
CIPP Guide

Your Guide to the CIPP

CIPP/IT Prep Materials

CBK Tests

Revision 2.0.36
CIPP Guide's CIPP/IT Prep Materials

Published by Jon-Michael Brook, Clearwater, FL.

Copyright 2007 - 2010 Jon-Michael Brook and the CIPP Guide

No part of this publication may be reproduced, stored in a retrieval system or transmitted in
any form or by any means, electronic, mechanical, photocopying, recording, scanning or
otherwise, except as permitted under Sections 107 or 108 of the 1976 United States
Copyright Act, without either the prior written permission of the Publisher. Requests to the
Publisher for permission should be addressed to the Permissions Department, 2541
Estancia Blvd, Clearwater, FL 33761, (727) 564-9101, fax (440) 445-7338, or by email at
publisher@cippguide.org.

Trademarks: The CIPPGuide Sleuth Logo, Your Guide to the CIPP, cippguide.org,
cippguide.com, and related trade dress are trademarks or registered trademarks of
Jon-Michael C. Brook, the CIPPguide and/or its affiliates in the United States and other
countries, and may not be used without written permission. All other trademarks are the
property of their respective owners. Jon-Michael C. Brook is not associated with any
product or vendor outside of the CIPP Guide mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND
THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH
RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF
THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING
WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR
PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR
PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED
HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS
SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT
ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER
PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED,
THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE
SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE
FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION
OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A
POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT
THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE
ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT
MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET
WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED
BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

CIPP_IT_CBK_Tests Page 1

Table of Contents

The CIPP/IT Exam
Introduction
CIPP/IT CBK Tests 1
CIPP/IT CBK Tests 2
CIPP/IT CBK Tests 3
CIPP/IT CBK Tests 4
CIPP/IT CBK Tests 5
CIPP/IT CBK Tests 6
CIPP/IT CBK Tests 7
CIPP/IT CBK Tests 8

Introduction

This booklet consolidates all of the tests from the CIPPguide website as of its date of
publication. Each chapter corresponds to one roughly 25-question test on the site. The
answers are at the end of each chapter; explanations may be found on the website in the
interactive test engine. Best of luck on the exam!

CIPP/IT CBK Tests 1

Questions
1. Which of the following would NOT be included under the US Office of Management
and Budget definition of personally identifiable information (PII)?

A. birth date
B. national identification number
C. gender
D. driver's license number

2. A term similar to "personally identifiable information" used in the EU directive is:

A. personal data
B. private data
C. sensitive information
D. identifying information

3. Which of the following is NOT a method of implicit data collection?

A. Observing the items a user views in an online store.
B. Having a user choose the best item from a selection.
C. Keeping a record of the music a user has listened to on his/her computer.
D. Analyzing a user's social network and looking at interests and dislikes.

4. Which of the following is a method of explicit data collection?

A. Obtaining a list of videos that a user has watched on his/her computer.
B. Analyzing user viewing times.
C. Analyzing a user's social network and looking at mutual interests.
D. Having a user create a list of products that he/she likes.

5. Highly sensitive PII must be ---- when stored on computers.

A. encrypted
B. deleted
C. destroyed
D. password protected

6. When it is time to destroy moderately sensitive PII stored on disk drives, the
disk drives must be overwritten a minimum of ---- times.

A. 1
B. 2
C. 3
D. more than 4

7. According to a 2006 Privacy Rights Clearinghouse study, 25% of data breaches occur in:

A. business
B. government
C. medical industry
D. educational institutions

8. When it is time to destroy highly sensitive PII stored on disk drives, the disk
drives must be overwritten a minimum of ---- times.

A. 1
B. 2
C. 3
D. more than 4
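Questions 6 and 8 turn on how many overwrite passes a disk holding moderately or highly sensitive PII gets before disposal. As an added example (this is not code from the CIPP Guide), the Python below overwrites a file in place a configurable number of times, fsyncs each pass, reads the pass back to confirm the write path, and only then unlinks the file. The sample file content, the pass patterns and the `overwrite_file`/`demo` names are assumptions for this demo. A practitioner's caveat that the pass count does not change: in-place overwriting only reaches what the filesystem lets you address. Wear-levelled SSDs, journaled or copy-on-write filesystems, snapshots and backups can all retain earlier copies, so device-level sanitization (ATA Secure Erase, cryptographic erase) or physical destruction is the control for those cases.

```python
"""Multi-pass in-place overwrite of a file, with read-back verification.

Added example, not from the CIPP Guide. The pass patterns and sample data
are assumptions for the demo; the pass count is a parameter, not advice.
"""
import hashlib
import os
import tempfile

PASS_PATTERNS = (b"\x00", b"\xff", None)   # None means a pass of random bytes


def overwrite_file(path, passes=3, chunk=64 * 1024):
    """Overwrite every byte of `path` `passes` times, verify each pass, unlink.

    Returns the total number of bytes written. fsync pushes each pass out of
    the page cache; the read-back check confirms what the filesystem now
    returns for the file, not what a remapped SSD block or snapshot holds.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for n in range(passes):
            pattern = PASS_PATTERNS[n % len(PASS_PATTERNS)]
            expected = hashlib.sha256()
            fh.seek(0)
            for offset in range(0, size, chunk):
                length = min(chunk, size - offset)
                block = os.urandom(length) if pattern is None else pattern * length
                fh.write(block)
                expected.update(block)
                written += length
            fh.flush()
            os.fsync(fh.fileno())
            # Read the pass back and compare digests before trusting it.
            fh.seek(0)
            actual = hashlib.sha256()
            for offset in range(0, size, chunk):
                actual.update(fh.read(min(chunk, size - offset)))
            if actual.digest() != expected.digest():
                raise RuntimeError(f"pass {n + 1} read-back mismatch for {path}")
    os.remove(path)
    return written


def demo(passes=3):
    """Create a constructed 16,000-byte 'PII' file, wipe it, report the result."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"SSN=123-45-6789\n" * 1000)   # constructed sample, 16 bytes x 1000
    total = overwrite_file(path, passes=passes)
    return total, os.path.exists(path)


if __name__ == "__main__":
    print(demo())   # (48000, False): three passes over 16,000 bytes, file gone
```

Run `demo(passes=5)` to mirror the "more than 4" answer for highly sensitive PII; the verification step is the part worth keeping in any real tool, since a silently failed write is worse than no wipe at all.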

9. The Fair Information Principles were proposed in 1998 by:

A. the OECD
B. the Federal Trade Commission
C. the Council of Economic Advisers
D. the National Security Council

10. Which of the following is NOT a core principle of the Fair Information
Principles?

A. Regulation
B. Participation
C. Consent
D. Awareness

11. The ability to access, create, modify, package, sell or remove data is also
known as:

A. the benefit of information
B. the control of information
C. the leveraging of information
D. the regulation of information

12. Of the following, who could potentially claim ownership of data?

A. consumer
B. compiler
C. decoder
D. all of the above

13. An IT professional should collect customer data if:

A. his/her customer does not have privacy concerns.
B. he/she has a compelling business value proposition.
C. he/she has a compelling customer value proposition.
D. he/she has a compelling business and customer value proposition.

14. User data that is NOT classified as PII is known as:

A. sensitive PII
B. sensitive data
C. anonymous data
D. general information

15. An IT professional should collect customer data:

A. for which there could be a short- or long-term use.
B. only for which there is an immediate planned use.
C. for which there could be a primary or secondary benefit.
D. for which there is a primary or secondary purpose.

16. When gathering customer data, it is best to collect:

A. the most descriptive form of data.
B. the least sensitive form of data.
C. only the customer's name and address.
D. data in necessary and optional fields.

17. A client's IP address is collected to determine the client's location. After
mapping the IP address to a city, it is promptly discarded. Which of the following
fair information practices is being followed in this example?

A. notice/awareness
B. choice/consent
C. access/participation
D. integrity/security

18. The ---- time data is retained, the ---- the likelihood of accidental
disclosure.

A. longer; lower
B. less; higher
C. longer; higher
D. none of the above

19. The type of notice and consent required depends on:

A. the type of organization collecting the information.
B. the sensitivity of the data collected.
C. how the data will be used.
D. the type of data collected and how it will be used.

20. Two types of notice used by IT professionals are:

A. prominent and hidden
B. obvious and discoverable
C. prominent and discoverable
D. conspicuous and inconspicuous

21. ---- notice contains a high-level summary of the privacy issues in the program
or application. It directs the user to additional information.

A. discoverable
B. prominent
C. conspicuous
D. obvious

22. ---- notices are recommended for websites or products that may have complex
privacy statements.

A. Prominent
B. Conspicuous
C. Layered
D. Staggered

23. Which of the following requires the customer to take action before data is
collected or transferred?

A. opt-in consent
B. explicit
C. implicit
D. opt-out

24. Opt-in and opt-out are two styles of:

A. consent
B. notice
C. choice
D. security

25. Customers are able to access and update PII that is stored. This is an example
of which of the following fair information principles?

A. notice/awareness
B. enforcement/redress
C. access/participation
D. integrity/security

Answers
1. C
2. A
3. B
4. D
5. A
6. C
7. B
8. D
9. B
10. A
11. B
12. D
13. D
14. C
15. B
16. B
17. D
18. C
19. D
20. C
21. B
22. C
23. B
24. A
25. C

CIPP/IT CBK Tests 2

Questions
1. ---- can prevent transfers of PII and control any automatic collection of user
data.

A. administrator controls
B. programmer controls
C. user controls
D. license controls

2. ---- act on a company's behalf. They can only use the data as instructed by the
company.

A. Independent third parties
B. Licensers
C. Agents
D. Affiliates

3. ---- use customer information for their own purposes.

A. Independent third parties
B. Licensers
C. Agents
D. Affiliates

4. Which of the following enables website visitors to access information about
sites' privacy policies?

A. SSL
B. P3P
C. P2P
D. EPAL

5. ---- represents user preferences regarding P3P policies.

A. APPEL
B. EPAL
C. HTML
D. XML

6. P3P policies are ---- documents.

A. APPEL
B. EPAL
C. HTML
D. XML

7. Which of the following information is NOT provided by a P3P policy?

A. contact information of the programmer
B. types of information collected
C. how information may be used
D. options for dispute resolution

8. There are ---- options for websites to notify user agents about the location of
their policy reference files.

A. 1
B. 2
C. 3
D. 4

9. Which of the following enables a web browser to decide whether or not to accept
a cookie?

A. user agent
B. compact policy
C. XML file
D. proxy server

10. Which of the following user agents blocked cookies without fully evaluating the
site's P3P policy?

A. IE5
B. IE6
C. Netscape Navigator 7
D. Privacy Bird
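Questions 9 and 10 concern the compact policy that travels with a cookie and the way IE6 acted on it. The Python below is an added example, not the CIPP Guide's code nor any browser's implementation: it parses the `CP="..."` token list from a P3P response header and applies a simplified, assumed preference (third-party cookies need a compact policy; identifying categories used for contact or marketing with no opt-in/opt-out suffix are unsatisfactory). The sample headers are constructed, and the token vocabulary is the P3P 1.0 compact-policy set.

```python
"""Parsing a P3P compact policy and deciding whether to accept a cookie.

Added example, not from the CIPP Guide. Token names follow the P3P 1.0
compact-policy vocabulary; the acceptance rule is a simplified, assumed
user preference, not a reproduction of any browser's real ruleset.
"""
import re

# P3P 1.0 compact-policy tokens (the subset this rule looks at).
IDENTIFYING_CATEGORIES = {"PHY", "ONL", "GOV", "FIN"}   # contact, government id, financial data
SHARING_OR_MARKETING = {"CON", "TEL", "OTP",            # purposes: contact, telemarketing, other
                        "SAM", "UNR", "PUB", "OTR"}     # recipients beyond the site and its agents
TOKEN_RE = re.compile(r"^([A-Z]{3})([aio]?)$")          # suffix: a=always, i=opt-in, o=opt-out


def parse_cp(header_value):
    """Return the CP token list from a P3P response-header value ([] if absent)."""
    m = re.search(r'CP\s*=\s*"([^"]*)"', header_value)
    return m.group(1).split() if m else []


def split_token(token):
    """Split 'CONi' into ('CON', 'i'); reject anything outside the token grammar."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError(f"malformed compact-policy token {token!r}")
    return m.group(1), m.group(2)


def cookie_decision(p3p_header, third_party):
    """Decide ('accept'|'reject', reason) for a cookie set alongside `p3p_header`.

    Assumed preference: third-party cookies need a compact policy; a policy is
    unsatisfactory when it declares identifying categories and uses or shares
    them for contact/marketing without an opt-in or opt-out suffix.
    """
    tokens = [split_token(t) for t in parse_cp(p3p_header)]
    if not tokens:
        if third_party:
            return "reject", "third-party cookie without a compact policy"
        return "accept", "first-party cookie; no compact policy required"
    names = {name for name, _ in tokens}
    if "NID" in names:
        return "accept", "policy declares the data non-identifiable"
    identifying = names & IDENTIFYING_CATEGORIES
    unconditional = {name for name, suffix in tokens
                     if name in SHARING_OR_MARKETING and suffix in ("", "a")}
    if identifying and unconditional:
        return "reject", (f"identifying data {sorted(identifying)} used for "
                          f"{sorted(unconditional)} with no choice offered")
    return "accept", "policy satisfies the preference"


# Constructed sample header values (not captured from any real site).
SAMPLES = {
    "nid":   'CP="NOI DSP COR NID ADM DEV PSA OUR IND NAV COM"',
    "opted": 'policyref="/w3c/p3p.xml", CP="CAO DSP COR CUR ADM DEV TAI PSA PSD '
             'CONi TELo OTPi OUR OTRi UNRi PUBi IND PHY ONL FIN COM NAV"',
    "bad":   'CP="ALL DSP COR CUR ADM DEV TAI CON TEL SAM UNR IND PHY ONL FIN"',
    "none":  "",
}

if __name__ == "__main__":
    for label, header in SAMPLES.items():
        print(label, cookie_decision(header, third_party=True))
```

Only the compact form is consulted here, which is exactly how a user agent ends up blocking a cookie without weighing the full XML policy the `policyref` points at: a site whose full policy offers choices but whose CP header omits the `i`/`o` suffixes is judged on the header alone.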

11. Which of the following is used to describe data handling practices according to
positive/negative authorization rights?

A. APPEL
B. EPAL
C. HTML
D. XML

12. A ---- notice occurs just before the collection or sharing of data.

A. first run
B. last chance
C. just-in-time
D. installation time

13. Which of the following statements is NOT true of a first run notice?

A. It explains key privacy issues and choices offered by a product.
B. The customer may not be able to make an informed decision.
C. It presents the same choices to each user.
D. It appears after a program has been installed.

14. Which of the following is an advantage of installation time notices?

A. administrator control
B. user control
C. customized choices
D. user participation

15. An "out of the box" experience is also referred to as a(n) ---- experience.

A. administrator
B. installation
C. standardized
D. setup

16. For a system administrator, an out of the box notice is the equivalent of a
---- notice.

A. installation time
B. first run
C. just in time
D. standardized

17. Which of the following correctly lists the data lifecycle?

A. access and distribution; storage; collection; destruction
B. collection; access and distribution; storage; destruction
C. storage; collection; access and distribution; destruction
D. collection; storage; access and distribution; destruction

18. Which of the following is a benefit of data classification from an IT
perspective?

A. Simplified management of data means better data management.
B. Simplified reporting for regulatory compliance purposes.
C. Detailed control during access and distribution phase reduces the risk of
unauthorized access.
D. Classification ensures that PII is appropriately protected.

19. Data classification codes correspond to:

A. the speed with which the data must be retrieved
B. a set of access rules and protection measures
C. the value of the data
D. the type of storage medium for the data

20. ----based architectures offer an aggregation point around which access
requests can be monitored.

A. Strategy
B. Window
C. Portal
D. Collaboration

21. Portal-based architectures offer a ---- interface for users.

A. temporary
B. centralized
C. decentralized
D. unlimited

22. Which of the following architectures eliminate the risk of storing local data?

A. Portal
B. Fat client
C. Thin client
D. Multi client

23. A security patch applied to one system corrects a security flaw that may impact
hundreds of users. This example refers to which type of architecture?

A. Portal
B. Fat client
C. Thin client
D. Multi client

24. A user can access sensitive information through a system inside the office, but
is denied access to the same information when using a PDA connected over the web.
This example refers to which type of architecture?

A. Portal
B. Fat client
C. Thin client
D. Multi client

25. Calling "https" within the browser requests that the data be transferred
through:

A. TLS
B. TCP
C. SSL
D. SLL

Answers

1. A
2. C
3. A
4. B
5. A
6. D
7. A
8. C
9. B
10. B
11. B
12. C
13. C
14. A
15. D
16. B
17. D
18. B
19. B
20. C
21. B
22. C
23. C
24. A
25. C

CIPP/IT CBK Tests 3

Questions
1. SSL negotiates:

A. a private link and transfers the data across it.
B. a secure link and blocks all traffic.
C. a secure link and transfers the data across it.
D. a public link and transfers the data across it.

2. SSL was originated by:

A. Netscape
B. Internet Explorer
C. Safari
D. Opera

3. Which of the following is not defined as part of SSL?

A. change cipher spec protocol
B. security protocol
C. alert protocol
D. handshake protocol

4. ---- is a logical server/client link that offers a suitable type of service.

A. SSL interaction
B. SSL session
C. SSL connection
D. SSL record

5. HTTP, IMAP, POP3 and SMTP use ---- to establish secure connections.

A. SSL
B. TLS
C. TCP
D. TSL

6. Which of the following is NOT a common web browser privacy tool?

A. privacy modes
B. object controls
C. cookie controls
D. malware detection

7. ---- describe browser mechanisms which allow users to decide which other
mechanisms should be blocked or allowed.

A. privacy modes
B. browser record
C. object controls
D. cookie controls

8. ---- in web browsers reduce local storage of personal information.

A. privacy modes
B. object controls
C. cookie controls
D. browser record

9. Which of the following browser's privacy mode blocks the referring URL from
being sent?

A. Chrome's Incognito
B. IE8 InPrivate Browsing
C. Firefox 3.5's Private Browsing
D. Safari's Private Browsing

10. In which of the following browsers are new cookies NOT deleted at the end of
the session?

A. IE 8
B. Firefox 3.5
C. Safari
D. Opera 10

11. Which of the following web browsers block third-party cookie default settings?

A. Chrome
B. IE 8
C. Safari
D. Opera 10

12. Which of the following web browsers automatically prevents deleted cookies from
being reset?

A. Chrome
B. Firefox
C. Safari
D. IE 8

13. Which of the following statements is NOT true of object controls?

A. They allow users to manually block individual objects.
B. They do not support automatic blocking of objects.
C. They have restrictions on which objects can be blocked.
D. They can block basic text, images and other objects.

14. There are seven types of identity knowledge linked to degrees of identifiability.
Which of the following is NOT one of those seven types of identity knowledge?

A. locatability
B. pseudo-anonymity
C. pattern knowledge
D. gender categorization

15. Ethnicity, religion, age, region, sexual orientation and linguistic patterns
are classified under which type of identity knowledge?

A. pseudo-anonymity
B. real anonymity
C. social categorization
D. symbols of eligibility/non-eligibility

16. ---- refers to a property associated with an individual, such as height,
weight, eye color or employer.

A. Identifier
B. Attribute
C. Characteristic
D. Authenticator

17. Both ---- and ---- can be authenticated.

A. identifiers; attributes
B. characteristics; authenticators
C. individuals; organizations
D. attributes; traits

18. ---- refers to the use of authentication systems for reasons other than their
intended purposes.

A. change of plans
B. function creep
C. privacy breach
D. widening scope

19. Pseudonymizing technologies link transactions by the same agent to:

A. the same legal name.
B. the same public identity.
C. the same pseudonym identity.
D. none of the above.

20. Anonymizing technologies link transactions by the same agent to:

A. the same legal name.
B. the same public identity.
C. the same pseudonym identity.
D. none of the above.

21. ---- ensures that a purchaser will not have his/her purchase history tracked.

A. Anonymizing
B. Pseudonymizing
C. Authenticating
D. Encrypting

22. The Tor network uses ---- in a multilayered way.

A. anonymizing
B. pseudonymizing
C. routing
D. cryptography

23. Tor protects users against:

A. phishing
B. spyware and adware
C. traffic analysis
D. web bugs

24. Tor focuses on protecting data:

A. storage
B. collection
C. analysis
D. transport

25. The process of masking original data by scrambling source information is
referred to as:

A. data randomization
B. data re-identification
C. data de-identification
D. data anonymization

Answers

1. C
2. A
3. B
4. C
5. B
6. D
7. C
8. A
9. B
10. D
11. C
12. B
13. B
14. D
15. C
16. B
17. A
18. B
19. C
20. D
21. A
22. D
23. C
24. D
25. C

CIPP/IT CBK Tests 4

Questions
1. Which of the following is NOT one of the identifiers that must be removed in
order to de-identify data?

A. ethnicity
B. street address
C. birth dates
D. social security number
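Question 1 above asks which identifiers must be stripped to de-identify data; Test 3, questions 19 to 21, asked what pseudonymizing and anonymizing tools do to the link between transactions by the same agent. One added example serves both (it is not code from the CIPP Guide): the Python below strips direct identifiers from a constructed set of purchase records, then either pseudonymizes the customer id with a keyed HMAC (same customer, same key, same pseudonym, so the purchase history stays linkable for the key holder) or anonymizes it with a fresh random token per transaction (history unlinkable). The record layout, the field names and the key are assumptions.

```python
"""De-identify purchase records, then pseudonymize or anonymize the subject.

Added example, not from the CIPP Guide. Field names, records and the key
are constructed for the demo.
"""
import hashlib
import hmac
import secrets

# Direct identifiers removed by de-identification (question text plus name/e-mail).
DIRECT_IDENTIFIERS = {"name", "email", "street_address", "birth_date", "ssn"}
SUBJECT_FIELD = "customer_id"   # the per-agent key that pseudonymization rewrites

KEY = b"demo-pseudonym-key"     # constructed; keep a real one in a KMS/HSM, not in code

SAMPLE_RECORDS = [  # constructed sample data
    {"customer_id": 1001, "name": "Ada Lovelace", "email": "ada@example.com",
     "street_address": "1 Analytical Way", "birth_date": "1815-12-10",
     "ssn": "123-45-6789", "zip": "33761", "amount": 42.00},
    {"customer_id": 1002, "name": "Charles Babbage", "email": "cb@example.com",
     "street_address": "2 Difference St", "birth_date": "1791-12-26",
     "ssn": "987-65-4321", "zip": "33762", "amount": 19.99},
    {"customer_id": 1001, "name": "Ada Lovelace", "email": "ada@example.com",
     "street_address": "1 Analytical Way", "birth_date": "1815-12-10",
     "ssn": "123-45-6789", "zip": "33761", "amount": 7.50},
]


def de_identify(record):
    """Drop direct identifiers; everything else (zip, amount) is kept as-is."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def pseudonymize(records, key):
    """Replace the subject id with an HMAC-SHA256 pseudonym (truncated to 64 bits).

    Same subject and same key give the same pseudonym, so the transactions of
    one agent remain linkable; without the key nobody can recompute the mapping.
    """
    out = []
    for r in records:
        tag = hmac.new(key, str(r[SUBJECT_FIELD]).encode(), hashlib.sha256).hexdigest()[:16]
        out.append({**de_identify(r), SUBJECT_FIELD: f"pseud-{tag}"})
    return out


def anonymize(records):
    """Replace the subject id with a fresh random token for every transaction.

    Nothing links two records of the same agent any more, which is the property
    the Test 3 questions attribute to anonymizing technologies.
    """
    return [{**de_identify(r), SUBJECT_FIELD: f"anon-{secrets.token_hex(8)}"} for r in records]


def linkable_groups(records):
    """Group sizes sharing one subject value, largest first ([1, 1, ...] means unlinkable)."""
    counts = {}
    for r in records:
        counts[r[SUBJECT_FIELD]] = counts.get(r[SUBJECT_FIELD], 0) + 1
    return sorted(counts.values(), reverse=True)


if __name__ == "__main__":
    print(linkable_groups(pseudonymize(SAMPLE_RECORDS, KEY)))   # [2, 1]
    print(linkable_groups(anonymize(SAMPLE_RECORDS)))           # [1, 1, 1]
```

The de-identified records still carry ZIP code and amount. De-identification removes direct identifiers only; those remaining columns are quasi-identifiers, so a de-identified data set is not the same thing as an anonymous one, and the re-identification risk of what is left still has to be assessed.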

2. Individuals are treated differently based on their online profiles. This may
result in paying higher than usual prices. This is known as:

A. online differentiation
B. price discrimination
C. e-commerce pricing
D. online shopping

3. Which of the following is NOT a privacy risk that results from e-commerce
personalization?

A. subpoena
B. government surveillance
C. difficulty accessing user accounts
D. unsolicited marketing

4. Consumers are concerned about unsolicited marketing because they believe:

A. the more a company knows about them, the less they will be offered discounts or
specials.
B. the more a company knows about them, the more the company will market to them.
C. the more a company contacts them, the more they will be tempted to spend
unwisely.
D. unsolicited marketing is a highly impersonal and ineffective method of
marketing.

5. TiVo digital video recorder users are often surprised at the programming
selections that their TiVo makes for them, based on their TV viewing history. This
is an example of:

A. government surveillance
B. unsolicited marketing
C. surprisingly accurate inferences
D. unauthorized access to accounts

6. An e-commerce privacy risk is that some online profile information may be ----
in a criminal case, or in civil litigation.

A. subpoenaed
B. summoned
C. contested
D. penalized

7. The risk of a personalized e-commerce system is that:

A. it stores information within all transaction records.
B. it does not store information for an adequate amount of time.
C. it stores information for more time than required to support a transaction.
D. it gathers information from other sources than the consumer has agreed to.

8. A regulation that personalization systems should only collect necessary data,
rather than every possible piece of data available, stems from which of the
following fair information practice principles?

A. data quality
B. use limitation
C. purpose specification
D. collection limitation

9. P3P-enabled web browsers can help to support which of the following fair
information practice principles?

A. use limitation
B. purpose specification
C. security safeguards
D. collection limitation

10. In the US, privacy laws are sector-specific. Which of the following does NOT
have specific regulations on e-commerce personalization?

A. health care
B. children's sites
C. retail sites
D. financial sites

11. According to US privacy laws, children's web sites cannot collect PII from
children under age ----, unless their parent consents to it.

A. 12
B. 13
C. 16
D. 18

12. ---- is a self-regulatory code of conduct for the business practices of online
advertising services.

A. NAI Principles
B. FTC Principles
C. OECD fair information practices
D. GAPP

13. Which of the following is NOT a practice regulated under the NAI Self-
Regulatory Code of Conduct?

A. use limitation
B. reliability
C. accountability
D. security

14. ---- refers to a process in which data collected across multiple web domains is
used to categorize consumer interest segments.

A. MSA
B. OBA
C. OPM
D. TPO

15. ---- notice gives consumers clear, conspicuous notice about the scope of PII
and non-PII collection and use.

A. Opt-in
B. Opt-out
C. Robust
D. Third-party

16. When PII is collected for marketing purposes, this does NOT include:

A. the aggregation of PII
B. the selling of PII
C. the disposal of PII
D. the updating of PII

17. Personalization systems that tend to be more privacy invasive show all of the
following characteristics EXCEPT:

A. implicit data collection
B. transient
C. system initiated
D. prediction based

18. Personalization systems that tend to be less privacy invasive show all of the
following characteristics EXCEPT:

A. prediction based
B. user initiated
C. transient
D. explicit data collection

19. A user places a pair of running shoes into her online shopping cart. The web
site suggests that she purchase athletic socks and running shorts. This is an
example of:

A. unsolicited marketing
B. session-focused personalization
C. persistent personalization
D. implicit data collection

20. Which of the following is an example of government surveillance?

A. Tor network
B. rootkits
C. DES cipher
D. wiretapping systems

21. In basic terms, cryptography:

A. decodes information for certain parties.
B. encodes information and only allows it to be decoded by intended parties.
C. allows parties to decode encoded information.
D. distinguishes between sensitive data that must be encoded, and less sensitive
information.

22. ---- cryptography involves a key pair.

A. Asymmetric
B. Secret-key
C. Public-key
D. Symmetric

23. ---- cryptography uses the same key for encryption and decryption.

A. Asymmetric
B. Secret-key
C. Public-key
D. Symmetric

24. Mixnets provide anonymity in Internet communications. The fundamental unit of
the mixnet is a:

A. MIX
B. NET
C. node
D. key

25. Mixnets rely on:

A. secret-key cryptography
B. public-key cryptography
C. symmetric cryptography
D. key cryptography
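Questions 22 to 25 state that a key pair belongs to asymmetric cryptography and that mixnets rely on it; Test 3, questions 22 to 24, said Tor applies cryptography in layers to defeat traffic analysis. The Python below is an added example written for this page (not the Guide's, not Tor's, not any real mixnet): a sender wraps a message in one public-key layer per mix, each mix strips its own layer with its private key and forwards the remainder to the next hop, and each mix shuffles its batch so input and output order cannot be matched. Textbook RSA over 48-bit primes, the hashed keystream, the hop-naming scheme and the 12-byte serialization are all toy assumptions.

```python
"""A toy mixnet: layered public-key encryption peeled one mix at a time.

Added example, not from the CIPP Guide or the Tor project. Textbook RSA over
48-bit primes plus a SHA-256 counter keystream stand in for real primitives;
they show the layering and batch reordering, not deployable cryptography.
"""
import hashlib
import math
import secrets

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed bases (deterministic for n < 3.3e24)."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact bit length, odd
        if is_probable_prime(cand):
            return cand

def _keystream_xor(session_key, data):
    """XOR data with SHA-256(session_key || counter) blocks; 64-bit session key."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key.to_bytes(8, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def serialize(onion):
    enc_key, body = onion                       # enc_key < n < 2**96 fits in 12 bytes
    return enc_key.to_bytes(12, "big") + body

def deserialize(blob):
    return int.from_bytes(blob[:12], "big"), blob[12:]

class Mix:
    """One mix node: holds a key pair, peels one layer, re-orders its batch."""
    E = 65537

    def __init__(self, name):
        self.name = name
        while True:
            p, q = random_prime(48), random_prime(48)
            phi = (p - 1) * (q - 1)
            if p != q and math.gcd(self.E, phi) == 1:
                break
        self.n = p * q
        self._d = pow(self.E, -1, phi)          # private exponent stays inside the mix

    def public_key(self):
        return self.E, self.n

    def peel(self, onion):
        """Recover the layer's session key with the private key; return (next_hop, inner)."""
        enc_key, body = onion
        session_key = pow(enc_key, self._d, self.n)
        hop, _, inner = _keystream_xor(session_key, body).partition(b"\x00")
        return hop.decode(), inner

    def process_batch(self, onions):
        """Peel the whole batch, then emit it in random order (breaks in/out correlation)."""
        peeled = [self.peel(o) for o in onions]
        secrets.SystemRandom().shuffle(peeled)
        return peeled

def wrap_layer(public_key, next_hop, inner):
    """Hybrid layer: random 63-bit session key under RSA, payload under the keystream."""
    e, n = public_key
    session_key = 1 + secrets.randbelow(2**63 - 1)
    body = _keystream_xor(session_key, next_hop.encode() + b"\x00" + inner)
    return pow(session_key, e, n), body

def build_onion(message, route, destination):
    """Wrap the message innermost for the last mix, outermost for the first."""
    payload, next_hop = message, destination
    for mix in reversed(route):
        payload = serialize(wrap_layer(mix.public_key(), next_hop, payload))
        next_hop = mix.name
    return deserialize(payload)

def run_mixnet(messages, route, destination="exit"):
    """Push one batch through every mix in order; return what the exit receives."""
    batch = [build_onion(m, route, destination) for m in messages]
    for i, mix in enumerate(route):
        expected = route[i + 1].name if i + 1 < len(route) else destination
        peeled = mix.process_batch(batch)
        if any(hop != expected for hop, _ in peeled):
            raise ValueError(f"{mix.name}: onion addressed to an unexpected next hop")
        if expected == destination:
            return [inner for _, inner in peeled]
        batch = [deserialize(inner) for _, inner in peeled]
    return []
```

Calling `run_mixnet([b"alpha", b"bravo", b"charlie"], [Mix("A"), Mix("B"), Mix("C")])` returns the same three messages in an order unrelated to the input. The asymmetric key in each layer only delivers a per-layer symmetric session key, the hybrid pattern real systems use as well; what deployments such as Tor add is fixed-size cells, replay detection and forward-secret key agreement, none of which this toy attempts.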

Answers

1. A
2. B
3. C
4. B
5. C
6. A
7. C
8. D
9. B
10. C
11. B
12. A
13. C
14. B
15. C
16. C
17. B
18. A
19. B
20. D
21. B
22. C
23. D
24. A
25. B

CIPP/IT CBK Tests 5

Questions
1. Which of the following Internet anonymity tools ensures peer to peer anonymous
publication?

A. remailers
B. freehaven
C. digicash
D. ZKS freedom

2. Proxying tools that anonymize email are referred to as:

A. remailers
B. onion routing
C. freehaven
D. ZKS freedom

3. Type 2 remailers are referred to as:

A. cypherpunk remailers
B. nym servers
C. mixmaster remailers
D. anonymous remailers

4. Which of the following remailer(s) support replies and persistent pseudonyms?

A. pseudonymous remailers
B. cypherpunk remailers
C. mixmaster remailers and cypherpunk remailers
D. mixmaster remailers and mixminion remailers

5. End user license agreements are contracts between:

A. the programmer and purchaser of software
B. the licensor and purchaser of software
C. the designer and developer of software
D. the retailer and purchaser of software

6. Privacy Impact Assessments do NOT enable which of the following?

A. address privacy impacts of new initiatives
B. negotiate privacy solutions
C. access systems of redress
D. ensure data protection compliance

7. Privacy Impact Assessments are best used as a:

A. strategic planning solution
B. risk management technique
C. research and development approach
D. HR tool

8. Privacy Impact Assessments examine aspects of privacy from all of the following
angles except:

A. privacy of the person
B. privacy of the organization
C. privacy of behavior
D. privacy of communications

9. Privacy Impact Assessments should be started:

A. before system design begins
B. in the early stages of system development
C. at the midpoint of system development
D. after systems development has been completed

10. Which of the following systems are NOT required to complete a PIA?

A. new systems
B. systems under development
C. systems undergoing major modifications
D. currently operational systems

11. The goal of digital rights management (DRM) technology is to:

A. distribute digital content while protecting the rights of everyone involved.
B. limit the distribution of digital content to only a few copyright owners.
C. allow only the creators of digital content to distribute the content to users.
D. curb the rights of distributors of digital content.

12. Proponents of DRM research believe that:

A. cryptography alone is sufficient to protect privacy.
B. cryptography alone is insufficient to protect privacy.
C. development of privacy-enhancing technologies is enough to respond to all
privacy threats.
D. cryptography has eradicated user privacy issues.

13. According to data protection design, what are the two sets of costs involved in
respecting customer privacy?

A. opportunity costs and variable costs
B. fixed costs and variable costs
C. direct costs and opportunity costs
D. opportunity costs and operational costs

14. The usefulness of online privacy technologies may be related to Metcalfe's law,
stating that the usefulness of a network is:

A. unrelated to the number of nodes.
B. vaguely related to the square of the number of nodes.
C. proportional to the square of the number of nodes.
D. inversely proportional to the number of nodes.

15. ---- is a framework for IT management that provides guidelines for appropriate
IT use and IT governance in an organization.

A. COBIT
B. PIA
C. ITIL
D. ISACA

16. COBIT is designed to be:

A. user-friendly
B. business-focused
C. driven by public opinion
D. collaborative

17. COBIT's business requirements for information include all of the following
criteria EXCEPT:

A. effectiveness
B. integrity
C. accountability
D. compliance

18. COBIT defines IT resources as all of the following EXCEPT:

A. applications
B. hardware
C. information
D. people

19. A systems engineer asks if changes can be made without upsetting current
business operations. Within the COBIT framework, this action would fit under the
---- domain.

A. plan and organize
B. acquire and implement
C. deliver and support
D. monitor and evaluate

20. A systems engineer asks if IT performance can be linked back to business goals.
Within the COBIT framework, this action would fit under the ---- domain.

A. plan and organize
B. acquire and implement
C. deliver and support
D. monitor and evaluate

21. COBIT is based on ---- IT processes that are generally used to plan, build, run
and monitor IT responsibilities.

A. 4
B. 12
C. 34
D. 56

22. The objective of the ISO/IEC 38500: 2008 is to:

A. provide a framework for evaluating, directing and monitoring the use of IT in
organizations.
B. provide a framework of accessibility considerations for people with
disabilities.
C. provide principles and guidelines for risk management.
D. provide a framework for environmental management systems.

23. Which of the following is NOT a purpose of the ISO/IEC 38500 2008 standard?

A. provide a basis for objective evaluation
B. provide a means of redress
C. inform and guide IT directors
D. assure stakeholders in their confidence in the organization

24. ---- is a set of concepts and practices for IT development and IT operations.

A. COBIT
B. ISO/IEC 38500: 2008
C. ITIL
D. ITSM

25. The ---- government originated the ITIL.

A. US
B. UK
C. Canadian
D. German

Answers

1. B
2. A
3. C
4. C
5. B
6. C
7. B
8. B
9. B
10. D
11. A
12. B
13. C
14. C
15. A
16. B
17. C
18. B
19. B
20. D
21. C
22. A
23. B
24. C
25. B

CIPP/IT CBK Tests 6

Questions
1. The two main disciplines of the ITIL include:

A. service support and service withdrawal
B. service support and service management
C. service delivery and service support
D. service management and security management

2. ---- is a knowledge base of IT service management processes.

A. COBIT
B. ITIL
C. ITUP
D. ISO/IEC 38500: 2008

3. Which of the following is NOT an element of the ITUP database?

A. tools
B. scenarios
C. management
D. process descriptions

4. PCI DSS is:

A. a methodology involving data and statistical analysis for measuring an
organization's operational performance.
B. a process improvement approach for organizations.
C. a set of management processes for delivery of IT services to customers.
D. a set of requirements for enhancing payment account data security.

5. Which of the following is NOT a core element of the PCI DSS?

A. protect cardholder data
B. implement cryptographic measures
C. maintain an information security policy
D. monitor and test networks

6. Encrypting transmission of cardholder data would fall under which of the
following PCI DSS core elements?

A. build and maintain a secure network
B. protect cardholder data
C. implement strong access control measures
D. maintain a vulnerability management program

7. Regular updates of anti-virus software would fall under which of the following
PCI DSS core elements?

A. monitor and test networks
B. maintain an information security policy
C. protect cardholder data
D. maintain a vulnerability management program

8. The HITRUST alliance is known for developing which of the following frameworks?

A. Common Security Framework (CSF)
B. PCI DSS
C. ITIL
D. COBIT

9. The CSF is the first IT security framework specifically developed for:

A. financial information
B. healthcare information
C. personally identifiable information
D. legal information

10. Which of the following is NOT a category of the CSF?

A. succession planning
B. access control
C. asset management
D. physical and environmental security

11. Which of the following is NOT considered an implementation category, under the
HITRUST CSF?

A. scoping
B. designing

C. assessment
D. remediation

12. ---- assumes fiduciary responsibility over handling and protecting consumer
data.

A. transparency
B. openness
C. accountability
D. stewardship

13. A privacy audit deals with three levels of compliance, including all of the
following EXCEPT:

A. existence
B. development
C. coverage
D. effectiveness

14. A(n) ---- audit is conducted through desk research and correspondence.

A. intensive
B. research
C. scoping
D. real-time

15. An evaluation of the policies and organization structures that ensure
compliance with privacy requirements would be classified as a(n):

A. intensive audit
B. review audit
C. research audit
D. real-time audit

16. ---- audits typically involve more than one organization.

A. intensive audit
B. scoping audit
C. real-time audit
D. compliance audit

17. The GAPP was developed by ---- and ---- accounting professionals.

A. American; Canadian
B. American; French
C. British; French
D. German; British

18. Which of the following is NOT identified as a principle in the GAPP?

A. management
B. notice
C. consent
D. acceptance

19. An organization appropriately destroys personal information after it is used to
fulfill the stated purposes. This is an example of which of the following
principles under the GAPP?

A. choice and consent
B. use, retention and disposal
C. security for privacy
D. quality

20. Which of the following is NOT a category of IT audit?

A. systems development
B. systems and applications
C. innovative comparison
D. client/server

21. An audit which verifies that applications are processed appropriately would be
classified as which of the following audits?

A. systems and applications
B. information processing facilities
C. systems development
D. management of IT and enterprise architecture

22. For a control objective to be effective, compliance must be:

A. attainable and clear
B. measurable and observable
C. collectively achieved
D. efficient and obvious

23. Internal controls are limited by:

A. judgment
B. resources
C. management override
D. breakdowns

24. Which of the following would represent a risk assessment undertaken during an
audit?

A. new information systems
B. assignment of authority
C. commitment to competence
D. organizational structure

25. Which of the following acronyms represents the control activities?

A. ICHAMPBO
B. PIPS
C. SIPS
D. CHAMP

Answers

1. C
2. C
3. C
4. D
5. B
6. B
7. D
8. A
9. B
10. A
11. B
12. D
13. B
14. C
15. A
16. B
17. A
18. D
19. B
20. C
21. B
22. B
23. B
24. A
25. B

CIPP/IT CBK Tests 7

Questions
1. ---- controls define and help to enforce acceptable behaviors.

A. Internal
B. Active
C. Protective
D. Detective

2. Which of the following communication networks is suitable for ubiquitous
computing?

A. PSTN voice networks
B. ADSL broadband
C. audio broadcast networks
D. wireless networks

3. Ubiquitous computing is the opposite of:

A. virtual reality
B. technological advancement
C. WLAN
D. Bluetooth

4. The "software as a service" distribution model is most closely related to:

A. biometric identification
B. virtual reality
C. ASP
D. SOA

5. Which of the following is NOT a characteristic of the SaaS model?

A. needs network infrastructure
B. easier collaboration
C. global accessibility
D. difficult software maintenance

6. Which of the following is NOT an example of a biometric identification system?

A. voice analysis
B. retina scan
C. signature
D. none of the above

7. Which of the following is NOT necessary for a successful biometric identifier?

A. the physical characteristic should develop over the course of the individual's
lifetime
B. the data must be easily verified in a convenient manner
C. the physical characteristic must be easily scanned, with affordable equipment
that produces an immediate result
D. the physical characteristic must identify the individual uniquely

8. Which of the following offers a technical means for controlling access to
computer resources?

A. SaaS
B. ASP
C. RBAC
D. CRM

9. With RBAC, the process of defining user roles should be based on:

A. employee seniority in the organization
B. salary levels
C. user involvement in the operation of the organization
D. computer literacy levels

10. In an RBAC context, which of the following statements is NOT true?

A. security management processes can be significantly streamlined
B. user responsibilities and privileges must not overlap
C. users do not have more privilege than necessary to perform their jobs
D. roles can be adjusted to match the development of the organization

11. With user-based access control, difficulties may arise when:

A. permissions must be changed
B. permissions must be defined
C. the system involves complex tasks
D. the system involves simple tasks
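
Questions 8 to 11 contrast role-based access control with user-based access control. The following Python sketch is an added example, not material from the CIPP Guide: it implements both models on a constructed staff roster, checks the least-privilege property named in question 10 (no user holds more than the job needs), and counts how many records each model has to touch to take one permission away, which is the difficulty question 11 points at. The role names, permission names and the roster are invented for the illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# Roles are named after job functions (what the user does for the
# organisation), not seniority or salary. All names are invented.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "clerk": frozenset({"claims:read", "claims:create"}),
    "adjuster": frozenset({"claims:read", "claims:update", "claims:approve"}),
    "auditor": frozenset({"claims:read", "audit_log:read"}),
}


@dataclass
class RbacPolicy:
    """Permissions hang off roles; users only receive role assignments."""

    roles: dict[str, frozenset[str]]
    assignments: dict[str, set[str]] = field(default_factory=dict)

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.assignments.setdefault(user, set()).add(role)

    def permissions(self, user: str) -> frozenset[str]:
        granted = [self.roles[r] for r in self.assignments.get(user, set())]
        return frozenset().union(*granted)

    def is_allowed(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)

    def revoke_from_role(self, role: str, perm: str) -> int:
        """Edit the role once; every holder loses the permission.
        Returns the number of records touched (always 1)."""
        self.roles[role] = self.roles[role] - {perm}
        return 1

    def overprivileged(self, required: dict[str, set[str]]) -> dict[str, frozenset[str]]:
        """Least-privilege check: permissions a user holds beyond what the
        job requires. An empty result means nobody has excess rights."""
        excess = {}
        for user, needed in required.items():
            extra = self.permissions(user) - needed
            if extra:
                excess[user] = extra
        return excess


@dataclass
class UserAcl:
    """The user-based alternative: permissions stored on each user."""

    grants: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, user: str, perm: str) -> None:
        self.grants.setdefault(user, set()).add(perm)

    def is_allowed(self, user: str, perm: str) -> bool:
        return perm in self.grants.get(user, set())

    def revoke_everywhere(self, perm: str) -> int:
        """Changing one permission means visiting every user record;
        returns how many records had to change."""
        touched = 0
        for perms in self.grants.values():
            if perm in perms:
                perms.discard(perm)
                touched += 1
        return touched


def build_sample() -> tuple[RbacPolicy, UserAcl]:
    """Constructed roster with identical effective rights in both models."""
    rbac = RbacPolicy(roles=dict(ROLE_PERMISSIONS))
    acl = UserAcl()
    staff = {"alice": "clerk", "bob": "clerk", "carol": "adjuster",
             "dave": "adjuster", "erin": "auditor"}
    for user, role in staff.items():
        rbac.assign(user, role)
        for perm in ROLE_PERMISSIONS[role]:
            acl.grant(user, perm)
    return rbac, acl


def compare_revocation(perm: str = "claims:approve") -> dict[str, int]:
    """Records that must change to take one permission away from every
    adjuster, in each model, and whether anyone still holds it afterwards."""
    rbac, acl = build_sample()
    return {
        "rbac_records_touched": rbac.revoke_from_role("adjuster", perm),
        "acl_records_touched": acl.revoke_everywhere(perm),
        "rbac_still_allowed": sum(rbac.is_allowed(u, perm) for u in rbac.assignments),
        "acl_still_allowed": sum(acl.is_allowed(u, perm) for u in acl.grants),
    }


if __name__ == "__main__":
    print(compare_revocation())
```

With two adjusters the ACL path already touches two records where the role path touches one; the gap grows with every user added, which is the maintenance cost behind the answer to question 11.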

12. Which of the following organizations focuses on technology, business and
privacy aspects of identity management?

A. W3C
B. Liberty Alliance
C. PIAC
D. Public Voice

13. The varied business, legal and privacy considerations involved in identity
management are referred to as:

A. circle of trust
B. collaborative development
C. angle of approach
D. special interest concerns

14. Which of the following Liberty services work towards correcting consumer
privacy issues?

A. Deployment workshops
B. Liberty Interoperable
C. "work with other standards" bodies
D. PPEG

15. Which of the following services enables improved security and faster sign up
processes for websites?

A. Liberty Interoperable
B. circle of trust
C. OpenID
D. ubicomp

16. OpenID is controlled and operated by:

A. Google
B. Apple
C. Microsoft
D. none of the above

17. Which of the following is NOT true about OpenID?

A. It asks that users create and store a profile that includes personal
information, such as their birth date, name and location.
B. It allows users to use one account to access multiple websites and services
online.
C. It puts users at a greater risk for security breaches, since personal
information is centralized.
D. It is available to government, website operators as well as individuals.

18. Which of the following is a model of digital identity architecture that allows
users to create and use a number of digital identities?

A. OpenID
B. identity metasystem
C. multiple identity management
D. Liberty Digital

19. Which of the following was NOT a criterion of the identity metasystem model?

A. wide acceptance and interoperability
B. integrate new authentication technologies, but disallow the use of existing
technologies
C. help users make informed authentication decisions for themselves
D. be applicable in a number of identity contexts

20. ---- is a short-range wireless connectivity standard that enables devices to
communicate through magnetic fields.

A. NFC
B. Bluetooth
C. RFID
D. GIS

21. Which of the following is an example of NFC?

A. accessing web services through a mobile device
B. configuring mobile devices remotely
C. sharing data with other users who are connected on the same LAN
D. transferring files between a laptop and desktop by touching them together

22. ---- is an open wireless technology standard for short-range connectivity
through radio technology.

A. NFC
B. Bluetooth
C. RFID
D. GIS

23. Bluetooth is:

A. packet-based
B. circuit-based
C. protocol-based
D. wave-based

24. A master Bluetooth device in a piconet is able to communicate with up to how
many active slave devices?

A. 3
B. 5
C. 7
D. 10

25. RFID tags frequently replace:

A. UPC barcodes
B. GPS devices
C. PANs
D. Bluetooth devices

Answers

1. C
2. D
3. A
4. C
5. D
6. D
7. A
8. C
9. C
10. B
11. A
12. B
13. A
14. D
15. C
16. D
17. C
18. B
19. B
20. A
21. D
22. B
23. A
24. C
25. A

CIPP/IT CBK Tests 8

Questions
1. RFID technology developed from:

A. microwave radio links
B. WWII radar systems
C. fiber optics
D. Bluetooth technologies

2. ---- is an umbrella term that refers to the delivery of hosted services over the
Internet.

A. software as a service
B. platform as a service
C. infrastructure as a service
D. cloud computing

3. In cloud computing, the "cloud" refers to:

A. the remote server connected to the user's computer
B. the user's computer
C. the network between the user's computer and another server
D. the Internet service provider

4. Which of the following statements is NOT true of cloud computing?

A. The user assumes responsibility for protecting personal or sensitive
information.
B. Threats may include data breaches or hacking.
C. It increases the risk of privacy breaches.
D. It requires the individual to accept a certain level of risk to his/her privacy.

5. Which of the following statements is NOT true of cloud computing?

A. Privacy and confidentiality rights may change when a user chooses to disclose
information to a cloud service provider.
B. Data stored with cloud service providers are subject to the privacy laws of the
location where the data is kept.
C. Cloud service providers are prohibited from changing their terms of service and
policies at will.
D. Cloud computing can undermine trade secrets and other professional secrecy
obligations.

6. The legal location of data placed in a cloud is:

A. the place of business of the cloud provider
B. the location where the user communicates with the service provider
C. the location where the data is stored
D. all of the above

7. Which of the following entities is prohibited from sharing information with a
cloud service provider?

A. financial institutions
B. IT technicians
C. retail stores
D. government agencies

8. Which of the following is NOT included under the IAB's self-regulatory
principles?

A. education principle
B. material changes principle
C. responsibility principle
D. accountability principle

9. Which of the following is NOT true of behavioral advertising?

A. The advertising industry favors self-regulation over government regulation in
this respect.
B. It is common practice for users to consent to and be informed about how their
personal information will be collected, used and disclosed.
C. It increases the value of online ads.
D. Currently, tracking can include sensitive information, such as political
affiliation, or ethnicity.

10. ---- is able to inspect each byte of every packet sent over a network
connection.

A. deep packet inspection
B. accurate packet scanning
C. packet intrusion
D. shallow packet inspection

11. Deep packet inspection is capable of looking at which of the following layers
in the OSI model?

A. all layers
B. layers 1-4
C. layers 4-7
D. layers 2-7

12. Which of the following statements is NOT true?

A. DPI devices can reassemble data, such as the body of an email.
B. DPI devices can identify and uninstall viruses passing through the network.
C. DPI can be implemented without any loss of throughput.
D. DPI can filter Internet traffic to remove specific material.
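
Questions 10 to 12 describe deep packet inspection as reading every byte of a packet from layer 2 up to layer 7 and reassembling application data such as the body of an email. The following Python example is added here and is not part of the CIPP Guide: it decodes constructed Ethernet, IPv4 and TCP headers one layer at a time, puts the TCP segments of a small SMTP session back in sequence order (they are deliberately supplied out of order) and matches a keyword in the reassembled message body, which is the filtering step in option D. The frames, addresses, port numbers and message text are constructed inline; checksums are neither computed nor verified, and the SMTP parsing only looks at the client-to-server direction.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass

ETH_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


@dataclass
class Segment:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    payload: bytes


def build_frame(src: str, dst: str, sport: int, dport: int, seq: int, payload: bytes) -> bytes:
    """Constructed input: Ethernet + IPv4 + TCP headers without options.
    Checksums are left at zero; the inspector does not verify them."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    total = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> Segment | None:
    """Walk the headers layer by layer; anything that is not IPv4/TCP is skipped."""
    if len(frame) < ETH_LEN + 40:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:ETH_LEN])        # layer 2
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4                                     # layer 3
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])           # layer 4
    data_off = (tcp[12] >> 4) * 4
    return Segment(src, dst, sport, dport, seq, tcp[data_off:])  # layer 7 bytes


def reassemble(frames: list[bytes]) -> dict[tuple, bytes]:
    """Group payloads per flow and stitch them back in sequence order, so
    content split across segments (or delivered out of order) becomes visible."""
    flows: dict[tuple, list[Segment]] = {}
    for frame in frames:
        seg = parse_frame(frame)
        if seg is not None and seg.payload:
            flows.setdefault((seg.src, seg.dst, seg.sport, seg.dport), []).append(seg)
    return {key: b"".join(s.payload for s in sorted(segs, key=lambda s: s.seq))
            for key, segs in flows.items()}


def smtp_body(stream: bytes) -> bytes | None:
    """Message text of a client-to-server SMTP stream: everything after the
    DATA command up to the terminating <CRLF>.<CRLF>."""
    start = stream.find(b"DATA\r\n")
    if start < 0:
        return None
    start += len(b"DATA\r\n")
    end = stream.find(b"\r\n.\r\n", start)
    return stream[start:end] if end >= 0 else None


def find_matches(frames: list[bytes], keywords: list[bytes]) -> list[tuple[tuple, bytes]]:
    """Content filter: (flow, keyword) for every keyword seen in a mail body."""
    hits = []
    for key, stream in reassemble(frames).items():
        body = smtp_body(stream)
        if body is None:
            continue
        hits.extend((key, kw) for kw in keywords if kw in body.lower())
    return hits


def sample_frames() -> list[bytes]:
    """Constructed SMTP session: the mail body is split over two segments,
    delivered out of order, with an unrelated ARP frame mixed in."""
    payloads = [
        b"MAIL FROM:<alice@example.test>\r\nRCPT TO:<bob@example.test>\r\nDATA\r\n",
        b"Subject: quote\r\n\r\nThis quote is CONFIDENTIAL; do not forward.\r\n.\r\n",
    ]
    frames, seq = [], 1
    for payload in payloads:
        frames.append(build_frame("10.0.0.5", "192.0.2.25", 40001, 25, seq, payload))
        seq += len(payload)
    arp = b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", 0x0806) + b"\x00" * 28
    return [frames[1], arp, frames[0]]


if __name__ == "__main__":
    print(find_matches(sample_frames(), [b"confidential"]))
```

The keyword is only found because the payloads were reordered and joined first; a per-packet scan would miss any string that straddles a segment boundary, which is why reassembly (option A in question 12) is what makes the filtering in option D work.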

13. The process of using one website in order to drive traffic to another is known
as:

A. DPI
B. affiliate marketing
C. search engine optimization
D. traffic management

14. Which of the following contributes the most to privacy risks on social
networking sites?

A. the hackers that are drawn to the sites
B. the age of the users of the sites
C. the amount of data processed by the sites
D. the careless practices of users

15. An e-commerce site would most likely use ---- for payment transactions.

A. TCP/IP
B. HTTP
C. S-HTTP
D. HTTPS

16. Which of the following is NOT a criterion of an HTTPS connection?

A. the user provides a valid certificate
B. the user trusts the browser software
C. the user trusts the protocol's encryption layer
D. the certificate correctly identifies the website

17. Which of the following statements is true of HTTPS?

A. It operates at the third layer of the OSI model.
B. URLs begin with "http://"
C. It is ordinary HTTP over an encrypted SSL layer.
D. It involves the encryption of HTTP messages only.

18. A 1X1 clear pixel is also known as:

A. web beacon
B. online bug
C. web tracker
D. visitor counter

19. Which of the following actions can help prevent web beacons from collecting
user information?

A. alternating between different web browsers
B. consistently clearing browser history
C. turning off browser cookies
D. refrain from bookmarking certain web pages

20. Which of the following statements is NOT true?

A. Web beacons are not always invisible on a web page.
B. 1x1 pixel images are the smallest possible images on a web page.
C. Not all invisible images are web beacons.
D. Viewers cannot identify web beacons on a page.
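
Questions 18 to 20 define a web beacon as a 1x1 clear pixel and note that beacons are not always invisible and that not every invisible image is a beacon. The following Python scanner is an added example, not material from the CIPP Guide: it parses a constructed HTML page with the standard library and flags an image as a beacon candidate when it is hidden (1x1 or styled invisible) and fetched from another host, or when its URL carries an identifying query parameter regardless of size. A same-origin 1x1 spacer with no parameters is reported as plain layout. The sample page, the host names and the list of tracking parameter names are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query parameters that usually carry a per-user or per-campaign identifier
# (an assumed list for this example, not an authoritative one).
TRACKING_PARAMS = {"uid", "cid", "sid", "email", "utm_source"}


@dataclass
class ImageFinding:
    src: str
    width: str | None
    height: str | None
    hidden: bool
    third_party: bool
    tracking_params: list[str]

    @property
    def is_beacon_candidate(self) -> bool:
        # An invisible image fetched from another host, or any image whose URL
        # carries an identifier, is worth treating as a beacon. A hidden
        # same-origin image with no parameters is just layout.
        return bool(self.tracking_params) or (self.hidden and self.third_party)


class BeaconScanner(HTMLParser):
    """Collects every <img> together with the attributes the check cares about."""

    def __init__(self, page_host: str) -> None:
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: list[ImageFinding] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        style = (a.get("style") or "").replace(" ", "").lower()
        width, height = a.get("width"), a.get("height")
        hidden = ((width == "1" and height == "1")
                  or "display:none" in style or "visibility:hidden" in style)
        url = urlparse(src)
        host = url.netloc.lower()
        third_party = bool(host) and host != self.page_host
        params = sorted(k for k in parse_qs(url.query) if k.lower() in TRACKING_PARAMS)
        self.findings.append(ImageFinding(src, width, height, hidden, third_party, params))


def scan(html: str, page_host: str) -> list[ImageFinding]:
    scanner = BeaconScanner(page_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample page, assumed to be served from www.example.test.
SAMPLE_PAGE = """<html><body>
<img src="/images/spacer.gif" width="1" height="1" alt="">
<img src="https://metrics.tracker.test/pixel.gif?uid=8c1f&amp;cid=news" width="1" height="1">
<img src="https://cdn.example.test/banner.png?utm_source=newsletter" width="300" height="50">
<img src="/images/logo.png" width="120" height="40" alt="logo">
<img src="https://metrics.tracker.test/p.gif" style="display: none">
</body></html>"""


def beacon_candidates(html: str = SAMPLE_PAGE, page_host: str = "www.example.test") -> list[str]:
    """URLs of the images the heuristics flag, in document order."""
    return [f.src for f in scan(html, page_host) if f.is_beacon_candidate]


if __name__ == "__main__":
    for url in beacon_candidates():
        print(url)
```

The visible 300x50 banner is flagged because of its `utm_source` parameter (option A of question 20), while the hidden spacer is not (option C). The `uid` value on the first candidate also shows that an identifier can ride in the beacon URL itself, so blocking cookies limits what the third party can correlate across visits rather than removing every form of collection.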

21. Which of the following is NOT true of a thin client computer?

A. carries out traditional computational roles
B. provides a graphical user interface
C. is only marginally scalable
D. must be networked with other terminals and a server

22. TLS and SSL are examples of:

A. ISPs
B. cryptographic protocols
C. security functions
D. Web beacons

23. Server computers must have all of the following EXCEPT:

A. stable power supply
B. display device
C. redundant disks
D. hot swappable components

24. A web browser certificate is most similar to:

A. a thin client
B. a Web beacon
C. an encryption device
D. an ID card

25. Web browser certificates are stored:

A. on the computer's hard disk
B. on a DVD
C. on a removable USB device
D. on a web site

Answers

1. B
2. D
3. C
4. A
5. C
6. D
7. A
8. C
9. B
10. A
11. D
12. B
13. B
14. C
15. D
16. A
17. C
18. A
19. C
20. D
21. A
22. B
23. B
24. D
25. A
