You are on page 1of 18

IPT CIPT CIPT CIPT CIPT CIPT CIPT CIP

T CIPT CIPT CIPT CIPT CIPT CIPT CIPT C


Certified Information
Privacy Technologist
(CIPT)

Study Guide

Effective September 2017

CIPT Study Guide  1


WELCOME
Congratulations on taking the first step toward achieving an IAPP privacy certification. This study guide
contains the basic information you need to get started:

• An explanation of the IAPP certification program structure


• Key areas of knowledge for the CIPT program
• Recommended steps to help you prepare for your exam
• A detailed body of knowledge for the CIPT program
• An exam blueprint
• Example questions
• General exam information

CIPT Study Guide  2


The IAPP Certification Program Structure

The IAPP currently offers three certification programs: The Certified Information Privacy Professional
(CIPP), the Certified Information Privacy Manager (CIPM) and the Certified Information Privacy
Technologist (CIPT).
The CIPP is the “what” of privacy. Earning this designation demonstrates your mastery of a
principles-based framework in information privacy in a legal or practical specialization. Within the CIPP,
there are five concentrations:
• Asian privacy (CIPP/A)
• Canadian privacy (CIPP/G)
• European privacy (CIPP/E)
• U.S. government privacy (CIPP/G)
• U.S. private-sector privacy (CIPP/US)

The CIPM is the “how” of operations. Earning this designation shows you understand how to manage
privacy in an organization through process and technology.

The CIPT is the “how” of technology. Earning this designation shows you know how to manage and
build privacy requirements and controls into technology.

There are no concentrations within the CIPM or CIPT—they cross all jurisdictions and industries.

Requirements for IAPP Certification

1. You must pay an annual maintenance fee of $125 USD

OR

2. You can become a member of the IAPP—with access to numerous benefits like discounts,
networking opportunities, members-only resources and more—for just $250 USD, which includes
your annual maintenance fee.

More information about IAPP membership, including levels, benefits and rates, is available on the IAPP
website at iapp.org/join.

CIPT Study Guide  3


CIPT Key Areas of Knowledge
The CIPT program was developed to address the growing need for individuals in the IT, security and
engineering industries to be knowledgeable about data privacy as it relates to the key role they play in
product development and risk management. With the continued calls by regulators around the globe to
include privacy in the technology development process, the need for privacy-trained IT professionals is
at an all-time high.

The CIPT is the first and only global privacy certification designed for IT, security and
engineering professionals.

Key areas of knowledge include:


Understanding the need for privacy in the IT environment
• Core privacy concepts
• Regulations and standards impacting privacy in IT
• Privacy in systems and applications
• Online privacy issues
• De-identifying and anonymizing personally identifiable information
• Cloud computing

CIPT Study Guide  4


Preparation

Privacy certification is an important effort that requires advance preparation. Deciding how you will
prepare for your exams is a personal choice that should include an assessment of your professional
background, scope of privacy knowledge and your preferred method of learning.

In general, the IAPP recommends that you plan for a minimum of 30 hours of study time in advance of
your exam date; however, you might need more or fewer hours depending on your personal choices
and professional experience.

The IAPP recommends you prepare in the following manner:

1. Review the Body of Knowledge


The body of knowledge for the CIPT program is a comprehensive outline of the subject matter areas
covered by the CIPT exam. Review it carefully to help determine which areas merit additional focus in
your preparation. See pages 6–10.

2. Review the Exam Blueprint


The CIPT exam blueprint on page 11 specifies the number of items from each area of the body of
knowledge that will appear on the exam. Studying the blueprint can help you further target your
primary study needs.

3. Study the CIPT Textbook


Privacy in Technology is the authoritative reference for the CIPT program. The IAPP strongly recommends
you take the time to carefully read and study the textbook. An ancillary textbook is also available for the
CIPT program, Introduction to IT Privacy: A Handbook for Technologists. The official textbook for the CIPT
program are included free with the purchase of the CIPT online and live training classes.

4. Get Certification Training


The IAPP offers both in-person certification prep classes and online training to help you prepare for
your exams.You can find a list of scheduled classes and/or purchase downloadable online training in the
IAPP store.

5. Take the CIPT Sample Questions


Sample questions are a great way to gain familiarity with the format and content of the actual
designation exams. They are available for purchase in a downloadable PDF file containing the questions,
an answer key and an explanation of each correct answer. Sample questions are included free with the
purchase of CIPT online and live training classes.

