CIPT Flashcards

Question 1

Q

Accountability

Answer

A

The introduction of technical and organizational measures for appropriate handling of personal data according to the law, which is an idea mentioned in GDPR and the Fair Information Practice Principles.

Question 2

Q

Abstract

Answer

A

To restrict the level of detail shared when processing personal information.

Question 3

Q

Access control entry

Answer

A

An element that governs, oversees, or rec-ords access to an object by an identified user in an access control list.

Question 4

Q

Access control list

Answer

A

A list of access control entries that correspond to an object. This could be either discretionary, meaning controlling access, or system, meaning monitoring ac-cess via security event log or audit trail.

Question 5

Q

Active Data Collection

Answer

A

When an end user purposely provides information, usually through web forms, text boxes, check boxes, or radio buttons.

Question 6

Q

AdChoices

Answer

A

A Digital Advertising Alliance program that pro-motes awareness and choice for online adver-tising. Participating DAA members’ websites need an icon near their advertisements or the bottom of their pages. Users set preferences for behavioral advertising by clicking on the icon.

Question 7

Q

Adequate level of protection

Answer

A

Confirmation that a data transfer accounts for the rule of law and legislation, respect for human rights, data protection rules, professional rules and security measures, data subject rights, independent supervi-sory authorities, and any international commitments.

Question 8

Q

Advanced encryption standard

Answer

A

An encryption algorithm that the US government us-es for security sensitive non-classified material. NIST selected this algorithm in 2001 to replace the Data Encryption Standard (DES).

Question 9

Q

Adverse action

Answer

A

Any business, credit, or employment action that affects consumers negatively, such as denying or can-celing credit, insurance, employment, or promotion. A credit transaction where the consumer accepts a counteroffer would not count.

Question 10

Q

Agile development model

Answer

A

As opposed to the plan-driven development model, this process for software system and product design integrates new system requirements during the literal creation of the system, where specific portions are developed one at a time. The Scrum Model is one ex-ample.

Question 11

Q

Algorithm

Answer

A

A mathematical instruction applied to a set of data.

Question 12

Q

Anonymization

Answer

A

The process by which individually identifiable data is changed so that it can no longer be related back to any individual without affecting the usability of the data.

Question 13

Q

Anonymous information

Answer

A

Data that is not related to an identified or an identifi-able natural person, nor can it be combined with oth-er information to re-identify persons. Being made un-identifiable, it is not in scope for the GDPR.

Question 14

Q

Anthropomorphism

Answer

A

The act of placing human characteristics or behaviors on non-living things.

Question 15

Q

Anti-discrimination laws

Answer

A

Indications of special classes of personal data. If these exist based on a class or status, it is likely that the personal information is subject to more prescrip-tive data protection regulation.

Question 16

Q

Application or field encryption

Answer

A

The ability to encrypt certain regions of data, particu-larly sensitive data including health-related infor-mation.

Question 17

Q

Application-layer attacks

Answer

A

Attacks that take advantage of flaws in network server applications, which are present in applications such as web browsers, e-mail server software, and network routing software. Patches and updates to applications can help protect against such attacks.

Question 18

Q

Appropriation

Answer

A

Adopting one identity for another person’s uses.

Question 19

Q

Asymmetric encryption

Answer

A

A type of data encryption using two distinct but relat-ed keys to encrypt data: a public key for other par-ties, and a private key only for the first party. You need both keys to decrypt the data.

Question 20

Q

Attribute-based access control

Answer

A

A permission model for access control made by review-ing attributes given to users, data, and the context of requested access.

Question 21

Q

Audit trail

Answer

A

A track or record of electronic activity used for mon-itoring or validation in tracking customer activity or investigating cybercrimes.

Question 22

Q

Authentication

Answer

A

Determining whether an entity is who it claims to be.

Question 23

Q

Authorization

Answer

A

The process for deciding if the user should have access to a specific resource like an information asset or sys-tem containing and validating the identity of the user. The criteria could include things like organizational role, security clearance, and applicable law.

Question 24

Q

Automated decision making

Answer

A

The process of making a determination apart from human involvement.

Question 25

Q

Basel III

Answer

A

An inclusive list of reform measures created by the Basel Committee on Banking Supervision to build up the regulation, supervision, and risk management of the banking sector.

Question 26

Q

Behavioral advertising

Answer

A

Advertising targeted at individuals based on observa-tions about their activity over time, likely done via au-tomated processing of personal data, or profiling.

Question 27

Q

Big data

Answer

A

Large sets of information that organizations may collect due to the expansion of the amount and availability of data. It’s also referred to as “the three V’s”: volume, variety, and velocity, referring to the amount of data, the type of data, and the speed at which data can be processed.

Question 28

Q

Biometrics

Answer

A

Data that relates to the physical or behavioral charac-teristics of a person, for example fingerprints, voice, or handwriting. This is considered a special category of data with processing only permitted in certain cir-cumstances under GDPR.

