Personally Identifiable Information (PII) v4.0
Which of the following is NOT a permitted disclosure of PII contained in a system of records? a. The individual has requested that their record be disclosed. b. The record is disclosed for routine use. c. All permitted disclosures. d. The record is disclosed for a new purpose that is not specified in the SORN.
d. The record is disclosed for a new purpose that is not specified in the SORN.
True or false? A system of records Notice (SORN) is not required if an orgnaization determines that PII will be stroed using a system of records>
false
You are tasked with disposing of physical copies of last years grant application forms> These documents contain pii so you use a cross cut shredder to render them unrecognizable and beyond reconstruction> Is this compliant with PII safeguarding procedures?
yes
Which of the following is NOT included in a breach notification? A. Articles and other media reporting the breach. B. What happened, date of breach, and discovery. C. Point of contact for affected individuals. D. Whether the information was encrypted or otherwise protected.
A. Articles and other media reporting the breach.
Which regulation governs the DoD Privacy Program? A. DoD 5400.11-R: DoD Privacy Program B. FOIA C. OMB-M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information D. The Privacy Act of 1974
A. DoD 5400.11-R: DoD Privacy Program
T or F? Information that can be combined with other information to link solely to an individual is considered PII.
True
T or F? Misuse of PII can result in legal liability of the individual.
True
T or F? Misuse of PII can result in legal liability of the organization.
True
Which of the following must privacy impact assessments (PIAs) do?
all of the above
Within what timeframe must DoD organizations report PII breaches to the United States Computer Emergency Readiness Team (US-CERT) once discovered? A. 1 Hour B. 24 Hours C. 48 Hours D. 12 Hours
A. 1 Hour
Which type of safeguarding measure involves restricting PII access to people with a need-to-know? A. Administrative B. Physical C. Technical D. All of the above
A. Administrative
Which of the following is an example of a physical safeguard that individuals can use to protect PII?
All of the above
What is the purpose of a Privacy Impact Assessment (PIA)? A. Determine whether paper-based records are stored securely B. Determine whether information must be disclosed according to the Freedom of Information Act (FOIA) C. Determine whether the collection and maintenance of PII is worth the risk to individuals D. Determine whether Protected Health Information (PHI) is held by a covered entity
C. Determine whether the collection and maintenance of PII is worth the risk to individuals
Which action requires an organization to carry out a Privacy Impact Assessment? A. Storing paper-based records B. Collecting PII to store in a new information system C. Collecting any CUI. including but not limited to PII D. Collecting PII to store in a National Security System
B. Collecting PII to store in a new information system
Officials or employees who knowingly disclose PII to someone without a need-to-know may be subject to which of the following? A. Civil penalties B. Criminal penalties C. Both civil and criminal penalties D. Neither civil nor criminal penalties
B. Criminal penalties
An organization with existing system of records decides to start using PII for a new purpose outside the "routine use" defined in the System of Records Notice (SORN). Is this a permitted use? A. Yes B. No
B. No
Your organization has a new requirement for annual security training. To track training completion, they are using employee Social Security Numbers as a record identification. Is this compliant with PII safeguarding procedures? A. Yes B. No
B. No
individuals, who maintain a system of records without publishing the required public notice in the federal register may be subject to which of the following? A. Civil penalties B. Criminal penalties C. Both civil and criminal penalties D. Neither civil nor criminal penalties
C. Both civil and criminal penalties
Which of the following is not an example of an administrative safeguard that organizations use to protect PII? A. Conduct risk assessments B. Reduce the volume and use of Social Security Numbers C. List all potential future uses of PII in the System of Records Notice (SORN) D. Ensure employees are trained to properly use and protect electronic records
C. List all potential future uses of PII in the System of Records Notice (SORN)
What guidance identifies federal information security controls? A. DoD 5400.11-R: DoD Privacy Program B. The Freedom of Information Act (FOIA) C. OMB Memorandum M-17-12: Preparing for and Responding to a Breach of Personally Identifiable Information D. The Privacy Act of 1974
C. OMB Memorandum M-17-12: Preparing for and Responding to a Breach of Personally Identifiable Information
Which of the following is responsible for the most recent PII data breaches? A. Physical breaking and entry B. Insider threat C. Phishing D. Reconstruction of improperly disposed documents
C. Phishing
What law establishes the federal government's legal responsibility for safeguarding PII? A. OMB Memorandum M-12-12: Preparing for and Responding to a Breach of Personally Identifiable Information B. DoD 5400.11-R: DoD Privacy Program C. The Privacy Act of 1974 D. The Freedom of Information Act (FOIA)
C. The Privacy Act of 1974
ORGANIZATIONS THAT FAIL TO MAINTAIN ACCURATE, RELEVANT, TIMELY, AND COMPLETE INFORMATION MAY BE SUBJECT TO WHICH OF THE FOLLOWING?
CIVIL PENALTIES
An organization that fails to protect PII can face consequences including: A. Remediation costs B. Loss of trust C. Legal liability D. All of the above
D. All of the above
If someone tampers with or steals and individual's PII, they could be exposed to which of the following? A. Embarrassment B. Fraud C. Identity theft D. All of the above
D. All of the above
Which of the following is not an example of PII? A. Fingerprints B. Driver's license number C. Social Security number D. Pet's nickname
D. Pet's nickname
What law establishes the public's right to access federal government information? A. OMB Memorandum M-12-12: Preparing for and Responding to a Breach of Personally Identifiable Information B. DoD 5400.11-R: DoD Privacy Program C. The Privacy Act of 1974 D. The Freedom of Information Act (FOIA)
D. The Freedom of Information Act (FOIA)
Identify if a PIA is required: A. PII records are only in paper form. B. PII records are being converted from paper to electronic. C. A National Security System is being used to store records. D. A new system is being purchased to store PII. E. All of the above. F. B and D G. A, B, and D
F. B and D
T or F? Using a social security number to track individuals' training requirements is an acceptable use of PII.
False