CIPT Study Guide 2024 Approved Questions and Answers Graded A+
Nissenbaum's Contextual Integrity - 1. Privacy is provided by appropriate flows of information. 2. Appropriate information flows are those that conform with contextual informational norms. 3. Contextual informational norms refer to five independent parameters: data subject, sender, recipient, information type and transmission principle. 4. Conceptions of privacy are based on ethical concerns that evolve over time.

Objective harm as defined in Calo's Harms Dimensions - Objective harm is measurable and observable: a person's privacy is violated through the forced or unanticipated use of personal information, and the resulting harm can be categorized as economic loss, lost opportunity, lost liberty or social detriment.

Calo's Harms Dimensions - The perception of harm is just as likely to have a significant negative impact on individual privacy as an experienced harm. Personal information volunteered for a use is, on this definition, neither forced nor unanticipated, so that use does not by itself constitute a privacy harm. IT professionals therefore need to rely on privacy notice and privacy controls to build and retain trust.

Subjective harm as defined by Calo in Harms Dimensions - Subjective harm occurs without a measurable or observable harm, but where an expectation of harm exists. Because the perception of harm is just as likely to have a significant negative impact on privacy as an experienced harm, these are also called psychological or behavioral harms.

Legal Compliance - Legal compliance is the alignment of the identification of threats and vulnerabilities with specific policy requirements and laws. Organizations that take this lens view themselves simply as compliant or non-compliant, rather than applying privacy by design.

8 Fair Information Practice Principles (FIPPs) - 1. Collection limitation 2. Data quality 3. Purpose specification 4. Use limitation 5. Security safeguards 6. Transparency 7. Individual participation 8. Accountability

Collection Limitation Principle - A fair information practices principle stating that: (1) there should be limits to the collection of personal data; (2) any such data should be obtained by lawful and fair means; and (3) where appropriate, data should be collected with the knowledge or consent of the data subject.

Data Quality Principle - Personal data should be relevant to the purposes for which they are used and should be accurate, complete and kept up-to-date.

Purpose Specification Principle - A fair information practices principle stating that: (1) the purposes for which personal data are collected should be specified no later than at the time of data collection; and (2) subsequent use should be limited to the fulfillment of those purposes, or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use Limitation Principle - A fair information practices principle stating that personal data should not be disclosed, made available or otherwise used for purposes other than those specified under the Purpose Specification Principle (Paragraph 9 of the OECD Guidelines), except (1) with the consent of the data subject or (2) by the authority of law.

Security Safeguards Principle - A fair information practices principle stating that personal data should be protected by reasonable security safeguards against such risks as loss or unauthorized access, destruction, use, modification or disclosure of data.

Transparency Principle - A fair information practices principle that requires organizations to be open about the personal information they collect and how they use it.

Individual Participation Principle - A fair information practices principle stating that an individual should have the right to access the personal data held about them and to have it corrected, amended or deleted.

Accountability Principle - A fair information practices principle stating that those controlling the collection or use of personal information (data controllers) should be accountable for taking the measures that give effect to these principles (the FIPPs).

NIST framework - National Institute of Standards and Technology; its risk management framework explicitly addresses vulnerabilities, adverse events, and the relative likelihoods and impacts of those events.

NICE framework - National Initiative for Cybersecurity Education; divides cybersecurity work into seven categories: securely provision; operate and maintain; oversee and govern; protect and defend; analyze; collect and operate; investigate.
Document information
- Uploaded on: March 6, 2024
- Number of pages: 30
- Written in: 2023/2024
- Type: Exam (elaborations), containing questions and answers