Enterprise Income Verification System Security Procedures
October 2005
Page 1. Introduction
Privacy Act Requirements
Overview of Policies and Controls for Securing EIV System’s Data
Administrative
Technical
Physical
Department of Health and Human Services’ National Directory of New Hires Data and Agreement
Page 2. Privacy Act Requirements
Whenever HUD or a PHA requests information about a tenant, they should ensure the following:
The data is only used for verification of tenant income to determine:
a tenant’s eligibility for participation in a rental assistance program
the level of assistance that they are entitled to receive
The data is not disclosed in any way that would violate the privacy of the individuals represented in the system
The tenant is notified of the following:
HUD or the PHA’s authorization and purpose for collecting the information
the uses that may be made of the data collected, and
the consequences to the individual for failing to provide the information
On request, the tenant is provided with access to records pertaining to them and an opportunity to correct or challenge the contents of the records
Page 3. Privacy Act Requirements
All users will be required to acknowledge their understanding of requirements imposed under the Privacy Act before continuing to use the EIV system to access the upfront income verification data
All users will be required to acknowledge that a form HUD-9886 or equivalent consent form is on file for the household whose income information is being accessed before the user can have access to the EIV system
All screens and/or pages containing tenant information contain a Privacy Act statement that indicates: “Confidential Privacy Act Data. Civil and criminal penalties apply to misuse of this data.”
Page 4. Civil Penalties Associated with the Privacy Act
A tenant may take legal action against HUD or a PHA for the following agency actions:
Refusal to grant access to a record
Refusal to amend or correct a record
Failure to maintain a record with accuracy, relevancy, timeliness or completeness
Failure to comply with any other provision of the Privacy Act, where there is an adverse effect on the tenant
If found liable, HUD or the PHA will be required to pay the tenant:
Damages sustained as a result of the agency’s action
The costs of the lawsuit, including reasonable attorney fees
Page 5. Criminal Penalties Associated with the Privacy Act
A HUD or PHA employee can be found guilty of a misdemeanor or a felony if that employee, knowingly and willfully:
Discloses a tenant’s or tenants’ records to an unauthorized party
Maintains a system of records without publishing a public notice
Fraudulently represents him/herself to obtain another individual’s record
Page 6. Administrative Safeguards
Purposes of the administrative safeguards:
Ensure that access rights, roles, and responsibilities within the agency are appropriately and adequately assigned
Maintain security-related records
Monitor programmatic security issues
Maintain, communicate, and enforce standard operating procedures related to securing EIV system's data
Page 7. Administrative Safeguards, cont’d
HUD Field Offices and PHAs should implement administrative safeguards to address the following:
Assigning and Monitoring Access Rights
Determine which users should have access to EIV system’s information
Maintain a record of all users who have approved access to EIV system’s data
Conduct a quarterly review of all User IDs to determine if the user still has a valid need to access the EIV system’s data
Ensure that access rights are modified or revoked as appropriate
Page 8. Administrative Safeguards, cont’d
Rules of Behavior and User Agreement
The Rules of Behavior must be adhered to by all EIV users. The rules explain the responsibilities of the EIV users who have access to the system. If the user does not comply, the user will be disciplined. This could involve verbal or written warnings, removal of system access for a period of time, reassignment to other duties, or termination of employment. The User Agreement provisions have been added to the Rules of Behavior. The provisions specify the civil and criminal penalties if there is willful unauthorized use of the upfront income verification data.
Access Authorization
The Access Authorization Form records the type of function required by the user, the access level, and the role to be assigned to the user.
Quarterly Validation of User Access (every three months)
Effective after the first full quarter of EIV operations (January 2006), users will be required to certify each quarter. Users cannot certify if their documentation is not on file. If the user account is not certified within 30 days, access to the EIV system will be denied.
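The quarterly review described on Pages 7 and 8 (confirm each User ID still has a valid need, confirm the Access Authorization Form and Rules of Behavior are on file, deny access when certification is not completed within 30 days) is the kind of administrative control that is easy to miss when it lives only in a binder. The following is an added example, not HUD's or any PHA's own tooling, of how a security officer could run that review over a local access roster. The roster format, the field names, and the assumption that the 30-day certification window starts on the first day of each calendar quarter are mine; the 30-day rule and the documentation requirement come from the slides.

```python
"""Quarterly EIV user-access recertification check (added example).

Assumptions not taken from the slides: the PHA keeps its access roster as a
list of AccessRecord objects, and the 30-day certification window starts on
the first day of the calendar quarter.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

CERT_GRACE_DAYS = 30  # from the slide: not certified within 30 days -> access denied


@dataclass
class AccessRecord:
    user_id: str
    role: str
    access_form_on_file: bool        # Access Authorization Form on file
    rules_signed: bool               # Rules of Behavior and User Agreement signed
    last_certified: Optional[date]   # most recent quarterly certification, if any
    still_needs_access: bool         # supervisor's answer in the quarterly review


def quarter_start(d: date) -> date:
    """First day of the calendar quarter that contains d."""
    month = 3 * ((d.month - 1) // 3) + 1
    return date(d.year, month, 1)


def review_user(rec: AccessRecord, today: date) -> str:
    """Decide one user's outcome: 'keep', 'revoke', 'deny' or 'pending'."""
    if not rec.still_needs_access:
        return "revoke"          # no valid need any more -> access rights revoked
    if not (rec.access_form_on_file and rec.rules_signed):
        return "deny"            # cannot certify without documentation on file
    qs = quarter_start(today)
    certified_this_quarter = rec.last_certified is not None and rec.last_certified >= qs
    if certified_this_quarter:
        return "keep"
    if (today - qs).days > CERT_GRACE_DAYS:
        return "deny"            # certification window missed -> access denied
    return "pending"             # still inside the window; chase the user


def run_review(roster: List[AccessRecord], today: date) -> Dict[str, str]:
    """Map every user_id on the roster to its review outcome."""
    return {r.user_id: review_user(r, today) for r in roster}


# Constructed sample roster; names and dates are illustrative only.
SAMPLE_ROSTER = [
    AccessRecord("H12345", "Occupancy Specialist", True, True, date(2006, 1, 10), True),
    AccessRecord("H23456", "Occupancy Specialist", True, True, date(2005, 11, 1), True),
    AccessRecord("H34567", "Program Manager", True, False, date(2006, 1, 5), True),
    AccessRecord("H45678", "Former Employee", True, True, date(2006, 1, 3), False),
]

if __name__ == "__main__":
    for uid, outcome in run_review(SAMPLE_ROSTER, date(2006, 2, 15)).items():
        print(f"{uid}: {outcome}")
```

Running the review on 15 February 2006 (more than 30 days into the first quarter) keeps H12345, denies H23456 for missing the window and H34567 for missing documentation, and revokes H45678, whose supervisor reported no continuing need. Running it on 20 January 2006 instead reports H23456 as pending, which is the list the security officer should be chasing before the deadline.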
Page 9. Administrative Safeguards, cont’d
Keeping Records and Monitoring Security Issues
Ensure that a copy of Form HUD-9886, signed by each adult member of the household, is kept in the household file
Maintain a key control log to track the inventory of keys available, the number of keys issued and to whom the keys are issued
Ensure that all employees and contractors who have been issued keys to secure areas complete a form acknowledging the receipt of the key
Maintain a log of all users who access designated secure areas including the date and time of entry and exit and the purpose of the access
Ensure that combination locks are reset regularly, including whenever an employee leaves the HUD Field Office or PHA
Ensure that EIV system’s information is disposed of in an appropriate manner and maintain a log of all documents that have been burned or shredded
Page 10. Administrative Safeguards, cont’d
Conducting Security Awareness Training
Ensure that all users of EIV system’s data receive training in EIV system's security policies and procedures at the time of employment and at least annually afterwards
Maintain a record of all personnel who have attended training sessions
Communicate security information and requirements to appropriate personnel
Distribute all User Guides and Security Procedures to personnel using EIV system's data
Reporting Improper Disclosures
Report any evidence of unauthorized access or known security breaches to the PHA Executive Director or the Director of Public Housing
Document all improper disclosures in writing
Report all security violations regardless of whether the security violation was intentional or unintentional
Page 11. Technical Safeguards
Purposes of the technical safeguards:
Reduce the risk of a security violation related to the EIV system’s software, network, or applications
Identify and authenticate all users seeking access to the EIV system’s data
Deter and detect attempts to access the system without authorization
Monitor the user activity on the EIV system
Online User Alerts
Page 12. Technical Safeguards
The technical controls that have been built into the EIV system address the following:
User Identification and Authentication
Each user is required to have their own User ID and Password
The User ID identifies the PHA(s) or HUD Field Office and tenant information that the user is authorized to access
Passwords are encrypted and the password file is protected from unauthorized access
All EIV users need to have Secure System – WASS – User IDs to access the EIV online application.
All users logging into the EIV system and their user certification transactions will be logged – this is an effort to protect the tenant data and provide traceability in the event some questionable actions occur.
Online warning messages that inform the user of the civil and criminal penalties associated with unauthorized use of the EIV system’s data
The system forces all users to change their password every 21 days and limits the reuse of previous passwords
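Two of the controls listed on this slide, a forced password change every 21 days and a limit on reusing previous passwords, are worth seeing as code because the reuse check is often implemented badly (plaintext history, or a single shared salt). The example below is added here and is not EIV's or WASS's own implementation; it shows one sound way to keep a password history as individually salted PBKDF2 hashes and to enforce the 21-day maximum age from the slide. The history depth of six previous passwords and the PBKDF2 parameters are my assumptions, since the slides give no figure for either.

```python
"""Password maximum age and reuse history (added example, not EIV's code).

The 21-day maximum age is from the slide; the history depth and hashing
parameters are assumptions for the example.
"""
import hashlib
import hmac
import os
from datetime import date
from typing import List, Optional, Tuple

MAX_PASSWORD_AGE_DAYS = 21   # from the slide
HISTORY_DEPTH = 6            # assumption: how many previous passwords may not be reused
PBKDF2_ROUNDS = 100_000      # assumption


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the history never stores the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordHistory:
    """Per-user record of recent password hashes plus the date of the last change."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []   # (salt, hash), newest last
        self.last_changed: Optional[date] = None

    def is_reused(self, candidate: str) -> bool:
        """True if candidate matches any password still in the history window."""
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self.entries
        )

    def set_password(self, password: str, today: date) -> bool:
        """Accept a new password unless it repeats one in the history; return success."""
        if self.is_reused(password):
            return False
        salt = os.urandom(16)                      # fresh salt per entry
        self.entries.append((salt, hash_password(password, salt)))
        self.entries = self.entries[-self.depth:]  # keep only the newest `depth`
        self.last_changed = today
        return True

    def must_change(self, today: date) -> bool:
        """True once the password is 21 days old (or was never set)."""
        if self.last_changed is None:
            return True
        return (today - self.last_changed).days >= MAX_PASSWORD_AGE_DAYS


if __name__ == "__main__":
    # Constructed walk-through with illustrative passwords.
    h = PasswordHistory(depth=2)
    print(h.set_password("Winter2005!", date(2005, 10, 1)))   # True: accepted
    print(h.set_password("Winter2005!", date(2005, 10, 2)))   # False: reuse rejected
    print(h.must_change(date(2005, 10, 22)))                  # True: 21 days old
```

With a depth of two, a password drops out of the history after two successful changes and becomes acceptable again; a production deployment would choose the depth to match its policy, and the 21-day clock restarts only on a successful change, so a rejected reuse attempt does not extend the deadline.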
Page 13. Technical Safeguards, cont’d
User Identification and Authentication, cont’d
All EIV users will need Secure System WASS User IDs to access the EIV Online System website
Review the Guidance on the EIV website
For user support, please contact PIH-REAC's Technical Assistance Center (TAC). Hours of operation are Monday to Friday, 7:00 AM to 8:30 PM Eastern Standard Time.
Contact Details:
TAC toll-free line: (888) 245-4860
TAC Fax Number: (202) 485-0288
TAC Email Address: REAC_TAC@hud.gov
Mailing Address:
Office of Public and Indian Housing
Real Estate Assessment Center
Technical Assistance Center (TAC)
550 12th Street, SW, Suite 100
Washington, DC 20410
Page 14. Physical Safeguards
Purposes of the physical safeguards:
Provide barriers between unauthorized persons and documents or computer media containing private data
Prevent undetected entry to protected areas and/or to protected documents
Provide immediate notification, noticeable under normal operating conditions, if the barrier is penetrated by unauthorized persons
Prevent viewing of private information by any person by any means from outside the area confined by the barrier
Allow authorized persons to have monitored and controlled access to protected private data
Page 15. Physical Safeguards, cont’d
HUD Field Offices and PHAs may implement any combination of the following physical safeguards:
Locked and monitored buildings, offices, or storage rooms
Locked and monitored metal file cabinets
Designated secure areas and equipment
Security rooms or locked office space with limited points of entry (e.g., doors) and means of entry (e.g., keys)
Restricted areas with prominently posted signs or other indicators identifying them and limited points of entry
Physical and administrative means for monitoring access to the secure areas and access and use of the protected data
Restricted use printers, copiers, facsimile machines, etc.
Page 16. Physical Safeguards, cont’d
Secure computer systems and output
Store EIV system’s data in a separate, restricted-access directory if files are saved to a local machine
Label all diskettes containing EIV system’s data “Confidential” or “For Official Use Only”
Retrieve all computer printouts as soon as they are generated so that EIV system’s data is not left lying unattended in printers
Avoid leaving a computer unattended with EIV system’s data displayed on the screen
Disposal of EIV system’s information
Destroy as soon as it has served its purpose or as prescribed by the Field Office’s or PHA’s policy and procedures
All EIV system’s originals and copies should either be burned or shredded
Page 17. Implementing Safeguards
Technical safeguards alone, without complementary physical and/or administrative safeguards, do not meet HUD’s standard for the protection of private data.
HUD Field Offices and PHAs are strongly encouraged to take all reasonable steps to implement a combination of technical, physical, and administrative safeguards.
The physical and administrative safeguards that are implemented by a Field Office or PHA must be appropriate when considered in combination with the technical safeguards available to the Field Office or PHA through the EIV system.
Page 18. Security Impact of the HUD/HHS Agreement
The agreement between HUD and HHS:
Stipulates the security requirements for accessing wage and unemployment data
Permits HHS to conduct onsite monitoring of the security procedures used by PHAs and HUD for safeguarding the National Directory of New Hires data
To ensure compliance with the security requirements each Field Office and PHA should:
Appoint a Security Officer/Administrator/Coordinator
Review and implement the security measures outlined in the EIV Security Procedures for UIV Data Guide, which is applicable to PHA and HUD staff.
Page 19. EIV Websites
Privacy Act Information at:
http://www.usdoj.gov/fola/privstat.htm
The EIV Access Authorization Form,
EIV Rules of Behavior and User Agreement Form and
EIV Security Procedures for UIV Data Guide at:
http://www.hud.gov/offices/pih/programs/ph/rhiip/uivsystem.cfm
EIV Assistance: EIV_Help@HUD.GOV
PIC Help/EIV Help Call Center: 1-800-366-6827
9:00 a.m. - 8:00 p.m. on Business Days
Page 20. Contact Information
Myra Newbill
EIV system's Security Officer
Phone: 202-475-8988
Fax: 202-485-0275
Email: Myra_E. _Newbill@hud.gov