Identifying and Safeguarding

Which of the following must Privacy Impact Assessments (PIAs) do?
- Analyze how an organization handles information to ensure it satisfies requirements
-mitigate privacy risks
-determine the risks of collecting, using, maintaining, and disseminating PII on electronic information systems.
-all of the above

True or False? An Individual whose PII has been stolen is susceptible to identity theft, fraud, and other damage.

What / Which guidance identifies federal information security controls?
-The Freedom of Information Act (FOIA)
-The Privacy Act of 1974
-OMB Memorandum M-17-12: Preparing for and responding to a breach of PII
-DOD 5400.11-R: DOD Privacy Program

Which of the following is NOT an example of PII?
-Driver's License Number
-Pet's nickname
-Social Security Number
-Fingerprints

Which of the following is NOT a permitted disclosure of PII contained in a system of records?
-These are all permitted disclosures
-The record is disclosed for a new purpose that is not specified in the SORN
-The record is disclosed for routine use.
-The individual has requested that their record be disclosed.

PIA is required when organization collects PII from:

PIA is not required when the information system or electronic collection:

Within what timeframe must DOD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered?
-1 hour
-12 hours
-48 hours
-24 hours

Your organization has a new requirement for annual security training. To track training completion, they are using employee Social Security Numbers as record identification. Is this compliant with PII safeguarding procedures?
- Yes or No

You are tasked with disposing of physical copies of last year's grant application forms. These documents contain PII so you use a cross-cut shredder to render them unrecognizable and beyond reconstruction. Is this compliant with PII safeguarding procedures?
-YES or NO

Organizations that fail to maintain accurate, relevant, timely, and complete information may be subject to which of the following?
-Neither civil nor criminal penalties
-civil penalties
-criminal penalties
-both civil and criminal penalties

True or False? Paper-based PP is involved in data breaches more often than electronic PP documentation?

Which regulation governs the DoD Privacy Program?
-The Freedom of Information Act (FOIA)
-The Privacy Act of 1974
-OMB Memorandum M-17-12: Preparing for and responding to a breach of PII
-DOD 5400.11-R: DOD Privacy Program

Which of the following is NOT included in a breach notification?
A. Articles and other media reporting the breach.
B. What happened, date of breach, and discovery.
C. Point of contact for affected individuals.
D. Whether the information was encrypted or otherwise protected.

TRUE OR FALSE. A PIA is required if your system for storing PII is entirely on paper.

TRUE OR FALSE. Misuse of PII can result in legal liability of the individual

TRUE OR FALSE. Misuse of PII can result in legal liability of the organization.

Where is a System of Records Notice (SORN) filed?
A. National Archives and Records Administration
B. Congress
C. Federal Register
D. SORNs are for internal reference only, and don't need to be filed with a third party.

Organizations must report to Congress the status of their PII holdings every:
A. Six Months
B. Year
C. Five years
D. Organizations are not required to report to Congress

Jane Student is delivering a document that contains PII, but she cannot find the correct cover sheet. She should:
A. Mark the document CUI and deliver it without the cover sheet.
B. Mark the document as sensitive and deliver it without the cover sheet.
C. Mark the document CUI and wait to deliver it until she has the cover sheet.
D. None of the above; provided she is delivering it by hand, it does not require a cover sheet or markings.

The acronym PHI, in this context, refers to:
A. Protected Health Information
B. Public Health Institute
C. Public Health Informatics
D. Public Health Intelligence