents affecting the confidentiality and security of personal data. It is
a transparency mechanism that highlights operational failures, which helps mitigate damage and aids in
the understanding of the causes of failure.
Bring Your Own Device - CORRECT ANSWER - Use of employees' own personal
computing devices for work purposes.