CIPT, CIPT - CERTIFIED INFORMATION
PRIVACY TECHNOLOGIST, CIPT, IAPP-
CIPT QUESTIONS AND ANSWERS
Access Control List - ANSWER-A list of access control entries (ACE) that apply to an
object. Each ACE controls or monitors access to an object by a specified user. In a
discretionary access control list (DACL), the ACL controls access; in a system access
control list (SACL) the ACL monitors access in a security event log which can comprise
part of an audit trail.
Accountability - ANSWER-A fair information practices principle, it is the idea that when
personal information is to be transferred to another person or organization, the personal
information controller should obtain the consent of the individual or exercise due
diligence and take reasonable steps to ensure that the recipient person or organization
will protect the information consistently with other fair use principles.
Active Data Collection - ANSWER-When an end user deliberately provides information,
typically through the use of web forms, text boxes, check boxes or radio buttons.
AdChoices - ANSWER-A program run by the Digital Advertising Alliance to promote
awareness and choice in advertising for internet users. Websites with ads from
participating DAA members will have an AdChoices icon near advertisements or at the
bottom of their pages. By clicking on the Adchoices icon, users may set preferences for
behavioral advertising on that website or with DAA members generally across the web.
Adequate Level of Protection - ANSWER-A label that the EU may apply to third-party
countries who have committed to protect data through domestic law making or
international commitments. Conferring of the label requires a proposal by the European
Commission, an Article 29 Working Group Opinion, an opinion of the article 31
Management Committee, a right of scrutiny by the European Parliament and adoption
by the European Commission.
Advanced Encryption Standard - ANSWER-An encryption algorithm for security
sensitive non-classified material by the U.S. Government. This algorithm was selected
in 2001 to replace the previous algorithm, the Date Encryption Standard (DES), by the
National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce
Department, through an open competition. The winning algorithm (RijnDael,
pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen
and Vincent Rijmen.
Adverse Action - ANSWER-Under the Fair Credit Reporting Act, the term "adverse
action" is defined very broadly to include all business, credit and employment actions
,affecting consumers that can be considered to have a negative impact, such as denying
or canceling credit or insurance, or denying employment or promotion. No adverse
action occurs in a credit transaction where the creditor makes a counteroffer that is
accepted by the consumer. Such an action requires that the decision maker furnish the
recipient of the adverse action with a copy of the credit report leading to the adverse
action.
Agile Development Model - ANSWER-A process of software system and product design
that incorporates new system requirements during the actual creation of the system, as
opposed to the Plan-Driven Development Model. Agile development takes a given
project and focuses on specific portions to develop one at a time. An example of Agile
development is the Scrum Model.
Anonymization - ANSWER-The process in which individually identifiable data is altered
in such a way that it no longer can be related back to a given individual. Among many
techniques, there are three primary ways that data is anonymized. Suppression is the
most basic version of anonymization and it simply removes some identifying values
from data to reduce its identifiability. Generalization takes specific identifying values and
makes them broader, such as changing a specific age (18) to an age range (18-24).
Noise addition takes identifying values from a given data set and switches them with
identifying values from another individual in that data set. Note that all of these
processes will not guarantee that data is no longer identifiable and have to be
performed in such a way that does not harm the usability of the data.
Anonymous Data - ANSWER-Data sets that in no way indicate to whom the data
belongs. Replacing user names with unique ID numbers DOES NOT make the data set
anonymous even if identification seems impractical.
Antidiscrimination Laws - ANSWER-Refers to the right of people to be treated equally.
Application-Layer Attacks - ANSWER-Attacks that exploit flaws in the network
applications installed on network servers. Such weaknesses exist in web browsers, e-
mail server software, network routing software and other standard enterprise
applications. Regularly applying patches and updates to applications may help prevent
such attacks.
Asymmetric Encryption - ANSWER-A form of data encryption that uses two separate
but related keys to encrypt data. The system uses a public key, made available to other
parties, and a private key, which is kept by the first party. Decryption of data encrypted
by the public key requires the use of the private key; decryption of the data encrypted by
the private key requires the public key.
Attribute-Based Access Control - ANSWER-An authorization model that provides
dynamic access control by assigning attributes to the users, the data, and the context in
which the user requests access (also referred to as environmental factors) and analyzes
these attributes together to determine access.
