Bastion Server - ANSWER-A server that has one purpose and only contains the software needed to support that purpose.
E.g. printer, email, and database servers are bastion servers.
Using bastion servers reduces the number of applications on a server, which minimizes vulnerability.
Privacy Impact Assessment (PIA) - ANSWER-Checklists or tools to ensure that a personal information system is evaluated for privacy risks and designed with life cycle principles in mind. An effective PIA evaluates the sufficiency of privacy practices and policies with respect to legal, regulatory and industry standards, and maintains consistency between policy and practice.
Should be conducted annually, or additionally upon occurrence of any of the following events:
-Creation of new product/service
-New/updated program for processing data
-Merger/acquisition
-Creation of new data center
-Onboarding of new data
-Movement of data to different country
-Changes in regulations governing data use
Security Policy Principles - ANSWER-All security policies should include these EXTERNAL requirements:
(1) Corporate - data stored from consumers, partners, vendors, and employees needs to be protected in accordance with contracts or privacy policies; the company also needs to keep data secure to protect its own interests.
(2) Regulatory - privacy requirements placed on organizations by government entities (e.g. FTC, Office of the Information and Privacy Commissioner of Ontario, and the UK Information Commissioner's Office).
(3) Industry - compliance with different industry groups shows commitment to the privacy principles of that industry, which can avoid the creation of new legislation / regulatory scrutiny.
Industry Groups - ANSWER-Industry group examples = Better Business Bureau, Interactive Advertising Bureau, TRUSTe, and the Entertainment Software Rating Board.
Key Security Measures - ANSWER-(1) Encryption - BEST means of protecting data during transmission and storage; the type of encryption should be based on how the encryption's performance and complexity may impact the company's systems.
(2) Software protection - antivirus software can detect malicious software; packet filtering can help ensure inappropriate communications packets do not make it onto the company's network.
(3) Access controls - programmatic means for preventing unwanted access to hosted data; should be continually certified to ensure only appropriate people have access.
(4) Physical protection - all computers should have a minimum level of physical security to prevent outside access (e.g. cameras, guards).
(5) Social engineering prevention - employees should be trained to detect exploits where individuals pretend to represent a company/person in order to gain access to data. (ChoicePoint data breach)
(6) Auditing - the auditing system should be configured so logs are sent to a remote auditing machine outside the control of the system and application administrators.
Steps for avoiding privacy-invasive applications - ANSWER-(1) Privileged access - restrictions can be placed on who installs/configures applications;
(2) Software policy - policy that describes requirements/guidelines for applications used on company computers.
(3) Policy links - a link for each application that explains the privacy obligations and is accessible via the application.
(4) Application research - companies should perform research to determine which applications are most appropriate for their employees, computers, and networks.
(5) Employee training - employees should be periodically trained on the company's software policy, as well as on threats to privacy from installation of malicious applications/improper configuration of legitimate apps; yearly privacy training is best practice.
(6) IT involvement - can take one of two forms: (i) IT controlled - IT dept sets up each computer, ensuring only specific apps are installed and ensuring apps are periodically updated as needed; or (ii) IT monitored - company computers can be periodically scanned to validate that each installed application is on the approved list of apps and has the right version/proper configuration set.
(7) Employee controlled - companies can let employees manage their own computer system based on corporate policy, as opposed to IT dept governance.
Ways to mitigate network risks - ANSWER-(1) Keep computers clear of malware - run the latest anti-malware software;
(2) Apply smartphone policies - phone passwords and an auto-device lock/remote wiping mechanism enforced for smartphones connecting to network resources;
(3) Validate network devices - each device must come from a reputable vendor and have proper configuration/the most recent updates;
(4) Write secure code - developers should follow guidelines on how to write software that avoids the risk of exposing data over the network ("Writing Secure Code" and "The Open Web Application Security Project");
(5) Validate applications - all apps running on computers/smartphones should be restricted from accessing network services unless they are on a safe list set up by the IT dept.
(6) Network encryption - use encryption on wireless/wired networks at the transport level to mitigate the threat of thieves accessing unprotected data.
Network Monitoring - ANSWER-Malware can infect a company's network and travel from computer to computer. Network monitoring software can look for known virus signatures or use other means to find and cleanse network infestations.
Network monitoring can also prevent private data from leaving the company / look for signatureless advanced malware and take targeted actions.
Hashing - ANSWER-Uses a cryptographic key to encrypt data but does not allow the data to be later decrypted - permits use of sensitive data while protecting the original value.
Used for credit card numbers or SSNs. The downside is that the information can never be decrypted.
Password control - ANSWER-Single Sign On (SSO) can permit access to multiple resources from a single account, with the ability to centrally lock a person out of multiple resources.
Machine access restriction - ANSWER-Limit access to a computer based on computer identifier or IP address.
Example: Access to the payroll database is limited to a set of computers in the payroll department.
Enterprise Architecture (EA) - ANSWER-EA involves managing data flow across an organization to reduce risk and support business growth.
-Data flow diagram can show the origin of data, indicating whether the origin was an individual, external entity, internal group or process.
Data Storage - ANSWER-(1) Files - can be protected outside of their storage system using password-based encryption or digital rights management;
(2) Websites - employee access should be limited, and each website should have a policy link for employees, an access control list, and content organized by category to protect sensitive content.
(3) Databases - a good place to store sensitive data because they offer general access control, role-based access control, encryption, data categorization, retention management, and auditing.
(4) Cloud storage - provides better access to data for customers, lower operational costs, and limits regulatory risks for cross-border transfer of customer data. Contracts should ensure that the hosting company follows the org's data storage policy.