Draft as of June 6, 2019
CLOSE HOLD DO NOT SHARE. INFORMATION NOT RELEASABLE TO THE PUBLIC UNLESS AUTHORIZED BY LAW. 1
This information has not been publicly disclosed and may be privileged and confidential. It is for internal government use only and must not be disseminated,
distributed, or copied to persons not authorized to receive the information. Unauthorized disclosure may result in prosecution to the full extent of the law.
PRIVACY AND SECURITY STANDARDS EXAM
Topic - 1: Final Assessment
Page - 1: Final Assessment Q1
Question:
True or False: Security is an individual’s right to control the use or disclosure of personal
information.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: B
Topic - 1: Final Assessment
Page - 2: Final Assessment Q2
Question:
True or False: Security refers to the mechanisms in place to protect the confidentiality and
privacy of personal information.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 4: Final Assessment Q3
Question:
Which of the following is NOT an example of personally identifiable information?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Address
B. Social Security number
C. Family composition
D. Date of birth
Correct Answer: C
Topic - 1: Final Assessment
Page - 5: Final Assessment Q4
Question:
True or False: Personally identifiable information refers to information that can be used to
distinguish or trace an individual’s identity, either alone or when combined with other
information that is linked or linkable to a specific individual.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 6: Final Assessment Q5
Question:
Which of the following is a reason the Marketplace needs to collect personally identifiable
information from consumers?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. To create consumer profiles used to inform future guidance on the essential health benefits
B. To determine consumer eligibility for enrollment in a qualified health plan and for
insurance affordability programs
C. To allow qualified health plan issuers to market additional products or services once a
consumer has selected and enrolled in a qualified health plan
D. To certify that each consumer has filed a federal income tax return for the previous year
Correct Answer: B
Topic - 1: Final Assessment
Page - 7: Final Assessment Q6
Question:
Who is responsible for understanding which privacy laws and regulations an agent or broker
is subject to?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. It is the Marketplace's responsibility.
B. It is the state Department of Insurance’s responsibility.
C. It is the agent’s or broker’s responsibility.
D. It is the consumer’s responsibility.
Correct Answer: C
Topic - 1: Final Assessment
Page - 8: Final Assessment Q7
Question:
True or False: The privacy and security provisions of the Affordable Care Act supersede all
other state and federal law related to the privacy and confidentiality of personally identifiable
information.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: B
Topic - 1: Final Assessment
Page - 9: Final Assessment Q8
Question:
Agents and brokers operating in which kind of Marketplace or Program must enter into a
Privacy and Security Agreement with the Centers for Medicare & Medicaid Services?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. The Individual Marketplace
B. The Small Business Health Options Program (SHOP)
C. Both the Individual Marketplace and the Small Business Health Options Program (SHOP)
D. None; the Privacy and Security Agreement is optional for agents and brokers operating in
either the Individual Marketplace or the Small Business Health Options Program (SHOP).
Correct Answer: C
Topic - 1: Final Assessment
Page - 10: Final Assessment Q9
Question:
Which of the following topics is NOT covered in the Privacy and Security Agreement with
the Centers for Medicare & Medicaid Services that agents and brokers must sign?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. The types of personally identifiable information that may be collected or received
B. How an agent or broker can reuse personally identifiable information collected or received
for marketing purposes
C. The authorized uses of personally identifiable information collected or received
D. The requirements for destruction of personally identifiable information collected or
received
Correct Answer: B
Topic - 1: Final Assessment
Page - 11: Final Assessment Q10
Question:
True or False: Agents or brokers must decide to grant or deny an individual access to
personally identifiable information pertaining to the individual within 30 days of receipt of
the access request.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 12: Final Assessment Q11
Question:
Which of the following is NOT a condition an agent or broker may apply when providing an
individual access to personally identifiable information (PII)?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. May require the individual to pay a fee to recoup costs for labor for copying the PII,
supplies for creating a paper copy or a copy on electronic media, and/or postage if the PII is
mailed
B. May require the individual to be specific in which PII he or she would like to access
C. May refuse to provide a paper copy and require the individual to accept electronic copies
that can be sent to the individual’s personal email address
D. May limit the access to only PII that pertains to the consumer and/or the person the
individual represents
Correct Answer: C
Topic - 1: Final Assessment
Page - 13: Final Assessment Q12
Question:
Prior to collecting personally identifiable information (PII), agents and brokers must provide a
Privacy Notice Statement that is prominently and conspicuously displayed. Which of the
following is NOT an acceptable way to communicate the Privacy Notice Statement?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. On a public-facing website
B. On the electronic form used to collect PII
C. On the paper form used to collect PII
D. Over the phone
Correct Answer: D
Topic - 1: Final Assessment
Page - 14: Final Assessment Q13
Question:
True or False: The Privacy Notice Statement must be written in plain language and provided
in a manner that is accessible and timely to people living with disabilities and with limited
English proficiency.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 15: Final Assessment Q14
Question:
Which of the following is an allowable use and disclosure of personally identifiable
information (PII) specified in Appendix A in both Privacy and Security Agreements: the
"Agreement Between Agent or Broker and the Centers for Medicare & Medicaid Services for
the Individual Market Federally-facilitated Exchanges and the State-based Exchanges on the
Federal Platform" and the "Agreement Between Agent or Broker and CMS for the Small
Business Health Options Programs of the Federally-facilitated Exchanges and State-based
Exchanges on the Federal Platform?"
