"Client side" Privacy Risk - (ANSWER)- Represents computers typically used by company employees.
- These computers normally connect to the company's server-side systems via wireless and hardwired networks.
- The client side can represent a significant threat to the company's systems as well as to sensitive data that may be on the client computers.
- Employees often download customer files, corporate e-mails and legal documents to their computers for processing.
- Employees may even store their personal information on company computers.
- Client computers can access resources across the company that could hold vast amounts of planning documents that might be of great interest to competitors or corporate spies.
Network Sniffer - (ANSWER)- Allows anyone to view or copy unprotected data from a company's wireless network.
/P:count flag - (ANSWER)Switch of the Format command within the Windows OS. Best way to zero the entire disk.
cross-enterprise access controls - (ANSWER)Permit employees in one organization to have access to resources that belong to another organization. Typical when major functions are outsourced or delivered through a SaaS model. Travel, purchasing, payroll, and healthcare could be provided by companies that specialize in those services. CEAC allows employees to access records through SSO. Access is typically one-way.
SSL encryption - (ANSWER)Secure Sockets Layer protocol, commonly used to protect communications between a browser and a web server (data in transit)
TLS encryption - (ANSWER)Transport Layer Security, often used to protect email as it is transmitted between email servers (data in transit)
multilayered privacy notice - (ANSWER)abbreviated form of an organization's privacy notice that provides links to more detailed information
privacy nutrition label - (ANSWER)informs users about the organization's privacy practices in an abbreviated form -- only practical as part of the company's privacy notice or as a privacy notice for a newly installed application.
hashing - (ANSWER)method of protecting data that uses a cryptographic key to encrypt the data but does not allow the data to later be decrypted. Permits the use of sensitive data while protecting the original value. Permits the encryption of passwords, credit card numbers, and SSNs while still permitting the verification of values by matching hashes. (Ex: a credit card number can be hashed and used as an index for an individual's credit card transactions while preventing the hashed value from being used for additional transactions.) Salting, which shifts the encryption value, can also be used. Secure Hashing Algorithm 1 (SHA-1) and Rivest Cipher 4 (RC4) are examples of hashing algorithms.
types of authentication (KHAW) - (ANSWER)"What you know" - this type of authentication involves something the user knows, usually an ID and password.
"Something you have" - this type of authentication involves something the user carries on her person, usually an RSA token or key fob.
"Something you are" - this type of authentication involves biometrics, such as a fingerprint or retinal scan.
"Where you are" - this type of authentication involves confirmation of the user's location.
multifactor authentication - (ANSWER)when more than one type of authentication (see KHAW) is used to validate an individual.
Device Identifier - (ANSWER)Device ID assigned by the device manufacturer or operating system vendor, which can be a source for user tracking as Device IDs are often not deleted, blocked, or opted out of. Device ID, media access control (MAC) address or other device-assigned IDs are TO BE AVOIDED by developers as these device identifiers may be used to track employees.
Whaling - (ANSWER)Email targeting of wealthy individuals.
Development Lifecycle - (ANSWER)Release Planning, Definition, Development, Validation, Deployment
Countermeasures - (ANSWER)1. Preventative - These work by keeping something from happening in the first place. Examples: security awareness training, firewall, anti-virus, security guard and Intrusion Prevention System (IPS).
2. Reactive - Reactive countermeasures come into effect only after an event has already occurred.
3. Detective - Examples of detective countermeasures include: system monitoring, Intrusion Detection System (IDS), anti-virus, motion detectors and IPS.
4. Administrative - These controls are the process of developing and ensuring compliance with policy and procedures. They use policy to protect an asset.
Stages of PCI DSS Compliance - (ANSWER)1. Collecting and storing - Secure collection and tamper-proof storage of log data so it's available for analysis.
2. Reporting - Ability to demonstrate compliance during an audit. The organization should show evidence that data protection controls are in place.
3. Monitoring and Alerting - Implementing systems to enable administrators to monitor access to and usage of data.
Also known as Assess, Remediate, Report.
Re-identification - (ANSWER)The act of identifying someone who was previously not identified or was de-identified.
Symmetric key cryptography - (ANSWER)Protects data at rest. Uses the same key for encrypting as well as decrypting. It is also referred to as shared secret, secret-key or private key. This key is not distributed; rather, it is kept secret by the sending and receiving parties. Safe distribution of the key is difficult. More practical for large blocks of data and for data shared with multiple people. Symmetric encryption performs faster than asymmetric encryption and requires a smaller key for the same level of protection. DES and AES are examples of symmetric encryption.