6. Review other IAPP preparation resources


Additional resources are available on the IAPP website, including a searchable glossary of terms.

CIPT Study Guide  5


CIPT Common Body of Knowledge Outline
I. Understanding the Need for Privacy in the IT Environment
A. Evolving Compliance Requirements
a. GDPR considerations
B. IT Risks
a. Client-side
b. Server-side
c. Security policy and personnel
d. Application
e. Network
f. Storage
C. Stakeholder Expectations for Privacy
D. Mistakes Organizations Make
a. Recent security incidents and enforcement actions
E. Privacy vs. Security—What’s Alike and What’s Different
F. IT Governance vs. Data Governance
G. The Role of the IT Professional, and Those of Other Players, in Preserving Privacy
II. Core Privacy Concepts
A. Foundational Elements for Embedding Privacy in IT
a. Organization privacy notice
b. Organization internal privacy policies
c. Organization security policies, including data classification policies, data retention and data
deletion
d. Other commitments made by the organization (contracts, agreements)
e. Common IT Frameworks (COBIT, ITIL, etc.)
f. Data inventory
g. Incident response—security and privacy perspectives
h. Security and privacy in the systems development lifecycle (SDLC) process
i. Enterprise architecture and data flows, including cross-border transfers
j. Privacy impact assessments (PIAs)
k. Privacy and security regulations with specific IT requirements
l. Common standards and framework of relevance
B. The Information Lifecycle: An Introduction
a. Collection
b. Use
c. Disclosure
d. Retention
e. Destruction
C. Common Privacy Principles
a. Collection limitation
b. Data quality
c. Purpose specification
d. Use limitation
e. Security safeguards
f. Openness
g. Individual participation
h. Accountability

CIPT Study Guide  6


III. Privacy Considerations in the Information Lifecycle
A. Collection
a. Notice
b. Choice/consent
c. Collection limitations
d. Secure transfer
e. Reliable sources/collection from third parties
f. Collection of information from individuals other than the data subject
B. Use
a. Compliance to regulations and commitments
b. Data minimization
c. Secondary uses
d. User authentication, access control, audit trails
e. Secure when in use and not in use
f. Using personally identifiable information (PII) in testing
g. Limitations on use when sources of data are unclear
C. Disclosure
a. According to notice
b. Anonymize, minimize
c. Define limitations
d. Vendor management programs
e. Inventory and secure transfers, secure remote access, review data protection capabilities prior to
engaging
f. Using intermediaries for the processing of sensitive information
D. Retention
a. Working with records management
b. Regulatory limitations, legal restrictions, limit retention of sensitive data if not necessary
c. Provide data subject access
i. Legal requirements
ii. Business rationale
iii. Access mechanisms
iv. Handling requests
d. Secure transfer to archiving, secure storage of information and meta data
e. Considerations for business continuity and disaster recovery
f. Portable media challenges
E. Destruction
a. Digital content, portable media, hard copy
b. Identify appropriate time
c. Secure transfer and disposal of information and media, return information from third parties
d. Regulatory requirements defining destruction standards

CIPT Study Guide  7


IV. Privacy in Systems and Applications
A. The Enterprise IT Environment—Common Challenges
a. Architecture considerations
b. IT involvement through mergers and acquisitions
c. Industry and function specific systems
B. Identity and Access Management
a. Limitations of access management as a privacy tool
b. Principle of least-privilege required
c. Role-based access control (RBAC)
d. User-based access controls
e. Context of authority
f. Cross-enterprise authentication and authorization models
C. Credit Card Information and Processing
a. Cardholder data types
b. Application of Payment Card Industry Data Security Standard (PCI DSS)
c. Implementation of Payment Application Data Security Standard (PCI PA DSS)
D. Remote Access, Telecommuting and Bring Your Own Devices to Work
a. Privacy considerations
b. Security considerations
c. Access to computers
d. Device controls
e. Network controls
f. Architecture controls
E. Data Encryption
a. Crypto design and implementation considerations
b. Application or field encryption
c. File encryption
d. Disk encryption
e. Encryption regulation
f. Encryption standards
F. Other Privacy Enhancing Technologies (PET) in the Enterprise Environment
a. Automated data retrieval
b. Automated system audits
c. Data masking and data obfuscation
d. Data loss prevention (DLP) implementation and maintenance
G. Other Privacy Enhancing Technologies (PET) in the Enterprise Environment
a. Software-based notice and consent
b. Agreements
i. End-user license agreement (EULA)
ii. Terms of service
iii. Terms of use for nonlicensed products
iv. Mechanisms

