Logs
A record of both normal and suspect events by a computer system (typically an operating system). The
application log contains events logged by applications or programs. For example, a database program
might record a file error in the application log. The program developer decides which events to record.
The system log contains events logged by the operating system components; for example, the failure of
a driver or other system component to load during startup is recorded in the system log. The event
types logged by system components are predetermined for the operating system. The security log can
record security events, such as valid and invalid log-in attempts as well as events related to resource
use, such as creating, opening, or deleting files. An administrator can specify what events are recorded
in the security log. For example, if you have enabled log-in auditing, attempts to log in to the system are
recorded in the security log.
Mandatory Access Control
An access control system by which access to data, by the owner or user, is constrained by the operating
system itself.
Metadata
Data that describes other data. "Meta" is a prefix meaning "an underlying description" in information
technology usage.
Microdata Sets
Groups of information on individuals that have been altered or suppressed in some way to anonymize
the data, protecting individuals from being identified.
Multi-Factor Authentication
The authentication of a user by multiple means. This is typically accomplished by a requirement for both
a password and at least one other form of authentication such as a pass card, biometric scan or an "out
of band" means such as a phone call.
Network Devices
The components used to link computers and other devices so they may share files and utilize other
electronic resources, e.g. printers and fax machines. The most common network devices are those used
to create Local Area Networks (LAN), which require a hub, router, cable or radio connection devices,
network cards, and (for access to the internet) a modem.
Network Encryption
A type of network security that protects data traffic by providing encryption at the network transfer
layer. This form of encryption operates independently of other security measures and is invisible to the
end user as data is only encrypted while in transit.
Network-Layer Attacks
Attacks that exploit the basic network protocol in order to gain any available advantage. These attacks
generally involve "spoofing" a network address so that a computer sends data to an intruder rather than
its proper recipient or destination. Other attacks can involve service disruptions through a denial of
service (DOS) attack—a brute force method that overloads the capacity of a website's domain to
respond to incoming requests such that it renders the server inoperable.
Non-Functional System Requirements
Abstracted concepts of the operation of a new software system or product being developed that inform
functional requirements. These requirements describe how a system should work rather than specific
technical processes the system completes. For example, "the system shall be able to create user profiles
for individuals using the system."
Obfuscation
To make (something) more difficult to understand; to hide the true meaning. For Data Obfuscation see
Data Masking.
OECD Guidelines
(1) The Collection Limitation Principle. There should be limits to the collection of personal data and any
such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or
consent of the data subject.
(2) The Data Quality Principle. Personal data should be relevant to the
purposes for which they are to be used, and, to the extent necessary for those purposes, should be
accurate, complete and kept up-to-date.
(3) The Purpose Specification Principle. The purposes for which
personal data are collected should be specified not later than at the time of data collection and the
subsequent use limited to the fulfillment of those purposes or such others as are not incompatible with
those purposes and as are specified on each occasion of change of purpose.
(4) The Use Limitation
Principle. Personal data should not be disclosed, made available or otherwise used for purposes other
than those specified in accordance with Paragraph 8 (below) except a) with the consent of the data
subject; or b) by the authority of law.
(5) The Security Safeguards Principle. Personal data should be
protected by reasonable security safeguards against such risks as loss or unauthorized access,
destruction, use, modification or disclosure of data.
(6) The Openness Principle. There should be a
general policy of openness about developments, practices and policies with respect to personal data.
Means should be readily available of establishing the existence and nature of personal data, and the
main purposes of their use, as well as the identity and usual residence of the data controller.
(7) The
Individual Participation Principle. An individual should have the right: a) to obtain from a data controller,
or otherwise, confirmation of whether or not the data controller has data relating to him; b) to have
data relating to him communicated to him, within a reasonable time, at a charge, if any, that is not
excessive; in a reasonable manner; and in a form that is readily intelligible to him; c) to be given reasons
if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial,
and d) to challenge data relating to him and, if the challenge is successful to have the data erased,