Government Data Security Procedures

Overview

As a government contractor, Wonderlic is required to maintain the security of all information collected from job applicants for government agency positions. Each year, our employees must be trained in the specific security procedures related to requests from agency personnel or their job applicants. 

The following self-administered lesson will help you learn these procedures at your own pace. You may review information as many times as you like. Segments of instructions will be followed by questions to help you review what you've learned. At the end of each section there will be questions to verify that you've understood that part of the lesson.

Upon completion of all instruction, a short assessment will be administered. It's mandatory that you successfully complete the assessment before serving Wonderlic clients.

 Portions of this class include audio elements. Before beginning, enable your computer's speakers or use headphones, if necessary. 

This class involves approximately one hour of learning material. We recommend you go to a quiet area, free of distractions. You may complete the class in one sitting, or you may pause the class and resume later where you left off.

Use the navigation buttons at the bottom of each page to proceed through the class. At the end of each section you will return "Home." Select the next section to continue.

Preview material using the table of contents in the bar on the left side of each page.

 

Overview

Introduction

Office of Personnel Management Data Breach

In June 2015, the United States Office of Personnel Management (OPM) announced that a data breach targeting the records of as many as four million people had occurred. The data included personally identifiable information, such as Social Security Numbers, names, dates and places of birth, and addresses.

 By July 9, 2015, the estimated number of stolen records had increased to 21.5 million. This included records of people who had undergone background checks, but who were not necessarily current or former government employees. Soon after, Katherine Archuleta, the Director of OPM, resigned.

From Wikipedia, the free encyclopedia

To see a brief news report, click the link.

http://www.nbcnews.com/nightly-news/video/opm-director-katherine-archuleta-resigns-amid-hacking-scandal-482298947980

Why Should We Care?

Wonderlic - Past and Future

  • Since WWII, Wonderlic has helped various government agencies and branches of the military select the best people for their jobs.
  • Today, providing continued services depends on the security of our systems and the skills and integrity of our employees.

Americans Care About Privacy

The Pew Research Center reported that 74% of Americans they surveyed in 2016 said it was "very important" to them to be in control of who could get their information, while 65% said it was "very important" to control what information was collected.

Test takers rely on Wonderlic to keep their information safe and secure at all times.

http://www.pewresearch.org/fact-tank/2016/09/21/the-state-of-privacy-in-america/

It's Up to All of Us

It's every Wonderlic employee's job to ensure that the test taker data we maintain are private and secure. By special contract, we must take extra steps to limit access to government agency information, and to train every sales and service professional to handle requests for this information correctly. 

Section 1 - Privacy and Data Security

Introduction to Privacy and Security

To provide reliable data privacy and security, there are some common terms for different types of information you need to thoroughly understand. The official definitions of these terms come from the Department of Homeland Security. The terms are used to identify the types of personal information collected by agencies and their contractors, such as Wonderlic, that must be carefully guarded from unauthorized release or use.

In the following section, you will learn these terms and the critical concepts they represent.

Section 1 - PII

Personally Identifiable Information (PII)

 

"Personally Identifiable Information (PII) means any information that permits the identity of an individual to be directly or indirectly inferred, including any other information that is linked or linkable to that individual regardless of whether the individual is a citizen of the United States, legal permanent resident, or visitor to the United States. Sensitive PII is a subset of PII which requires additional precautions to prevent exposure or compromise."

Handbook for Safeguarding Sensitive Personally Identifiable Information - Department of Homeland Security

Note: Wonderlic representatives must add "All Test Scores and any related information" to their list of PII.

Section 1 - PII - Exercise 1

Personally Identifiable Information - Exercise 1

Which of the following items does NOT qualify as Personally Identifiable Information (PII)?

Section 1 - SPII

Sensitive Personally Identifiable Information (SPII)

"Sensitive Personally Identifiable Information (SPII) is a subset of Personally Identifiable Information which, if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual."

Handbook for Safeguarding Sensitive Personally Identifiable Information - Department of Homeland Security

Do we really need to know all of this detail?

Wonderlic may not collect all of the information listed above, but representatives are required to understand the full regulations. It is important to remember that Wonderlic Test Scores paired with another identifier are SPII, because their disclosure "could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual."


Section 1 - SPII - Exercise 1

Is it PII or SPII?

Which one of the following would be considered Sensitive Personally Identifiable Information (SPII)?

  • Last four digits of a Social Security Number
  • Passport photo and number
  • Date of Birth
  • Citizenship or Immigration Status

Section 1 - SPII - Exercise 2

Is it PII or SPII?

Which of the following information, available to Wonderlic representatives, would be considered Sensitive Personally Identifiable Information (SPII)? Select all that apply.

  • Applicant Name
  • Applicant Name and Wonderlic Test Score
  • Wonderlic Test Score
  • Applicant Name and Ethnic Group Affiliation
  • Applicant Name and Citizenship or Immigration Status
  • Ethnic Group Affiliation and Test Score

Section 1 - Security Breach

Definition

A security "Breach" (may be used interchangeably with "Privacy Incident") means the loss of control, compromise, unauthorized disclosure, acquisition and/or access, or any other similar situation where persons other than authorized users, and for other than authorized purpose, have access or potential access to Personally Identifiable Information, in usable form whether physical or electronic.