,Audit Trail - ANSWER-A chain of electronic activity or sequence of paperwork used to
monitor, track, record, or validate an activity. The term originates in accounting as a
reference to the chain of paperwork used to validate or invalidate accounting entries. It
has since been adapted for more general use in e-commerce, to track customer's
activity, or cyber-security, to investigate cybercrimes.
Authentication - ANSWER-The process by which an entity (such as a person or
computer system) determines whether another entity is who it claims to be.
Authentication identified as an individual based on some credential; i.e. a password,
biometrics, etc. Authentication is different from authorization. Proper authentication
ensures that a person is who he or she claims to be, but it says nothing about the
access rights of the individual.
Authorization - ANSWER-In the context of information security, it is process of
determining if the end user is permitted to have access to the desired resource such as
the information asset or the information system containing the asset. Authorization
criteria may be based upon a variety of factors such as organizational role, level of
security clearance, applicable law or a combination of factors. When effective,
authentication validates that the entity requesting access is who or what it claims to be.
Basel III - ANSWER-A comprehensive set of reform measures, developed by the Basel
Committee on Banking Supervision, to strengthen the regulation, supervision and risk
management of the banking sector.
Behavioral Advertising - ANSWER-The act of tracking users' online activities and then
delivering ads or recommendations based upon the tracked activities. The most
comprehensive form of targeted advertising. By building a profile on a user through their
browsing habits such as sites they visit, articles read, searches made, ads previously
clicked on, etc., advertising companies place ads pertaining to the known information
about the user across all websites visited. Behavioral Advertising also uses data
aggregation to place ads on websites that a user may not have shown interest in, but
similar individuals had shown interest in.
Cloud Computing - ANSWER-The storage of information on the Internet. Although it is
an evolving concept, definitions typically include on-demand accessibility, scalability,
and secure access from almost any location. Cloud storage presents unique security
risks.
Collection Limitation - ANSWER-A fair information practices principle, it is the principle
stating there should be limits to the collection of personal data, that any such data
should be obtained by lawful and fair means and, where appropriate, with the
knowledge or consent of the data subject.
, Communications Privacy - ANSWER-One of the four classes of privacy, along with
information privacy, bodily privacy and territorial privacy. It encompasses protection of
the means of correspondence, including postal mail, telephone conversations,
electronic e-mail and other forms of communicative behavior and apparatus.
Completeness Arguments - ANSWER-Used as a means of assuring compliance with
privacy rules and policies in the design of new software systems. Completeness
arguments take privacy rules and compare them to the system requirements that have
been used to design a new software system. By pairing privacy rules with specific
system requirements, necessary technical safeguards can be accounted for, preventing
the software from being designed in such a way that would violate privacy policies and
regulations.
Big Data - ANSWER-A term used to describe the large data sets which exponential
growth in the amount and availability of data have allowed organizations to collect. Big
data has been articulated as "the three V's: volume (the amount of data), velocity (the
speed at which data may now be collected and analyzed), and variety (the format,
structured or unstructured, and type of data, e.g. transactional or behavioral).
Biometrics - ANSWER-Data concerning the intrinsic physical or behavioral
characteristics of an individual. Examples include DNA, fingerprints, retina and iris
patterns, voice, face, handwriting, keystroke technique and gait.
Breach Disclosure - ANSWER-The requirement that a data controller notify regulators
and victims of incidents affecting the confidentiality and security of personal data. It is a
transparency mechanism highlights operational failures, this helps mitigate damage and
aids in the understanding of causes of failure.
Bring Your Own Device - ANSWER-Use of employees' own personal computing devices
for work purposes.
Browser Fingerprinting - ANSWER-As technology has advanced, it has become easier
to differentiate between users just based on the given instance of the browser they are
using. Each browser keeps some information about the elements it encounters on a
given webpage. For instance, a browser will keep information on a text font so that the
next time that font is encountered on a webpage, the information can be reproduced
more easily. Because each of these saved elements have been accessed at different
times and in different orders, each instance of a browser is to some extent unique.
Tracking users using this kind of technology continues to become more prevalent.
Caching - ANSWER-The saving of local copies of downloaded content, reducing the
need to repeatedly download content. To protect privacy, pages that display personal
information should be set to prohibit caching.
