PII Flashcards

Identify the aspects of Personally Identifiable Information (PII) and the proper handling of PII, consequences of compromise, and handling of incidents.

1
Q

What is Personally Identifiable Information (PII)

A

Any information that can be used to distinguish, trace, or identify an individual. This includes private telephone numbers, personal email addresses, home address, a person's name, Social Security number (SSN), driver's license number, date and place of birth, mother's maiden name, and the names of family members. It also includes financial information such as payroll data, bank account numbers, and credit/debit card information, as well as other sensitive private data relating to health, education, medical conditions, private relationships, and marital status.

2
Q

What is a Breach?

A

The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for other than authorized purposes have access or potential access to PII or covered information, whether physical or electronic.

3
Q

Describe Executive Order 13402

A

Requires Federal agencies to develop and implement breach notification policies and procedures.

4
Q

How does FISMA address PII?

A

The Federal Information Security Management Act assigns specific responsibilities to Federal agencies to strengthen Information Technology (IT) system security and requires the head of each agency to implement policies and procedures to cost-effectively reduce information security risks to an acceptable level.

5
Q

ROLES AND RESPONSIBILITIES-CECOM Commanding General (CG)

A

Sign breach notification letters to affected individuals as soon as the extent of the risk is determined, but no later than 10 working days after the breach is discovered and the identities of the affected individuals are ascertained.

Notifications shall be made in writing and sent via U.S. Postal Service first-class mail with return receipt, or hand delivered to affected personnel.

Notifications will include

  • A brief description of what happened
  • Date(s) of occurrence and discovery;
  • A description of the types of personal information involved;
  • A statement of whether the information was encrypted or protected by other means;
  • Steps individuals should take to protect themselves from potential harm;
  • What the Command is doing to investigate the breach, to mitigate losses, and to protect against further breaches.

6
Q

ROLES AND RESPONSIBILITIES-CECOM Chief Information Office (CIO)/G6

A

  • Be the proponent for the CECOM PII policy.
  • Appoint, in writing, a Privacy Act Officer and an alternate Privacy Act Officer.
  • Establish a PII checklist as part of the CECOM G8 Management Control Program (MCP).
  • Establish a PII awareness program, including the creation and distribution of PII awareness posters to Privacy Act Coordinators (PACs) for display within office areas.
  • Establish a PII breach incident response team.
  • Provide breach notification for suspected or confirmed compromise or breach of PII.

7
Q

Providing breach notification for suspected or confirmed compromise or breach of PII

A

  • Notify CECOM HQ.
  • Notify the Provost Marshal Office when a theft occurs on an installation, and civilian law enforcement agencies, such as the local police, when an incident occurs outside an installation.
  • Report to US-CERT within one hour of discovery.
  • Simultaneously email a report to pii.reporting@us.army.mil, which notifies Army leadership of the initial report to US-CERT.
  • Notify the CECOM Emergency Operations Center.
  • Notify the HQAMC Operations Center and AMC's Privacy Act Official.
  • Notify the CECOM PAO.
  • Report to the Army Freedom of Information Act - Privacy Act (FOIA PA) Office within 24 hours of discovery.
  • Prepare breach notification letters for signature by the CG or designee, where required. Notification letters should be reviewed by the Chief Counsel's office before being forwarded for signature.
  • Solicit confirmation of receipt from affected individuals who were notified by the CG or designee, and provide CECOM HQ with a report.

8
Q

ROLES AND RESPONSIBILITIES-CECOM G1

A

The CECOM G1 will provide the Secretary of the General Staff (SGS) with contact information for breach notification letters.

9
Q

ROLES AND RESPONSIBILITIES-CECOM Secretary of General Staff (SGS)

A

The SGS, or designee, will mail or email breach notification letters to affected individuals.

10
Q

ROLES AND RESPONSIBILITIES-CECOM G8

A

The CECOM G8 will provide the MCP PII checklist to CECOM organizations as part of the annual MCP process.

11
Q

ROLES AND RESPONSIBILITIES-Heads of CECOM Organizations

A

The Heads of CECOM Organizations will:

  • Ensure that all military, civilian, and supporting contractor personnel complete annual web-based PII training and are adequately instructed in their responsibilities related to PII.
  • Appoint, in writing, a PAC and alternate, whose duties will be to ensure the protection of PII within their organization, as well as those outlined in Section 3.8. A copy of the appointment letter will be provided to the CECOM CIO/G6 Privacy Act Officer.
  • Ensure that compromised PII is reported to the CECOM CIO/G6 Privacy Act Officer as soon as a breach is discovered.

12
Q

ROLES AND RESPONSIBILITIES-CECOM Supervisors

A

The CECOM Supervisors will:

Ensure that their employees are adequately instructed in their responsibilities related to PII.

Review all requests to remove copies (not originals) of PII from the workplace, following PAC review and recommendation. Original PII records shall not be taken from the workplace. The supervisor will also determine the length of time that copies of PII may be removed from the workplace.

Report compromised PII to the head of the organization.

13
Q

Risk Impact Levels - Low Impact.

A

Potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

14
Q

Risk Impact Levels - Moderate Impact.

A

The potential impact is MODERATE if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

15
Q

Risk Impact Levels - High Impact.

A

The potential impact is HIGH if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Any Defense-wide, organizational (e.g., unit or office), or program or project level compilation of electronic records containing PII on 500 or more individuals, stored on a single device or accessible through a single application service, is considered high impact whether or not the compilation is subject to the Privacy Act.