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Requesting information regarding the citizenship of an individual who is not seeking
coverage for himself or herself on any application
B. Requesting a Social Security number of any individual who is not seeking coverage for
himself or herself on any application
C. Requesting any individual’s PII to discriminate or discourage the enrollment of individuals
with significant health needs in qualified health plans
D. Requesting an individual’s PII to obtain an assessment of his or her eligibility to enroll in a
Marketplace qualified health plan
Correct Answer: D
Topic - 1: Final Assessment
Page - 16: Final Assessment Q15
Question:
Which of the following is NOT an authorized function for which an agent or broker may
create, collect, disclose, access, maintain, store, and use personally identifiable information in
the Marketplace?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Assisting with applications for qualified health plan eligibility
B. Informing colleagues about an individual’s potential additional insurance needs
C. Providing assistance in communicating with qualified health plan issuers
D. Assisting with filing appeals of eligibility determinations
Correct Answer: B
Topic - 1: Final Assessment
Page - 17: Final Assessment Q16
Question:
If an agent, broker, or the Marketplace wishes to use or disclose an individual’s personally
identifiable information (PII) outside of the functions and purposes listed in the Privacy
Notice Statement, informed consent must be obtained from the individual. Which of the
following is NOT a requirement for any such consent?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Must be provided in specific terms and in plain language
B. Must identify the entity collecting or using the PII, and/or making the disclosure and
identify the specific collections, use(s), and disclosure(s) of specified PII with respect to a
specific recipient(s)
C. Must provide notice of an individual’s ability to revoke the consent at any time
D. Must list the functions and purposes listed in the Privacy Notice Statement
Correct Answer: D
Topic - 1: Final Assessment
Page - 18: Final Assessment Q17
Question:
How many years must informed consent documents be appropriately secured and retained?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. One year
B. Five years
C. Seven years
D. 10 years
Correct Answer: D
Topic - 1: Final Assessment
Page - 19: Final Assessment Q18
Question:
True or False: The Marketplace may use or disclose personally identifiable information for
undisclosed reasons.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: B
Topic - 1: Final Assessment
Page - 20: Final Assessment Q19
Question:
True or False: The accounting for personally identifiable information disclosure shall be
retained for at least 10 years after the disclosure, or the life of the record, whichever is longer.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 21: Final Assessment Q20
Question:
True or False: An agent or broker must account for all disclosures of an individual’s
personally identifiable information (PII), except for disclosures made to members of the
agent’s or broker’s workforce who have a need for the PII to perform their duties and
disclosures needed to carry out the required functions of the agent or broker.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 22: Final Assessment Q21
Question:
True or False: The Department of Health & Human Services may impose a civil money
penalty of not more than $28,195 per person or entity, per use or disclosure against any person
who knowingly and willfully uses or discloses personally identifiable information in violation
of section 1411(g) of the Affordable Care Act.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 23: Final Assessment Q22
Question:
Which of the following violations of the Federally-facilitated Marketplace privacy and
security standards may result in the imposition of a civil money penalty?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Failure to provide a Privacy Notice Statement to an individual prior to the collection of
personally identifiable information
B. Knowing and willful use or disclosure of personally identifiable information in violation of
section 1411(g) of the Affordable Care Act
C. Failure to report a privacy incident consistent with the Centers for Medicare & Medicaid's
Incident and Breach Notification Procedures
D. Not meeting the 30-day deadline for deciding whether to grant or deny an individual’s
request for access to personally identifiable information pertaining to the individual
Correct Answer: B
Topic - 1: Final Assessment
Page - 24: Final Assessment Q23
Question:
True or False: Agents and brokers can refuse to amend, correct, substitute, or delete
personally identifiable information (PII) maintained and/or stored by the agent or broker
unless an individual offers evidence that the PII is not accurate, timely, complete, relevant, or
necessary to accomplish a function related to the Marketplace.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: B
Topic - 1: Final Assessment
Page - 25: Final Assessment Q24
Question:
How many days does an agent or broker have to grant or deny a request for amendment,
correction, substitution, or deletion of personally identifiable information that is maintained
and/or stored by the agent or broker?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. 30 business days
B. 10 business days
C. 90 business days
D. 45 business days
Correct Answer: B
Topic - 1: Final Assessment
Page - 26: Final Assessment Q25
Question:
True or False: A breach is the loss of control, compromise, unauthorized disclosure,
unauthorized acquisition, or any similar occurrence where (1) a person other than an
authorized user accesses or potentially accesses personally identifiable information or (2) an
authorized user accesses personally identifiable information for an other than authorized
purpose.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 27: Final Assessment Q26
Question:
Which of the following is NOT considered a privacy incident?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Receipt of an email phishing for personally identifiable information