California Online Privacy Protection Act - ANSWER-Requires that all websites catering
to California citizens provide a privacy statement to visitors and a easy-to-find link to it
PRIVACY TECHNOLOGIST, CIPT, IAPP-
CIPT QUESTIONS AND ANSWERS
Access Control List - ANSWER-A list of access control entries (ACE) that apply to an
object. Each ACE controls or monitors access to an object by a specified user. In a
discretionary access control list (DACL), the ACL controls access; in a system access
control list (SACL) the ACL monitors access in a security event log which can comprise
part of an audit trail.
Accountability - ANSWER-A fair information practices principle, it is the idea that when
personal information is to be transferred to another person or organization, the personal
information controller should obtain the consent of the individual or exercise due
diligence and take reasonable steps to ensure that the recipient person or organization
will protect the information consistently with other fair use principles.
Active Data Collection - ANSWER-When an end user deliberately provides information,
typically through the use of web forms, text boxes, check boxes or radio buttons.
AdChoices - ANSWER-A program run by the Digital Advertising Alliance to promote
awareness and choice in advertising for internet users. Websites with ads from
participating DAA members will have an AdChoices icon near advertisements or at the
bottom of their pages. By clicking on the Adchoices icon, users may set preferences for
behavioral advertising on that website or with DAA members generally across the web.
Adequate Level of Protection - ANSWER-A label that the EU may apply to third-party
countries who have committed to protect data through domestic law making or
international commitments. Conferring of the label requires a proposal by the European
Commission, an Article 29 Working Group Opinion, an opinion of the article 31
Management Committee, a right of scrutiny by the European Parliament and adoption
by the European Commission.
Advanced Encryption Standard - ANSWER-An encryption algorithm for security
sensitive non-classified material by the U.S. Government. This algorithm was selected
in 2001 to replace the previous algorithm, the Date Encryption Standard (DES), by the
National Institute of Standards and Technology (NIST), a unit of the U.S. Commerce
Department, through an open competition. The winning algorithm (RijnDael,
pronounced rain-dahl), was developed by two Belgian cryptographers, Joan Daemen
and Vincent Rijmen.
Adverse Action - ANSWER-Under the Fair Credit Reporting Act, the term "adverse
action" is defined very broadly to include all business, credit and employment actions
,affecting consumers that can be considered to have a negative impact, such as denying
or canceling credit or insurance, or denying employment or promotion. No adverse
action occurs in a credit transaction where the creditor makes a counteroffer that is
accepted by the consumer. Such an action requires that the decision maker furnish the
recipient of the adverse action with a copy of the credit report leading to the adverse
action.
Agile Development Model - ANSWER-A process of software system and product design
that incorporates new system requirements during the actual creation of the system, as
opposed to the Plan-Driven Development Model. Agile development takes a given
project and focuses on specific portions to develop one at a time. An example of Agile
development is the Scrum Model.
Anonymization - ANSWER-The process in which individually identifiable data is altered
in such a way that it no longer can be related back to a given individual. Among many
techniques, there are three primary ways that data is anonymized. Suppression is the
most basic version of anonymization and it simply removes some identifying values
from data to reduce its identifiability. Generalization takes specific identifying values and
makes them broader, such as changing a specific age (18) to an age range (18-24).
Noise addition takes identifying values from a given data set and switches them with
identifying values from another individual in that data set. Note that all of these
processes will not guarantee that data is no longer identifiable and have to be
performed in such a way that does not harm the usability of the data.
Anonymous Data - ANSWER-Data sets that in no way indicate to whom the data
belongs. Replacing user names with unique ID numbers DOES NOT make the data set
anonymous even if identification seems impractical.
Antidiscrimination Laws - ANSWER-Refers to the right of people to be treated equally.
Application-Layer Attacks - ANSWER-Attacks that exploit flaws in the network
applications installed on network servers. Such weaknesses exist in web browsers, e-
mail server software, network routing software and other standard enterprise
applications. Regularly applying patches and updates to applications may help prevent
such attacks.
Asymmetric Encryption - ANSWER-A form of data encryption that uses two separate
but related keys to encrypt data. The system uses a public key, made available to other
parties, and a private key, which is kept by the first party. Decryption of data encrypted
by the public key requires the use of the private key; decryption of the data encrypted by
the private key requires the public key.
Attribute-Based Access Control - ANSWER-An authorization model that provides
dynamic access control by assigning attributes to the users, the data, and the context in
which the user requests access (also referred to as environmental factors) and analyzes
these attributes together to determine access.
