U.S. Department of Health and Human Services Assistant Secretary for Administration, Office of the Chief Information Officer
CYBERSECURITY AWARENESS TRAINING
WELCOME
This training provides U.S. Department of Health and Human Services (HHS) employees, contractors, interns, and others with the knowledge to protect HHS information and information systems and to minimize the risks of internal and external cyber threats. The goal of this training is to inform the HHS workforce of threats to HHS information and information systems and to provide best practices to defend the HHS mission from these threats.
This training fulfills the Federal Information Security Modernization Act of 2014 requirement and HHS IS2P recommendation for security awareness training for users of federal information systems.
YOU ARE THE TARGET
What do hackers look for? Hackers and adversaries are constantly seeking personally identifiable information (PII) and protected health information (PHI) stored on HHS information systems for the purpose of committing health insurance fraud, identity theft, and other financial crimes. As an HHS employee, contractor, intern, or Commissioned Corps of the U.S. Public Health Service personnel, you are a target because you have access to what the cybercriminals are looking for—PII, PHI, financial, personnel, grant, research, and patient medical information.
Hackers’ methods to obtain your information:
• Unattended devices
• Information from your online profiles
• Email and phone scams
• Compromised passwords
TRAINING OBJECTIVES
• Objective 1: Develop and demonstrate foundational-level knowledge of cybersecurity.
• Objective 2: Employ best practices to protect privacy and safeguard Controlled Unclassified Information (CUI).
• Objective 3: Recognize cyber threats to information systems.
• Objective 4: Identify and report potential cybersecurity and privacy incidents promptly.
TABLE OF CONTENTS
In this training, we will discuss why you need cybersecurity in the workplace, how to secure HHS information, and how to identify social engineering tricks often used by cyber criminals. We will also describe different types of cybersecurity breaches and how to report them.
1. CONTROLLED UNCLASSIFIED INFORMATION: Definitions and examples of CUI, PII and PHI.
2. SECURING INFORMATION: Best practices to protect HHS information assets.
3. SOCIAL ENGINEERING: Methods used to manipulate people.
4. BREACHES & REPORTING: What breaches are and how to report them.
LESSON 1 — CUI
OVERVIEW
This lesson describes cybersecurity and the different types of Controlled Unclassified Information (CUI), including PII and PHI. The lesson also identifies best practices for you to apply within your workplace.
OBJECTIVES
• Define cybersecurity.
• Describe the different types of CUI.
• Define and give examples of PII and PHI.
TOPICS
• What is cybersecurity?
• What is CUI?
• Definitions and examples of PII and PHI.
WHAT IS CYBERSECURITY?
Cybersecurity is the action taken to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
On a daily basis, we use many convenient ways to access information and information systems. They include the use of passwords, personal identity verification (PIV) cards, email, remote access, etc. Using the best practices within this training on a daily basis helps HHS personnel protect HHS information from hackers attempting to gain access.
WHAT IS CUI?
Controlled Unclassified Information (CUI), also called sensitive data, is information that requires a degree of confidentiality: its loss, misuse, unauthorized access, or modification could compromise that confidentiality and thereby adversely affect national health interests, the operation of HHS programs, or the privacy of the individuals protected under the Health Insurance Portability and Accountability Act (HIPAA).
In this training, we will refer to sensitive data as CUI.
Types of CUI
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Intellectual property
• Financial data
In this training, we will focus on PII and PHI.
The CUI program, established by Executive Order 13556 and implemented in 32 CFR Part 2002, is intended to replace common but inconsistently applied markings such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) with one framework for the federal government to designate, mark, safeguard, and disseminate information.
PII & PHI
What is PII? PII is “information which can be used to distinguish or trace an individual's identity, such as their name, social security number (SSN), biometric records, etc. alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”1
What is PHI? PHI is individually identifiable health information: health information that is linked to a particular individual, or that could reasonably be used to identify one.2 PHI therefore also includes common identifiers such as name, address, birth date, and social security number when they are held together with health information.
1. Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
2. Defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
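As an added example, not part of the HHS training, the following Python scanner applies the definitions above to lines of text the way a data-loss-prevention check would: it looks for direct identifiers (SSN, EIN, a medical record number, an email address, a date of birth), labels a line PII when it carries a personal identifier and PHI when that identifier sits next to health information, and masks the identifiers so the line can be shared. The sample lines are constructed for the example, the “MRN-” number format is an assumption, and the health-term list is illustrative. Note what such a scanner cannot do: the knowledge check that follows turns on quasi-identifiers (ZIP code, birthplace, age, city) that identify a person only in combination, and no pattern match catches that; it takes judgment.

```python
import re

# Direct-identifier patterns. SSN and EIN use their standard formats. The
# medical record number (MRN) format, "MRN-" plus digits, is an assumption
# made for this example; real facilities use their own formats.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EIN_RE = re.compile(r"\b\d{2}-\d{7}\b")
MRN_RE = re.compile(r"\bMRN-\d{6,}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*(\d{1,2}/\d{1,2}/\d{4})\b", re.I)

# Identifiers that point at a person (PII). An EIN identifies an organization,
# so it is reported but does not by itself make a line PII.
PERSONAL = ("ssn", "mrn", "email", "dob")

# Health-context terms: a personal identifier next to one of these makes the
# line PHI rather than plain PII. An MRN is health context on its own.
HEALTH_TERMS = ("diagnosis", "lab result", "medical record", "prescription",
                "treatment", "patient")

def find_identifiers(text):
    """Return {kind: [matches]} for every identifier pattern found in text."""
    found = {}
    for kind, rx in (("ssn", SSN_RE), ("ein", EIN_RE),
                     ("mrn", MRN_RE), ("email", EMAIL_RE)):
        hits = rx.findall(text)
        if hits:
            found[kind] = hits
    dob = DOB_RE.search(text)
    if dob:
        found["dob"] = [dob.group(1)]
    return found

def classify(text):
    """Label a line 'none', 'PII' or 'PHI' and return the identifiers found."""
    ids = find_identifiers(text)
    personal = [k for k in PERSONAL if k in ids]
    if not personal:
        return "none", ids
    lowered = text.lower()
    if "mrn" in ids or any(term in lowered for term in HEALTH_TERMS):
        return "PHI", ids
    return "PII", ids

def redact(text):
    """Mask personal identifiers so the line can be shared or logged safely."""
    text = SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)
    text = MRN_RE.sub("MRN-[redacted]", text)
    text = EMAIL_RE.sub("[email redacted]", text)
    text = DOB_RE.sub(lambda m: m.group(0).replace(m.group(1), "**/**/****"), text)
    return text

# Constructed sample lines, modelled on the grant and case-file records in the
# training scenarios; none of these people or numbers are real.
SAMPLE_LINES = [
    "Grant application 17: applicant Maria Lopez, SSN 123-45-6789, EIN 12-3456789",
    "Case file: patient John Doe, MRN-00481516, diagnosis: type 2 diabetes",
    "Quarterly report: 5 applications received, 3 approved",
    "Lab result follow-up: DOB 04/12/1980, contact j.doe@example.org",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        label, ids = classify(line)
        print(f"{label:4} {sorted(ids)} | {redact(line)}")
```

Run it as a script to see each sample line labelled and masked; in practice the `classify` call would sit in front of an outbound-email or file-share step and the `redact` output is what gets logged.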
LESSON 1 KNOWLEDGE CHECK
Read the following scenario, and then answer the question.
A dentist office recently provided Ms. Jasmin Smith with a copy of her referral documents for the orthodontist. The following information was accidentally included in the file forwarded to Ms. Smith:
• Applicant name: Mr. Renee Rabia
• Height: 6'
• Eye color: Brown
• Hair color: Brown
• Zip code: 22033
• Birthplace: Mozambique
• Age: 40
• City of residence: Fairfax, VA
Do you think this information can be used to identify Mr. Rabia?
A. Yes
B. No
LESSON 1 SUMMARY
In this lesson, you learned to:
• Define cybersecurity, CUI, PII and PHI.
• Identify CUI, PII and PHI.
Your ability to identify and protect CUI, including PII and PHI, will help you integrate a solid foundation of cybersecurity best practices into your daily work tasks and projects.
LESSON 1 – QUIZ
Read each scenario below and answer the question.
1) In 2016, a hospital reported to the Department a security breach that affected the records of up to 405,000 patients, employees, and employees’ beneficiaries. What type of data was lost?
A. PII
B. PHI
C. Both
D. None
2) Jane works in a medical facility. Jane’s sister, Sharon, who is treated in the same facility, asked her to check her lab results. Can Jane give her sister the results?
A. Yes
B. No
LESSON 2 — SECURING INFORMATION
OVERVIEW
All HHS employees, contractors, and personnel have a responsibility to protect HHS information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
OBJECTIVES
• Identify the characteristics of a “strong” password.
• Apply GFE protection rules.
• Create and send encrypted email.
• List steps to store and dispose of data.
TOPICS
• PIV cards and passwords
• Wi-Fi networks
• GFE during foreign travel
• Email use and encryption
• Data storage and disposal
PIV CARDS
Personal Identity Verification (PIV) cards are official government-issued identification cards that grant you access to HHS government buildings and secured areas based on your job role. You will also use your PIV card as an authentication device to access your government-issued computer. PIV cards contain the digital credentials used to encrypt email, digitally sign documents, and verify physical access privileges.
LESSON 2 BRAIN TEASER 1
You received an encrypted email and want to read it. Do you need your PIV card to decrypt the email message? Yes or No?
PASSWORDS
What are “strong” passwords?1 A strong password is a random combination of 8 or more characters drawn from numbers, symbols, and capital and lower-case letters. Using a variety of character types, and above all making the password longer, increases the time it takes to crack the password. One way to build a memorable strong password is to take a phrase you can easily remember and substitute letters, numbers, and symbols for its words; this is called a passphrase. Here is an example: “I Like To Sing and Take Long Walks” = 1L2$&Tlw.
Do not…
• Create easy-to-guess passwords.
• Use obvious passwords related to common information such as a child’s or pet’s name, or your favorite sports team.
• Use passwords that someone can guess using your social media information.
• Write down your password in a place that is accessible to others.
• Share your password with anyone, including systems administrators.
1. For additional information, please see the HHS ISP policy on passwords at OIS Policies, Standards, Memoranda & Guides.
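As an added example (not from the HHS training), the Python below turns the rules above into a check and sets a keyspace estimate beside them. It counts the character classes used, computes the brute-force upper bound length × log2(alphabet), converts that to an expected cracking time at an assumed rate of 10^10 guesses per second (an offline attack on a fast, unsalted hash), and flags the guessable content the “Do not” list warns about. The word list, team names, and guess rate are assumptions for the example. Running it on the training’s own example, 1L2$&Tlw, shows the caveat: eight characters from all four classes give about 52 bits, which an offline attacker at that rate exhausts in days, whereas the full phrase it was built from is far larger. It also shows why the check undoes substitutions: password crackers apply the same letter-for-symbol rules, so P@ssw0rd is still “password” to them.

```python
import math
import re
import string

# The four character classes the training names. Space is counted as a symbol
# so that multi-word passphrases are handled.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}

# Guessable content the training warns about. The word list is a tiny stand-in
# for a breached-password or dictionary list, and the team names are examples.
BLOCKLIST = ("password", "qwerty", "letmein", "welcome",
             "redskins", "nationals", "capitals")
DATE_RE = re.compile(r"19[3-9]\d|20[0-2]\d|\d{2}[/-]?\d{2}[/-]?\d{2,4}")
# Undo the letter-for-symbol substitutions the training suggests; crackers
# apply the same rules, so "P@ssw0rd" is still "password" to them.
LEET = str.maketrans("@$013!", "asoiei")

def character_classes(pw):
    """Names of the classes (lower, upper, digit, symbol) that appear in pw."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in pw)]

def keyspace_bits(pw):
    """Brute-force entropy upper bound: length * log2(alphabet actually used).
    This is an upper bound; a dictionary attack on a phrase of common words is
    far cheaper than the keyspace suggests."""
    alphabet = sum(len(CLASSES[name]) for name in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def crack_days(bits, guesses_per_second=1e10):
    """Expected days to search half the keyspace. 1e10 guesses/s is an assumed
    rate for an offline attack on a fast, unsalted hash; a slow, salted hash
    such as bcrypt or Argon2 lowers the rate by several orders of magnitude."""
    return 2 ** (bits - 1) / guesses_per_second / 86400

def check(pw, min_length=8):
    """Apply the training's rules and report the keyspace estimate alongside."""
    classes = character_classes(pw)
    normalized = pw.lower().translate(LEET)
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    missing = [name for name in CLASSES if name not in classes]
    if missing:
        problems.append("missing character class: " + ", ".join(missing))
    if any(word in normalized for word in BLOCKLIST):
        problems.append("contains a common word or team name (after undoing substitutions)")
    if DATE_RE.search(pw):
        problems.append("contains a date or year")
    bits = keyspace_bits(pw)
    return {
        "length": len(pw),
        "classes": classes,
        "bits": round(bits, 1),
        "crack_days": crack_days(bits),
        "meets_policy": not problems,
        "problems": problems,
    }

if __name__ == "__main__":
    for pw in ("1L2$&Tlw", "P@ssw0rd", "Redskins2016!",
               "I Like To Sing and Take Long Walks"):
        r = check(pw)
        print(f"{pw!r}: {r['bits']} bits, ~{r['crack_days']:.1f} days, "
              f"{'OK' if r['meets_policy'] else r['problems']}")
```

The full phrase fails the four-class rule (no digit) yet has four times the bits of the eight-character version; that is the trade-off behind the advice to prefer length. The blocklist would need a real breached-password list, and names of children or pets can only be caught with data the checker does not have.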
LESSON 2 BRAIN TEASER 2
Which of the following is a good way to remember a password?
A. Use a favorite team name.
B. Use a familiar word with your birthdate.
C. Create a word with your child’s name.
D. Create a passphrase.
WI-FI NETWORKS
It’s important to remember that malicious actors could be lurking on the free Wi-Fi networks that you may be accustomed to using at your local coffee shop or while traveling. Do not expose your Government Furnished Equipment (GFE) to unnecessary security risks by connecting to free, unsecured Wi-Fi networks. Only use secured Wi-Fi networks such as your home Wi-Fi or a hotspot device (mobile phone or tablet).
LESSON 2 KNOWLEDGE CHECK
Read the following scenario, and then answer the question.
You are a grant management analyst attending a workshop in a hotel conference center. During your lunch break you receive a phone call from your supervisor asking you to email some important grant documents to her. You only have access to the conference center’s guest Wi-Fi, which is open for public use.
Which action is NOT recommended?
A. Apologize to your supervisor that you cannot send her the documents until you are connected to a secure Wi-Fi.
B. Use a secure browser and a secure VPN if you have one.
C. Send your supervisor the information using the unsecured Wi-Fi at the hotel.
D. Do not work on sensitive materials while connected to unsecured Wi-Fi.
GFE DURING FOREIGN TRAVEL
According to the HHS Chief Information Officer memo Use of Government Furnished Equipment (GFE) During Foreign Travel (dated December 2016): “HHS travelers should not have any expectation of privacy regarding any communication while traveling to foreign countries. Moreover, one may expose and compromise GFE to an increased level of risk during foreign travel. Someone other than the intended recipient may intercept unencrypted email communications and non-secure phone calls, and our adversaries overseas and other bad actors, such as international criminal organizations, often target GFE. HHS GFE is not permitted on unofficial, personal foreign travel. All HHS personnel traveling abroad on official business must follow the Office of Security and Strategic Information’s (OSSI) Foreign Travel Checklist guidelines and contact OSSI at [email protected] as early as possible.”1
1. See Use of GFE during Foreign Travel and Office of Information Security (OIS) Policies, Standards, Memoranda & Guides.
EMAIL PROTOCOLS
HHS email accounts are for official government business; however, employees may have limited personal use of their HHS email. Employees should NEVER conduct official HHS business with their personal email accounts.1
Do not…
• Use your HHS email address to create personal commercial accounts for the purpose of receiving personal notifications, to set up a personal business or website, or to sign up for memberships.
• Let your personal emails disrupt your productivity, interrupt service, or cause congestion on the network (e.g., sending spam or large media files), or use them to engage in inappropriate activities.
1. Review the Rules of Behavior for Use of HHS Information Resources for more information.
ENCRYPTION
Encryption is the process of encoding messages or information in such a way that only authorized parties can read it. Encryption does not prevent interception, but it denies unauthorized persons and software the ability to interpret the message content. HHS policy requires files containing CUI to be encrypted both in transit and at rest.1 Emails that contain CUI must be encrypted before they are sent.
1. Refer to your Operating Division Help Desk for instructions on how to use encryption technology. Encryption information and alternatives can be found by visiting HHS Cybersecurity Program Encryption.
EMAIL ENCRYPTION
When you encrypt an email in Microsoft (MS) Outlook® using your PIV card, the recipient opens it by inserting their own PIV card and entering their PIN, after which MS Outlook® decrypts and displays the contents. Remember that such an email can only be decrypted by internal HHS recipients: if you send a PIV-encrypted email from an HHS email account to an external recipient, that recipient will not be able to decrypt or read the content.
Email encryption steps:
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, select the “Encrypt” icon.
4. Type your message and click the “Send” button.
LESSON 2 BRAIN TEASER 3
Which of the following items are necessary when opening an encrypted email?
A. E-signature.
B. Digital certificate.
C. User’s PIN.
D. PIV card.
DATA STORAGE & DISPOSAL
Data storage is maintaining or storing CUI. When safeguarding CUI, back up all stored or transmitted information, encrypt the backup, and file or archive the encrypted backup.
Data disposal: if a media device containing CUI is obsolete, no longer usable, or no longer required, it must be disposed of in accordance with applicable laws and regulations. Disposal rules apply to information in paper, computer, or any other format.1
1. For more information, visit the Records Management webpage.
LESSON 2 SUMMARY
In this lesson, you learned how to:
• Create and protect strong passwords.
• Protect your PIV card from unauthorized use.
• Send an encrypted email.
Applying these best practices will help protect HHS information and information systems from hackers. Cybersecurity starts with you!
LESSON 2 – QUIZ 1
1) Which of the following answers lists the correct steps to send an encrypted email in MS Outlook® 2010?
Choice A
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, check the “Request a Read Receipt” box.
4. Type your message and hit the “Send” button.
Choice B
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, select the “Encrypt” icon.
4. Type your message and hit the “Send” button.
Choice C
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, select the “Permission” icon.
4. Type your message and hit the “Send” button.
Choice D
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, check the “Request a Delivery Receipt” box.
4. Type your message and hit the “Send” button.
LESSON 2 – QUIZ 2
2) Mark is a new employee who just joined the Department. He received an email from the Help Desk asking him to update his profile in the staff directory. The email included a link that Mark was instructed to click for access to his profile. The email also includes a telephone number for additional assistance.
What should Mark do?
A. Click on the link to update his profile.
B. Call the Help Desk number on the Intranet to verify the email.
C. Delete the email; it’s spam.
D. Call the number given in the email to confirm the request.
LESSON 3 — SOCIAL ENGINEERING
OVERVIEW
Welcome to Lesson 3! In this lesson, we will identify how social engineers use phishing, phone scams, and social media to bait unsuspecting HHS employees into providing them access to HHS information and information systems.
OBJECTIVES
• Define social engineering and the types of attacks associated with it.
• Identify and report phishing emails.
• Determine ways to limit information posted on social media.
• Recognize techniques to handle suspicious phone calls.
• Identify and report insider threats.
TOPICS
• Social engineering overview
• Phishing
• Social media
• Phone scams
• Insider threat
SOCIAL ENGINEERING
It’s critical that you understand the most common methods used by criminals to manipulate people into providing information. Social engineering (human manipulation) is the use of deception to manipulate individuals into divulging confidential or personal information that the social engineer may use for fraudulent purposes. Malicious actors could appear to be a coworker or a “friend” in an effort to gain your trust so that they can obtain access to HHS information and information systems through you.
PHISHING
What is phishing? Phishing is a social engineering scam in which intruders seek access to information and information systems by posing as a real business or organization with a legitimate reason to request information.
Phishing emails (or texts) quite often alert you to a problem with your account and ask you to click on a link and provide information to correct the problem.
How it works: these emails look real and often contain the organization’s logo and trademark. The uniform resource locator (URL) in the email can resemble the authentic web address, for example “Amazons.com,” with a very minor spelling difference that one can easily overlook. Links included in phishing emails can download malicious programs onto your computer or mobile device and allow the attacker access to the device, to connected devices, and to the information stored on them.
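As an added example (not part of the HHS training), the Python below checks a URL from an email against a short list of protected brand domains and reports the common look-alike tricks: a typosquat such as amazons.com, digit-for-letter and rn-for-m swaps such as paypa1.com and arnazon.com, the brand name placed as a subdomain of an attacker’s domain (amazon.com.evil.example), and the brand name placed in the user-info part of the URL so the browser actually connects somewhere else (amazon.com@evil.example). The brand list, confusable map, and edit-distance threshold are assumptions for the example, and the registrable-domain split takes the last two labels, which is wrong for suffixes like co.uk; a production checker would use the Public Suffix List and also handle internationalized (punycode) hostnames.

```python
from urllib.parse import urlsplit

# Brand domains to protect. Constructed list for this example.
KNOWN_DOMAINS = ("amazon.com", "hhs.gov", "microsoft.com", "paypal.com")

# Digits attackers swap for look-alike letters. Illustrative, not exhaustive.
CONFUSABLES = str.maketrans("0135", "oles")

def registrable_domain(host):
    """Last two labels of the host. Assumption: no public-suffix handling,
    so 'example.co.uk' would split wrongly; real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def normalize(label):
    """Undo common substitutions (rn -> m, 0 -> o, 1 -> l, 3 -> e, 5 -> s)."""
    return label.replace("rn", "m").translate(CONFUSABLES)

def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url):
    """Return (verdict, detail). Verdicts: ok, userinfo-trick, subdomain-spoof,
    lookalike, unknown (not a protected brand, so no opinion)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown", "no host in URL"
    reg = registrable_domain(host)
    if reg in KNOWN_DOMAINS and not parts.username:
        return "ok", reg
    # "https://amazon.com@evil.example/": everything before '@' is user info
    # and the browser connects to evil.example.
    if parts.username:
        return "userinfo-trick", f"user info '{parts.username}' hides real host {host}"
    labels = host.split(".")
    reg_name = reg.split(".")[0]
    for brand in KNOWN_DOMAINS:
        name = brand.split(".")[0]
        # Brand name used as a subdomain label of a different registrable domain.
        if name in labels[:-2]:
            return "subdomain-spoof", f"{brand} used as a subdomain of {reg}"
    norm = normalize(reg_name)
    for brand in KNOWN_DOMAINS:
        name = brand.split(".")[0]
        if name in norm:
            return "lookalike", f"{reg} contains brand name {name}"
        dist = levenshtein(norm, name)
        if dist <= max(1, len(name) // 4):
            return "lookalike", f"{reg} is {dist} edit(s) from {brand}"
    return "unknown", reg

# Constructed sample links of the kind a phishing email carries.
SAMPLE_URLS = [
    "https://www.amazon.com/signin",
    "https://www.amazons.com/signin",
    "http://arnazon.com/verify",
    "https://paypa1.com/",
    "https://amazon.com.evil.example/login",
    "https://amazon.com@evil.example/",
    "https://www.google.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        verdict, detail = check_url(u)
        print(f"{verdict:15} {u}  ({detail})")
```

The check looks only at the link target; the displayed link text in an HTML email can differ from the href, so a mail filter would run `check_url` on every href it extracts rather than on what the reader sees.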
SUSPICIOUS EMAILS
If you are suspicious of an email:
• Do not click on the links provided in the email.
• Do not open any attachments in the email.
• Do not provide personal information or financial data.
• Forward the email to [email protected] and then delete it permanently from your Inbox and Trash folders.
LESSON 3 BRAIN TEASER
Brian received a phone call at work. “Tech Support” called to verify information on his computer. Brian was instructed to provide network and password information over the phone. Brian obliged and provided the requested information. Did Brian take the correct action? Yes or No?
SOCIAL MEDIA
It’s critical that you understand the threats you may encounter when using your social media accounts. Malicious actors may pretend to be a coworker, a “friend,” or someone with a common social media interest in an effort to gain your trust so that they can obtain unauthorized access to HHS information and information systems. Some recommendations to protect your information:
• Do not associate your employment at HHS with your social media accounts.
• A social engineer may aggregate multiple posts about your job and use them with malicious intent.
• Be mindful of what you tweet, instant message (IM), or post online, because once it’s on the Internet, it’s on the Internet forever!
PHONE SCAMS
Many people think cybercriminals only use phishing and other computer-based tactics to obtain sensitive information from unsuspecting victims. However, cybercriminals use phone scams too. A cybercriminal could claim to be calling from a trusted office at work and ask an HHS employee for PII. Or the employee may receive an email from “technical support” telling them to call a certain number to ensure that their computer is working correctly or to complete the installation of software. Be aware of these tactics and do not fall prey to social engineers.
LESSON 3 KNOWLEDGE CHECK
Read the following scenario, and then answer the question.
Allison received an email from a coworker she does not know regarding the upcoming office holiday party. Included in the email is an attachment listing the attendees and the food items they are bringing to the party. The coworker has requested that Allison immediately review the list and verify what she will bring to the party.
What should Allison do next?
A. Examine the email and check for red flags indicating that it may be a phish.
B. Call the coworker to verify the legitimacy of the email.
C. If the recipient cannot verify the email, forward it to
D. All of the above.
INSIDER THREAT
Insider threats are the most serious threat covered in this lesson, because the malicious actor already has authorized access. An insider threat is a malicious threat to an organization that comes from current or former employees or contractors within the organization who have inside information concerning the organization's security practices, data, and computer systems. Instances of insider threats are rare but very serious.
HHS is a multi-disciplined, geographically distributed public health enterprise whose missions include research, innovation, regulation, prevention, and response. HHS holds information of interest to foreign intelligence agents and organizations, and to insider threats. If you have significant reason to suspect an employee is an insider threat, report it to the OSSI Counter-intelligence Directorate at [email protected].
LESSON 3 SUMMARY
In this lesson, you learned how to:
• Report suspicious emails to [email protected] and verify links and file attachments before clicking on them;
• Be aware of human manipulation methods used by cybercriminals to trick you into providing Controlled Unclassified Information (CUI); and
• Report suspicious activity to the OSSI Counter-intelligence Directorate at [email protected].
It’s important for you to identify these methods so that you can help prevent cybersecurity breaches.
LESSON 3 – QUIZ
Read each scenario below and answer the question.
1) Updating his social media accounts is one of Trevor’s favorite activities. Trevor likes to tell everyone how lucky he is to work at HHS. One day, Trevor’s old friend Mike from high school sent him a “friend” request. Trevor hasn’t spoken to Mike in a while but accepted the friendship in hopes that they could catch up. Trevor clicks on a link in a social media instant message from Mike while working on his HHS laptop. The link went to a blank page. Trevor realized that the friend request was actually from someone he didn’t know. Trevor immediately “un-friended” the person.
Should Trevor worry about his HHS laptop being compromised?
A. Yes
B. No
2) Lucy sent her coworker an email containing CUI just before the end of her workday. The next day, Lucy realized she forgot to encrypt the email.
Should Lucy be concerned?
A. Yes
B. No
LESSON 4 — BREACHES & REPORTING
OVERVIEW
Welcome to Lesson 4! In this lesson, we will learn how to prevent and limit the impact of a breach by identifying incidents and learning when and how to promptly report them.
OBJECTIVES
• Identify the different types of cybersecurity and privacy incidents.
• Examine information and differentiate public from private use.
• Perform the steps to report a suspected or confirmed cybersecurity or privacy incident to the proper authorities.
TOPICS
• Recognizing incidents
• Reporting incidents
RECOGNIZING INCIDENTS
Understanding the actions and situations that can cause a security incident is critical to the protection of HHS information and information systems. The following incidents must be reported immediately to the 24-hour Computer Security Incident Response Center (CSIRC) at [email protected] and to your OpDiv’s Incident Response Team.
Types of incidents:
• Loss, damage, or theft of equipment, media, or documents containing PII.
• Accidentally sending a report containing PII to a person not authorized to view it, or sending it unencrypted.
• Allowing an unauthorized person to use your computer or credentials to access PII.
• Discussing CUI in a public area.
• Accessing the private records of friends, neighbors, celebrities, etc. for casual viewing.
• Any security situation that could compromise HHS information or information systems (e.g., a virus, a phishing email, or a social engineering attack).
LESSON 4 BRAIN TEASER
One day, Katherine realized that she forgot to bring her laptop to work. She needed to finalize a presentation for her meeting at 1 PM. Katherine’s coworker, Dan, agreed to let her use his computer once he completed his monthly report. After Dan finished his report, he gave his laptop to Katherine with his PIV card still inside. Katherine completed her presentation, but before giving Dan his computer back, she decided to take a look at a few shared folders that she realized she didn’t have access to on her own laptop. Katherine then returned the laptop and thanked Dan for his help. Should Dan consider this an “incident”?
REPORTING INCIDENTS
It’s important to understand what an “incident” is, and how to report one should one occur. Reporting all possible security incidents immediately gives the 24-hour CSIRC and your OpDiv’s Incident Response Team the best chance to minimize the negative impact of the incident. Today’s high-speed internet connections can allow an adversary to steal gigabytes of data in minutes. Every second counts when it comes to reporting security incidents. Failing to report an incident immediately allows the hacker to operate unnoticed in the HHS network for a longer period of time. Ethically, it is your responsibility to report incidents as soon as you identify them. So stay alert! Your quick response can prevent a breach.
The scenarios in this lesson will help you understand how to quickly take action when incidents happen. If any privacy or data incidents occur (as listed in the “Recognizing Incidents” section), please report them at once to the 24-hour CSIRC and to your OpDiv’s Incident Response Team.
LESSON 4 KNOWLEDGE CHECK
Read the following scenario, and then answer the question.
Tammy and Jill went to a local coffee shop for a short break. Over coffee, they discussed client details and other CUI relating to their department. At the end of their discussion, they realized that someone from another department had been watching them and listening to their discussion a few tables away. This person should not have heard any of their private discussion. What should they do?
A. Ignore the eavesdropper; maybe this person didn’t hear the discussion after all.
B. Ask the eavesdropper not to disclose any information that s/he overheard.
C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.
D. None of the above.
LESSON 4 SUMMARY
In this lesson, you learned how to:
• Define and identify types of cybersecurity incidents.
• Report an incident.
Being able to identify and report an “incident” is imperative in a workplace that deals with highly sensitive information. The impact of some incidents can be minimized simply by encrypting emails containing CUI and by your quick action to report an incident. These are all simple actions, yet imperative and mandated. Remember, report all breaches to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team. Report malicious or spam emails to [email protected].
1 2 3 4 LESSON 4 - QUIZ 1 T L
Read the scenario below and answer the question. Please select from the answers below.
1) Carol realized that she forwarded a sensitive HHS email to the wrong person.
What should she do?
A. Immediately report the “incident” tothe 24-hour CSIRC ([email protected]) and toyour OpDiv’s Incident Response Team.
B. Inform the recipient to disregard anddelete the contents of the email that wassent erroneously.
C. Both. D. None of the above.
7/8
1 2 3 4 LESSON 4 - QUIZ 2 T L
Read the scenario below and answer the question. Please select from the answers below.
2) An OpDiv experienced laptop thefts. What should the manager on site do?
A. Immediately report the “incident” to [email protected].
B. No rush…but report the “incident” at some point this week.
C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.
D. None of the above.
TRAINING WRAP-UP
Understanding how to protect HHS CUI, PII, and PHI is critical to ensuring the mission of HHS. Training you to effectively apply cybersecurity best practices is the focus of this training. Identifying cybersecurity incidents and understanding how to report them will improve the security posture of HHS information and information systems. You are encouraged to immediately apply the best practices you learned from this training into your daily work habits.
In this training, you learned to:
• Define cybersecurity and Controlled Unclassified Information (CUI).
• Define privacy and PII and means to protect PII in different contexts and formats.
• Create strong passwords and protect your PIV card from unauthorized use.
• Safeguard GFE during foreign travel.
• Define encryption and determine how and when to encrypt.
• Describe human manipulation methods often used by hackers.
• Report suspicious emails and activities to reporting authorities.
• Identify the different types of incidents including insider threats, and how to report them.
TRAINING QUIZ - 1
Read the scenario below and answer the question. Please select from the answers below.
1) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, employer identification numbers (EIN), and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, address, and health care facility name.
Does Fred’s laptop contain PII?
A. Yes
B. No
TRAINING QUIZ - 2
Read the scenario below and answer the question. Please select from the answers below.
2) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, employer identification numbers (EIN), and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, address, and health care facility name.
In the previous scenario, which of the following is not HHS PII?
A. Grantee’s social security number
B. Patient’s date of birth
C. Pictures of Fred’s children
D. Patient’s gender
TRAINING QUIZ - 3
Read the scenario below and answer the question. Please select from the answers below.
3) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, employer identification numbers (EIN), and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, address, and health care facility name.
Should Fred report this incident? Why or why not?
A. Yes, Fred should report the incident because he lost personal information.
B. Yes, Fred does need to report this incident because it involved HHS information. All HHS employees, contractors, and personnel are responsible for reporting cybersecurity breaches.
C. No, Fred does not need to report the incident because the computer is replaceable.
D. No, Fred should not report the incident because he is a contractor.
TRAINING QUIZ - 4
Read the scenario below and answer the question. Please select from the answers below.
4) Alan works on the third floor at a medical clinic. Alan’s coworker, Debby, cannot get into the electronic health record (EHR) system, because she has failed to enter the correct password. In order to reset the password, Debby would have to go see a representative from the Password Distribution Center (PDC), on the first floor of the building, leaving the secured floor where she is located. Debby is unable to go to the PDC, because she cannot find her PIV card and believes she has misplaced it. Debby asks Alan for his login credentials, so that she may access the EHR system.
Should Alan allow Debby to use his credentials?
A. Yes, she is Alan’s trusted coworker.
B. Yes, if Alan’s manager gives him permission.
C. No, sharing user credentials is a privacy violation.
D. A and B
TRAINING QUIZ - 5
Read the scenario below and answer the question. Please select from the answers below.
5) Alan decides not to share his credentials with Debby. Debby now asks to borrow Alan’s PIV card, so that she may leave the secured floor, and get her password reset at the PDC.
What should Alan do?
A. Give Debby his PIV so she can leave the floor to reset her password.
B. Alan should tell her to ask another coworker for their PIV card.
C. Alan should escort Debby to the PDC so she can get her password reset since she doesn’t have her PIV card.
D. B and C
TRAINING QUIZ - 6
Read the scenario below and answer the question. Please select from the answers below.
6) This time Alan decides not to let Debby borrow his PIV card, because it would create a privacy incident.
What other privacy incident has already occurred?
A. Debby asked to borrow Alan’s credentials.
B. Debby has misplaced her PIV card and cannot find it.
C. Debby asked to borrow Alan’s PIV card.
D. A and C
RESOURCES
Training Resources
Learn more about the Federal and Departmental laws and regulations that guide your cyber activities.
Additional Resources
Additional Guidance
Additional resources and full URLs for useful links relating to information security are provided in the links below.
Federal Rules & Guidance
Departmental Guidance
Acknowledge & Complete
Click the below link to learn how to complete the training and receive the Certificate of Completion.
Acknowledge & Feedback
HHS CATE Resources: The HHS Cybersecurity Awareness Training and Education (CATE) team has also developed CyberCare and Healthy Technology as additional resources for you. We hope that you find them helpful. At the end of the training, you will be asked to provide feedback relating to CyberCare.
Thank you for completing The Cybersecurity Awareness Training
DEPARTMENTAL GUIDANCE
Click on each title below to learn more.
In order to understand Information Security Policy and Governance, it’s important to first take a look at guidance on the departmental level.
Office of Secretary
HHS Cybersecurity Program
Operating Divisions (OpDivs)
DEPARTMENTAL GUIDANCE — Part 3
Operating Divisions (OpDivs)
OpDivs implement programs that meet specific business needs, provide business/domain expertise, and manage implementation at the OpDiv level.
The OpDivs also develop policies and procedures specific to the operating environment, and help to manage ongoing operations.
DEPARTMENTAL GUIDANCE — Part 2
HHS Cybersecurity Program
It is the Department’s information security program. Oversight is provided by the Office of the Chief Information Officer (CIO) and Chief Information Security Officer (CISO).
The Program is led by these policies:
• HHS-OCIO Policy for Information Systems Security and Privacy.
• HHS-OCIO Policy for Responding to Breaches of Personally Identifiable Information.
• Rules of Behavior for Use of HHS Information Resources.
The hyperlinks for the program’s policies are provided in slide notes.
HHS-OCIO Policy & Privacy
Provides direction on developing, managing, and operating an IT security program to the OpDivs and Staff Divisions (StaffDivs).
HHS-OCIO Policy for Breaches
Establishes actions taken to identify, manage, and respond to suspected or confirmed incidents involving Personally Identifiable Information (PII).
Rules of Behavior
Provides the rules that govern the appropriate use of all HHS information resources for Department users.
DEPARTMENTAL GUIDANCE — Part 1
Office of Secretary
Sets programmatic direction by providing an enterprise-wide perspective, and coordinating among key stakeholders.
The Department also sets standards and provides guidance, to support streamlined reporting and metrics capabilities.
STRONG PASSWORD CHARACTERISTICS
• At least eight characters in length
• Contains upper-case letter(s)
• Contains lower-case letter(s)
• Contains number(s)
• Contains special character(s): (%,^,*,?,<,>)
LESSON 2 - QUIZ 2 KEY
2) Mark is a new employee who just joined the Department. He received an email from the Help Desk to update his profile in the staff directory. The email included a link that Mark was instructed to click for access to his profile. The email also includes a telephone number for additional assistance. What should Mark do?
B. Call the Help Desk number on the Intranet to verify the email.
Explanation: Sometimes the Help Desk sends email notifications regarding network enhancements, outages, and inventory updates. If you ever doubt the validity of a Help Desk email, consult a trusted source like the Intranet, a coworker, or call the Help Desk to verify the legitimacy of the email before clicking on any links or opening attachments. Remember the Help Desk will never ask for your password.
LESSON 4 - QUIZ 1 KEY
1) Carol realized that she forwarded a sensitive HHS email to the wrong person. What should she do?
C. Both
Explanation: While the recipient of the email may or may not adhere to a request to disregard the contents of the email, it never hurts to make the request anyway, just in case. Definitely report this as an “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.
EXAMPLE OF AN ENCRYPTED MESSAGE - OUTLOOK 2007
Click here to view message encryptions in Outlook 2010, 2013 and 2016
LESSON 1 – QUIZ 2 KEY
2) Jane works in a medical facility. Jane’s sister, Sharon, treated in the same facility, asked her to check her lab results. Can Jane give her sister the results?
B. No
Explanation: Checking medical records of any patient without a “need to know” is strictly prohibited. Although Jane is an employee and has access to medical records, she is not authorized to provide her sister with this information. CUI in the form of PHI must only be disclosed to authorized personnel.
LESSON 3 - QUIZ 2 KEY
2) Lucy sent her coworker an email containing CUI just before the end of her workday. The next day, Lucy realized she forgot to encrypt the email.
Should Lucy be concerned?
A. Yes
Explanation: Lucy should have taken more time to be sure that she sent her email with the proper precautions. One must always encrypt emails with CUI first. It’s important to report this as an “incident” immediately.
LESSON 2 BRAIN TEASER 1
Time to tease your brain with a quick question!
You received an encrypted email and want to read it. Do you need your PIV card to decrypt the email message? Yes or No?
Answer: Yes
Explanation: Your PIV card contains the digital credentials required to encrypt and decrypt HHS emails; it must be connected to your laptop to decrypt emails and digitally sign emails.
TRAINING QUIZ - 4 KEY
4) Alan works on the third floor at a medical clinic. Alan’s coworker, Debby, cannot get into the electronic health record (EHR) system, because she has failed to enter the correct password. In order to reset the password, Debby would have to go see a representative from the Password Distribution Center (PDC), on the first floor of the building, leaving the secured floor where she is located. Debby is unable to go to the PDC, because she cannot find her PIV card and believes she has misplaced it. Debby asks Alan for his login credentials, so that she may access the EHR system.
C. No, sharing user credentials is a privacy violation.
FEEDBACK AND ACKNOWLEDGMENT
What do you Think?
Thank you for completing the Cybersecurity Awareness Training. Please provide your feedback in the form below. Your feedback provides valuable insight used to improve HHS computer-based trainings. Please follow the instructions on the form to submit it.
Acknowledge the Rules & Complete the Training
Employees and contractors without access to the HHS Learning Management System (LMS) can certify completion of this training by:
1) Reading the HHS Rules of Behavior;
2) Printing and signing the Cybersecurity Awareness Training Certificate below. Submit the form to your cybersecurity awareness training Point of Contact.
(All other employees/contractors with LMS access must complete the training through their LMS account.)
Cybersecurity Awareness Training
Office of the Chief Information Officer, Assistant Secretary for Administration, U.S. Department of Health and Human Services
Feedback is optional, but needed for the continuous improvement of the training. If you decide to complete the form, please click on Submit Form to send it to [email protected]. Please use the following scale to answer the questions below:
A. Strongly Agree; B. Agree; C. Neutral; D. Disagree; E. Strongly Disagree.
Content
1. The training is outlined in a way that increases my interest and awareness of cybersecurity and privacy threats.
2. The training helped me develop skills to recognize cybersecurity incidents and privacy threats.
3. The training activities, interaction, and knowledge checks helped me understand the content more clearly.
Delivery
4. The online delivery had the right level of user interaction and involvement.
5. The length of the training is appropriate to learn the information presented.
6. Navigation and links are easily accessible and helped me learn more about cyber security.
CyberCARE
7. Are you familiar with CyberCARE awareness articles? Yes / No
8. I have read _____ CyberCARE awareness articles. (A. 0 B. 1-5 C. 6-10 D. 10 E. More than 10)
9. I have found CyberCARE articles to be helpful. (A. Strongly Agree; B. Agree; C. Neutral; D. Disagree; E. Strongly Disagree.)
LESSON 4 - QUIZ 2 KEY
2) An OpDiv experienced laptop thefts. What should the manager on site do?
C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.
Explanation: It’s imperative to report stolen Government Furnished Equipment (GFE) like laptops immediately to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team. While the laptops are replaceable, the loss of information contained on them is not.
LESSON 1 - KNOWLEDGE CHECK - ANSWER KEY
Answer: Yes
Explanation: The file forwarded to Ms. Smith contains some PII details that can identify Mr. Rabia easily if complemented with other details from social media or public directories.
DATA DISPOSAL METHODS
Records
Any information deemed a record should be disposed in accordance with approved records disposition schedules and departmental policies. Consult the HHS records retention policy or contact the HHS Record Management office before disposal of any information to prevent destruction of records that employees should preserve.
Non-Digital
If CUI is on non-digital media, such as paper, and is not a record, one should take the following measures:
• Refrain from disposing in the trash bin.
• Shred paper using cross cut shredders.
Digital
Electronic or digital media are hard drives, disks, floppies, tapes, flash memory, Universal Serial Bus (USB), phones, mobile computing devices, networking devices, etc. If CUI is on electronic media and is not a record, submit the media to the Operating Division (OpDiv) Help Desk for sanitization.
TRAINING QUIZ - 3 KEY
3) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS laptop. Fred is an HHS contractor. His laptop contained pictures of his children; five HHS grantee applications with grantees’ full names, home addresses, work addresses, SSNs, employer identification numbers (EIN), and a couple of case files containing patient full name, address, gender, date of birth, medical record number, medical notes, address, and health care facility name.
B. Yes, Fred does need to report this incident because it involved HHS information. All HHS employees, contractors, and personnel are responsible for reporting cybersecurity breaches.
LESSON 1 – QUIZ 1 KEY
1) In 2016, a hospital reported to the Department a security breach that affected the records of up to 405,000 patients, employees, and employees’ beneficiaries. What type of data was lost?
C. Both
Explanation: Along with the PHI that had been stolen, the malicious actors gained access to the PII of employees and their beneficiaries. PII includes social security numbers, addresses, dates of birth, etc.
PIV PROTECTION PRACTICES
Never allow someone physical access to a secured area without a PIV card.
Keep your PIV card on you at all times as you move around your office, and/or office buildings.
Never leave your PIV card unattended.
Lock your computer and remove your PIV card from your computer when you are not at your desk.
Never allow someone else to use your PIV card to access a computer system.
PASSWORD PROTECTION TIPS
Mandatory practices: Best practices:
NEVER share your password with anyone. Report anyone who asks for your password to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team
Create a different password for each system, application, financial institution, or social website.
If you suspect your password is compromised, change it immediately and report the compromised password as an incident.
Change your password periodically in accordance with HHS policy.
Commit passwords to memory. One way to do this is to use an easily remembered song or phrase and substitute letters and numbers for words. Example: “I Like To Sing and Take Long Walks” = 1L2$&Tlw.
Do not reuse passwords until after using at least six other passwords.
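The STRONG PASSWORD CHARACTERISTICS list and the reuse rule above describe a password policy in words. The following checker is an added example written for this page, not HHS code or the policy engine of any HHS system: it tests a candidate against the five listed characteristics and against a history of the last six passwords. Two assumptions are labelled in the comments: the training lists (%,^,*,?,<,>) only as examples of special characters, so the checker accepts any printable non-alphanumeric character (this keeps the training's own mnemonic password "1L2$&Tlw" valid), and the history is kept as salted PBKDF2 hashes so that no previous password is ever stored in clear text.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import deque

# Rules taken from the training's "Strong Password Characteristics" list.
MIN_LENGTH = 8
# From "Do not reuse passwords until after using at least six other passwords":
# a candidate is rejected if it matches any of the last six passwords.
HISTORY_DEPTH = 6


def _is_special(c: str) -> bool:
    # Assumption: the training lists (%,^,*,?,<,>) as examples only, so any
    # printable character that is neither a letter, a digit nor whitespace counts.
    return c.isprintable() and not c.isalnum() and not c.isspace()


def policy_violations(password: str) -> list[str]:
    """Return the strong-password rules the candidate fails (empty list = passes)."""
    failed: list[str] = []
    if len(password) < MIN_LENGTH:
        failed.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failed.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failed.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failed.append("no number")
    if not any(_is_special(c) for c in password):
        failed.append("no special character")
    return failed


class PasswordHistory:
    """Remembers the last HISTORY_DEPTH passwords as salted PBKDF2-HMAC-SHA256
    digests, so reuse can be detected without keeping any old password in clear."""

    ITERATIONS = 100_000  # assumed work factor for this example

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        # (salt, digest) pairs, oldest first; the deque drops the oldest entry
        # automatically once more than `depth` passwords have been recorded.
        self._entries: deque[tuple[bytes, bytes]] = deque(maxlen=depth)

    @classmethod
    def _digest(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, cls.ITERATIONS)

    def add(self, password: str) -> None:
        """Record a password that has just been set as the user's current one."""
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))

    def was_used_recently(self, password: str) -> bool:
        """True if the candidate equals one of the remembered passwords."""
        return any(
            hmac.compare_digest(self._digest(password, salt), digest)
            for salt, digest in self._entries
        )


def validate_new_password(candidate: str, history: PasswordHistory) -> list[str]:
    """Combine the composition rules with the reuse rule; empty list = acceptable."""
    problems = policy_violations(candidate)
    if history.was_used_recently(candidate):
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample values: the training's mnemonic and a weak candidate.
    print("1L2$&Tlw ->", policy_violations("1L2$&Tlw") or "passes")
    print("password ->", policy_violations("password"))
    history = PasswordHistory()
    history.add("Winter%2024")
    print("reuse of Winter%2024 ->", validate_new_password("Winter%2024", history))
```

The history check is the part people usually get wrong: comparing against stored clear-text passwords would turn the history file into a second credential database, so each old password is hashed with its own random salt and compared in constant time.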
LESSON 2 - QUIZ 1 KEY
1) Which of the following answers list the correct steps to send an encrypted email in MS Outlook ® 2010?
Choice B
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, select the “Encrypt” icon.
4. Type your message and hit the “Send” button.
Explanation: The “Encrypt” button is under the “Option” tab in Outlook ®. You need to encrypt every email containing CUI.
LESSON 3 - QUIZ 1 KEY
1) Updating his social media accounts is one of Trevor’s favorite activities. Trevor likes to tell everyone how lucky he is to work at HHS. One day, Trevor’s old friend Mike from high school sent him a “friend” request. Trevor hasn’t spoken to Mike in a while but accepted the friendship in hopes that they could catch up. Trevor clicks on a link in a social media instant message from Mike while working on his HHS laptop. The link went to a blank page. Trevor realized that the friend request was actually from someone he didn’t know. Trevor immediately “un-friended” the person. Should Trevor worry about his HHS laptop being compromised?
A. Yes
Explanation: Trevor put his HHS laptop at risk by visiting a social media website and clicking on an unverified link. In doing so, he unsuspectingly downloaded a virus onto his HHS laptop. Trevor should worry that his action compromised the HHS laptop, and he must immediately report the incident to the 24-hour CSIRC ([email protected]) and to his OpDiv’s Incident Response Team.
LESSON 2 - KNOWLEDGE CHECK - ANSWER KEY
Answer: C
Explanation: CUI information shall not be transferred using unsecured public Wi-Fi. CUI must only be transmitted through secured network environments.
Office of the Chief Information Officer, Assistant Secretary for Administration, Department of Health and Human Services
FY18 Cybersecurity Awareness Training Training Transcripts
Security Governance, Risk Management, and Compliance (GRC)
Office of the Chief Information Officer
Assistant Secretary for Administration
U.S. Department of Health and Human Services
Table of Contents
Section 1 - Introduction ............................................. 3
  Welcome! ........................................................... 3
  Learner’s Corner ................................................... 3
  You are the Target ................................................. 4
  Training Objectives ................................................ 4
  Table of Contents .................................................. 5
Section 2 - Lessons .................................................. 6
  Lesson 1 – Controlled Unclassified Information ..................... 6
    Overview ......................................................... 6
    Objectives ....................................................... 6
    Topics ........................................................... 6
    Lesson Summary .................................................. 11
    Lesson Quiz ..................................................... 11
  Lesson 2 – Securing Information ................................... 12
    Overview ........................................................ 12
    Objectives ...................................................... 12
    Topics .......................................................... 12
    Lesson 2 Summary ................................................ 20
    Lesson Quiz ..................................................... 21
  Lesson 3 – Social Engineering ..................................... 23
    Overview ........................................................ 23
    Objectives ...................................................... 23
    Topics .......................................................... 23
    Lesson Summary .................................................. 30
    Lesson Quiz ..................................................... 31
  Lesson 4 – Breaches and Reporting ................................. 32
    Overview ........................................................ 32
    Objectives ...................................................... 32
    Topics .......................................................... 32
    Lesson Summary .................................................. 35
    Lesson Quiz ..................................................... 36
Section 3 - Conclusion .............................................. 37
  Training Wrap Up .................................................. 37
  Training Quiz ..................................................... 38
  Resources ......................................................... 40
    Training Resources .............................................. 40
    Additional Guidance ............................................. 40
  Acknowledgment and Feedback ....................................... 42
    What Do You Think? .............................................. 42
    Acknowledge & Complete It ....................................... 42
    Feedback Form ................................................... 44
2
Section 1 - Introduction
Welcome!
This training provides the U.S. Department of Health and Human Services (HHS)
employees, contractors, interns, and others with the knowledge to protect HHS
information and information systems, and to minimize the risks of internal and
external cyber threats1. The goal of this training is to inform the HHS workforce of
threats to HHS information and information systems, and provide best practices to
defend the HHS mission from these threats.
Learner’s Corner
o The transcript icon on the upper right provides access to the transcript
document.
o The slide notes contain answers to the knowledge checks and any additional
information accessible through a pop-up window.
1 This training fulfills the Federal Information Security Modernization Act (FISMA) of 2014 requirement and HHS IS2P recommendation for security awareness training for users of federal information systems.
3
o Navigation to lessons is provided in the upper right section of the Powerpoint
or in the bookmarks in the PDF version.
o Click on the X in the top right corner of the window to close forms and pop-
up windows.
o The training is fully accessible through keyboard and shortcuts.
You are the Target
What do hackers look for?
Hackers and adversaries are constantly seeking personally identifiable information
(PII) and protected health information (PHI) stored on HHS information systems for
the purpose of committing health insurance fraud, identity theft, and other financial
crimes. As an HHS employee, contractor, intern, or Commissioned Corps of the U.S.
Public Health Service personnel, you are a target because you have access to what
the cybercriminals are looking for—PII, PHI, financial, personnel, grant, research, and
patient medical information.
Hackers’ methods to obtain your information:
• Unattended devices
• Information from your online profile
• Email/ phone scams
• Compromised passwords
Training Objectives
Click on the icon on the left below or use the shortcut Alt+H to advance to the next objective.
1- Develop and demonstrate foundational-level knowledge of cybersecurity.
2- Employ best practices to protect privacy and safeguard Controlled Unclassified
Information (CUI).
3- Recognize cyber threats to information systems.
4- Identify and report potential cybersecurity and privacy incidents promptly.
4
Table of Contents Select a lesson to progress through the training.
In this training, we will discuss why you need cybersecurity in the workplace, how to
secure HHS information, and how to identify social engineering tricks often used by
cyber criminals. We will also describe different types of cybersecurity breaches and
how to report them.
Lesson 1 — Controlled Unclassified Information — Definitions and examples of CUI, PII and PHI.
Lesson 2 — Securing Information — Best practices to protect HHS information assets.
Lesson 3 — Social Engineering — Methods used to manipulate people.
Lesson 4 — Breaches and Reporting — What are breaches and how to report them?
5
Section 2 - Lessons
Lesson 1 – Controlled Unclassified Information: Definitions and examples of CUI, PII and PHI
Overview
This lesson describes cybersecurity and the different types of Controlled Unclassified
Information (CUI), including PII and PHI. The lesson also identifies best practices for
you to apply within your workplace.
Objectives
• Define cybersecurity.
• Describe the different types of CUI.
• Define and give examples of PII and PHI.
Topics
• What is Cybersecurity?
• What is CUI?
• Definitions and examples of PII and PHI
What is Cybersecurity?
Cybersecurity is the action taken to protect information and information systems
from unauthorized access, use, disclosure, disruption, modification, or destruction.
On a daily basis, we use many convenient ways to access information and
information systems. They include the use of passwords, personal identity
verification (PIV) cards, email, remote access, etc. Using the best practices within
this training on a daily basis helps HHS personnel protect HHS information from
hackers attempting to gain access.
6
What is CUI?
Controlled Unclassified Information
CUI (sensitive data) is information that has a degree of confidentiality such that its
loss, misuse, unauthorized access, or modification could compromise the element of
confidentiality and thereby adversely affect national health interests, the operation of
HHS programs, or the privacy of the Health Insurance Portability and Accountability
Act (HIPAA). In this training, we will refer to sensitive data as CUI.2
Types of CUI
• Personally Identifiable Information (PII)
• Protected Health Information (PHI)
• Intellectual Property
• Financial Data
In this training, we will focus on PII and PHI.
2 The CUI framework outlined in the NIST SP 800-60 Rev 1 memo is intended to replace common—but inconsistently applied—markings such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU) with one framework for the federal government to designate, mark, safeguard, and disseminate information.
7
PII & PHI
What is PII?
PII is “information which can be used to distinguish or trace an individual's identity,
such as their name, social security number (SSN), biometric records, etc. alone or
when combined with other personal or identifying information which is linked or
linkable to a specific individual, such as date and place of birth, mother’s maiden
name, etc.”3
What is PHI?
PHI is defined as any individually identifiable health information that is explicitly
linked to a particular individual and health information which can allow individual
identification. PHI also includes many common identifiers as name, address, birth
date, and social security number.4
Click on the PII/ PHI icon for examples.
PII
Personally Identifiable Information (PII)
The following list contains examples of information that may be considered PII:
• Name, such as full name, maiden name, mother’s maiden name, or alias.
• Personal identification number, such as SSN, passport number, driver‘s
license number, taxpayer identification number, patient identification
number, and financial account or credit card number.
• Address information, such as street address or email address.
• Telephone numbers, including mobile, business, and personal numbers.
• Information identifying personally owned property, such as vehicle
registration number or title number and related information.
3 Defined in Office of Management and Budget (OMB) M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
4 (Defined in the Health Insurance Portability and Accountability Act of 1996 [HIPAA.])
8
• Asset information, such as Internet Protocol (IP) or Media Access Control
(MAC) address.
• Personal characteristics, including photographic image (especially of face or
other distinguishing characteristic), x-rays, fingerprints, or other biometric
image or template data (e.g., retina scan, voice signature, facial
geometry).
• Information about an individual that is linked or linkable to one of the
above (e.g., date of birth, place of birth, race, religion, weight, activities,
geographical indicators, employment information, medical information,
education information, financial information).
PHI
PHI is information, including demographic data, that relates to the following:
• The individual’s past, present, or future physical or mental health or condition;
• The provision of health care to the individual; and
• The past, present, or future payment for the provision of health care to the
individual.
Knowledge Check
Read the following scenario, and then answer the question.
Do you think the following information can be used to identify Mr. Rabia?
A dentist office recently provided Ms. Jasmin Smith with a copy of her referral
documents for the orthodontist. The following information was accidentally included
in the file forwarded to Ms. Smith:
Applicant name: Mr. Renee Rabia
Height: 6”
Eye color: Brown
Hair color: Brown
Zip Code: 22033
Birthplace: Mozambique
Age: 40
City of Residence: Fairfax, VA
Do you think this information can help identify Mr. Rabia?
• Yes
• No
Answer: Yes
Explanation: The file forwarded to Ms. Smith contains some PII details that can
identify Mr. Rabia easily if complemented with other details from social media or
public directories.
Lesson Summary
In this lesson, you learned to—
• Define cybersecurity, CUI, PII and PHI.
• Identify CUI, PII and PHI.
Your ability to identify and protect CUI, including PII and PHI, will help you integrate
a solid foundation of cybersecurity best practices into your daily work tasks and
projects.
Lesson Quiz
Read the scenarios below and answer the question. Click on the “?” or use the
shortcut Alt+H for the answer key.
1) In 2016, a hospital reported to the Department a security breach that affected
the records of up to 405,000 patients, employees, and employees’
beneficiaries. What type of data was lost?
A. PII
B. PHI
C. Both
D. None
Answer: C
Explanation: Along with the PHI that had been stolen, the malicious actors gained
access to the PII of employees and their beneficiaries. PII includes social security
numbers, addresses, dates of birth, etc.
2) Jane works in a medical facility. Jane’s sister, Sharon, who was treated in the same
facility, asked her to check her lab results. Can Jane give her sister the
results?
• Yes
• No
Answer: No
Explanation: Checking medical records of any patient without a “need to know” is
strictly prohibited. Although Jane is an employee and has access to medical records,
she is not authorized to provide her sister with this information. CUI in the form of
PHI must only be disclosed to authorized personnel.
Lesson 2 – Securing Information
Best practices to protect HHS information assets.
Overview
All HHS employees, contractors, and personnel have a responsibility to protect HHS
information and information systems from unauthorized access, use, disclosure,
disruption, modification, or destruction.
Objectives
• Identify the characteristics of a “strong” password.
• Apply GFE Protection Rules.
• Create and send encrypted email.
• List steps to store and dispose of data.
Topics
• PIV Card and Passwords
• Wi-Fi Networks
• GFE during Foreign Travel
• Email Use and Encryption
• Data Storage and Disposal
PIV Cards
Personal Identity Verification Cards
Personal Identity Verification (PIV) cards are official government-issued identification
cards that grant you authorized access to HHS government buildings and secured
areas based on your job role. You will also use your PIV card as an authentication device
to access your government-issued computer. PIV cards contain the digital credentials
used to encrypt emails, digitally sign documents, and verify physical access
privileges.
Brain Teaser
The Brain Teaser question, answer key, and explanation are provided in the slide
notes.
Time to tease your brain with a quick question!
Click on the Q icon below for a brain teaser.
You received an encrypted email and want to read it. Do you need your PIV card to
decrypt the email message?
• Yes
• No
Answer: Yes
Explanation: Your PIV card contains the digital credentials required to encrypt and
decrypt HHS emails, and it must be connected to your laptop to decrypt and digitally
sign emails.
Do you want to learn more? Click on the Tip icon to the right for the best practices to
protect your PIV card.
PIV Protection Practices
1. Lock your computer and remove your PIV card from your computer when you
are not at your desk.
2. Never leave your PIV card unattended.
3. Keep your PIV card on you at all times as you move around your office, and/or
office buildings.
4. Never allow someone physical access to a secured area without a PIV card.
5. Never allow someone else to use your PIV card to access a computer system.
Passwords5
Strong Passwords
What are “strong” passwords?
A strong password includes a random combination of 8 or more characters drawn from
numbers, symbols, and capital and lower-case letters. Using a variety of character types
increases the time it takes to crack the password. Use an easily remembered phrase and
substitute letters and numbers for its words; this is called a passphrase. Here’s an
example: “I Like To Sing and Take Long Walks” = 1L2$&Tlw.
Do Not…
• Create easy-to-remember passwords.
• Use obvious passwords related to common information such as a child’s or
pet’s name, or your favorite sports team.
• Use passwords that someone can guess, using your social media information.
• Write down your password in a place that is accessible to others.
• Share your password with anyone, including systems administrators.
Click on the Key image for strong passwords characteristics.
Strong Passwords Characteristics
• At least eight characters in length
• Contains upper-case letter(s)
• Contains lower-case letter(s)
• Contains number(s)
• Contains special character(s): (%, ^, *, ?, <, >)
5 For additional information, please see the HHS ISP policy on passwords at—OIS Policies, Standards, Memoranda & Guides
Brain Teaser
The Brain Teaser question, answer key, and explanation are provided in the slide
notes.
Now that we’ve discussed the topic of passwords, let’s answer a question.
Click on the Q icon below for a quick brain teaser.
1. Which of the following is a good way to remember a password?
A. Use a favorite team name.
B. Use a familiar word with your birthdate.
C. Create a word with your child’s name.
D. Create a passphrase.
Answer: D.
Explanation: A passphrase is a phrase used to help you to remember a password.
It’s known only to you. It contains at least one upper-case letter, one lower-case
letter, one number, and a special character.
Do you want to learn more? Click on this Tip icon.
Password Protection Tips
Mandatory practices:
• NEVER share your password with anyone. Report anyone who asks for your
password to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident
Response Team.
• If you suspect your password is compromised, change it immediately and
report the compromised password as an incident.
• Commit passwords to memory. One way to do this is to use an easily
remembered song or phrase and substitute letters and numbers for words.
Example: “I Like To Sing and Take Long Walks” = 1L2$&Tlw.
Best practices:
• Create a different password for each system, application, financial institution,
or social website.
• Change your password periodically in accordance with HHS policy.
• Do not reuse passwords until after using at least six other passwords.
Wi-Fi Networks
It’s important to remember that malicious actors could be lurking in the free Wi-Fi
networks that you may be accustomed to accessing while at your local coffee shop,
or while traveling. Do not expose your Government Furnished Equipment (GFE) to
unnecessary security risks by connecting to free unsecure Wi-Fi networks. Only use
secured Wi-Fi networks such as your home Wi-Fi or Hotspot devices (mobile
phone/tablet).
Click on the Blue Ball to the right for more guidelines.
Guidelines on the secure use of Wi-Fi
• Ensure the proper configuration of the wireless security options on your
computing wireless devices and the router or the modem used to connect to
the Internet.
• Do not access or transmit Controlled Unclassified Information (CUI) when
using an unsecure connection.
Knowledge Check
Read the following scenario, and then answer the question.
You are a grant management analyst and you’re attending a workshop in a hotel
conference center. It’s now during your lunch break and you receive a phone call
from your supervisor asking you to email some important grant documents to her.
You only have access to the conference center’s guest Wi-Fi, which is open for
public use.
Which action from the list below is NOT recommended?
A. Apologize to your supervisor that you cannot send her the list until you are
connected to a secure Wi-Fi.
B. Use a secure browser and secure VPN if you have one.
C. Send your supervisor the information using the unsecure Wi-Fi at the hotel.
D. Do not work on sensitive materials while connected to unsecure Wi-Fi.
Answer: C
Explanation: CUI shall not be transferred using unsecured public Wi-Fi.
CUI must only be transmitted through secured network environments.
GFE during Foreign Travel
According to the HHS Chief Information Officer, Use of Government Furnished
Equipment (GFE) During Foreign Travel memo (dated December 2016), “HHS
travelers should not have any expectation of privacy regarding any communication
while traveling to foreign countries. Moreover, one may expose and compromise GFE
to an increased level of risk during foreign travel. Someone other than the intended
recipient may intercept unencrypted email communications and non-secure phone
calls and our adversaries overseas and other bad actors, such as international
criminal organizations, often target GFE. HHS GFE is not permitted on unofficial,
personal foreign travel. All HHS personnel traveling abroad on official business must
follow the Office of Security and Strategic Information’s Foreign Travel Checklist
guidelines and contact OSSI at [email protected] as early as possible.6”
Email Protocols
HHS Email Accounts
HHS email accounts are for official government business; however, employees may
have limited personal use of their HHS email. Employees should NEVER conduct
official HHS business with their personal email accounts7.
Do Not …
• Use your HHS email address to create personal commercial accounts for the
purpose of receiving personal notifications, to set up a personal business or
website, or to sign up for memberships.
• Let your personal emails disrupt your productivity, interrupt service, or cause
congestion on the network (e.g., by sending spam or large media files), or use
them to engage in inappropriate activities.
6 Use of Government Furnished Equipment (GFE) During Foreign Travel OIS Policies, Standards, Memoranda & Guides
7 Review the Rules of Behavior for Use of HHS Information Resources for more information.
Encryption
Encryption is the process of encoding messages or information in such a way that
only authorized parties can read it. Encryption does not prevent interception, but it
denies unauthorized persons and software the ability to interpret the message
content. HHS policy requires files containing CUI to be encrypted while in
transfer and while stored8. Emails that contain CUI must be encrypted
before the sender sends them.
When encrypting emails using MS Outlook and a PIV card, it’s important to
remember that the email can only be decrypted by internal HHS recipients. If the
user is sending an encrypted email from an HHS email account to an external
recipient, the recipient will not be able to decrypt or read the content of the email.
When the recipients open the email, they will enter their PIN and MS Outlook
will decrypt and display the contents of the email.
Email Encryption Steps:
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New E-mail.”
3. Under the Options tab, select the “Encrypt” button.
4. Type your message and hit the “Send” button.
Click on the Red box in the right corner for an example of an encrypted message.
8 Be sure to refer to your Operating Division helpdesk for instructions on how to use encryption technology. Encryption information and alternatives can be found by visiting HHS Cybersecurity Program Encryption
An email image with “Big secrets inside” in the subject line. The message body
reads, “This message contains TOP SECRET information!”
An arrow in Outlook points to the “Encrypt” button. A text box below the arrow
reads, “Encrypt this message to make it harder for unauthorized people to read it.”
This text box message is viewable when hovering over the “Encrypt” button, as shown
in the image. Click here for message encryption in Outlook 2010, 2013 and 2016.
Brain Teaser
The Brain Teaser question, answer key, and explanation are provided in the slide
notes.
Let’s see if you've learned what is needed to open an encrypted email.
Click on the “Q” icon for a quick brain teaser.
Which of the following items are necessary when opening an encrypted email?
A. E-signature.
B. Digital certificate.
C. User’s PIN.
D. PIV Card.
Answer: C and D.
Explanation: Remember, both your PIN and your PIV card are required to decrypt
and read an email sent from an HHS email account. If the user is sending an
encrypted email from an HHS email account to an external recipient, the recipient will
not be able to decrypt or read the content of the email.
Data Storage & Disposal
Data Storage: Data storage means maintaining or storing CUI. When safeguarding CUI, back up all stored or transmitted information, encrypt the backups, and file or archive the encrypted backup copies.
Data Disposal: If a media device containing CUI is obsolete or no longer usable or required, it should be disposed of in accordance with applicable laws and regulations. Disposal rules apply to information in paper, computer, or any other format.
Click on the folders icon on the right for data disposal methods.
Records
Any information deemed a record should be disposed of in accordance with approved
records disposition schedules and departmental policies. Consult the HHS records
retention policy or contact the HHS Record Management office before disposing of any
information, to prevent destruction of records that employees should preserve.9
Digital
Electronic or digital media include hard drives, disks, floppies, tapes, flash memory,
Universal Serial Bus (USB) devices, phones, mobile computing devices, networking devices,
etc. If CUI is on electronic media and is not a record, submit the media to the
Operating Division (OpDiv) Help Desk for sanitization.
Non-Digital
If CUI is on non-digital media, such as paper, and is not a record, one should take
the following measures:
• Do not dispose of it in the trash bin.
• Shred paper using cross-cut shredders.
Lesson 2 Summary
In this lesson, you learned how to:
• Create and protect strong passwords.
• Protect your PIV card from unauthorized use.
• Send an encrypted email.
Applying these best practices will help protect HHS information and information
systems from hackers. Cybersecurity starts with you!
9 For more information, visit Record Management webpage.
Lesson Quiz
Read the scenario below and answer the question. Please select from the answers below or use the shortcut Alt+H for the answer key.
1) Which of the following options list the correct steps to send an encrypted email
in MS Outlook 2010?
Choice A
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, check the “Request a Read Receipt” box.
4. Type your message and hit the “Send” button.
Choice B (Correct Answer)
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, select the “Encrypt” icon.
4. Type your message and hit the “Send” button.
Choice C
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, select the “Permission” icon.
4. Type your message and hit the “Send” button.
Choice D
1. Insert your PIV card into the PIV card reader.
2. Under the Home tab, select “New Email.”
3. Under the Options tab, check the “Request a Delivery Receipt” box.
4. Type your message and hit the “Send” button.
Answer: B
Explanation: The “Encrypt” button is under the “Options” tab in Outlook. You need
to encrypt every email containing CUI.
2) Mark is a new employee who just joined the Department. He received an
email from the Help Desk asking him to update his profile in the staff directory. The email
included a link that Mark was instructed to click for access to his profile. The
email also included a telephone number for additional assistance.
What should Mark do?
A. Click on the link to update his profile.
B. Call the Help Desk number on the Intranet to verify the email.
C. Delete the email; it’s spam.
D. Mark should call the number given in the email to confirm the request.
Answer: B
Explanation: Sometimes the Help Desk sends email notifications regarding network
enhancements, outages, and inventory updates. If you ever doubt the validity of a
Help Desk email, consult a trusted source like the Intranet, a coworker, or call the
Help Desk to verify the legitimacy of the email before clicking on any links or opening
attachments. Remember the Help Desk will never ask for your password.
Lesson 3 – Social Engineering
Methods used to manipulate people.
Overview
Welcome to Lesson 3! In this lesson, we will identify how social engineers use
phishing, phone scams, and social media to bait unsuspecting HHS employees
into providing them access to HHS information and information systems.
Objectives
• Define social engineering and the types of attacks associated with it.
• Identify and report phishing emails.
• Determine ways to limit information posted on social media.
• Recognize techniques to handle suspicious phone calls.
• Identify and report Insider Threats.
Topics
• Social Engineering Overview
• Phishing
• Social Media
• Phone Scams
• Insider Threat
Social Engineering
It’s critical that you understand the most common methods used by criminals to
manipulate people into providing information. Social engineering (human
manipulation) is the use of deception to manipulate individuals into divulging
confidential or personal information that the social engineer may use for fraudulent
purposes.
Malicious actors could appear to be a coworker or a “friend” in an effort to gain your
trust so that they can obtain access to HHS information and information systems
through you.
Phishing
What’s phishing?
Phishing is a social engineering scam whereby intruders seek access to information
or information systems by posing as a real business or organization with legitimate
reason to request information.
Phishing emails (or texts) quite often alert you to a problem with your account and
ask you to click on a link and provide information to correct the problem.
How does it work?
These emails look real and often contain the organization’s logo and trademark. The
uniform resource locator (URL) in the email can resemble the authentic web
address, for example “Amazons.com,” differing by a very minor spelling error that one
can easily overlook.
Links included in phishing emails can download malicious programs onto your
computer or mobile device and allow the attacker access to the device, connected
devices, and the information stored on those devices.
Click on the hacker’s icon to the right for a phishing example.
Email message description:
From: Katanabank <[email protected]>
Sub: Online Access Confirmation
Start of Message
URGENT PLEASE
We are updating our online banking system and we need you to immediately access
information to enroll in the new system. Please click on the link below to update your
account.
Erroneous link
Misspelled line that quotes: verify your account immediately or it will be deleted.
2016 Katanabank Ltd.
End of Message
Ask yourself, "What's wrong with this email?"
Phishing Red flags:
1. Do you recognize the sender?
2. Does the email give a sense of urgency and immediate action is required?
3. Is the email asking you to follow a link?
4. Is it poorly written?
5. Does the email provide the sender’s contact information? Legitimate messages
provide a way for the recipient to validate them (contact person or department and
phone number).
6. Check the validity of the link by holding the mouse on the link for a moment.
Does the destination match the link text? Most email programs and web
browsers will display the actual destination of a link in a popup box. Fake
websites infect your computer with malware or steal your login credentials.
Check the web address by hovering your mouse pointer over the link in the
email to reveal the true website location.
Applying these flags to our email image, several phishing signs can be
found:
1. Does the email give a sense of urgency and immediate action is required?
Flag: the email contains words like: Urgent Please, immediately, will be
deleted.
2. Is the email asking you to follow a link? Flag: the email has a link whose
destination differs from the link text when the user hovers over it.
3. Is it poorly written? Flag: the email has spelling mistakes in words like: verify,
immediately, deleted.
4. Does the email provide the sender’s contact information? Flag: the email ends
with 2016 Katanabank Ltd. and does not provide any contact information.
5. Check the validity of the link by holding the mouse on the link for a moment.
Does the destination match the link text? Flag: hovering over the link shows a
destination that does not match the link that users are asked to follow.
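The red flags above can also be applied mechanically, the way a mail filter or a help-desk triage script would. The following is an added example, not part of the HHS training: it encodes the five flags as checks and runs them over a constructed message modelled on the Katanabank email; the sender addresses, .example domains, word lists and exact typos are all assumptions made for illustration.

```python
"""Phishing red-flag checker (added example, not part of the HHS training).

Turns the training's red flags (unknown sender, urgency, link text vs. real
destination, poor spelling, no contact details) into checks and runs them over a
constructed message modelled on the Katanabank example. Every address, domain,
word list and sample text below is an assumption made for illustration.
"""
import re
from collections import namedtuple
from urllib.parse import urlparse

# Assumed word lists for this illustration (not supplied by HHS).
URGENCY_WORDS = {"urgent", "immediately", "deleted", "suspended"}
# Misspelled form -> intended word. The training only says that "verify",
# "immediately" and "deleted" are misspelled; these exact typos are constructed.
KNOWN_TYPOS = {"verfy": "verify", "immediatly": "immediately", "delted": "deleted"}
WORD_RE = re.compile(r"[a-z']+")
PHONE_RE = re.compile(r"\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}")
URL_LIKE_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

# links: (anchor text, real href) pairs, as a mail client exposes them on hover.
Email = namedtuple("Email", "sender subject body links")
Finding = namedtuple("Finding", "flag detail")


def host_of(url):
    """Lower-cased host of a URL; bare 'example.com/path' text is accepted too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return parsed.hostname or ""


def sender_domain(msg):
    return msg.sender.rsplit("@", 1)[-1].lower()


def flag_unknown_sender(msg, known_domains):
    # Red flag 1: do you recognize the sender? Here: is its domain on an allow-list.
    dom = sender_domain(msg)
    if dom in known_domains:
        return []
    return [Finding("unknown-sender", f"sender domain '{dom}' is not a known correspondent")]


def flag_urgency(msg):
    # Red flag 2: pressure words in the subject or body.
    words = set(WORD_RE.findall((msg.subject + " " + msg.body).lower()))
    hits = sorted(words & URGENCY_WORDS)
    return [Finding("urgency", "pressure words: " + ", ".join(hits))] if hits else []


def flag_link_mismatch(msg):
    # Red flags 3 and 6: visible link text that disagrees with the real destination,
    # or a destination that is not the sender's own domain.
    out = []
    for text, href in msg.links:
        shown = host_of(text) if URL_LIKE_RE.fullmatch(text.strip()) else ""
        actual = host_of(href)
        if shown and shown != actual:
            out.append(Finding("link-mismatch", f"text shows {shown} but goes to {actual}"))
        elif actual and actual != sender_domain(msg):
            out.append(Finding("link-mismatch", f"link goes to {actual}, not {sender_domain(msg)}"))
    return out


def flag_misspellings(msg):
    # Red flag 4: is it poorly written? A tiny typo table stands in for a spell checker.
    words = WORD_RE.findall(msg.body.lower())
    typos = sorted({f"{w} (for '{KNOWN_TYPOS[w]}')" for w in words if w in KNOWN_TYPOS})
    return [Finding("poor-spelling", "; ".join(typos))] if typos else []


def flag_missing_contact(msg):
    # Red flag 5: legitimate messages give the recipient a way to validate them.
    if PHONE_RE.search(msg.body) or "contact" in msg.body.lower():
        return []
    return [Finding("no-contact", "no phone number or contact line to verify the request")]


def check_email(msg, known_domains):
    """Run every red-flag check; an empty list means nothing suspicious was found."""
    return (flag_unknown_sender(msg, known_domains) + flag_urgency(msg)
            + flag_link_mismatch(msg) + flag_misspellings(msg) + flag_missing_contact(msg))


def sample_phish():
    # Constructed message modelled on the training's Katanabank example.
    return Email(
        sender="alerts@katanabank-online.example",
        subject="Online Access Confirmation",
        body=("URGENT PLEASE\nWe are updating our online banking system and we need you "
              "to immediately access information to enroll in the new system. Please "
              "click on the link below to update your account.\n"
              "Verfy your account immediatly or it will be delted.\n2016 Katanabank Ltd."),
        links=[("https://www.katanabank.example/update",
                "http://katanabank-online.example/verify")])


def sample_legitimate():
    # Constructed notice that gives a verifiable contact and links only to its own domain.
    return Email(
        sender="helpdesk@agency.example",
        subject="Scheduled directory maintenance",
        body=("The staff directory will be read-only on Saturday from 8 AM to noon.\n"
              "Questions: contact the Help Desk at 555-010-0199."),
        links=[("agency.example/directory", "https://agency.example/directory")])
```

Calling `check_email(sample_phish(), {"katanabank.example"})` returns one finding per red flag (all five), while the constructed legitimate notice returns none; as with any heuristic, a clean result is a reason to verify through a trusted channel, not proof that a message is safe.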
Suspicious e-mails
If you are suspicious of an email:
• Forward the email to [email protected] and then delete it permanently from your
Inbox and Trash folders.
• Do not click on the links provided in the email.
• Do not open any attachments in the email.
• Do not provide personal information or financial data.
Brain Teaser
The Brain Teaser question, answer key, and explanation are provided in the slide
notes.
Let’s take a look at the following phishing brain teaser!
Click on the Q icon below for a quick brain teaser.
Brian received a phone call at work. “Tech Support” called to verify information on
his computer. Brian was instructed to provide network and password information
over the phone. Brian obliged and provided the requested information. Did Brian
take the correct action?
• Yes
• No
Answer: No
Explanation: It’s never a good idea to provide Controlled Unclassified Information
(CUI) over the phone. Think about it for a second… “Why would Tech Support need
to verify information that they should already have?” A more appropriate response
would be to either call Tech Support back on a verified number, or to walk over to
their department to determine if the request is legitimate. Always find a way to
verify before providing sensitive information in any form.
Social Media
It’s critical that you understand the threats you may encounter when using your
social media accounts. Malicious actors may often pretend to be a coworker, a
“friend,” or to have a common social media interest in an effort to gain your trust so
that they can obtain unauthorized access to HHS information and information
systems.
To the right, there are some recommendations to ensure your information security.
• Do not associate your employment at HHS with your social media accounts.
• A social engineer may aggregate and use multiple posts about your job with
malicious intent.
• Be mindful of what you tweet, Instant Message (IM), or post online because
once it’s on the Internet it’s on the Internet forever!
Phone Scams
Many people think cybercriminals only use phishing and other unethical computer
tactics to obtain sensitive information from unsuspecting victims. However,
cybercriminals use phone scams too. A cybercriminal could claim to be from a
trusted location at work and ask for PII from an HHS employee. The employee may
receive an email from "technical support" instructing them to call a certain number
to ensure that their computer is working correctly, or to complete the installation of
software. Be aware of these tactics and do not fall prey to social engineers.
Click on the red circle to the left for a phone scam story.
David is at work and receives a phone call. The caller tells him that he is with the
Internet Service Provider for HHS and has received a notification indicating that
David needs service on his computer. The caller explains to David that there is no
need to visit the Help Desk office, and that he can quickly assist him by using remote
access. He then sends David an email and asks him to click the link provided so that
he can service his computer right away. David finds the email and clicks on the link
as instructed. Unfortunately, David has just become the victim of a phone scam.
The caller is actually a hacker. Because David didn’t question or investigate the
intent of the caller, the hacker has just gained access to an HHS information system.
Knowledge Check
Read the following scenario, and then answer the question.
Allison received an email from a coworker she does not know regarding the
upcoming office Holiday party. Included in the email is an attachment listing the
attendees and the food items they are bringing to the party. The coworker has
requested that Allison immediately review the list and verify what she will bring to
the party.
Based on the options provided below, what should Allison do next?
A. Examine the email and check for red flags indicating that it may be a phish.
B. Call the coworker to verify the legitimacy of the email.
C. If the recipient cannot verify the email, forward it to [email protected].
D. All of the above.
Answer: D
Explanation: It’s critical to evaluate emails prior to opening attachments even
when they appear to be coming from someone you may know. The red flags in this
email include:
(1) someone you don’t know, asking you to (2) immediately (3) open the attached
file. You should be suspicious of any email from an unknown person asking you to
click on a link or open an attachment. Taking the correct action will ensure the
privacy of HHS information and information systems.
Insider Threats
Insider threats are the most extreme type of social engineering. An insider threat is
a malicious threat to an organization that comes from current or former employees
or contractors within the organization, who have inside information concerning the
organization's security practices, data, and computer systems. Instances of insider
threats are rare but very serious.
HHS is a multi-disciplined, geographically distributed public health enterprise whose
missions include research, innovation, regulation, prevention, and response. HHS
holds information of interest to foreign intelligence agents and organizations, and to
insider threats. If you have significant reason to suspect an employee is an insider threat,
report it to the OSSI: Counter-intelligence Directorate at [email protected].
Lesson Summary
In this lesson, you learned how to:
• Report suspicious emails to [email protected] and verify links and file
attachments before clicking on them;
• Be aware of human manipulation methods used by cybercriminals to trick you
into providing Controlled Unclassified Information (CUI); and
• Report suspicious activity to the OSSI: Counter-intelligence Directorate at
It’s important for you to identify these methods so that you can help prevent
cybersecurity breaches.
Lesson Quiz
Read the scenario below and answer the question. Please select from the answers below or use the shortcut Alt+H for the answer key.
1) Updating his social media accounts is one of Trevor’s favorite activities. Trevor
likes to tell everyone how lucky he is to work at HHS. One day, Trevor’s old
friend Mike from high school sent him a “friend” request. Trevor hasn’t spoken
to Mike in a while but accepted the friendship in hopes that they could catch
up. Trevor clicked on a link in a social media instant message from Mike while
working on his HHS laptop. The link went to a blank page. Trevor realized
that the friend request was actually from someone he didn’t know. Trevor
immediately “un-friended” the person.
Should Trevor worry about his HHS laptop being compromised?
Answer: Yes
Explanation: Trevor put his HHS laptop at risk by visiting a social media website
and clicking on an unverified link. In doing so, he unsuspectingly downloaded a virus
onto his HHS laptop. Trevor should worry that his action compromised the HHS
laptop, and he must immediately report the incident to the 24-hour CSIRC
([email protected]) and to his OpDiv’s Incident Response Team.
2) Lucy sent her coworker an email containing CUI just before the end of her
workday. The next day, Lucy realized she forgot to encrypt the email. Should
Lucy be concerned?
Answer: Yes
Explanation: Lucy should have taken more time to be sure that she sent her email
with the proper precautions. One must always encrypt emails with CUI first. It’s
important to report this as an “incident” immediately.
Lesson 4 – Breaches and Reporting
What are breaches and how to report them?
Overview
Welcome to Lesson 4! In this lesson, we will learn how to prevent and limit the
impact of a breach by identifying incidents and learning when and how to promptly
report them.
Objectives
• Identify the different types of cybersecurity and privacy incidents.
• Examine information and differentiate public from private use.
• Perform the steps to report a suspected or confirmed cybersecurity or privacy
incident to proper authorities.
Topics
• Recognizing incidents
• Reporting incidents
Recognize Incidents
Information Security Incidents
Understanding the actions and situations that can cause a security incident is critical
to the protection of HHS information and information systems. To the right is a list of
incidents that must be reported immediately to the 24-hour Computer Security
Incident Response Center (CSIRC) at [email protected] and to your OpDiv’s Incident
Response Team.
• Loss, damage, or theft of equipment, media, or documents containing PII.
• Accidentally sending a report containing PII to a person not authorized to view
the report or sending it unencrypted.
• Allowing an unauthorized person to use your computer or credentials to access
PII.
• Discussing CUI in a public area.
• Accessing the private records of friends, neighbors, celebrities, etc. for casual
viewing.
• Any security situation that could compromise HHS information or information
systems (e.g., virus, phishing email, social engineering attack).
Brain Teaser
The Brain Teaser question, answer key, and explanation are provided in the slide
notes.
Time for a question!
Click on the “Q” icon to complete a short Brain Teaser.
One day, Katherine realized that she forgot to bring her laptop to work. She needed
to finalize a presentation for her meeting at 1PM. Katherine’s coworker, Dan,
agreed to let her use his computer once he completed his monthly report. After Dan
finished his report, he gave his laptop to Katherine with his PIV card still inside.
Katherine completed her presentation, but before giving Dan his computer back, she
decided to take a look at a few shared folders that she realized she didn’t have
access to on her own laptop. Katherine then returned the laptop and thanked Dan
for his help. Should Dan consider this an “incident?”
Answer: Yes
Explanation: Dan should have logged out of his computer and removed his PIV
card prior to allowing Katherine to use it. It was okay that Dan helped Katherine.
However, Katherine should have logged in with her own credentials and PIV card. If
she had logged in correctly, she would have not had access to the folders on Dan’s
computer. Once Dan realizes that he allowed Katherine to use his computer under
his login, he should report it as an “incident.”
Reporting Incidents
It’s important to understand what an “incident” is, and how to report one should one
occur. Reporting all possible security incidents immediately gives the 24-hour CSIRC
and your OpDiv’s Incident Response Team the best chance to minimize the negative
impact of the incident. Today’s high-speed internet connections can allow an
adversary to steal gigabytes of data in minutes. Every second counts when it comes
to reporting security incidents. Failing to report an incident immediately allows the
hacker to operate unnoticed in the HHS network for a longer period of time.
Ethically, it is your responsibility to report incidents as soon as you identify them. So
stay alert! Your quick response can prevent a breach.
The scenarios in this lesson will help you understand how to quickly take action when
incidents happen. If any privacy or data incidents occur (as listed in the
“Recognizing Incidents” section), please report them at once!
The list of HHS OpDiv Incident Response Teams is shown below.
Name        Email Address
HHS CSIRC   [email protected]
AHRQ        [email protected]
HRSA        [email protected], [email protected]
SAMHSA      [email protected]
Knowledge Check
Read the following scenario, and then answer the question.
Tammy and Jill went to a local coffee shop for a short break. Over coffee, they
discussed client details and other CUI relating to their department. At the end of
their discussion, they realized that someone from another Department had been
watching them and listening to their discussion a few tables away. This person
should not have heard any of their private discussion.
What should they do?
A. Ignore the eavesdropper… maybe this person didn’t hear the discussion after all.
B. Ask the eavesdropper not to disclose any information that s/he overheard.
C. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and
to your OpDiv’s Incident Response Team.
D. None of the above.
Answer: C
Explanation: Remember, immediately reporting the “incident” gives the 24-hour
CSIRC and your OpDiv’s Incident Response Team the best chance to minimize the
negative impact of the incident. Report all breaches as soon as they occur to the
24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.
Lesson Summary
In this lesson, you learned how to:
• Define and identify types of cybersecurity incidents.
• Report an incident.
Being able to identify and report an “incident” is imperative in a workplace that deals
with highly sensitive information. The impact of some incidents can be minimized by
simply encrypting emails containing CUI, and/or by your quick action to report an
incident. These are all simple actions, yet imperative and mandated. Remember,
report all breaches to the 24-hour CSIRC ([email protected]) and to your OpDiv’s
Incident Response Team.
Lesson Quiz
Read the scenario below and answer the question.
1) Carol realized that she forwarded a sensitive HHS email to the wrong person.
What should she do?
A. Immediately report the “incident” to the 24-hour CSIRC ([email protected]) and to your OpDiv’s Incident Response Team.
B. Inform the recipient to disregard and delete the contents of the email
that was sent erroneously.
C. Both.
D. None of the above.
Answer: C
Explanation: While the recipient of the email may or may not adhere to a request
to disregard the contents of the email, it never hurts to make the request anyway,
just in case. Definitely report this as an “incident” to the 24-hour CSIRC
([email protected]) and to your OpDiv’s Incident Response Team.
2) An OpDiv experienced laptop thefts. What should the manager on site do?
A. Immediately report the “incident” to [email protected].
B. No rush… but report the “incident” at some point this week.
C. Immediately report the “incident” to the 24-hour CSIRC ([email protected])
and to your OpDiv’s Incident Response Team.
D. None of the above.
Answer: C
Explanation: It’s imperative to report stolen Government Furnished Equipment
(GFE) like laptops immediately to the 24-hour CSIRC ([email protected]) and to
your OpDiv’s Incident Response Team. While the laptops are replaceable, the
loss of information contained on them is not.
Section 3 - Conclusion
Understanding how to protect HHS CUI, PII, and PHI is critical to ensuring the
mission of HHS. Training you to effectively apply cybersecurity best practices is the
focus of this training. Identifying cybersecurity incidents and understanding how to
report them will improve the security posture of HHS information and information
systems. You are encouraged to immediately apply the best practices you learned
from this training into your daily work habits.
Training Wrap Up
In this training, you learned to:
• Define cybersecurity and Controlled Unclassified Information (CUI).
• Define privacy and PII and means to protect PII in different contexts and
formats.
• Create strong passwords and protect your PIV card from unauthorized use.
• Safeguard GFE during foreign travel.
• Define encryption and determine how and when to encrypt.
• Describe human manipulation methods often used by hackers.
• Report suspicious emails and activities to reporting authorities.
• Identify the different types of incidents including insider threats, and how to
report them.
Training Quiz
Read the scenario below and answer the question.
1) While at dinner with friends, a thief broke into Fred’s car and stole Fred’s HHS
laptop. Fred is an HHS contractor. His laptop contained pictures of his
children; five HHS grantee applications with grantees’ full names, home
addresses, work addresses, SSNs, employer identification numbers (EIN), and
a couple of case files containing patient full name, address, gender, date of
birth, medical record number, medical notes, address, and health care facility
name.
Does Fred’s laptop contain PII?
• Yes
• No
Answer: Yes, Fred’s laptop contains PII.
2) In the previous scenario, which of the following is not HHS PII?
A. Grantee’s social security number
B. Patient’s date of birth
C. Pictures of Fred’s children
D. Patient’s gender
Answer: C. Pictures of Fred’s children.
3) Should Fred report this incident? Why or why not?
A. Yes, Fred should report the incident because he lost personal information.
B. Yes, Fred does need to report this incident because it involved HHS
information. All HHS employees, contractors, and personnel are
responsible for reporting cybersecurity breaches.
C. No, Fred does not need to report the incident because the computer is
replaceable.
D. No, Fred should not report the incident because he is a contractor.
Answer: B. Yes, Fred does need to report this incident because it involved HHS
information. All HHS employees, contractors, and personnel are responsible for
reporting cybersecurity breaches.
4) Alan works on the third floor at a medical clinic. Alan’s coworker, Debby,
cannot get into the electronic health record (EHR) system, because she has
failed to enter the correct password. In order to reset the password, Debby
would have to go see a representative from the Password Distribution Center
(PDC), on the first floor of the building, leaving the secured floor where she is
located. Debby is unable to go to the PDC, because she cannot find her PIV
card and believes she has misplaced it. Debby asks Alan for his login
credentials, so that she may access the EHR system.
Should Alan allow Debby to use his credentials?
A. Yes, she is Alan’s trusted coworker.
B. Yes, if Alan’s manager gives him permission.
C. No, sharing user credentials is a privacy violation.
D. A and B.
Answer: C. No, sharing user credentials is a privacy violation.
5) Alan decides not to share his credentials with Debby. Debby now asks to
borrow Alan’s PIV card, so that she may leave the secured floor, and get her
password reset at the PDC. What should Alan do?
A. Give Debby his PIV so she can leave the floor to reset her password.
B. Alan should tell her to ask another coworker for their PIV card.
C. Alan should escort Debby to the PDC so she can get her password reset
since she doesn’t have her PIV card.
D. B and C.
Answer: C. Alan should escort Debby to the PDC so she can get her password reset
since she doesn’t have her PIV card.
6) This time Alan decides not to let Debby borrow his PIV card, because it would
create a privacy incident. What other privacy incident has already occurred?
A. Debby asked to borrow Alan’s credentials.
B. Debby has misplaced her PIV card and cannot find it.
C. Debby asked to borrow Alan’s PIV card.
D. A and C.
Answer: B. Debby has misplaced her PIV card and cannot find it.
Resources
Training Resources
Additional resources and full URLs for useful links relating to information security are
available in slide notes and the links below.
HHS Rules of Behavior
Personal Use Policy
HHS Cybersecurity and Privacy Policies
Use of GFE during Foreign Travel
Additional Guidance
Learn more about the Federal and Departmental laws and regulations that guide your
cyber activities.
1- Federal Laws and Guidance:
Acts:
• E-Government Act of 2002
• Clinger-Cohen Act of 1996
• Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Privacy Legislation:
• Privacy Act of 1974
• Paperwork Reduction Act
• Children’s Online Privacy Protection Act (COPPA)
OMB Circulars:
• OMB Circular A-130
• OMB-07-16
National Institute of Standards and Technology (NIST):
• Cybersecurity Framework
• NIST Special Publications
2- Departmental Guidance
In order to understand Information Security Policy and Governance, it’s important to
first take a look at guidance on the departmental level.
1) Office of the Secretary:
Sets programmatic direction by providing an enterprise-wide perspective, and
coordination among key stakeholders.
The Department also sets standards and provides guidance, to support streamlined
reporting and metrics capabilities.
2) HHS Cybersecurity Program:
This is the Department’s information security program. The CIO and CISO provide
oversight. These policies lead the program:
A. HHS-OCIO Policy and Privacy:
Provides direction on developing, managing, and operating an IT security program
to the OpDivs and Staff Divisions (StaffDivs).
B. HHS-OCIO Policy for Breaches:
Establishes actions taken to identify, manage, and respond to suspected or
confirmed incidents involving PII.
C. Rules of Behavior:
Provides the rules that govern the appropriate use of all HHS information
resources for Department users.
3) Operating Divisions (OpDivs):
OpDivs implement programs that meet specific business needs, provide business/domain expertise, and manage implementation at the OpDiv level.
The OpDivs also develop policies and procedures specific to the operating environment, and help to manage ongoing operations.
3- HHS CATE Resources
The HHS Cybersecurity Awareness Training and Education (CATE) team has also developed
CyberCare and Healthy Technology as additional resources for you. We hope that you find
them helpful. At the end of the training, you will be asked to provide feedback relating to
CyberCare.
Acknowledgment and Feedback
What Do You Think?
Thank you for completing the Cybersecurity Awareness Training. Please provide
your feedback in the form below. Your feedback provides valuable insight used to
improve HHS computer-based trainings. Please follow the instructions on the form
to submit it.
Acknowledge ROB and Complete Training
Employees and contractors without access to the HHS Learning Management
System (LMS) can certify completion of this training by:
1) Reading the HHS Rules of Behavior;
2) Printing and signing the Cybersecurity Awareness Training Certificate available at this link:
https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html.
Submit the form to your cybersecurity awareness training Point of Contact.
(All other employees/contractors with LMS access must complete the training
through their LMS account.)
Thank you for completing FY18 Cybersecurity Awareness Training
GUIDELINES ON THE SECURE USE OF WI-FI
• Do not access or transmit Controlled Unclassified Information (CUI) when
using an unsecure connection.
• Ensure the proper configuration of the wireless security options on your
computing wireless devices and the router or the modem used to connect to
the Internet.
LESSON 2 BRAIN TEASER 3
Let’s see if you’ve learned what is needed to open an encrypted email.
Which of the following items are necessary when opening an encrypted email?
A. E-signature.
B. Digital certificate.
C. User’s PIN.
D. PIV Card.
Answer: C and D.
Explanation: Remember, both the PIN and the PIV card are required to decrypt and read an email sent from an HHS email account. If the user is sending an encrypted email from an HHS email account to an external recipient, the recipient will not be able to decrypt or read the content of the email.
PHONE SCAMS STORY
David is at work and he receives a phone call. The caller tells him that he is with the Internet Service Provider for HHS and has received a notification indicating to him that David needs service on his computer. The caller explains to David that there is no need to visit the Help Desk office, and that he can quickly assist him by using remote access. He then sends David an email and asks him to click the link provided so that he can service David’s computer right away. David finds the email and clicks on the link as instructed. Unfortunately, David has just become the victim of a phone scam. The caller is actually a hacker. Because David didn’t question or investigate the intent of the caller, the hacker has just gained access to an HHS information system.
LESSON 3- KNOWLEDGE CHECK - ANSWER KEY
Answer: D
Explanation: It’s critical to evaluate emails prior to opening attachments even when they appear to be coming from someone you may know. The red flags in this email include: Receiving an email from a person you do not know; and opening an attachment from someone that you do not know. You should be suspicious of any email from a person whom you do not know that asks you to click on a link or open an attachment. Taking the correct action will ensure the privacy of HHS information and information systems.
PERSONALLY IDENTIFIABLE INFORMATION (PII)
The following list contains examples of information that may be considered PII:
• Name, such as full name, maiden name, mother’s maiden name, or alias.
• Personal identification number, such as social security number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number.
• Address information, such as street address or email address.
• Telephone numbers, including mobile, business, and personal numbers.
• Information identifying personally owned property, such as vehicle registration number or title number and related information.
• Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address.
• Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry).
• Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
PROTECTED HEALTH INFORMATION (PHI)
PHI is information, including demographic data, that relates to the
following:
• The individual’s past, present, or future physical or mental health
or condition;
• The provision of health care to the individual; and
• The past, present, or future payment for the provision of health
care to the individual.
PHISHING RED FLAGS EXAMPLE
Ask yourself what is wrong with this email?
LESSON 2 BRAIN TEASER 2
Now that we’ve discussed the topic of passwords, let’s answer a question.
Which of the following is a good way to remember a password?
A. Use a favorite team name.
B. Use a familiar word with your birthdate.
C. Create a word with your child’s name.
D. Create a passphrase.
Answer: D.
Explanation: A passphrase is a phrase that helps you remember a password. It’s known only to you. It contains at least one upper-case letter, one lower-case letter, one number, and a special character.
Incident Response Team e-mail Addresses
Name        Email Address
HHS CSIRC   [email protected]
ACF         [email protected]
ACL         [email protected]
AHRQ        [email protected]
CDC         [email protected]
CMS         [email protected]
FDA         [email protected]
HRSA        [email protected], [email protected]
IHS         [email protected]
NIH         [email protected]
OIG         [email protected]
OS          [email protected]
SAMHSA      [email protected]
LESSON 3 BRAIN TEASER
Let’s take a look at the following phishing brain teaser!
Brian received a phone call at work. “Tech Support” called to verify information on his
computer. Brian was instructed to provide network and password information over the phone. Brian obliged and provided the
requested information. Did Brian take the correct action? Yes or No?
Answer: No
Explanation: It’s never a good idea to provide Controlled Unclassified Information (CUI) over the phone. Think about it for a second… “Why would Tech Support need to verify information that they should already have?” A more appropriate response would be to either call Tech Support back on a verified number, or to walk over to their department to determine if the request is legitimate. Always find a way to verify before providing sensitive information in any form.