Question 29

Q

Blackmail

Answer

A

The threat of sharing a person’s information against their wishes.
An

Question 30

Q

Breach disclosure

Answer

A

An organization must notify regulators and/or vic-tims of incidents that have impacted the confidenti-ality and security of personal data. This transparen-cy mechanism brings light to operational failures, helps mitigate harm, and assists in the identification of causes of failure.

Question 31

Q

Breach of confidentiality

Answer

A

Sharing a person’s personal information in spite of a promise otherwise.

Question 32

Q

Bring your own device

Answer

A

Allowing employees to use their own personal compu-ting device for work.

Question 33

Q

Browser fingerprinting

Answer

A

Differentiating between users from the instance of their browsers, which store information about webpages visited, making each unique due to ac-cess time and order.

Question 34

Q

Caching

Answer

A

Saving local downloaded copies so that there’s no need to keep downloading content, which should be prohibited on pages that display personal infor-mation.

Question 35

Q

California Online Privacy Protection Act

Answer

A

This act requires that all websites targeted to California citizens must provide a privacy statement to visitors with an easy-to-find link. Websites that collect personal data from individuals under 18 years of age must per-mit those children to delete their data. Websites are required to inform visitors of which Do Not Track mechanisms they support, if any.

Question 36

Q

CCTV

Answer

A

An acronym for “closed circuit television” which has become shorthand for any video surveillance sys-tem. These can be hosted via TCP/IP networks and accessed remotely, and the footage very easily shared.

Question 37

Q

Chat bots

Answer

A

Automated intelligence that mimics human interac-tions and can be used for simple customer requests and interactions.

Question 38

Q

Children’s Online Privacy Protection Act (COPPA)
Choice

Answer

A

U.S. federal law applying to operators of commercial websites and online ser-vices either directed to children under the age of 13 or known to collect per-sonal information from children under the age of 13. Operators are required under this law to post a privacy notice on the website, provide notice about collection practices to parents, obtain verifiable parental consent before col-lecting personal information of children, give parents the choice about wheth-er their child’s personal information will be shared with third parties, provide parents with rights to access, delete, and opt out of future collection or use of the information, and maintain the confidentiality, security and integrity of children’s personal information.

Question 39

Q

Choice

Answer

A

The concept that consent must be freely provided and data subjects have a true choice whether to provide personal data, without which it is unlikely the consent would be considered valid under GDPR.

Question 40

Q

Ciphertext

Answer

A

Data that is encrypted.

Question 41

Q

Cloud computing

Answer

A

Provisioning information technology services online from a third-party supplier or by a company for its in-ternal users. The services could be things like software, infrastructure, platforms, or hosting, with applications like email or data storage.

Question 42

Q

Code audits

Answer

A

The analysis of source code’s discovery of flaws, se-curity breaches, or violations in the technology eco-system.

Question 43

Q

Code reviews

Answer

A

Reports organized by code authors with a reader, moderator, and privacy specialist.

Question 44

Q

Collection limitation

Answer

A

The fair information practices principle which says that there should be limits in the collection of personal da-ta, where data should be gathered by fair and lawful means with the knowledge or consent of the data sub-ject.

Question 45

Q

Communications privacy

Answer

A

The class of privacy that encompasses protection of the means of correspondence, including mail, phone conversations, and email.

Question 46

Q

Completeness arguments

Answer

A

Assertions used to confirm compliance with privacy rules and policies in the design of new software sys-tems, where privacy rules are compared to the re-quirements used for a software system. This accounts for necessary technical safeguards and prohibits de-sign that would violate privacy regulations.

Question 47

Q

Computer forensics

Answer

A

Searching an information system for relevant clues after a compromise of security.

Question 48

Q

Concept of operations

Answer

A

An outline for the functionality of a software product or system as used in plan-driven development models to project design and implementation.

Question 49

Q

Confidentiality

Answer

A

The principal that data should be protected against unauthorized or unlawful processing.

Question 50

Q

Consent

Answer

A

The confirmation of an individual’s agreement to the collection, use, and disclosure of their personal data. There are two thoughts on this: opt-in (making an affirmative action) and opt-out (implied by lack of ac-tion).

Question 51

Q

Content delivery network

Answer

A

The servers containing the visible elements of a web page which would be signaled for those elements. In advertising, a general ad server would be signaled after a webpage is requested and search for information on the user trying to access the webpage.

Question 52

Q

Context aware computing

Answer

A

When a device adapts to its environment by changing location, video, audio, or brightness.

Question 53

Q

Context of authority

Answer

A

Resource access control on a network depends on the context in which the employee connects to the net-work.

Question 54

Q

Contextual advertising

Answer

A

Advertising using content from a visited webpage or user query. It’s a widely used form of online targeted advertising.

