Awareness - USNA - Docs/Training/PII Presentation1.pdfCollect Pll only when authorized Collect only...

t

Awareness

Objectives

By the end of this course, you wil l be able to:

• Determine your rights and responsibilities under the program

• Identify Pll in your workplace

• Determine what is required to collect and maintain Pll

• Protect Pll by learning how to identify areas where sensitive data is particularly susceptible and describe measures to mit igate those risks

• Respond to Pll breaches using the appropriate procedures according to policy

• Know where to go to get assistance or more informat ion

Introduction Privacy Act of 1974

• To restrict disclosure of personally identifiable information {Pll )

• To grant individuals access to records maintained on themselves

• To grant individuals the right to correct records that are not accurate, relevant, timely, or complete

• To establish a code of "fair information practices" to regulate the

collection, maintenance, use, and dissemination of Pll on individuals

Introduction

What information is collected about you

How it will be used

Correct if necessary

Have it protected from unauthorized disclosure

individual

rights

Introduction

As DON military, civilian, and contractor personnel, you have responsibilities.

individual

Introduction

Collect Pll only when authorized

Collect only necessary information

Tell the individual why you are collecting Pll, who will see it, and what will happen if they do

not provide the information

Keep the Pll accurate, relevant, timely, and complete

Keep Pll confidential and protect it against misuse or loss or breach

To know what to do if you suspect misuse or if

there is a loss or breach

individual responsibilities

Background Department of Defense (DoD) and Secretary of the Navy

Guidance

DON Privacy Program

./ Privacy of an individual is a personal and fundamental right

./ DON personnel, to include contractors, must protect an individual's privacy when collecting, maintaining, using, or disseminating Pll

./ Failure to protect Pll may result in criminal or civil penalties

Background

In FY 2006: 15 Agencies 338 incidents

Background

Definition of Personally Identifiable Information Any information about an individual maintained by an agency, including but not limited to, education, financial

transactions, medical history, and criminal or employment history and information that can be used to distinguish or

trace an individual's identity, such as his or her name, Social Security Number, or partial SSN, date and place of birth,

mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to

an individual. .....

Department of the Navy Privacy Program

SECNAVISNT 5211.5 Series implements the Department of the Navy Privacy Program

Mobile Computing Devices and Removable Storage Media

All DoD Components:

Breach notification policies in place

Guidance on mobile computing devices


DoD Chief Information Officer


DoD Chief Information Officer

Unclassified DoD information in computer storage

Must be encrypted

Applies to:

• DoD components

Data At Rest

• Supporting commercial contractors that process sensitive DoD information

Safeguarding Pll

Safeguarding Pll

Common Breaches:

Laptops, external hard drives, and other electronic devices are not properly protected, resulting in loss or theft

Shared drive folders containing Pll are not protected with the proper permissions

Emails containing Pll are sent to individuals without an official need-to-know

Safeguarding Pll

Phishing

Safeguarding Pll

Knowledge Check r Question 1 of 2 ;") Point Value: 10

In the list below, check those elements that are considered Pll. Select all that apply.

0 Biometric records

0 Personnel records

0 Place of birth

0 Social Security Numbers

n Medical records

Score so far: 0 points out of 0 SUBMIT

Knowledge Check r Question 1 of 2 :"\ Point Value: 10


~ Place of birth

~ Biometric records

~ Social Security Numbers

~ Medical records

~ Personnel records


~


~ Place of birth

~ Biometri

~ Social Se

~ Medical

~ PersonnE

Correct

That's right! All of these elements are considered to be Pll.

Next Question

Knowledge Check ( Question 2 of 2 .) Point Value: 10

Match each of the terms with its appropriate definition. Drag and drop the terms into place.

A means to obtain Pll to commit fraud

Law that requires the government to safeguard Pll

Senior Military Component Official for Privacy

Information (i.e., data, files, folders) stored on a computer

Data At Rest

Phishing

DON CIO

Privacy Act

Knowledge Check ( Question 2 of 2 ~ Point Value: 10

Match each o f the terms with its appropriate definition. Drag and drop the terms into place.

A means to obtain Pll to commit fraud

Law that requires the government to safeguard Pll

Senior Military Component Official for Privacy

Information (i.e., data, files, folders) stored on a computer

~ Phishing

~ Privacy Act

( ooN CIO

e Data At Rest

Knowledge Check Question 2 of 2 • PointValue: 10

Match each of the terms with its appropriate definition. Drag and drop the terms into l place.

A means 1 commit fr Correct

Law that That's right! You matched each term with its correct governmE description or definition.

Senior Mi Official fc Finish Retry Quiz

_J

~

~ Information (i.e., data, files, folders) stored on a computer

Data At Rest , I (,______ _ _.._

Your Organization's Privacy Responsibilities

Your Organization's Privacy Responsibilities Current DON Policy

Regular compliancy ~otehe-eks

• semi-annual • auditable reGord main ainea by the cor,mand Privacy Act

Coordinato or ot~er designated official

•• spot check sheet a~~i'.".ble on ~~f CIO l.vebsite

Assigned per onnel (c1v 1t1air,-m1fltarr,an djcontractors) must be trained 01 privacy and security responsibilities

• Annual t~aining • Remedial training

Report any loss or suspected loss of Pll


plaintextplaintext plaintextplaintext plaintextplaiotext plaintextplaintext plaintextplaintext plaintextplaintext plaintextpla1ntext plaintextplaintext

Encryption


G~vernment furnished devices must be protected wrth a DON-provided DAR solution

~ .