From Wonderlic Contract.

What types of Security Breaches are Common?

Verizon's 2015 study of security incidents reports that Miscellaneous Errors are the most common cause of security incidents. 

The second largest category is "Privilege Misuse." "Privileged Users" are people with authorized access to sensitive data. They "misuse" data when they share it with unauthorized people, whether by accident or not.

http://www.verizonenterprise.com/resources/reports/rp_DBIR_2016_Report_en_xg.pdf

Section 1 - Security Guidelines

Guidelines from Homeland Security

Here are some guidelines to consider when working with PII, even briefly, in the office.

  • Ensure privacy while having intra-office or telephone conversations regarding Sensitive PII.
  • Be alert to phone calls or emails from individuals claiming to be government employees attempting to gather or verify personal or non-public information.
  • Ensure that casual visitors, passersby, and other individuals without an official need to know cannot view documents on your computer screen that contain Sensitive PII.

Privacy Incidents with Teleworkers

If you work from home, be sure that you never make any of the following errors:

  • Sending an email containing Sensitive PII to your personal email account
  • Sending unencrypted Sensitive PII outside of the Wonderlic network
  • Allowing family members access to documents with Sensitive PII
  • Printing documents containing Sensitive PII to your personal printer.

Section 1 - Security Breach - Exercise 1

True or False

Mark each of the following statements as either True or False.

  • If an unauthorized caller is given government agency test taker information, that is a security breach or incident.
  • If a person overhears you talking about a government agency matter and uses that information for unauthorized purposes, that is NOT a security breach or incident because it wasn't your fault.
  • "Privilege Misuse" is defined as someone in authority purposefully exposing Sensitive PII to an unauthorized person.
  • Anyone at Wonderlic who has been given access to government agency data, or telephone and email requests, would be defined as a "Privileged User" of that information.

Section 1 - Privacy and Data Security Review

Summary

We covered a lot of information in this opening section, but it's the foundation for everything else in the lesson. This knowledge will also help you understand the security concerns of the thousands of businesses and schools Wonderlic serves each year.

Read the summaries below, and carefully review the lists of PII and SPII, before continuing on to the final test questions in this section.

PII and SPII

  • Personally Identifiable Information (PII) means any information that permits the identity of an individual to be directly or indirectly inferred.
  • Sensitive Personally Identifiable Information (SPII) is a subset of PII which, if compromised, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.

Security Breaches and Incidents

A Security Breach or Incident occurs when persons other than authorized users, and for other than authorized purpose, have access or potential access to Personally Identifiable Information.

Section 1 - Check Your Understanding - Question 1

PII is the acronym for ____. SPII is a ____ of PII. Wonderlic ____ are to be handled as SPII when combined with other information that can be linked to the individual test taker.

Section 1 - Check Your Understanding - Question 2

Terms and Definitions

Read each definition, then drag it to the term it best describes.

  • PII
    Any information that permits the identity of an individual to be directly or indirectly inferred.
  • Privileged User
    An authorized person with access to sensitive data.
  • Security Breach or Incident
    When persons other than authorized users, and for other than authorized purpose, have access or potential access to Personally Identifiable Information.
  • SPII
    Personally Identifiable Information which, if lost, compromised or disclosed, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
  • Unauthorized Disclosure
    A person with access to sensitive data shares it with an unauthorized person, either by accident or on purpose.

Section 1 - Check Your Understanding - Question 3

PII or SPII?

If an item qualifies as SPII, click and drag it to that category. If not, drag it to the PII column. Keep items in each column in numerical order, from lowest to highest.

  • 1. Social Security Number
  • 2. Wonderlic Test Score
  • 3. Applicant Name and Ethnic Group
  • 4. Date of Birth
  • 5. Zip code
  • 6. Email address and Name

Section 2 - Support Procedures

Section 2 - Wonderlic Agency Personnel

Section 2 - General Security Guidelines

Guidelines from Homeland Security

Here are some guidelines to consider when working with PII, even briefly, in the office.

  • Ensure privacy while having intra-office or telephone conversations regarding Sensitive PII.
  • Be alert to phone calls or emails from individuals claiming to be government employees attempting to gather or verify personal or non-public information.
  • Ensure that casual visitors, passersby, and other individuals without an official need to know cannot access or view documents containing Sensitive PII.  

Privacy Incidents with Teleworkers

If you work from home, be sure that you never make any of the following errors:

  • Sending an email containing Sensitive PII to your personal email account
  • Sending unencrypted Sensitive PII outside of the Wonderlic network
  • Allowing family members access to documents with Sensitive PII
  • Printing documents containing Sensitive PII to your personal printer.
  • Using a thumb drive to transfer data (i.e. Sensitive PII) to your personal computer.

Section 2 - Supporting Client Personnel

Section 2 - Supporting Test Takers