Question 55

Q

Contextual integrity

Answer

A

A way of ranking potential privacy risks in software systems and products considering how the product or system compares to consumer expectations. If a product or system differs from expectations, it’s possible that the consumer may perceive a privacy harm.

Question 56

Q

Cookie

Answer

A

A small text file stored on a client machine to be re-trieved by a web server. These keep track of the end user’s browsing activities and pool individual requests into sessions. They also allow users to stay signed in. Types include first party, third party, session, and per-sistent. Consent is required before collecting.

Question 57

Q

Coupling

Answer

A

The connection between objects within a technology ecosystem which controls the flow of information. Fo-cusing makes objects depend on the connection to other objects, while loosening eases the dependency, isolating processing to a specific group of classes and reducing the chance of accidentally re-purposing infor-mation.

Question 58

Q

Cross-site scripting

Answer

A

Code input by malicious web users into web pages that other users will view.

Question 59

Q

Cryptography

Answer

A

Hiding information, usually by transforming it with encryption, such as digital signature, or non-repudiation.

Question 60

Q

Cryptosystem

Answer

A

The information required to encrypt and decrypt a particular message, most often the encryption algorithm and the security key.

Question 61

Q

Customer access

Answer

A

A customer’s right to access, review, correct, and de-lete the personal information collected about them.

Question 62

Q

Customer data integration

Answer

A

The combination and management of all customer in-formation, a key element of customer relationship management.

Question 63

Q

Customer information

Answer

A

As opposed to employee information, this is data concerning the clients of private-sector organizations, healthcare patients, and the general public in relation to public-sector agencies.

Question 64

Q

Cyberbullying

Answer

A

Releasing a person’s private information or re-characterizing the individual online.

Answer 65

A

Habitual means to mislead individuals into sharing personal information.

Answer 66

A

Combining data sets to analyze trends while maintaining individual privacy using groups of individuals with similar characteristics. The data set needs to come from a large number of individuals, be broadly categorized, and exclude data unique to a single individual.

Answer 67

A

The unauthorized collection of computerized data that interrupts the security, confidentiality, or integrity of personal information maintained by a data col-lector.

Answer 68

A

Facilities where data and critical systems are stored and managed, either centralized for one organization’s data management needs or operated by a third-party provider.

Answer 69

A

The natural or legal person, public authority, agency or any other body who alone or together decides the intentions and means of personal data processing.

Answer 70

A

A piece of data with a distinct definition which can’t be whittled down further. Examples include date of birth, numerical identifier, or location coordinates. In isolation these may not be considered personal data but they would be when combined.

Answer 71

A

A graphical depiction of how data flows in an information system and how the system runs to fulfill its purpose. These would be used by systems analysts creating information systems and management recreating the flow of data within organizations.

Answer 72

A

A term for the strategy to keep end users from sharing sensitive information with external ineligible sources and the software systems that help control what data end users can transfer.

Answer 73

A

The means of de-identifying, anonymizing, or other-wise obscuring data to retain the structure but re-move the sensitivity of the content to create a data set for training or software testing.

Answer 74

A

Comparing personal data collected from multiple sources to make decisions about the identified individuals.

Answer 75

A

The idea that data controllers would simply collect and process personal data that is relevant, necessary, and adequate to fulfill the specified purposes.

Answer 76

A

Any operation or set of operations performed on personal data including alteration, collection, recording, restriction, storage, use, retrieval, disclosure, dissemination, combination, organization, erasure, or destruction, whether by automated means.

Answer 77

A

The natural or legal person public authority, agency or other body not employed by the controller who processes personal data as instructed by the controller.

Answer 78

A

Independent public authorities that oversee the application of data protection laws in the EU through guidance on data protection issues and complaints made by individuals of GDPR violations. One per EU member state with extensive enforcement power to impose fines of up to 4% of a company’s global annual revenue.

Answer 79

A

The fair information practices principle that says personal data should be relevant, accurate, up-to-date, and complete. Four questions to consider: does it meet the business needs; is it accurate; is it complete; and is it recent?

Answer 80

A

The natural or legal person, public authority, agency, third party, or another body getting personal data by disclosure. This would not apply to public authorities getting personal data in the context of an EU or member state law inquiry.

Answer 81

A

All of the constraints, entities, and relationships used to separate customer information.

Answer 82

A

An identified or identifiable natural person about whom the organization has personal information.

Answer 83

A

Personal information shared on a social network or website.

Answer 84

A

A subset of artificial intelligence and machine learning where tasks are performed repeatedly with increasing layers of data.

Answer 85

A

Online advertising based on an individual’s age, height, weight, geographic location, or gender.

Answer 86

A

Shared solutions to recurring problems which enhance program code maintenance by applying a common mental measure.

Answer 87

A

A five-phase process of empathize, define, ideate, pro-totype, and tested, used alongside value-sensitive de-sign.