,Audit Trail - ANSWER-A chain of electronic activity or sequence of paperwork used to
monitor, track, record, or validate an activity. The term originates in accounting as a
reference to the chain of paperwork used to validate or invalidate accounting entries. It
has since been adapted for more general use in e-commerce, to track customer's
activity, or cyber-security, to investigate cybercrimes.
Authentication - ANSWER-The process by which an entity (such as a person or
computer system) determines whether another entity is who it claims to be.
Authentication identified as an individual based on some credential; i.e. a password,
biometrics, etc. Authentication is different from authorization. Proper authentication
ensures that a person is who he or she claims to be, but it says nothing about the
access rights of the individual.
Authorization - ANSWER-In the context of information security, it is process of
determining if the end user is permitted to have access to the desired resource such as
the information asset or the information system containing the asset. Authorization
criteria may be based upon a variety of factors such as organizational role, level of
security clearance, applicable law or a combination of factors. When effective,
authentication validates that the entity requesting access is who or what it claims to be.
Basel III - ANSWER-A comprehensive set of reform measures, developed by the Basel
Committee on Banking Supervision, to strengthen the regulation, supervision and risk
management of the banking sector.
Behavioral Advertising - ANSWER-The act of tracking users' online activities and then
delivering ads or recommendations based upon the tracked activities. The most
comprehensive form of targeted advertising. By building a profile on a user through their
browsing habits such as sites they visit, articles read, searches made, ads previously
clicked on, etc., advertising companies place ads pertaining to the known information
about the user across all websites visited. Behavioral Advertising also uses data
aggregation to place ads on websites that a user may not have shown interest in, but
similar individuals had shown interest in.
Cloud Computing - ANSWER-The storage of information on the Internet. Although it is
an evolving concept, definitions typically include on-demand accessibility, scalability,
and secure access from almost any location. Cloud storage presents unique security
risks.
Collection Limitation - ANSWER-A fair information practices principle, it is the principle
stating there should be limits to the collection of personal data, that any such data
should be obtained by lawful and fair means and, where appropriate, with the
knowledge or consent of the data subject.
, Communications Privacy - ANSWER-One of the four classes of privacy, along with
information privacy, bodily privacy and territorial privacy. It encompasses protection of
the means of correspondence, including postal mail, telephone conversations,
electronic e-mail and other forms of communicative behavior and apparatus.
Completeness Arguments - ANSWER-Used as a means of assuring compliance with
privacy rules and policies in the design of new software systems. Completeness
arguments take privacy rules and compare them to the system requirements that have
been used to design a new software system. By pairing privacy rules with specific
system requirements, necessary technical safeguards can be accounted for, preventing
the software from being designed in such a way that would violate privacy policies and
regulations.
Big Data - ANSWER-A term used to describe the large data sets which exponential
growth in the amount and availability of data have allowed organizations to collect. Big
data has been articulated as "the three V's: volume (the amount of data), velocity (the
speed at which data may now be collected and analyzed), and variety (the format,
structured or unstructured, and type of data, e.g. transactional or behavioral).
Biometrics - ANSWER-Data concerning the intrinsic physical or behavioral
characteristics of an individual. Examples include DNA, fingerprints, retina and iris
patterns, voice, face, handwriting, keystroke technique and gait.
Breach Disclosure - ANSWER-The requirement that a data controller notify regulators
and victims of incidents affecting the confidentiality and security of personal data. It is a
transparency mechanism highlights operational failures, this helps mitigate damage and
aids in the understanding of causes of failure.
Bring Your Own Device - ANSWER-Use of employees' own personal computing devices
for work purposes.
Browser Fingerprinting - ANSWER-As technology has advanced, it has become easier
to differentiate between users just based on the given instance of the browser they are
using. Each browser keeps some information about the elements it encounters on a
given webpage. For instance, a browser will keep information on a text font so that the
next time that font is encountered on a webpage, the information can be reproduced
more easily. Because each of these saved elements have been accessed at different
times and in different orders, each instance of a browser is to some extent unique.
Tracking users using this kind of technology continues to become more prevalent.
Caching - ANSWER-The saving of local copies of downloaded content, reducing the
need to repeatedly download content. To protect privacy, pages that display personal
information should be set to prohibit caching.
California Online Privacy Protection Act - ANSWER-Requires that all websites catering
to California citizens provide a privacy statement to visitors and a easy-to-find link to it