B. Loss of hard copy documents containing personally identifiable information
C. Emailing or faxing documents containing personally identifiable information to
inappropriate recipients, whether intentionally or unintentionally
D. Leaving documents containing personally identifiable information exposed in an area
where individuals without approved access could read, copy, or move for future use
Correct Answer: A
Topic - 1: Final Assessment
Page - 28: Final Assessment Q27
Question:
True or False: Security incidents are NOT a potential threat to the integrity of personally
identifiable information.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: B
Topic - 1: Final Assessment
Page - 29: Final Assessment Q28
Question:
True or False: Agents and brokers must have written procedures for incident handling and
breach notification.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 30: Final Assessment Q29
Question:
Which of the following incidents is considered a privacy incident?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. An incident that involves sharing personally identifiable information with an authorized
person
B. An incident where a consumer asks for enrollment assistance
C. An incident that involves the actual or even suspected loss of personally identifiable
information
D. An incident where an agent or broker leaves blank paper applications on the copy machine
Correct Answer: C
Topic - 1: Final Assessment
Page - 31: Final Assessment Q30
Question:
Which of the following should NOT be included as part of written procedures for incident
handling and breach notification?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Determine whether breach notification is required and, if so, identify the appropriate
notification methods, timing, source, and contents
B. Report suspected or confirmed incidents
C. Determine if personally identifiable information is involved in the incident
D. Become a certified incident investigator
Correct Answer: D
Topic - 1: Final Assessment
Page - 32: Final Assessment Q31
Question:
If an agent or broker has a business partner that assists in performing Marketplace functions
involving personally identifiable information, the business partner is not legally obligated to
meet or exceed the same set of standards.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: B
Topic - 1: Final Assessment
Page - 33: Final Assessment Q32
Question:
Which of the following best describes information security?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. The protection of information from access or use by any authorized person
B. The protection of information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order to provide confidentiality,
integrity, and availability
C. Authorized access to protected information for enrollment purposes in a Health Insurance
Marketplace
D. Authorized access to information for use, disclosure, disruption, modification, or
destruction in order to provide confidentiality, integrity, and availability
Correct Answer: B
Topic - 1: Final Assessment
Page - 34: Final Assessment Q33
Question:
The security controls described in the Privacy and Security Agreement with the Centers for
Medicare & Medicaid Services require agents and brokers to ensure that personally
identifiable information is protected against which of the following?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Use of such information to perform any of the Marketplace authorized functions
B. Any reasonably anticipated threats or hazards to the confidentiality, integrity, and
availability of such information
C. Destruction or disposal of such information in accordance with retention schedules
D. Storage of such information on secure information technology (IT) resources
Correct Answer: B
Topic - 1: Final Assessment
Page - 35: Final Assessment Q34
Question:
Which of the following is NOT a proper use of a Centers for Medicare & Medicaid Services
(CMS) system?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Refusing to share your log-in credentials with a colleague
B. Conducting person searches for consumers who have given you consent to work with them
for purposes of applying for and enrolling in a Marketplace plan
C. Using scripts or automation tools to conduct person searches or to complete applications
and submit enrollments on CMS websites
D. Maintaining an active state license in every state where you are assisting consumers
Correct Answer: C
Topic - 1: Final Assessment
Page - 35: Final Assessment Q35
Question:
True or False: Individuals are allowed to have only one Centers for Medicare & Medicaid
Services Portal account.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 35: Final Assessment Q36
Question:
Which of the following is NOT a consequence of noncompliance with the terms and
conditions of accessing Centers for Medicare & Medicaid Services (CMS) systems when
assisting consumers with enrollments in Marketplace plans?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Requirement to use a colleague’s log-in credentials so you can continue to assist
consumers with eligibility determinations and enrollments through the Marketplace
B. Civil and/or criminal penalties
C. Immediate and permanent disabling of your CMS Portal account
D. Termination of your Marketplace Agreement(s) with CMS
Correct Answer: A
Topic - 1: Final Assessment
Page - 35: Final Assessment Q37
Question:
Which of the following is NOT a key element to protecting information?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Availability: Defending information systems and resources from malicious, unauthorized
users to ensure accessibility by authorized users
B. Accountability: Ensuring that accurate information is provided by consumers
C. Confidentiality: Protecting information from unauthorized disclosure to people or
processes
D. Integrity: Assuring the reliability and accuracy of information and information technology
resources
Correct Answer: B
Topic - 1: Final Assessment
Page - 36: Final Assessment Q38
Question:
True or False: Information security is achieved through implementing technical, managerial,
and operational measures designed to protect the confidentiality, integrity, and availability of
information.