Answer 88

A

Establishing rules that limit the confidence that an in-dividual has assigned to an aggregated value.

Answer 89

A

A non-profit organization that creates standards for consumer privacy, transparency, and control in online advertising and enforces the self-regulatory standards created by the Digital Advertising Alliance including AdChoices.

Answer 90

A

Using log files to identify a website visitor, mostly for security and system maintenance purposes. A log file is typically made up of the IP address, a time stamp, the URL of the requested page, a referrer URL, and the visitor’s web browser, operating system, and font preferences.

Answer 91

A

Overseeing access to and use of digital information and devices after sale. Usually done using access con-trol (denial) technologies for defending copyrights and intellectual property, claims that may be considered controversial because they prevent users from lawful use of the information and devices.

Answer 92

A

A means of ensuring the legitimacy of an electronic document, such as an e-mail, text file, spreadsheet or image file, so that anything added afterward makes it invalid.

Answer 93

A

A policy directive for the EU Member States recognizing how cookies help modern websites function and the user’s right to opt out. It was amended by the Cookie Directive 2009/136EC, which added a requirement for all websites using tracking cookies to obtain user consent unless the cookie is “strictly necessary.”

Answer 94

A

Reducing connections between data and individuals as much as possible in relation to the system opera-tional requirements.

Answer 95

A

A type of access control that permits the owner of an object to approve access to a computer-based information system.

Answer 96

A

Disseminating false or incorrect information about someone.

Answer 97

A

A firewall configuration to protect local area net-works with a number of computers acting as a broker for traffic between the LAN and the external network.

Answer 98

A

A potential policy allowing consumers the right to opt out of web tracking, in the same vein as the existing US Do-Not-Call Registry.

Answer 99

A

Websites offering online ordering, which allows access to information related to user purchases and payments for targeted advertising.

Answer 100

A

Defined by the ePrivacy Directive to include the content of a communication, traffic data, and location data.

Answer 101

A

Things that would fall under this definition include net-works used for radio and television broadcasting; trans-mission systems, switching or routing equipment, and other resources that send signals by electromagnetic means; electricity cable systems; fixed and mobile terrestrial networks; and cable television networks.

Answer 102

A

Any service allowing users to send or receive wire or electronic communications.

Answer 103

A

Digital monitoring, such as location-based services, stored communications, or video surveillance.

Answer 104

A

Obscuring information so that it can’t be read without a key or other specific knowledge, usually with a cryptographic scheme.

Answer 105

A

A cryptographic algorithm used on plain text to mask value or used on encrypted text to make it plain again.

Answer 106

A

A contract made between the user and the software application owner where the user promises to pay for the use of the software and comply with any restrictions.

Answer 107

A

An abstract outline or blueprint of the structure and operation of an organization, usually in an effort to achieve current and future goals.

Answer 108

A

The first EU-wide legislation protecting personal data use and privacy which was adopted in 1995 and re-placed by GDPR in 2018.

Answer 109

A

Denying an individual knowledge about or participation in data processing.

Answer 110

A

Sharing information that would normally be kept private, including physical details about bodies.

Answer 111

A

Also referred to as XML, this markup language allows for the transport, creation, retrieval and storage of files from tags that identify the contents. The content of a web page is described in terms of the data produced as opposed to how it should be displayed, which is done in HTML.

Answer 112

A

A network system made by connecting corporate intranets. These come with inherent security risks despite meeting organizational goals, including backdoors into the internal network and trust for third parties. Risk management would rely on a business contract to restrict access to data, list security controls in place, establish how shared devices will be managed, and create procedures for cooperating with technical staff.

Answer 113

A

A framework that separates risk by frequency of action and breadth of violation.

Answer 114

A

A model to confirm a person’s identity using a credible centralized service.

Answer 115

A

A Japanese legislation for the financial services sector that created a cross-sectional legislative framework to protect investors, strengthened disclosure requirements, provided directions for financial exchange self-regulatory operations, and established strict rules to stop unfair trading.

Answer 116

A

A data subject gives personal data through a form or survey sent to the collector upon submission.

Answer 117

A

Software used to place animation and other visual effects on web-based content.

Answer 118

A

The number of times a particular value exists in the data set.

Answer 119

A

The details for implementation related to how a system should work, which inputs create which outputs, and elements of design.

Answer 120

A

Data related to mobility, social patterns, and behaviors that comes from smartphones and other devices when people share their emotions, opinions, experiences and locations. Artificial intelligence and machine learning use these to identify meaningful patterns and trends.

Answer 121

A

Attributes from this method, as opposed to the POST HTML method, prescribe how form data is provided to a URL, particularly in name/value pairs showing pass-words and other sensitive information in the browser’s address bar.

Answer 122

A

The collection of data protection authorities set by an OECD recommendation for collaboration among member countries on enforcing privacy laws, developing common priorities, sharing best practices, and sup-porting joint enforcement and awareness activities.

