CIPT, CIPT - Certified Information
Privacy Technologist, CIPT, IAPP-CIPT
Exam Questions and Answers Graded A+
Access Control List - Correct answer-A list of access control entries (ACE) that
apply to an object. Each ACE controls or monitors access to an object by a
specified user. In a discretionary access control list (DACL), the ACL controls
access; in a system access control list (SACL) the ACL monitors access in a
security event log which can comprise part of an audit trail.
Accountability - Correct answer-A fair information practices principle, it is the idea
that when personal information is to be transferred to another person or
organization, the personal information controller should obtain the consent of the
individual or exercise due diligence and take reasonable steps to ensure that the
recipient person or organization will protect the information consistently with other
fair use principles.
©COPYRIGHT 2025, ALL RIGHTS RESERVED 1
Active Data Collection - Correct answer-When an end user deliberately provides
information, typically through the use of web forms, text boxes, check boxes or
radio buttons.
AdChoices - Correct answer-A program run by the Digital Advertising Alliance to
promote awareness and choice in advertising for internet users. Websites with ads
from participating DAA members will have an AdChoices icon near
advertisements or at the bottom of their pages. By clicking on the AdChoices icon,
users may set preferences for behavioral advertising on that website or with DAA
members generally across the web.
Adequate Level of Protection - Correct answer-A label that the EU may apply to
third-party countries who have committed to protect data through domestic law
making or international commitments. Conferring of the label requires a proposal
by the European Commission, an Article 29 Working Group Opinion, an opinion of
the Article 31 Management Committee, a right of scrutiny by the European
Parliament and adoption by the European Commission.
Advanced Encryption Standard - Correct answer-An encryption algorithm for
security sensitive non-classified material by the U.S. Government. This algorithm
was selected in 2001 to replace the previous algorithm, the Data Encryption
Standard (DES), by the National Institute of Standards and Technology (NIST), a
unit of the U.S. Commerce Department, through an open competition. The winning
algorithm (Rijndael, pronounced rain-dahl), was developed by two Belgian
cryptographers, Joan Daemen and Vincent Rijmen.
Adverse Action - Correct answer-Under the Fair Credit Reporting Act, the term
"adverse action" is defined very broadly to include all business, credit and
employment actions affecting consumers that can be considered to have a negative
impact, such as denying or canceling credit or insurance, or denying employment
or promotion. No adverse action occurs in a credit transaction where the creditor
makes a counteroffer that is accepted by the consumer. Such an action requires that
the decision maker furnish the recipient of the adverse action with a copy of the
credit report leading to the adverse action.
Agile Development Model - Correct answer-A process of software system and
product design that incorporates new system requirements during the actual
creation of the system, as opposed to the Plan-Driven Development Model. Agile
development takes a given project and focuses on specific portions to develop one
at a time. An example of Agile development is the Scrum Model.
Anonymization - Correct answer-The process in which individually identifiable
data is altered in such a way that it no longer can be related back to a given
individual. Among many techniques, there are three primary ways that data is
anonymized. Suppression is the most basic version of anonymization and it simply
removes some identifying values from data to reduce its identifiability.
Generalization takes specific identifying values and makes them broader, such as
changing a specific age (18) to an age range (18-24). Noise addition takes
identifying values from a given data set and switches them with identifying values
from another individual in that data set. Note that all of these processes will not
guarantee that data is no longer identifiable and have to be performed in such a
way that does not harm the usability of the data.
Anonymous Data - Correct answer-Data sets that in no way indicate to whom the
data belongs. Replacing user names with unique ID numbers DOES NOT make the
data set anonymous even if identification seems impractical.
Antidiscrimination Laws - Correct answer-Refers to the right of people to be
treated equally.
Application-Layer Attacks - Correct answer-Attacks that exploit flaws in the
network applications installed on network servers. Such weaknesses exist in web
browsers, e-mail server software, network routing software and other standard
enterprise applications. Regularly applying patches and updates to applications
may help prevent such attacks.