Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Objectives
By the end of this course, you wil l be able to:
• Determine your rights and responsibilities under the program
• Identify Pll in your workplace
• Determine what is required to collect and maintain Pll
• Protect Pll by learning how to identify areas where sensitive data is particularly susceptible and describe measures to mit igate those risks
• Respond to Pll breaches using the appropriate procedures according to policy
• Know where to go to get assistance or more informat ion
Introduction Privacy Act of 1974
• To restrict disclosure of personally identifiable information {Pll )
• To grant individuals access to records maintained on themselves
• To grant individuals the right to correct records that are not accurate, relevant, timely, or complete
• To establish a code of "fair information practices" to regulate the
collection, maintenance, use, and dissemination of Pll on individuals
Introduction
What information is collected about you
How it will be used
Correct if necessary
Have it protected from unauthorized disclosure
individual
rights
Introduction
As DON military, civilian, and contractor personnel, you have responsibilities.
individual
Introduction
Collect Pll only when authorized
Collect only necessary information
Tell the individual why you are collecting Pll, who will see it, and what will happen if they do
not provide the information
Keep the Pll accurate, relevant, timely, and complete
Keep Pll confidential and protect it against misuse or loss or breach
To know what to do if you suspect misuse or if
there is a loss or breach
individual responsibilities
Background Department of Defense (DoD) and Secretary of the Navy
Guidance
DON Privacy Program
./ Privacy of an individual is a personal and fundamental right
./ DON personnel, to include contractors, must protect an individual's privacy when collecting, maintaining, using, or disseminating Pll
./ Failure to protect Pll may result in criminal or civil penalties
Definition of Personally Identifiable Information Any information about an individual maintained by an agency, including but not limited to, education, financial
transactions, medical history, and criminal or employment history and information that can be used to distinguish or
trace an individual's identity, such as his or her name, Social Security Number, or partial SSN, date and place of birth,
mother's maiden name, biometric records, etc., including any other personal information that is linked or linkable to
an individual. .....
Department of the Navy Privacy Program
SECNAVISNT 5211.5 Series implements the Department of the Navy Privacy Program
Mobile Computing Devices and Removable Storage Media
All DoD Components:
Breach notification policies in place
Guidance on mobile computing devices
Mobile Computing Devices and Removable Storage Media
DoD Chief Information Officer
Unclassified DoD information in computer storage
Must be encrypted
Applies to:
• DoD components
Data At Rest
• Supporting commercial contractors that process sensitive DoD information
Safeguarding Pll
Common Breaches:
Laptops, external hard drives, and other electronic devices are not properly protected, resulting in loss or theft
Shared drive folders containing Pll are not protected with the proper permissions
Emails containing Pll are sent to individuals without an official need-to-know
Knowledge Check r Question 1 of 2 ;") Point Value: 10
In the list below, check those elements that are considered Pll. Select all that apply.
0 Biometric records
0 Personnel records
0 Place of birth
0 Social Security Numbers
n Medical records
Score so far: 0 points out of 0 SUBMIT
Knowledge Check r Question 1 of 2 :"\ Point Value: 10
In the list below, check those elements that are considered Pll. Select all that apply.
~ Place of birth
~ Biometric records
~ Social Security Numbers
~ Medical records
~ Personnel records
Knowledge Check r Question 1 of 2 :"\ Point Value: 10
~
In the list below, check those elements that are considered Pll. Select all that apply.
~ Place of birth
~ Biometri
~ Social Se
~ Medical
~ PersonnE
Correct
That's right! All of these elements are considered to be Pll.
Next Question
Knowledge Check ( Question 2 of 2 .) Point Value: 10
Match each of the terms with its appropriate definition. Drag and drop the terms into place.
A means to obtain Pll to commit fraud
Law that requires the government to safeguard Pll
Senior Military Component Official for Privacy
Information (i.e., data, files, folders) stored on a computer
Data At Rest
Phishing
DON CIO
Privacy Act
Knowledge Check ( Question 2 of 2 ~ Point Value: 10
Match each o f the terms with its appropriate definition. Drag and drop the terms into place.