Answer 123

A

An identifier that is special to an individual user.

Answer 124

A

Distinctions between types of dimensions of privacy harms—namely objective and subjective. Perceived harm can have the same privacy impact as experienced harm.

Answer 125

A

Also called hashing, this refers to removing personal in-formation from user identifications using an organized system but retaining activity tracking. It can be used to encrypt or map data and in other information security applications.

Answer 126

A

Personal information is rendered unconnected or invisible to others.

Answer 127

A

How the system’s front and back ends collaborate to create the desired system behaviors.

Answer 128

A

Allowing encrypted data to be viewed or changed without decryption.

Answer 129

A

A graphic or text linked to a website or web-enabled service via URL in the HTML code. Upon selecting the right words or images, the end user is sent to the in-tended website or page.

Answer 130

A

A language for content authoring used to make web pages and render content. Some of the details that can be input include hyperlinks, pictures, headings, and text with minimal commands.

Answer 131

A

A networking language that controls data packets via Internet. It sets rules related to the formatting and transmission of messages and actions to be taken by web servers and browsers according to commands.

Answer 132

A

A network communication technique where HTTP is placed on top of the SSL/TLS to apply security capabilities.

Answer 133

A

The specificity to which a user is recognized by an authentication system. A user is more easily tracked or targeted with greater specificity and more easily falsely authorized with less.

Answer 134

A

Codes or strings that correspond to an individual, de-vice, or browser.

Answer 135

A

Technical solutions, security measures, and privacy compliance efforts taken by stakeholders involved in the processing of personal data.

Answer 136

A

Dividing data into different levels of classification and restricting access to that data using class functions.

Answer 137

A

This approach recognizes different values of data and data handling through an organization between collection and deletion. The stages involved are: collection, processing, use, disclosure, retention, and destruction.

Answer 138

A

The class of privacy which refers to the right of individuals, groups, or institutions to determine when, how, and to what extent information about them is dis-closed to others.

Answer 139

A

Protecting information in order to prevent loss, unauthorized access, and misuse. This includes measuring threats and risks to information and the processes and measures to be taken to preserve the confidentiality, integrity and availability of information.

Answer 140

A

The ability for a business to use the information it’s collected in as many ways as possible to improve its services and products.

Answer 141

A

Failure to appropriately protect collected personal in-formation.

Answer 142

A

The trade association for businesses in the advertising industry that creates industry standards, leads research, and supplies legal support.

Answer 143

A

A term referring to the myriad of devices people own that connect to the internet and are subject to automation and remote access.

Answer 144

A

A unique string of numbers tied to a computer on the Internet or other TCP/IP network. This is considered a type of personal information.

Answer 145

A

A company giving Internet access to homes and businesses via modem dial-up, DSL, broadband, or wireless connections.

Answer 146

A

Probing or leading individuals down a line of question-ing to ascertain their personal information with the possibility of risking individual privacy and social norms if a person is compelled to answer.

Answer 147

A

The result of auditing a system for threats to network security.

Answer 148

A

A code of practice for information security made up of potential controls and mechanisms for implementing effective organizational and security management practices.

Answer 149

A

Also called enterprise architecture, this is made up of policies, principles, services, and products adopted by IT providers.

Answer 150

A

The part of an organization charged with overseeing the technology used to create, store, transfer, and use information.

Answer 151

A

A computer programming language that creates interactive effects on web browsers.

Answer 152

A

Distinct information practices shared along with a con-sent request before information is collected.

Answer 153

A

A practice where direct identifiers are replaced with generalized, truncated, or redacted identifiers.

Answer 154

A

A practice where at least “l” distinct values are used on top of replacing direct identifiers with generalized, truncated, or redacted identifiers in every group of k records for sensitive attributes.

Answer 155

A

A privacy notice with sections of different lengths–a shorter version with key points and a longer, more de-tailed version.

Answer 156

A

A layered approach with three levels of security policies: a high-level document including the policy statement; the controls to be followed to meet the policy statements; and the operating procedures, about how the policy statements will be achieved in practice.

Answer 157

A

A security control allowing access according to the lowest possible level to complete the required action.

Answer 158

A

The capacity for identifiers used to track an individual to be combined with outside information and identify an individual.

Answer 159

A

Networks located inside the operational facility which are easy to manage and subject to local control.

Answer 160

A

Also known as flash cookies, these data files are made to track user preferences and used by Adobe Flash Player. They are different from HTTP cookies in being saved to the computer’s hard drive.

Answer 161

A

Services that use location information to provide applications and services, including gaming, social networking, and entertainment, usually needing geolocation to identify the real-world geographic location.

Answer 162

A

A record of all events that take place in a computer system (usually an operating system). An application log includes events tracked by applications; a system log includes events recorded by the operating system; and a security log includes security events

Answer 163

A

The specific details describing a high-level de-sign system.

