Privacy by Design (PbD)
To institute an effective PbD, a company must commit to a privacy by design program, create a privacy
standard, perform privacy reviews, perform a data flow analysis, maintain transparency, access control,
retention periods, security measures, and privacy by redesign as necessary.
Principles of privacy by design: proactive not reactive, privacy as default setting, privacy embedded into
design, full functionality, end-to-end security during full lifecycle, visibility & transparency,
user-centric/friendly privacy features.
It's important to implement your industry-specific standards, such as:
(i) Basel III for financial institutions,
(ii) payment card industry (PCI) standard for merchants and payment processing actors, or
(iii) Internet Advertising Bureau (IAB) rules for advertising.
Privacy by Redesign
Over time, an organization's privacy policies can change; regulations, laws and self-regulatory regimes
can be updated, tech can evolve, threats to data can intensify. As a result, privacy notices and policies
will need to be updated.
Regulatory requirements specific to online environment
(1) Children's Online Privacy Protection Act (COPPA) - US federal regulation that restricts websites'
ability to collect or use data from children under 13 without verifiable parental consent. Targeted
advertising cannot be sent to children.
(2) EU Privacy Directives - covers the processing of personal data and protection of online privacy;
requires websites that use cookies for tracking purposes to provide enhanced notice to website visitors -
websites must also provide users with ability to see, modify, and delete their data.
(3) California Online Privacy Protection Act (CalOPPA) - website must provide a privacy statement to
visitors and an easy-to-find link to same on their web pages; websites that carry data on children under
18 must allow data deletion. Websites must also inform visitors of Do Not Track mechanisms.
Phishing
With most phishing, a fake email is disguised to look like it is from a legitimate organization/person to
lure an unsuspecting customer to click on a link embedded in the email. Once clicked, the user is sent to a
fake website designed to look legitimate or prompted to download software onto the computer.
-fake website: gets users to fill out a form with their personal info/provide login to a website like
banking;
-malware execution: sending fake content to encourage a user to download malicious software or open
a document that contains malicious software/macros
-faulty search results and ads: search engine could return results/ads that send user to fake site where
user's data is collected
-system modification: malware could modify the hosts file or browser configuration, causing the user to be sent
to the wrong website where she is tricked into believing she is at her banking/healthcare/software
download site
Spear Phishing
Sending phishing emails to a group of people from a known organization (e.g. Facebook, banks, etc.)
Whaling
A phishing attack that targets only wealthy individuals.
Pharming
A phishing attack that automatically sends users to malicious sites by redirecting a valid internet request
to a malicious site by modifying a hosts file or corrupting the contents of a network router domain
name system (DNS) server.
Mitigating phishing exploits
-Use up-to-date software and malware protection
-Delete suspicious emails without clicking on links or opening attachments
-Type in URL instead of clicking on link in email
-Browser phishing protection (Chrome, Firefox, Internet Explorer - IT pros should be familiar with the
anti-phishing feature).
SQL Injection
Structured Query Language (SQL) is the software language used for most online databases.
SQL Injection occurs when a person intentionally inserts SQL commands in places where data may be
captured and sent to a database for processing; it can expose personal data, insert inappropriate data into
a database, delete data from a database, or shut down a database.
Cross-site Scripting (XSS)
Older form of attack where an attacker embeds client-side script into a page that gets executed when a
user visits a site; this can happen when a person enters data in a form, fills out a comment, or posts.
Categories of Online Advertising
-Remnant: Cheapest, no data, no campaign, static ad
-Premium: expensive, ad campaign, to improve brand
-Contextual: most common type of targeted ad based on website type or data entered by user
-Demographic: based on individual's demographic data such as age, weight, zip code, occupation,
height, gender, or shoe size
-Psychographic: ads based on person's interests
-Behavioral: ads based on person's browsing habits