A means to obtain Pll to commit fraud
Law that requires the government to safeguard Pll
Senior Military Component Official for Privacy
Information (i.e., data, files, folders) stored on a computer
~ Phishing
~ Privacy Act
( ooN CIO
e Data At Rest
Knowledge Check Question 2 of 2 • PointValue: 10
Match each of the terms with its appropriate definition. Drag and drop the terms into l place.
A means 1 commit fr Correct
Law that That's right! You matched each term with its correct governmE description or definition.
Senior Mi Official fc Finish Retry Quiz
_J
~
~ Information (i.e., data, files, folders) stored on a computer
Data At Rest , I (,______ _ _.._
Your Organization's Privacy Responsibilities Current DON Policy
Regular compliancy ~otehe-eks
• semi-annual • auditable reGord main ainea by the cor,mand Privacy Act
Coordinato or ot~er designated official
•• spot check sheet a~~i'.".ble on ~~f CIO l.vebsite
Assigned per onnel (c1v 1t1air,-m1fltarr,an djcontractors) must be trained 01 privacy and security responsibilities
• Annual t~aining • Remedial training
Report any loss or suspected loss of Pll
Your Organization's Privacy Responsibilities
plaintextplaintext plaintextplaintext plaintextplaiotext plaintextplaintext plaintextplaintext plaintextplaintext plaintextpla1ntext plaintextplaintext
Encryption
Your Organization's Privacy Responsibilities
G~vernment furnished devices must be protected wrth a DON-provided DAR solution
~ .
Your Organization's Privacy Responsibilities
No PU should be stored on non-government computer systems, including laptops and personal electronic devices.
'
Your Organization's Privacy Responsibilities
80% of Pll breaches in 2011 involved Social Security Numbers
Your Organization's Privacy Responsibilities
SSN Reduction Plan
All commands and units:
• Evaluate how SSNs are used
• Eliminate unnecessary use
Your Organization's Privacy Responsibilities
SSN Reduction Plan
../ Remove the SSN from barcodes and display on DoD ID cards
../ Reduce the electronic display, storage and transmission of SSNs and Pll
../ Ensure 100 percent of forms and IT systems that collect SSNs and other Pll have justified the continued collection of SSNs
../ Remove truncated SSNs (last 4) from public facing websites
../ Where possible, replace the SSN with the DoD ID number
Your Organization's Privacy Responsibilities
I --
Policy: When breach occurred How breach occurred
Whom to notify, when directed
Your Organization's Privacy Responsibilities
Breach - Notify
'
Leaving a document contain ing Pl l in an open area
http://
I
Your Organization's Privacy Responsibilities
DON Policy: Loss, Theft, or Compromise of Pll
Within 1 hour:
Report using Form OPNAV 5211/13
United States Computer Emergency Readiness Team (US-CERT)
DON CIO Privacy Team Chief of Information (CHINFO) Marine Corps Privacy Act Officer
HQ Marine Corps C4 Cyber Security Division
Your Organization's Privacy Responsibilities
DON Policy: Loss, Theft, or Compromise of Pll
Within 1 hour:
For government credit cards, otify the issuing bank, and the command's government credit card manager
Your Organization's Privacy Responsibilities
DON Policy: Loss, Theft, or Compromise of Pll
Within 24 hours:
DON CIO Privacy Office will re~1ew the initial breach report and determine the potential risk of harm to impacted individuals
Knowledge Check ( Question 1 of 1 ;) Point Value: 10
Of the scenarios listed below, select those that would be considered a breach. Select all that apply.
0 Sending an encrypted roster (list of names and full SSNs) to a list of people with a need to know.
0 Leaving a document containing Pll in an open area.
0 Attaching someone's medical information in a letter going to the wrong recipient.
0 Posting a truncated SSN to a public website.
Knowledge Check ( Question 1 of 1 .) Point Value: 10
Of the scenarios listed below, select those that would be considered a breach . Select all that apply.