CIPT Study Guide  8


V. Privacy Techniques
A. Authentication Techniques and Degrees of Strength
a. User name and password
b. Single/multi factor authentication
c. Biometrics
d. Portable media supporting authentication
B. Identifiability
a. Labels that point to individuals
b. Strong and weak identifiers
c. Pseudonymous and anonymous data
d. Degrees of Identifiability
i. Definition under the EU Directive
ii. U.S. regulations
iii. Other regulations addressing identity in data
iv. Privacy stages and system characteristics
v. Identifiable versus identified
vi. Linkable versus linked
e. Data aggregation
C. Privacy by Design—Overview of Principles
D. Privacy by Redesign—Review of Framework

VI. Online Privacy Issues


A. Specific Requirements for the Online Environment
a. Organizational privacy strategy
b. Regulatory requirements specific to the online environment
c. Consumer expectations
d. Children’s online privacy
B. Social Media and Websites that Present a Higher Level of Privacy Challenges
a. Personal information shared
b. Personal information collected
c. No clear owner of content published or data collected
d. Chatbots
C. Online Threats
a. Phishing, whaling, etc.
b. SQL injection
c. Cross-site scripting (XSS)
d. Spam
e. Ransomware
f. Common safeguards against threats (DMARC, Unified Threat Management systems, etc.)
D. E-commerce Personalization
a. End user benefits
b. End user privacy concerns
E. Online Advertising
a. Understanding the common models of online advertising
b. Key considerations when working with third parties to post ads on your company’s website
F. Understanding Cookies, Beacons and Other Tracking Technologies
a. Common types
b. Privacy considerations
c. Responsible practices

CIPT Study Guide  9


G. Machine-readable Privacy Policy Languages
a. Platform for Privacy Preferences Project (P3P)
b. Application Preference Exchange Language (APPEL)
c. Enterprise Privacy Authorization Language (EPAL)
d. Security Assertion Markup Language (SAML)
e. eXtensible Access Control Markup Language (XACML)
H. Web Browser Privacy and Security Features
a. Private browsing
b. Tracking protection
c. Do not track
I. Web Security Protocols
a. Secure sockets layer/transport security layer (SSL/TLS)
b. Hypertext transfer protocol secure (HTTPS)
c. Limiting or preventing automated data capture
d. Combating threats and exploits
e. Anonymity tools
IV. Technologies with Privacy Considerations
A. Cloud Computing
a. Types of cloud
b. Common privacy concerns
c. Common security concerns
d. Associations and standards
B. Wireless IDs
a. Radio frequency identification
b. Bluetooth devices
c. Wi-Fi
d. Cellular telephones and tablet computers
C. Location-based Services
a. Evolution of location based services on mobile phones and personal digital assistants (PDAs)
b. Global positioning systems (GPS)
c. Geographic information systems (GIS)
D. “Smart” Technologies
a. Data analytics
b. Deep learning
c. Internet of Things (IoT)
d. Vehicular automation
E. Video/data/audio Surveillance
a. Drones
F. Biometric Recognition

CIPT Study Guide  10


CIPT Exam Format
The CIPT is an 2.5 hour exam comprised of 85 multiple choice items (questions). Some of the multiple
choice items are associated with scenarios. There are no essay questions. Each correct answer is worth
one point.

Exam Blueprint
The blueprint indicates the minimum and maximum number of items that are included on the CIPT
exam from the major areas of the body of knowledge. Questions may be asked from any of the topics
listed under each area.You can use this blueprint to guide your preparation.

Min Max
I. Understanding the Need for Privacy in the IT Environment 8 14

A. Evolving Compliance Requirements 1 3
GDPR considerations

B. Major Risks to a Company’s IT Framework 2 4


Client-side, server-side, application, personnel, network, storage

C. Stakeholder Expectations for Privacy 2 3

D. Privacy vs. Security 3 4



II. Core Privacy Concepts 8 14

A. Foundational Elements for Embedding Privacy in IT 5 9


Privacy notices, privacy policies, data classification policies, incident
response, SDLC process, cross-border transfers, PIAs

B. Common Privacy Principles 3 5
Collection limitation, data quality, use limitation, security safeguards,
openness, accountability