Any compilation of electronic records containing PII on fewer than 500 individuals that the Information or Data Owner has identified as requiring additional protection measures is also high impact.

16
Q

NOTIFICATION PROCEDURES-Notification Requirements

A

Notification Letters are required when records containing personal information are lost, stolen, or compromised and the potential exists that the records may be used for unlawful purposes, such as identity theft, fraud, stalking, etc. The personal impact on the affected individual may be serious or severe if the records are misused.

17
Q

NOTIFICATION PROCEDURES-Notification Timeframe

A

Notifications shall be made as soon as possible, but not later than 10 working days after the loss, theft, or compromise is discovered and the identities of the individuals are determined. If only some, but not all of the affected individuals can be identified, notifications shall be given to those identified with follow-up notifications made to those subsequently identified.

18
Q

CONSUMER WEBSITE FOR IDENTITY THEFT

A

The Federal Trade Commission (FTC) provides a consumer website with resources for individuals at potential risk of identity theft. The site provides information to help deter, detect, and defend against identity theft. It can be found at the FTC's Identity Theft Site: http://www.consumer.gov/idtheft/

19
Q

Assessing Risk Factors

A

  • Nature of the data elements breached.
  • Number of individuals affected.
  • Likelihood the information is accessible and usable.
  • Likelihood the breach may lead to harm.
  • Ability of the agency to mitigate the risk of harm.

20
Q

Nature of the Data Elements Breached

A

The nature of the data elements compromised is a key factor in determining when and how notifications should be provided to affected individuals. For example, theft of a database containing individuals' names together with SSNs and/or dates of birth may pose a high risk of harm, while theft of a database containing only names may pose a lower risk, depending on its context. It is difficult to characterize data elements as creating low, moderate, or high risk simply by type, because the sensitivity of a data element is contextual: a name in one context may be less sensitive than in another. In assessing the level of risk and harm, consider the data element(s) in light of their context and the broad range of potential harms flowing from their disclosure to unauthorized individuals.

21
Q

Number of individuals Affected.

A

The magnitude of the number of affected individuals may dictate the method(s) you choose for providing notification, but should not be the only determining factor for whether an agency should provide notification.

22
Q

Likelihood the Information is Accessible and Usable.

A

Upon learning of a breach, agencies should assess the likelihood that PII will be or has been used by unauthorized individuals. An increased risk that the information will be used by unauthorized individuals should weigh in favor of providing notification. Depending on the physical, technological, and procedural safeguards employed by the agency, the fact that information has been lost or stolen does not necessarily mean it has been or can be accessed by unauthorized individuals. If the information is properly protected by encryption, for example, the risk of compromise may be low to non-existent. In this context, proper protection means encryption that has been validated by NIST. Agencies will first need to assess whether the breached PII is at low, moderate, or high risk of being used by unauthorized persons to cause harm to an individual or group of individuals. The assessment should be guided by NIST security standards and guidance. Other considerations include the likelihood that an unauthorized individual will recognize the value of the information and either use it or sell it to others.

23
Q

Likelihood the Breach May Lead to Harm - Broad Reach of Potential Harm

A

The Privacy Act requires agencies to protect against any anticipated threats or hazards to the security or integrity of records which could result in “substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” Additionally, agencies should consider a number of possible harms associated with the loss or compromise of information. Such harm may include the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, the disclosure of address information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem.

24
Q

Likelihood the Breach May Lead to Harm - Likelihood Harm Will Occur

A

The likelihood that a breach may result in harm depends on the manner of the actual or suspected breach and the type(s) of data involved in the incident. SSNs and account information are useful for committing identity theft, as are dates of birth, passwords, and mother's maiden name. Even if the information involved is only a name and address or other personally identifying information, the loss may still pose a significant risk of harm if, for example, it appears on a list of patients at a clinic for treatment of a contagious disease.

25
Q

Ability of the Agency to Mitigate the Risk of Harm.

A

Within an information system (IS), the risk of harm depends on how well the agency is able to mitigate further compromise of the system(s) affected by a breach. In addition to containing the breach, appropriate countermeasures should be taken, such as monitoring the system(s) for misuse of the personal information and for patterns of suspicious behavior. Such mitigation may not prevent the use of the personal information for identity theft, but it can limit the associated harm. Some harms are more difficult to mitigate than others, particularly where the potential injury is more individualized and may be difficult to determine.

26
Q

PROCEDURES FOR REPORTING PII INCIDENTS

A

When a PII breach occurs, it should be immediately reported to your Supervisor and to the CIO/G6 Privacy Act Officer through the CECOM CIO/G6 official Outlook mailbox at AMSEL-CIO.

27
Q

Information Required for PII Report

A

  • Name, phone number, and Directorate/Office of the person involved with the incident
  • Date/time the incident occurred
  • Location where the incident occurred
  • Short description of the incident
  • What the impact was:
    • How many information systems were involved (if applicable)
    • How many sites were involved (if applicable)
    • How many people were affected (government civilian, military, and contractor broken out separately) (if applicable)
  • Was email involved:
    • Was the email encrypted (if applicable)
    • Was the email sent outside of DoD (if applicable)
  • What type of PII was involved:
    • SSN
    • Names
    • Personal home address
    • Personal phone numbers
    • Personal email addresses
    • Protected health information
    • Financial information containing PII
    • Passwords
  • What actions have been taken to mitigate the risk