Answer 164

A

Data where the quantity of interest is presented over all units of analysis. A table showing average income by age is one example.

Answer 165

A

The ability to govern personal information in a detailed way, through things like correction, transfer, and deletion.

Answer 166

A

An access control system where the system restricts access to data.

Answer 167

A

A piece of data that pertains to other data.

Answer 168

A

Anonymized groups of information about individuals, where the individuals can’t be identified.

Answer 169

A

The capability of a system to change locations, like that of laptops or mobile phones.

Answer 170

A

The authentication process using multiple verification methods, like a password and code sent to a phone number, or log-in and biometric identifier.

Answer 171

A

This framework created common terminology in cyber-security for all sectors.

Answer 172

A

A risk management tool used to establish guidelines and best practices to the management of cybersecurity-related risks, help organizations communicate and plan around privacy risk, and build privacy governance pro-grams.

Answer 173

A

Information made into content, which allows things like text-to speech, automation of reports, and mobile applications content.

Answer 174

A

Machine reading comprehension via algorithms used to find and extract language that the computer can interpret.

Answer 175

A

The degree to which personal information stays local.

Answer 176

A

The components allowing two devices to connect for sharing electronic files, such as printers and fax ma-chines. The most common ones make Local Area Net-works using a hub, a router, a cable, a modem, and network cards.

Answer 177

A

Protecting data transfers at the network transfer layer via encryption that is invisible to the end user.

Answer 178

A

Attacks abusing the basic network protocol for ad-vantage, mostly through spoofing a network address to send data to an intruder instead of the intended recipient or service disruptions through a denial-of-service attack that overloads the capacity of a website’s domain with brute force.

Answer 179

A

The type of anonymization where certain identifying values from one data subject are swapped with identifying values from another subject from the data set.

Answer 180

A

Abstract concepts informing the functional requirements for a new software, system, or product being developed—as in how a system should work instead of the technical processes or functions.

Answer 181

A

Making something harder to understand in order to hide its meaning.

Answer 182

A

Harm that is measurable and observable resulting from privacy violations to a person.

Answer 183

A

A universal set of internationally accepted privacy principles and guidance for countries developing regulations related to cross-border data flows and law-enforcement access to personal data. The principles are Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Openness, Individual Participation, and Accountability.

Answer 184

A

Laws covering a wide range of organizations or natural persons, not simply a specific market sector or population.

Answer 185

A

Websites or online advertising services that track and analyze search terms, demographics, online activity, offline activity, browser or user profiles, location data, or preferences, to offer advertising.

Answer 186

A

Third-party vendors storing data accessible via Internet as an alternative to local storage on a hard drive or portable storage on a flash drive.

Answer 187

A

Software that can be simply viewed, shared, or edited compared to that which can only be fixed and updated by the vendor.

Answer 188

A

One of two approaches to choice, where an individual makes an affirmative indication of agreement, like checking a box to allow the business to disclose the in-formation to third parties.

Answer 189

A

One of two approaches to choice, where the lack of action on the part of the individual is taken as their implication of choice, so for example, their information will be shared with third parties if they don’t uncheck a box.

Answer 190

A

An international organization that supports policies created to boost employment, sustainable economic growth, and the standard of living.

Answer 191

A

Collecting data unbeknownst to the data subject.

Answer 192

A

Making program changes to update or fix a system.

Answer 193

A

A self-regulatory system of security standards for payment card data drafted by the Payment Card Industry Security Standards Council. Compliance necessitates companies above a certain threshold to conduct third party security assessments.

Answer 194

A

Technologies and processes intended to secure the network by stopping access from the outside.

Answer 195

A

Storing data in a stable medium such as a hard drive. An alternative to random access memory, which loses data whenever the device is disconnected from power.

Answer 196

A

Also called personal data, a term defined by CCPA as information that identifies or could be linked to a particular consumer.

Answer 197

A

Corrupting a host file or network router to send an authentic internet request to a malicious website.

Answer 198

A

Communication meant to trick a user to give a pass-word, account number, or other information to a web-site managed by the attacker. It’s called “spear ” when the attack is targeted to a specific user, like an e-mail that looks like it’s from the user’s boss.

Answer 199

A

As opposed to the agile development model, this strategy to creating software and systems involves fully de-signing the system and functions before creation, one example being the Spiral model.

Answer 200

A

A project intended to introduce user privacy into web protocols. The most successful protocol from this project is XACML.

Answer 201

A

An algorithm changed when the code is copied, while the encryption stays the same for each key.

Answer 202

A

As opposed to those of the GET method, this method’s attributes specify how form data is given to a web page in a more secure way.

Answer 203

A

An indicator of the reliability of assumptions made about a system, specifically the data it holds and how it is processed.