0 Sending an encrypted roster (list of names and full SSNs) t o a list of people with a need to know.
~ Leaving a document containing Pll in an open area.
~ Attaching someone's medical information in a letter going to the wrong recipient.
~ Posting a truncated SSN to a public website.
Knowledge Check ( Question 1 of 1 .) Point Value: 10
Of the scenarios listed below, select those that would be considered a breach. Select all that apply.
O Sending an enervated ro~ter (list of namP.,.s and full _SSNs) to a list of oeople with a need t<
~ Leaving
~ Attachin recipien1
~ Posting<
Correct
That's right! All of the scenarios you selected are considered to be breaches.
Finish Retry Quiz
>ng
Your Individual Privacy Responsibilities
Emailing
• Digitally signed and encrypted before sending
• Sent to those recipients with an official need-to-know
• Body:
FOUO - Privacy Sensitive. Any misuse or
unauthorized disclosure may result in both civil and criminal penalties.
• Subject line:
FOUO- Privacy Sensitive
Your Individual Privacy Responsibilities
Disposing
• Always use a burn bag or a shredder
• Whenever possible, use a cross-cut shredder over a single-cut shredder
Your Individual Privacy Responsibilities
Disposing
• Ensure that no residual data is able to be recovered on any hard drive
• Physically destroy all magnetic hard drives
,/servers
,/desktops and laptops
,/printers
,/scanners
,/copiers
,/multi-function devices
,/external hard drives
Your Individual Privacy Responsibilities
Mailing Best Practices
• Double-wrap contents
• Mark inner container
• Be able to track it
• Send only to those with official need-to-know
• Hand carrying: use Privacy Act data cover sheet (DD Form 2923)
Your Individual Privacy Responsibilities
Collecting
• Minimize collection
• Recall and social rosters:
- Safeguard t he information
- Provide only to those w ith a need-to-know
- Never collect the SSN
Knowledge Check ( Question 1 of 2 :"\ Point Value: 10
Of the following, which statement best represents what you can do as an individual to protect privacy information?
0 Submit a Pll breach report
0 Allow access to Pll to all persons within your command
0 Keep a personal audit trail of privacy information accessed
Mark documents "FOUO-Privacy Sensitive. Any misuse or unauthorized 0 disclosure may result in both criminal and civil penalties. ", encrypt emails, and
al low Pll access to only those with an official need-to-know
Knowledge Check r Question 1 of 2 :"\ Point Value: 10
Of the following, which statement best represents what you can do as an individual to protect privacy information?
0 Submit a Pll breach report
0 Allow access to Pll to all persons within your command
0 Keep a personal audit trail of privacy information accessed
Mark documents "FOUO-Privacy Sensitive. Any misuse or unauthorized @ disclosure may result in both criminal and civil penalties. ", encrypt emails, and
allow Pll access to only those with an official need-to-know
Knowledge Check ( Question 1 of 2 .) Point Value: 10
-....,
Of the following, which statement best represents what you can do as an individual to protect privacy information?
0 Submit a Pll breach reoort
0 Allow ac Correct
0 Keep a p
Mark do• @ disclosur
al low Pll
Correct! All are important when safeguarding Pll.
~d
1ails, and
Knowledge Check ( Question 2 of 2 .) Point Value: 10
-..,,
New DON policy, with a few exceptions, requires hard drives to be physically destroyed.
0 True
0 False
Knowledge Check Question 2 of 2 • Point Value: 10
New DON policy, with a few exceptions, requires hard drives to be physically destroyed.
@ True
0 False
y
Knowledge Check ( Question 2 of 2 :"\ Point Value: 10
New DON policy, with a few exceptions, requires hard drives to be physically destroyed.
@ True
0 False Correct
That's right! You selected the correct response.
Finish Retry Quiz
Summary
Now that you have finished this course, you should be able to:
• Determine your rights and responsibilities under the program
• Identify Pll in your workplace
• Determine what is required to collect and maintain Pll
• Safeguard Pll and describe ways to mitigate risks
• Respond to Pll breaches using the appropriate procedures according to policy
• Know where to go for assistance or more information