Privacy Policy
A privacy policy is a statement or a legal document (in privacy law) that discloses some or all of the ways
a party gathers, uses, discloses, and manages a customer or client's data. It fulfills a legal requirement to
protect a customer or client's privacy.
Key things to include in privacy policy:
-Data classification
-Data retention period associated with each type of data classification
-Data deletion upon expiration of retention period
-Guidelines for creating a meaningful data inventory, including rules on where data can be placed,
minimizing offline storage, contracts to govern third parties' use of data, classifying data, and creating
data flow diagrams.
Access Control
An access control list (ACL) consists of access control entries (ACEs). Each entry names an entity (a user,
group, device or service) and the type of access that entity has to a particular resource.
---An ACL should be reviewed on a regular basis to ensure that its entries are still appropriate (for
example, that no entry still grants access to a person who has left the organization or changed role).
Various types of access control:
(1) Discretionary access control (DAC) - the user has complete control over all resources she owns; the
owner determines which permissions other users have to the resource.
(2) Mandatory access control (MAC) - access rights are set centrally by the administrator (typically through
security labels and clearances enforced by the system); resource owners cannot change them.
(3) Role-based access control (RBAC) - access is granted based on organizational role; users are assigned
roles and permissions are attached to roles.
(4) Attribute-based access control (ABAC) - a generalization of role-based access control; access decisions
are made from attributes of the subject, resource and environment, such as time, location, age, or
nationality. The eXtensible Access Control Markup Language (XACML) is a standard that can be used to
implement ABAC systems.
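The four models above side by side, as an added example (not part of the original notes): a resource with an ACL of ACEs checked the discretionary way, a role table checked the RBAC way, an attribute policy of the kind an XACML rule would express, and the periodic ACL review the notes call for. The directory, users, roles and policy are constructed for the example.

```python
"""Added example: DAC (ACL of ACEs), RBAC and ABAC evaluators plus an ACL review."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class ACE:
    principal: str            # user, group, device or service name
    access: FrozenSet[str]    # e.g. frozenset({"read", "write"})


@dataclass
class Resource:
    name: str
    owner: str
    acl: List[ACE] = field(default_factory=list)


# Constructed directory: which principals exist and which groups each belongs to.
DIRECTORY: Dict[str, Set[str]] = {
    "alice": {"payroll"},
    "bob": set(),
    "carol": set(),
    "payroll": set(),          # a group is itself a principal
    "svc-backup": set(),
}


def dac_allowed(res: Resource, principal: str, action: str) -> bool:
    """DAC: the owner has full control; anyone else needs a matching ACE
    for themselves or for a group they belong to."""
    if principal == res.owner:
        return True
    subjects = {principal} | DIRECTORY.get(principal, set())
    return any(ace.principal in subjects and action in ace.access for ace in res.acl)


def stale_aces(res: Resource) -> List[ACE]:
    """ACL review: entries naming a principal that no longer exists in the directory."""
    return [ace for ace in res.acl if ace.principal not in DIRECTORY]


# RBAC: permissions attach to roles; users are assigned roles (constructed tables).
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "payroll_clerk": {("payroll_db", "read")},
    "payroll_admin": {("payroll_db", "read"), ("payroll_db", "write")},
}
USER_ROLES: Dict[str, Set[str]] = {"alice": {"payroll_clerk"}, "carol": {"payroll_admin"}}


def rbac_allowed(user: str, resource: str, action: str) -> bool:
    return any((resource, action) in ROLE_PERMS.get(role, set())
               for role in USER_ROLES.get(user, set()))


def abac_allowed(subject: Dict, resource: Dict, env: Dict) -> bool:
    """ABAC: constructed policy over subject, resource and environment attributes.
    Payroll data may be read only by payroll staff, from an office location, during
    business hours (09:00-18:00)."""
    if resource["classification"] != "payroll" or env["action"] != "read":
        return False
    if subject["department"] != "payroll" or env["location"] != "office":
        return False
    return 9 <= env["time"].hour < 18


def demo() -> Dict[str, object]:
    db = Resource("payroll_db", owner="carol",
                  acl=[ACE("payroll", frozenset({"read"})),
                       ACE("mallory", frozenset({"read", "write"}))])  # mallory has left
    biz_hours = datetime(2024, 3, 4, 10, 30)
    after_hours = datetime(2024, 3, 4, 23, 0)
    payroll_staff, payroll_data = {"department": "payroll"}, {"classification": "payroll"}
    return {
        "dac_alice_read": dac_allowed(db, "alice", "read"),   # granted via the payroll group
        "dac_bob_read": dac_allowed(db, "bob", "read"),
        "dac_owner_write": dac_allowed(db, "carol", "write"),
        "stale": [ace.principal for ace in stale_aces(db)],   # the review catches mallory
        "rbac_alice_write": rbac_allowed("alice", "payroll_db", "write"),
        "rbac_carol_write": rbac_allowed("carol", "payroll_db", "write"),
        "abac_office_day": abac_allowed(payroll_staff, payroll_data,
                                        {"action": "read", "location": "office", "time": biz_hours}),
        "abac_home_night": abac_allowed(payroll_staff, payroll_data,
                                        {"action": "read", "location": "home", "time": after_hours}),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Note that dac_allowed("mallory", ...) would still succeed as long as the stale ACE is present; the access check does not know the person has left, which is why the ACL review is a separate, scheduled step.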
Encryption
Protecting data in transit: Transport Layer Security (TLS), the successor to the Secure Sockets Layer (SSL)
protocol, protects data transmitted between client and server machines and between servers.
-Examples: HTTPS between a browser and a web server, and TLS (STARTTLS) on SMTP connections between
email servers. SSL itself (all versions) is deprecated and should not be enabled; current deployments
should use TLS 1.2 or 1.3.
Protecting data at rest: symmetric and asymmetric encryption.
-Symmetric encryption - a single cryptographic key is used for both encryption and decryption; fast and
efficient for bulk data, but everyone who needs the data must hold the same secret key, so key
distribution is the hard part. (Ex. = Advanced Encryption Standard (AES); the older Data Encryption
Standard (DES) is obsolete and should not be used for new systems.)
-Asymmetric encryption - a key pair, a public key for encryption and a private key for decryption; much
slower than symmetric encryption and impractical for bulk data, so in practice it is used to exchange or
protect symmetric keys rather than to encrypt the data itself. (Ex. = RSA and ElGamal)
Hashing
A cryptographic hash is a one-way function: it produces a fixed-size digest from which the original value
cannot be recovered. It is not encryption and, unlike encryption, uses no key (a keyed variant, HMAC,
does). Hashing permits a value to be stored, compared or matched while protecting the original.
Used for credit card numbers or SSNs. The downside is that the information can never be recovered from
the digest. Caveat: these identifiers have very little entropy (an SSN has only about a billion possible
values), so an unkeyed hash can be reversed by simply hashing every candidate; use a keyed hash (HMAC)
with a secret key kept separate from the data, or tokenization, instead of a plain hash.
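An added example (not from the original notes) showing both sides of the point above: the digest of an SSN really cannot be inverted, yet an unkeyed SHA-256 of a low-entropy identifier is recovered by enumeration in milliseconds, while an HMAC under a key the attacker does not hold resists the same search. The SSN, the assumed known prefix, and the candidate space are constructed for the example.

```python
"""Added example: unkeyed hash vs. HMAC for a low-entropy identifier (SSN)."""
import hashlib
import hmac
import secrets


def sha256_hex(value: str) -> str:
    """One-way digest of a value; nothing here can be 'decrypted'."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def hmac_sha256_hex(key: bytes, value: str) -> str:
    """Keyed digest: same one-way property, but only a holder of `key` can compute it."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def ssn_candidates(area_group: str = "123-45"):
    """Constructed input space: an attacker who knows (or guesses) the first five
    digits has only 10,000 serials left to try. Even the full SSN space (~1e9)
    is a few minutes of SHA-256 on commodity hardware."""
    return (f"{area_group}-{serial:04d}" for serial in range(10000))


def recover_by_enumeration(target_hex: str, digest_fn):
    """Hash every candidate with digest_fn and compare to the stored digest.
    Returns the matching SSN, or None if no candidate matches."""
    for ssn in ssn_candidates():
        # compare_digest avoids leaking match position through timing
        if hmac.compare_digest(digest_fn(ssn), target_hex):
            return ssn
    return None


def demo():
    secret_ssn = "123-45-6789"  # constructed value

    # 1. Plain hash "protection": the attacker recomputes SHA-256 over the candidates.
    stored_plain = sha256_hex(secret_ssn)
    recovered = recover_by_enumeration(stored_plain, sha256_hex)

    # 2. HMAC with a secret key (in practice held in an HSM/KMS, never beside the data).
    key = secrets.token_bytes(32)
    stored_keyed = hmac_sha256_hex(key, secret_ssn)
    # The attacker lacks the key; the best they can do is the unkeyed digest or a guessed
    # key, neither of which matches the stored value.
    not_recovered = recover_by_enumeration(stored_keyed, sha256_hex)
    wrong_key = secrets.token_bytes(32)
    still_not_recovered = recover_by_enumeration(
        stored_keyed, lambda s: hmac_sha256_hex(wrong_key, s))

    # The legitimate system, holding the key, can still match a presented SSN.
    legit_match = hmac.compare_digest(hmac_sha256_hex(key, secret_ssn), stored_keyed)
    return recovered, not_recovered, still_not_recovered, legit_match


if __name__ == "__main__":
    print(demo())  # ('123-45-6789', None, None, True)
```

The legitimate lookup works because the system holding the key can recompute the HMAC of a presented SSN and compare it, which is exactly the "use the sensitive value without storing the original" property the notes describe.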
Password control
Single Sign On (SSO) permits access to multiple resources from a single account, with the ability to
centrally lock a person out of all of those resources at once (for example, on termination).
Machine access restriction
Limit access to a computer or service based on a computer identifier or IP address.
Example: access to the payroll database is limited to the set of computers in the payroll department.
Caveat: an IP address or host name alone is not a strong identifier (it can be spoofed or shared behind
NAT), so machine restriction should supplement user authentication rather than replace it.
Enterprise Architecture (EA)
EA involves managing data flow across an organization to reduce risk and support business growth.
---Data flow diagram can show origin of data, indicating whether origin was an individual, external
entity, internal group or process.
Privacy and security regulations with specific IT requirements
-Canada: Personal Information Protection and Electronic Documents Act (PIPEDA) - company doing
business in Canada must obtain OPT-OUT consent from data subjects in order to collect, use, or disclose
personal information.
-EU: Data Protection Directive (95/46/EC) - applies to anyone processing personal data of EU data subjects,
covers processing of all online and offline data, and applies to all organizations holding personal data.
(Since May 2018 it has been replaced by the General Data Protection Regulation (GDPR), which keeps these
principles and adds stricter requirements.)
-Hong Kong: Personal Data (Privacy) Ordinance (PDPO) applies to companies doing business in Hong
Kong. Data subjects must be provided the right to access, correct, or delete their personal data.
-Mexico: Law on the Protection of Personal Data Held by Private Parties applies to Mexican companies
doing business in Mexico; need OPT-IN (prior) consent before gathering and processing data.
-US: Children's Online Privacy Protection Act (COPPA) applies to commercial/online services directed at
children under 13; must get OPT-IN consent from parent.
Information Life Cycle (ILC)
Collection, Use, Disclosure, Retention, Destruction
Common Privacy Principles
a. Collection limitation: restraint from excessive collection of personal information.
b. Data quality: organizations that collect personal information should make efforts to maintain the
quality of the information.
c. Purpose specification: expression of purpose for which personal information is collected.
d. Use limitation: use of personal information within an organization should be limited to the purposes
specified at collection (or purposes compatible with them) unless the data subject consents or law requires.
e. Security safeguards: organizations have an obligation to provide security for the data they collect