Answer 204

A

The costliest and most pronounced type of web advertising displayed on a website’s homepage which only big name companies can afford.

Answer 205

A

Generally regarded as a synonym for Data Protection by Design, this is an approach where privacy is embedded into technology, systems, and practices from early de-sign stage to include privacy requirements in the processing of personal information. It ensures the existence of privacy from the outset.

Answer 206

A

A concept in which privacy values and principles are considered in technology systems and programs while protecting security and mitigating risk, requiring engineers and privacy professionals to work together.

Answer 207

A

A statement provided to the data subject explaining how an organization collects, uses, stores, and discloses personal information.

Answer 208

A

A standard label designed to make privacy policies more understandable, developed by the lab at Carnegie Mellon University.

Answer 209

A

An individual designated as the head of privacy compliance and operations in an organization. The US federal government sees this person as the official in charge of the implementation and management of all privacy and confidentiality efforts.

Answer 210

A

Borrowing from design patterns, these are common solutions to privacy problems encountered in software design.

Answer 211

A

An internal statement that explains an organization or entity’s handling of personal information to the members of the organization interacting with the personal in-formation, informing them about the collection, use, retention, and destruction of the data and data subject rights.

Answer 212

A

An analysis of how well new comply with the organization’s privacy policy to minimize potential privacy risks.

Answer 213

A

A formula used to determine the impact a new project may have on the privacy of the consumer base involved. In the evaluation, the likelihood of the threat taking place should be considered along with its potential impact. Then, projects should be compared in terms of their resulting risk.

Answer 214

A

The minimum level of privacy protection to be placed in all new projects, applications, and services both in terms of internal organizational policy and external regulations. There should be guidelines to help reach adherence.

Answer 215

A

A term for technology professionals who play a role in protecting privacy in technology. These could be audit, risk and compliance managers; data scientists; soft-ware engineers; or privacy engineers.

Answer 216

A

Any individually identifiable health information created, received, transmitted, or stored by a HIPAA-covered entity or its business associate or employee which can be used to identify the individual is created or received by a covered entity or an employer and is related to any physical or mental condition or payment or provision of healthcare.

Answer 217

A

An act that criminalizes cyber bullying and allows police to obtain warrants for telecommunications and internet data and hold onto electronic evidence.

Answer 218

A

Data points no longer directly associated with an identified person although it’s known whether multiple of the data points relate to the same person. An ID is used instead of PII to tell if data has the same source. Examples include IP address, GUID, and ticket numbers.

Answer 219

A

Sending a user content based on their interest deter-mined by their known preferences online rather than their interactions with web pages and advertisements.

Answer 220

A

A system composed of digital certificates, authorities, and other registration entities that uses cryptography to check the authenticity of each party participating in an electronic transaction.

Answer 221

A

Information gathered and stored by a government entity that it makes available to the public.

Answer 222

A

Software development issues that cannot be fixed by one design element or function alone, one example being privacy. Implementing Privacy by Design in soft-ware development will help to account for the issues in all system functions.

Answer 223

A

The use of quantum mechanics principles to encrypt messages so that no one other than the intended recipient can view them.

Answer 224

A

Technologies that identify people or objects with microchips using radio waves.

Answer 225

A

The action of reapplying characteristics to pseudonymized or de-identified data that could be used to identify an individual. There is risk in undoing the de-identification actions applied to data.

Answer 226

A

The simplest form of web advertising, lacking personalization because no data about the user or webpage is used.

Answer 227

A

The secondary use of information collected for a different purpose.

Answer 228

A

The part of the information life cycle that pertains to organizations keeping personal information only as long as required to fulfill the intended purpose.

Answer 229

A

The right of an individual to ask and obtain their person-al data from a business or other organization.

Answer 230

A

Access policies following the restriction where no employee can gain greater information access than what is necessary to perform their job.

Answer 231

A

The most prevalent inter-net encryption and authentication system which uses an algorithm to generate a public key, which is then used to encrypt data and decrypt an authentication, and a private key, which can decrypt the data and encrypt an authentication.

Answer 232

A

Auditing and evaluating data collected from an operating system.

Answer 233

A

Programs requiring participants to follow codes of in-formation practices which will be monitored. The companies that comply with the terms will show the pro-gram’s seal on their website.

Answer 234

A

The use of an individual’s information for purposes that are unrelated to the original processing purpose without consent.

Answer 235

A

A cryptographic key that corresponds to a private cryptographic algorithm, connected to one or more entities. The key should be protected from disclosure.

Answer 236

A

Internal security measures that prevent unauthorized or unnecessary access to corporate data or resources, which may be either physical, technical, or organizational. Protected resources may be intellectual proper-ty, financial data, or personal information.

Answer 237

A

The fair information practices principle establishing that personal data be protected by acceptable security safeguards from risks of loss or unauthorized access, destruction, use, modification, or disclosure of data.

