We have provided 5 sample questions for the Certification Foundation examination below. For our complete set of over 150 questions and answers, please purchase our comprehensive study guide for the Certification Foundation exam.
1. Which of the following may be classified as an unfair trade practice by the FTC?
A. A website’s privacy notice clearly states that it will not encrypt sensitive personal information, and the website does not in fact encrypt the data
B. An organization promises to honor opt-out requests within 10 days but fails to honor opt-out requests
C. A rogue employee steals credit card information even though the organization took reasonable precautions to protect the credit card information
D. A federally insured bank does not comply with a regulation prohibiting the bank from revealing information about its customers
ANSWER: A. Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Answer A is an example of an unfair trade practice because the website is not being deceptive, but the potential harm caused by the website’s failure to encrypt sensitive data clearly outweighs the cost of providing encryption, a commonplace and inexpensive security control. Answer B is an example of a deceptive trade practice. When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up to these promises. A violation of a promise made in a privacy notice is an example of a deceptive trade practice. Answer C would not be an unfair trade practice because the organization has implemented reasonable security measures, and the employee simply committed a crime, which is generally considered an unforeseeable event. Answer D is incorrect because the FTC has no jurisdiction over banks and common carriers, which are under the supervision of other governmental agencies.
2. Which country released a report in February 2011 that provides guidance for utility companies on building smart grids with “privacy by design” principles?
A. United States
ANSWER: B. The Information and Privacy Commissioner of Ontario, Canada, developed the “privacy by design” framework in the 1990s. It includes the following seven principles: (1) Proactive not Reactive; Preventative not Remedial; (2) Privacy as the Default Setting; (3) Privacy Embedded into Design; (4) Full Functionality — Positive-Sum, not Zero-Sum; (5) End-to-End Security — Full Lifecycle Protection; (6) Visibility and Transparency — Keep it Open; and (7) Respect for User Privacy — Keep it User-Centric. In February 2011, the Information and Privacy Commissioner released a report titled “Operationalizing Privacy by Design: The Ontario Smart Grid Case Study.” The report provides guidance for utility companies on building smart grids with privacy by design principles.
3. Which of the following accurately describes the use of public-key cryptography?
A. Sender uses recipient’s public key to encrypt and receiver uses his public key to decrypt
B. Sender uses sender’s private key to encrypt and receiver uses sender’s public key to decrypt
C. Sender uses recipient’s private key to encrypt and receiver uses his public key to decrypt
D. Sender uses recipient’s public key to encrypt and receiver uses his private key to decrypt
ANSWER: D. Public-key cryptography (also called asymmetric-key cryptography) uses a pair of keys to encrypt and decrypt content. Each user has a pair of cryptographic keys – a public encryption key and a private decryption key. The public key is widely distributed, while the private key is known only to its owner. The keys are related mathematically, but the parameters used to generate the keys are chosen so that calculating the private key from the public key is computationally infeasible.
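As an added illustration (not part of the original study material), the following Python script walks through answer D using textbook RSA: the recipient publishes a public key (n, e) and keeps the private key (n, d); the sender encrypts with the recipient's public key, and only the recipient's private key recovers the message. The primes, exponent and sample message are constructed values chosen for this demonstration; real deployments generate large random primes and use a padded scheme such as RSA-OAEP from a vetted library, because unpadded textbook RSA is deterministic and malleable.

```python
from math import gcd

# Constructed toy parameters (not real key generation): two well-known
# Mersenne primes stand in for the large random primes a real system draws.
P = (1 << 61) - 1        # 2^61 - 1, prime
Q = (1 << 31) - 1        # 2^31 - 1, prime
E = 65537                # widely used public exponent
CHUNK = 8                # bytes per block; 2**64 < n, so every block is < n


def generate_keypair(p=P, q=Q, e=E):
    """Return the recipient's (public_key, private_key) as ((n, e), (n, d)).

    The keys are related through phi(n) = (p-1)(q-1): d is the inverse of e
    mod phi(n). Without p and q, recovering d from (n, e) requires factoring
    n, which is what keeps the private key private.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(recipient_public_key, plaintext: bytes):
    """Sender step: encrypt each block with the RECIPIENT's public key (n, e)."""
    n, e = recipient_public_key
    blocks = []
    for i in range(0, len(plaintext), CHUNK):
        block = plaintext[i:i + CHUNK]
        m = int.from_bytes(block, "big")
        blocks.append((len(block), pow(m, e, n)))  # length kept for the short last block
    return blocks


def decrypt(key, ciphertext):
    """Receiver step: decrypt with the receiver's own PRIVATE key (n, d).

    Any other key (for example the public key, as in option A) yields a
    residue that is not the original block; it usually does not even fit
    back into the recorded byte length, which is reported as an error.
    """
    n, exponent = key
    out = []
    for length, c in ciphertext:
        m = pow(c, exponent, n)
        if m >= 1 << (8 * length):
            raise ValueError("decryption failed: wrong key or corrupted block")
        out.append(m.to_bytes(length, "big"))
    return b"".join(out)


def recovers_plaintext(key, ciphertext, expected: bytes) -> bool:
    """True only if decrypting with `key` yields exactly `expected`."""
    try:
        return decrypt(key, ciphertext) == expected
    except ValueError:
        return False


def demo():
    """Run the exchange once; returns (private-key result, public-key result)."""
    public_key, private_key = generate_keypair()     # the recipient's pair
    message = b"meet at the usual place at noon"     # constructed sample message
    ct = encrypt(public_key, message)                # sender uses recipient's public key
    return (recovers_plaintext(private_key, ct, message),   # True  (option D)
            recovers_plaintext(public_key, ct, message))    # False (option A)


if __name__ == "__main__":
    print("recipient's private key recovers message, public key recovers message:", demo())
```

Running the script prints `(True, False)`: the recipient's private key reverses what the recipient's public key encrypted, while trying to "decrypt" with the public key (the wrong key from option A) does not recover the message.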
4. Which of the following is correct regarding the Gramm–Leach–Bliley Act of 1999 (“GLBA”)?
A. The Act is based on the permissible purpose approach to privacy
B. The Act covers all financial information, including publicly available information
C. The Act requires opt-in consent when sharing financial information with unaffiliated third parties
D. The Act established a complicated set of privacy and security requirements for all financial institutions
ANSWER: D. Answer A is incorrect because GLBA is based on the fair information practices approach to privacy, not the permissible purpose approach. Answer B is incorrect because GLBA does not cover publicly available information. Answer C is incorrect because sharing financial data with unaffiliated third parties is permitted with opt-out consent.
5. Which of the following is an industry standard formula for assessing risk?
A. Risk = Threat x Vulnerability x Expected Loss
B. Risk = Control / Threat x Vulnerability
C. Risk = Threat + Vulnerability – Expected Loss
D. Risk = Threat x Vulnerability / Control
ANSWER: A. As indicated by the correct formula, the risk associated with an organization’s information technology is directly related to three parameters: (1) threats, (2) vulnerabilities, and (3) expected loss. Threats are any circumstances that may cause an undesirable event, such as a data breach. Vulnerabilities are weaknesses in an organization’s information systems, policies, or procedures. When a threat exploits some vulnerability, a security event that causes risk occurs. The amount of the risk for a particular security event is equal to the probability of the event occurring times the expected loss associated with the event. Answers B – D provide incorrect formulations of risk.