Questions and Answers
Which action requires an organization to carry out a Privacy Impact Assessment?
- Storing paper-based records
- Collecting PII to store in a new information system (correct)
- Collecting PII to store in a National Security System
- Collecting any CUI, including but not limited to PII
What is the purpose of a Privacy Impact Assessment (PIA)?
- Determine whether Protected Health Information (PHI) is held by a covered entity
- Determine whether the collection and maintenance of PII is worth the risk to individuals (correct)
- Determine whether paper-based records are stored securely
- Determine whether information must be disclosed according to the Freedom of Information Act (FOIA)
Information that can be combined with other information to link solely to an individual is considered PII.
True (A)
What guidance identifies federal information security controls?
An organization that fails to protect PII can face consequences including:
If someone tampers with or steals an individual's PII, they could be exposed to which of the following?
Which of the following is not an example of PII?
What law establishes the federal government's legal responsibility for safeguarding PII?
An organization with an existing system of records decides to start using PII for a new purpose outside the 'routine use' defined in the System of Records Notice (SORN). Is this a permitted use?
Which of the following is responsible for the most recent PII data breaches?
Which of the following is not an example of an administrative safeguard that organizations use to protect PII?
Within what timeframe must DoD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered?
Officials or employees who knowingly disclose PII to someone without a need-to-know may be subject to which of the following?
Your organization has a new requirement for annual security training. To track training completion, they are using employee Social Security Numbers as a record identification. Is this compliant with PII safeguarding procedures?
Identify if a PIA is required:
Which of the following is NOT included in a breach notification?
Misuse of PII can result in legal liability of the individual.
Which regulation governs the DoD Privacy Program?
Using a Social Security Number to track individuals' training requirements is an acceptable use of PII.
Misuse of PII can result in legal liability of the organization.
Which type of safeguarding measure involves restricting PII access to people with a need-to-know?
Flashcards
PIA Trigger
Collecting PII to store in a new information system
PIA Purpose
Determine if PII collection risk is worth it.
Combined Information = PII
True
Federal Security Controls Guidance
PII Breach Consequences
PII Theft Exposure
Not PII
PII Legal Responsibility
New PII Use Permitted?
Cause of PII breaches
Not an administrative safeguard
Report PII Breaches
Unauthorized PII Disclosure
SSN for Training Tracking?
PIA Required?
Breach Notification
Misuse of PII Liability
DoD Privacy Program Regulation
SSN for Training Acceptable
Misuse of PII Consequences
Need-to-Know Safeguarding
Study Notes
Privacy Impact Assessment (PIA)
- A PIA is required when collecting PII for a new information system.
- The purpose of a PIA is to determine whether the benefit of collecting and maintaining PII is worth the risk it poses to individuals.
Personally Identifiable Information (PII) Definitions
- PII includes information that can be combined to identify an individual.
- Pet's nickname is NOT considered PII.
- Legal responsibility for safeguarding PII is established by the Privacy Act of 1974.
Consequences of Failing to Protect PII
- Organizations face remediation costs, loss of trust, and legal liability due to improper PII management.
Data Breaches
- Phishing is the leading cause of modern PII data breaches.
- Breaches must be reported to the US-CERT within 1 hour of discovery.
Safeguarding PII
- Administrative safeguards include conducting risk assessments and ensuring employee training.
- Using Social Security Numbers to track employee training is non-compliant with PII safeguarding procedures.
- Knowingly disclosing PII without a need-to-know can lead to criminal penalties.
Reporting and Compliance
- A breach notification does not include media articles related to the breach.
- Organizations must seek guidance from regulations like DoD 5400.11-R for privacy programs.
- A PIA is required when converting paper PII records to electronic form or when purchasing a new PII storage system.
Important True/False Facts
- Information misuse can result in legal liability for both individuals and organizations.
Description
Test your knowledge on Personally Identifiable Information (PII) with these flashcards. Each card presents a question related to privacy impact assessments and the handling of PII in various contexts. Perfect for anyone studying privacy regulations and practices.