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. True
B. False
Correct Answer: A
Topic - 1: Final Assessment
Page - 37: Final Assessment Q39
Question:
Which of the following is NOT a type of threat that has the potential to cause unauthorized
disclosure, changes, or destruction to an information asset?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Natural (e.g., severe weather that could cause a power outage)
B. Manmade (e.g., a thief looking to steal a laptop left unattended in a public place)
C. Environmental (e.g., failure to encrypt an email containing personally identifiable
information)
D. Schedule (e.g., delay in receipt of management's approval for a planned system upgrade)
Correct Answer: D
Topic - 1: Final Assessment
Page - 38: Final Assessment Q40
Question:
Which of the following would be considered a vulnerability to a system’s security?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Failing to install and regularly run an anti-virus program on a computer system
B. Requiring all staff to complete an annual security awareness training program
C. Using badge readers at each physical entrance to an office
D. Following robust password protection protocols
Correct Answer: A
Topic - 1: Final Assessment
Page - 39: Final Assessment Q41
Question:
Who is primarily responsible for ensuring that the computer an agent or broker uses to access
the Marketplace is regularly updated with the latest security software to protect against any
cyber-related security threats?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. The agent or broker
B. The computer manufacturer
C. The Department of Health & Human Services
D. The state Department of Insurance
Correct Answer: A
Topic - 1: Final Assessment
Page - 40: Final Assessment Q42
Question:
Which of the following data formats must be protected according to the Department of Health
& Human Services’ information policy?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Electronic format only
B. Paper format only
C. Oral format only
D. Electronic, paper, and oral formats
Correct Answer: D
Topic - 1: Final Assessment
Page - 41: Final Assessment Q43
Question:
Which of the following is NOT a best practice related to patch management, a critical
business function for effective data risk management?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Ensure the operating systems and computer applications remain patched with the latest
security updates
B. Pay attention to security alerts and implement regularly scheduled patching activities
C. Allow flexibility for emergencies
D. Only perform patch updates in case of an emergency, so as not to interrupt regular
business activities
Correct Answer: D
Topic - 1: Final Assessment
Page - 42: Final Assessment Q44
Question:
Which of the following is NOT a step agents and brokers should take to help promote
information security?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Allow clients to share their private log-in credentials with them
B. Change their passwords often
C. Use a different password for each system or application
D. Change their password immediately if they suspect it has been compromised
Correct Answer: A
Topic - 1: Final Assessment
Page - 43: Final Assessment Q45
Question:
To achieve accountability for privacy and security standards, including appropriate
monitoring and breach reporting, agents and brokers should NOT consider using which of the
following methods?
Directions:
Select the best answer and then select Check Your Answer.
Options:
A. Establishing a workforce compliance plan that is efficient to implement
B. Establishing a workforce compliance plan that adheres to federal and state regulations
C. Developing self-assessment checklists for use by the agent’s and broker’s workforce
D. Developing an inventory of where all of the personally identifiable information that the
agent or broker is responsible for is stored
Correct Answer: A
Topic - 1: Final Assessment
Page - 1000: Congratulations
Congratulations! You have completed the assessment for the Privacy and Security Standards
course!