CIPT Study Guide  11


Min Max

III. Privacy Considerations in the Information Lifecycle 16 27

A. Collection 4 6
Notice, choice/consent, collection limitations, secure transfer,
collection from third parties

B. Use 3 5
Compliance with regulation, data minimization, secondary uses, user
authentication, using PII in testing

C. Disclosure 3 5
According to notice, anonymize, minimize, define limitations, vendor
management programs

D. Retention 4 8
Working with records management, regulatory limitations, providing
data subject access, secure storage and archiving

E. Destruction 2 3
Digital, portable media, hard copy, identifying appropriate time
IV. Privacy in Systems and Applications 13 24

A. The Enterprise IT Environment--Common Challenges 2 4


Architecture considerations, mergers and acquisitions

B. Identity and Access Management 2 3


Principle of least privilege required, role-based and user-based access
controls, cross-enterprise authentication

C. Credit Card Information and Processing 1 3


Application of Payment Card Industry Data Security Standard (PCI
DSS)

D. Remote Access, Telecommuting, and Bringing Devices to Work 2 3


Privacy and security considerations, device, network and architecture
controls

E. Data Encryption 3 5
Regulations and standards, file and disk encryption, application or
field encryption

F. Other Privacy Enhancing Technologies 1 3


Data masking and obfuscation, data loss prevention, automated
system audits

G. Customer-Facing Applications 2 3
Software-based notice and consent, agreements

CIPT Study Guide  12


Min Max

V. Privacy Techniques 5 13

A. Authentication Techniques 2 5
User name and password, single and multi-factor authentication

B. Identifiability 2 5
Labels that point to individuals, weak and strong identifiers,
pseudonymous and anonymous data, degrees of identifiability

C. Privacy by Design 1 3
Overview of Principles

VI. Online Privacy Issues 11 22

A. Specific Requirements for the Online Environment 2 4


Regulatory requirements, children’s online privacy

B. Social Media 2 3
Personal information shared and collected

C. Online Threats 2 3
Phishing, SQL injection, cross-site scripting

D. Online Advertising 1 3

E. Tracking Technologies 2 3
Cookies, beacons, responsible practices

F. Web Browser Privacy and Security 1 3


Tracking protection, do not track

G. Web Security Protocols 1 3


HTTPS, SFTP, FTPS

VI. Technologies with Privacy Considerations 8 17

A. Cloud Computing 2 5
Types of clouds, privacy and security concerns

B. Wireless IDs 2 3
Bluetooth, Wi-Fi, cell phones and tablets

C. Location-based Services 2 3
Overview of principles

D. Smart Technologies 1 3
Data analytics, deep learning, Internet of Things (IOT), vehicular
automation

E. Video/Data/Audio Surveillance 1 2

F. Biometrics 1 2

CIPT Study Guide  13


Example Questions
1. Which descriptor best describes the general attitude an organization should exhibit regarding its
practices and policies for data protection?
A. Security.
B. Openness.
C. Secrecy.
D. Education.

2. Where should procedures for resolving complaints about privacy protection be found?
A. In written policies regarding privacy.
B. In the Emergency Response Plan.
C. In memoranda from the CEO.
D. In the minutes of corporate or organizational board meetings.

Sample Scenario
Country Fresh Sundries started in the kitchen of its founder Margaret Holmes as she made soap
following a traditional family recipe. It is a much different business today, having grown first through
product placement in health and beauty retail outlets, then through a thriving catalog business. The
company was slow to launch an online store, but once it did so, the online business grew rapidly. Online
sales now account for 65% of a business which is increasingly international in scope. In fact, Country
Fresh is now a leading seller of luxury soaps in Europe and South America, as well as continuing its
strong record of growth in the United States. Despite its rapid ascent, Country Fresh prides itself on
maintaining its homey atmosphere, as symbolized by its company headquarters with a farmhouse in front
of a factory in a rural region of Maine, in the U.S. The company is notably “employee friendly,” allowing,
for instance, employees to use their personal computers for conducting business and encouraging people
to work at home to spend more time with their families.

As the incoming Director of Privacy, you are the company’s first dedicated privacy professional. During
the interview process, you found that while the people you talked to, including Shelly Holmes, CEO,
daughter of the founder, and Jim Greene,Vice President for Operations, meant well, they did not possess
a sophisticated knowledge of privacy practices and regulations, and were unsure of exactly where the
company stood in relation to compliance and security. Jim candidly admitted, “We know there’s a lot we
need to be thinking about and doing regarding privacy, but none of us know much about it. We’ve put
some safeguards in place, but we’re not even sure they are effective. We need someone to build a privacy
program from the ground up.”