Answer 238

A

Processing personal data in a way that prevents identification of the individual, either using physically separate locations or isolating the data by purpose.

Answer 239

A

The standard authentication technique where a user name and password are provided for access.

Answer 240

A

An authentication method where the user provides one set of credentials to access multiple applications.

Answer 241

A

A term for a security vulnerability created by attackers persuading a user to provide information.

Answer 242

A

Formal documentation of a software system or product with functional and nonfunctional requirements that cover the needs of the customer.

Answer 243

A

Commercial e-mail that is unsolicited.

Answer 244

A

Phishing that is meant to reach a group of people connected to a specific organization.

Answer 245

A

Voice command technology permitting users to speak to technologies in order to control them.

Answer 246

A

Targeting SQL forms with commands entered into in-formation entry boxes which may alter the system. This could erase data sets or over load servers if the SQL is left vulnerable.

Answer 247

A

Using encryption to protect stored or backed-up data in transit and at rest.

Answer 248

A

A programming language made by IBM that uses inter-active forms into which users can insert or edit data to be made into usable data sets by the system administrators. It’s now an international standard for the col-lection and use of information.

Answer 249

A

Only an expectation of harm existing, lacking anything perceptible or quantitative.

Answer 250

A

A tracking tool that remains in a device even after deleting all cookies, kept in different types of storage.

Answer 251

A

Capturing or watching an individual’s activities.

Answer 252

A

Collection of data made by observing a data subject without interfering in their activity.

Answer 253

A

A form of encryption where a single secret key is used to both encrypt and decrypt data, also called Secret Key Encryption.

Answer 254

A

Content that is created, bought, or licensed from a third party that may introduce malicious code into the organization’s website code. Cross-site scripting (XSS) attacks may take advantage of this vulnerability.

Answer 255

A

A conceptual model used to follow an information system development project through various stages.

Answer 256

A

Decreasing the detail of the data in a data set to extend l-diversity.

Answer 257

A

A set of rules governing the use of a service to which a user agrees implicitly or explicitly before participating.

Answer 258

A

Data taken from a source that is not the data subject.

Answer 259

A

Replacing random tokens for true data as way of de-identifying data.

Answer 260

A

Moving information from one organization to another intended recipient.

Answer 261

A

Short-term data storage such as that used by a session cookie stored on a browser which will be erased once the browser is closed.

Answer 262

A

A protocol allowing two devices to connect and transfer data. TCP and IP are combined to send data over the Internet in the form of a packet, made up of content and a destination.

Answer 263

A

A protocol that maintains separation between client-server applications and Internet users. The connection is secured to make sure no third party has access when a server and client communicate.

Answer 264

A

A type of malware where bad software looks like beneficial software.

Answer 265

A

Processing information connected to an encountered activity or object.

Answer 266

A

A notation language used to detail the elements of a system design for software development.

Answer 267

A

The letter and number coordinates that an end user in-puts into a web browser to get to a website; for example, https://privacyref.com.

Answer 268

A

Stipulations for new software systems or products created using the Agile Development Model, typically comprised of a few sentences on how a consumer would use the system or product and its intended functionality. This is a way of informing the developers about how a system or product should operate while they are design-ing it.

Answer 269

A

Determining whether to grant or deny access to the re-source based on the identity of the user.

Answer 270

A

Non-core services that are outside of voice calls and fax transmissions available at almost no cost to pro-mote the business.

Answer 271

A

An approach to design with moral and ethical values in mind like privacy, trust, courtesy, or freedom from bias for both technologies and stakeholders.

Answer 272

A

A network that mostly uses public telecommunication infrastructure such as the Internet to allow remote users access to a central organizational network. The re-mote user is typically authenticated and data is se-cured using encryption technologies to prevent unauthorized disclosure of information.

Answer 273

A

A technology to let phone calls be made over an LAN or the Internet, in a similar risk to network-connected PBX systems but with the extra risk of data interception if using an unsecured connection.

Answer 274

A

Evaluating and creating plans for the possibility that a threat actor will succeed.

Answer 275

A

Also called a web bug, pixel tag or clear GIF, this is a clear graphic image delivered via web browser or e-mail which records a user’s visit or views. It may be used along with a web cookie for third-party tracking. They can be used to create specific profiles of user behavior or reports on what e-mails are opened. Similar privacy considerations should be made here to those for cookies.

Answer 276

A

Phishing targeted at wealthy individuals.

Answer 277

A

A non-localized network for sending data across far distances.

Answer 278

A

A computer program or algorithm that clones itself over the network and completes malicious actions.

Answer 279

A

A data storage device that doesn’t allow information to be modified after it is written to ensure that the data originally written to the device won’t be manipulated. The data can only be destroyed if the whole device is destroyed.

Brainscape's Knowledge GenomeTM

CIPT Flashcards

Brainscape's Knowledge Genome^TM