CIPT Exam 2025 Prep Questions and
Answers for 100% Success
Bastion Server - ✔✔A server that has 1 purpose and only contains software to support
that purpose.
E.g. Printer, email, and database servers are bastion servers.
Using bastion servers reduces the number of applications on a server, which minimizes
vulnerability.
Privacy Impact Assessment (PIA) - ✔✔Checklists or tools to ensure that a personal
information system is evaluated for privacy risks and designed with life cycle principles
in mind. An effective PIA evaluates the sufficiency of privacy practices and policies
with respect to legal, regulatory and industry standards, and maintains consistency
between policy and practice.
Should be conducted annually, or additionally upon occurrence of any of the following
events:
-Creation of new product/service
COPYRIGHT © 2025 BY OLIVIA WEST, ALL RIGHTS RESERVED 1
,-New/updated program for processing data
-Merger/acquisition
-Creation of new data center
-Onboarding of new data
-Movement of data to different country
-Changes in regulations governing data use
Security Policy Principles - ✔✔All security policies should include these EXTERNAL
requirements:
(1) Corporate - data stored from consumers, partners, vendors, and employees needs to
be protected in accordance with contracts or privacy policies; also, need to keep data
secure to protect interests.
(2) Regulatory - privacy requirements placed on organizations by government entities
(e.g. FTC, Office of the Information and Privacy Commissioner of Ontario, and the UK
Information Commissioner's Office).
(3) Industry - compliance with different industry groups shows commitment to privacy
principles of that industry, which can avoid creation of new legislation / regulatory
scrutiny.
Industry Groups - ✔✔Industry group examples = Better Business Bureau, Interactive
Advertising Bureau, TRUSTe, and the Entertainment Software Rating Board.
Key Security Measures - ✔✔(1) Encryption - BEST means of protecting data during
transmission and storage; type of encryption should be based on how the encryption's
performance and complexity may impact company system.
COPYRIGHT © 2025 BY OLIVIA WEST, ALL RIGHTS RESERVED 2
, (2) Software protection - antivirus software can detect malicious software; packet
filtering can help ensure inappropriate communications packets do not make it onto
company's network.
(3) Access controls - programmatic means for preventing unwanted access to data
hosted; should be continually certified to ensure only appropriate people have access.
(4) Physical protection - all computers should have minimum level of physical security
to prevent outside access (e.g. cameras, guards).
(5) Social engineering prevention - employees should. be trained to detect exploits
where individuals pretend to represent company/person in order to gain access to data.
(ChoicePoint data breach)
(6) Auditing - auditing system should be configured so logs are sent to remote auditing
machine outside the control of the system and application administrators.
Steps for avoiding privacy-invasive applications - ✔✔(1) Privileged access - restrictions
can be placed on who installs/configures applications;
(2) Software policy - policy that describes requirements/guidelines for applications
used on company computers.
(3) Policy links - for each application that explains privacy obligation and is accessible
via application.
(4) Application research - companies should perform research to determine which
applications are most appropriate for their employees, computers, and networks.
(5) Employee training - employees should be periodically trained on company's
software policy, as well as on threats to privacy from installation of malicious
applications/improper configuration of legitimate apps; yearly privacy training is best
practice.
COPYRIGHT © 2025 BY OLIVIA WEST, ALL RIGHTS RESERVED 3
Answers for 100% Success
Bastion Server - ✔✔A server that has 1 purpose and only contains software to support
that purpose.
E.g. Printer, email, and database servers are bastion servers.
Using bastion servers reduces the number of applications on a server, which minimizes
vulnerability.
Privacy Impact Assessment (PIA) - ✔✔Checklists or tools to ensure that a personal
information system is evaluated for privacy risks and designed with life cycle principles
in mind. An effective PIA evaluates the sufficiency of privacy practices and policies
with respect to legal, regulatory and industry standards, and maintains consistency
between policy and practice.
Should be conducted annually, or additionally upon occurrence of any of the following
events:
-Creation of new product/service
COPYRIGHT © 2025 BY OLIVIA WEST, ALL RIGHTS RESERVED 1
,-New/updated program for processing data
-Merger/acquisition
-Creation of new data center
-Onboarding of new data
-Movement of data to different country
-Changes in regulations governing data use
Security Policy Principles - ✔✔All security policies should include these EXTERNAL
requirements:
(1) Corporate - data stored from consumers, partners, vendors, and employees needs to
be protected in accordance with contracts or privacy policies; also, need to keep data
secure to protect interests.
(2) Regulatory - privacy requirements placed on organizations by government entities
(e.g. FTC, Office of the Information and Privacy Commissioner of Ontario, and the UK
Information Commissioner's Office).
(3) Industry - compliance with different industry groups shows commitment to privacy
principles of that industry, which can avoid creation of new legislation / regulatory
scrutiny.
Industry Groups - ✔✔Industry group examples = Better Business Bureau, Interactive
Advertising Bureau, TRUSTe, and the Entertainment Software Rating Board.
Key Security Measures - ✔✔(1) Encryption - BEST means of protecting data during
transmission and storage; type of encryption should be based on how the encryption's
performance and complexity may impact company system.
COPYRIGHT © 2025 BY OLIVIA WEST, ALL RIGHTS RESERVED 2
, (2) Software protection - antivirus software can detect malicious software; packet
filtering can help ensure inappropriate communications packets do not make it onto
company's network.
(3) Access controls - programmatic means for preventing unwanted access to data
hosted; should be continually certified to ensure only appropriate people have access.
(4) Physical protection - all computers should have minimum level of physical security
to prevent outside access (e.g. cameras, guards).
(5) Social engineering prevention - employees should. be trained to detect exploits
where individuals pretend to represent company/person in order to gain access to data.
(ChoicePoint data breach)
(6) Auditing - auditing system should be configured so logs are sent to remote auditing
machine outside the control of the system and application administrators.
Steps for avoiding privacy-invasive applications - ✔✔(1) Privileged access - restrictions
can be placed on who installs/configures applications;
(2) Software policy - policy that describes requirements/guidelines for applications
used on company computers.
(3) Policy links - for each application that explains privacy obligation and is accessible
via application.
(4) Application research - companies should perform research to determine which
applications are most appropriate for their employees, computers, and networks.
(5) Employee training - employees should be periodically trained on company's
software policy, as well as on threats to privacy from installation of malicious
applications/improper configuration of legitimate apps; yearly privacy training is best
practice.
COPYRIGHT © 2025 BY OLIVIA WEST, ALL RIGHTS RESERVED 3