No PU should be stored on non-government computer systems, including laptops and personal electronic devices.

'


80% of Pll breaches in 2011 involved Social Security Numbers


SSN Reduction Plan

All commands and units:

• Evaluate how SSNs are used

• Eliminate unnecessary use


SSN Reduction Plan

../ Remove the SSN from barcodes and display on DoD ID cards

../ Reduce the electronic display, storage and transmission of SSNs and Pll

../ Ensure 100 percent of forms and IT systems that collect SSNs and other Pll have justified the continued collection of SSNs

../ Remove truncated SSNs (last 4) from public facing websites

../ Where possible, replace the SSN with the DoD ID number


SSN Reduction Plan


// Pll lost

- Breach


I --

Policy: When breach occurred How breach occurred

Whom to notify, when directed


~

No need to notify -


Breach - Notify

'

Leaving a document contain ing Pl l in an open area

http://

I


DON Policy: Loss, Theft, or Compromise of Pll

Within 1 hour:

Report using Form OPNAV 5211/13

United States Computer Emergency Readiness Team (US-CERT)

DON CIO Privacy Team Chief of Information (CHINFO) Marine Corps Privacy Act Officer

HQ Marine Corps C4 Cyber Security Division



Within 1 hour:

For government credit cards, otify the issuing bank, and the command's government credit card manager



Within 24 hours:

DON CIO Privacy Office will re~1ew the initial breach report and determine the potential risk of harm to impacted individuals

Knowledge Check ( Question 1 of 1 ;) Point Value: 10

Of the scenarios listed below, select those that would be considered a breach. Select all that apply.

0 Sending an encrypted roster (list of names and full SSNs) to a list of people with a need to know.

0 Leaving a document containing Pll in an open area.

0 Attaching someone's medical information in a letter going to the wrong recipient.

0 Posting a truncated SSN to a public website.


Of the scenarios listed below, select those that would be considered a breach . Select all that apply.

0 Sending an encrypted roster (list of names and full SSNs) t o a list of people with a need to know.

~ Leaving a document containing Pll in an open area.

~ Attaching someone's medical information in a letter going to the wrong recipient.

~ Posting a truncated SSN to a public website.


Of the scenarios listed below, select those that would be considered a breach. Select all that apply.

O Sending an enervated ro~ter (list of namP.,.s and full _SSNs) to a list of oeople with a need t<

~ Leaving

~ Attachin recipien1

~ Posting<

Correct

That's right! All of the scenarios you selected are considered to be breaches.

Finish Retry Quiz

>ng

Your Individual Privacy Responsibilities

Emailing

• Digitally signed and encrypted before sending

• Sent to those recipients with an official need-to-know

• Body:

FOUO - Privacy Sensitive. Any misuse or

unauthorized disclosure may result in both civil and criminal penalties.

• Subject line:

FOUO- Privacy Sensitive


Disposing

• Always use a burn bag or a shredder

• Whenever possible, use a cross-cut shredder over a single-cut shredder


Disposing

• Ensure that no residual data is able to be recovered on any hard drive

• Physically destroy all magnetic hard drives

,/servers

,/desktops and laptops

,/printers

,/scanners

,/copiers

,/multi-function devices

,/external hard drives


Mailing Best Practices

• Double-wrap contents

• Mark inner container

• Be able to track it

• Send only to those with official need-to-know

• Hand carrying: use Privacy Act data cover sheet (DD Form 2923)


Collecting

• Minimize collection

• Recall and social rosters:

- Safeguard t he information

- Provide only to those w ith a need-to-know

- Never collect the SSN

Knowledge Check ( Question 1 of 2 :"\ Point Value: 10

Of the following, which statement best represents what you can do as an individual to protect privacy information?

0 Submit a Pll breach report

0 Allow access to Pll to all persons within your command

0 Keep a personal audit trail of privacy information accessed

Mark documents "FOUO-Privacy Sensitive. Any misuse or unauthorized 0 disclosure may result in both criminal and civil penalties. ", encrypt emails, and

al low Pll access to only those with an official need-to-know



0 Submit a Pll breach report

0 Allow access to Pll to all persons within your command

0 Keep a personal audit trail of privacy information accessed

Mark documents "FOUO-Privacy Sensitive. Any misuse or unauthorized @ disclosure may result in both criminal and civil penalties. ", encrypt emails, and

allow Pll access to only those with an official need-to-know


-....,


0 Submit a Pll breach reoort

0 Allow ac Correct

0 Keep a p

Mark do• @ disclosur

al low Pll

Correct! All are important when safeguarding Pll.

~d

1ails, and


-..,,

New DON policy, with a few exceptions, requires hard drives to be physically destroyed.

0 True

0 False

Knowledge Check Question 2 of 2 • Point Value: 10


@ True

0 False

y

Knowledge Check ( Question 2 of 2 :"\ Point Value: 10


@ True

0 False Correct

That's right! You selected the correct response.

Finish Retry Quiz

Summary

Now that you have finished this course, you should be able to:

• Determine your rights and responsibilities under the program

• Identify Pll in your workplace

• Determine what is required to collect and maintain Pll

• Safeguard Pll and describe ways to mitigate risks

• Respond to Pll breaches using the appropriate procedures according to policy

• Know where to go for assistance or more information

Awareness - USNA - Docs/Training/PII Presentation1.pdfCollect Pll only when authorized Collect only...

Documents

Transcript of Awareness - USNA - Docs/Training/PII Presentation1.pdfCollect Pll only when authorized Collect only...