Continued on next page


CIPT Study Guide  14


The final interview ended after the close of business. The cleaning crew had started its nightly work. As
you walked through the office, you noticed that computers had been left on at employee work stations
and the only shredder you saw was marked with a sign that said “Out of Order. Do Not Use.”

You have accepted the job offer and are about to report to work on Monday.You are now on a plane
headed toward your new office, considering your course of action in this position and jotting down some
notes.

1. How can you discover where personal data resides at the company?
A. Focus solely on emerging technologies as they present the greatest risks.
B. Check all public interfaces for breaches of personal data.
C. Conduct a data inventory and map data flows.
D. Interview each department head.

2. In analyzing the company’s existing privacy program, you find procedures that are informal and
incomplete. What stage does this represent in the AICPA/CICA Privacy Maturity Model?
A. Early.
B. Ad hoc.
C. Non-repeatable.
D. Pre-program.

CIPT Study Guide  15


General Exam Information
The IAPP offers testing via computer-based delivery at test centers worldwide. There are approximately
800 Kryterion High-stakes Online Secured Testing (HOST) locations around the world where IAPP
certification exams are administered.

The IAPP also offers testing at our major annual conferences. Event-based testing is paper-pencil format.

You can find detailed information about how to register for exams, as well as exam-day instructions in
the IAPP Certification Information Candidate Handbook, on our website at iapp.org/certify.

Questions?
The IAPP recognizes that privacy certification is an important professional development effort requiring
commitment and preparation. We thank you for choosing to pursue certification, and we welcome your
questions and comments regarding our certification program.

Please don’t hesitate to contact us at certification@iapp.org or +1 603.427.9200.

CIPT Study Guide  16


Example Questions: Answers
1. Which descriptor best describes the general attitude an organization should exhibit regarding its
practices and policies for data protection?
A. Security.
B. Openness.
C. Secrecy.
D. Education.

2. Where should procedures for resolving complaints about privacy protection be found?
A. In written policies regarding privacy.
B. In the Emergency Response Plan.
C. In memoranda from the CEO.
D. In the minutes of corporate or organizational board meetings.

Sample Scenario
Country Fresh Sundries started in the kitchen of its founder Margaret Holmes as she made soap
following a traditional family recipe. It is a much different business today, having grown first through
product placement in health and beauty retail outlets, then through a thriving catalog business. The
company was slow to launch an online store, but once it did so, the online business grew rapidly. Online
sales now account for 65% of a business which is increasingly international in scope. In fact, Country
Fresh is now a leading seller of luxury soaps in Europe and South America, as well as continuing its
strong record of growth in the United States. Despite its rapid ascent, Country Fresh prides itself on
maintaining its homey atmosphere, as symbolized by its company headquarters with a farmhouse in front
of a factory in a rural region of Maine, in the U.S. The company is notably “employee friendly,” allowing,
for instance, employees to use their personal computers for conducting business and encouraging people
to work at home to spend more time with their families.

As the incoming Director of Privacy, you are the company’s first dedicated privacy professional. During
the interview process, you found that while the people you talked to, including Shelly Holmes, CEO,
daughter of the founder, and Jim Greene,Vice President for Operations, meant well, they did not possess
a sophisticated knowledge of privacy practices and regulations, and were unsure of exactly where the
company stood in relation to compliance and security. Jim candidly admitted, “We know there’s a lot we
need to be thinking about and doing regarding privacy, but none of us know much about it. We’ve put
some safeguards in place, but we’re not even sure they are effective. We need someone to build a privacy
program from the ground up.”

Continued on next page


CIPT Study Guide  17


Example Questions: Answers
The final interview ended after the close of business. The cleaning crew had started its nightly work. As
you walked through the office, you noticed that computers had been left on at employee work stations
and the only shredder you saw was marked with a sign that said “Out of Order. Do Not Use.”

You have accepted the job offer and are about to report to work on Monday.You are now on a plane
headed toward your new office, considering your course of action in this position and jotting down some
notes.

1. How can you discover where personal data resides at the company?
A. Focus solely on emerging technologies as they present the greatest risks.
B. Check all public interfaces for breaches of personal data.
C. Conduct a data inventory and map data flows.
D. Interview each department head.

2. In analyzing the company’s existing privacy program, you find procedures that are informal and
incomplete. What stage does this represent in the AICPA/CICA Privacy Maturity Model?
A. Early.
B. Ad hoc.
C. Non-repeatable.
D. Pre-program.

CIPT Study Guide  18