Loading...
HomeMy WebLinkAboutEx. 2 HA ANNLPLAN, EIV Housing Authority of the City of Santa Ana HOUSING CHOICE VOUCHER PROGRAM Enterprise Income Verification (EIV) Security Policy and Procedures The Enterprise Income Verification System (EIV) The EIV system is intended to provide a single source of income-related data to PHAs for use in verifying the income reported by tenants in the various assisted housing programs. The office of Public and Indian Housing (PIH) is responsible for administering and maintaining the EIV system. Types of Upfront Verification of Income Provided by EIV The EIV system compares the tenant income data obtained from various sources including: Tenant-supplied income data captured on Form HUD-50058 and maintained in the PIC databases; U.S. Department of Health and Human Services, National Directory of New Hires (NDNH) data. NDNH becomes the single source for wage, unemployment insurance benefit information, and the new hire (employment) information; Social Security and Supplemental Security income from the Social Security Administration (information formerly accessed through TASS); and User profile information from the PIC database. What EIV Tenant Data Is Used For EIV data is the first level in the hierarchy of upfront income verification. The EIV data may be used in the following way: program and to determine the level of assistance the applicant/participant is entitled to receive. No adverse action can be taken against an applicant/participant until the PHA has note below) and the applicant/participant has been granted an opportunity to contest any adverse findings through the established grievance, hearing, or other legal procedures. Applicability The procedures in this document apply to all Housing Authority of the City of Santa Ana (SAHA) staff that access EIV data. 1 Exhibit 2 Purpose The purpose of this document is to set forth SAHA policies and procedures governing the use of the EIV system and associated documents. The practices, controls and safeguards described in this document have been established to ensure compliance with the Federal laws regarding the protection of this information. Privacy Act The data provided via the EIV system will be protected to ensure that it is only used for official purposes and not disclosed in any way that would violate the privacy of the individuals represented in the system data. Privacy of data and data security for computer systems are covered by a variety of Federal laws and regulations. The Privacy Act of 1974 as amended, 5 U.S.C. 552 (a) is one such regulation. The full text of the Privacy Act can be accessed at http://www.usdoj.gov/fois/privstat.htm. Examples of Privacy Act Violations SAHA will not rely entirely upon staff to read and understand the Privacy Act. To ensure that staff has a complete understanding of the Privacy Act and how seemly harmless actions may be violations, examples of a Privacy Act violations will be provided annually during security awareness training. The following example of a security violation was explained during the HUD Satellite Broadcast introducing the EIV system: EIV data can only be viewed by authorized PHA staff and the individual adult who the information pertains to. This means that EIV data for an adult household member in a resident family cannot be shared with another adult household member of the resident family (even the head of household) unless that family member is present or signs a waiver authorizing the other family member to view their EIV information. The Privacy Act protects the privacy of each adult family member from any unauthorized person viewing their EIV data, even another family member. However, EIV data for minor children may be viewed by the Head of Household. Security Officer(s) An EIV Security Officer(s), appointed by the Housing & Neighborhood Development Manager technical, physical, administrative is responsible for ensuring that proper and safeguards are in place and enforced. The duties of the security officer are as follows: Conducts quarterly reviews of all User IDs issued to determine if the users still have a valid need to access the EIV data and modifies or revokes access rights as appropriate At the request of the Housing & Neighborhood Development Manager or her designee, updates the EIV Security Policy and Procedures Coordinates or conducts file audits, at least annually, to assure that a copy of Form HUD- 9886 has been signed by each member of the household age 18 years or older and is in the household file 2 Exhibit 2 Ensures compliance with SAHA security policies and procedures outlined in this document Communicates security information and requirements to appropriate personnel, including coordinating and conducting annual security awareness training sessions Ensures that any infractions of security procedures are promptly reported to the Housing & Neighborhood Development Manager or her designee for investigation and enforcement Ensures that all EIV records and forms (i.e., signed user agreements) are kept and updated as needed. Other Quality Control Reviews Lead Staff Persons routinely conduct audits on completed transactions. As part of any file audit, they will check for a current HUD-9886 The Supervisor(s) will conduct an annual review of tenant files to ensure that HUD-9886 forms are in tenant files. Files will be randomly selected. Sample size will be the same as sample size outlined in SEMAP regulations for indicator #3 Adjusted Income. Security Awareness Training Security Awareness Training is a crucial aspect of ensuring the security of the EIV system and data. EIV users and potential users will be made aware of the importance of respecting the privacy of data, following established procedures to maintain privacy and security, and notifying management in the event of a security of privacy violation. In addition to annual Security Awareness Training, the Security Officer(s) will communicate security information and requirements to appropriate personnel using various methods such as: E-mail reminders Discussions at group and managerial meetings Security bulletins posted throughout the work areas Security Awareness Training will be provided to each employee upon granting access to the EIV system. Thereafter, annual security awareness refresher training will be provided to each employee with EIV access. Annual Security Awareness Training will be conducted through HUD Webcasts or by the Security Officer. The trainer and the employee will both sign a certification that EIV security training has been provided. The training certification and a record of the training material provided at Security Awareness Training the awareness training will be kept in the section of the EIV file. At the end of the training, each employee will also sign the EIV Rules of Behavior and User Agreement form. One copy will be given to the employee to be placed in their desk 3 Exhibit 2 User Agreement manual and one copy will be retained in the section of the EIV file. The forms will be updated once a year at the refresher training. Examples of potential Privacy Act and security violations will be provided during the training. Technical Safeguards The purpose of these technical safeguards is as follows: applications To identify and authenticate all users seeking access to the EIV system To deter and detect attempts to access the system without authorization To monitor the user activity of the EIV system. Various technical safeguards have been built into the EIV system to mitigate the risk of security violations. However, SAHA will ensure that the physical and administrative safeguards are also in pl protection of private data. Description of Built-In Technical Safeguards The following describes the technical controls built into the EIV system: Each user is required to have their own User ID and Password The User ID identifies the PHA and tenant information that the user is authorized to access User IDs are confidential and maintained by the Security Officer The system forces all users to change their password periodically and limit the reuse of previous passwords After three unsuccessful attempts to log in, the User ID is locked and the user must contact the HUD System Administrator to have the password reset Online warning messages that inform the user of the civil and criminal penalties associated with unauthorized use of the EIV system will be displayed. The following describes additional SAHA Technical Safeguards: Each user is required to have their own User ID and Password The individual User ID is attached to specific access rights System (network) users are granted limited access rights and given a password to access the Network system Warning messages when users log in inform the user of City of Santa Ana policy governing the use of City systems. 4 Exhibit 2 In addition to the built-in technical safeguards, SAHA will follow the following technical security requirement: SAHA staff will not save EIV data to a computer hard drive or any other automated information system (i.e., network drive, disk or CD) SAHA staff will not leave their computer unattended with EIV data displayed on the screen Administrative Safeguards The SAHA EIV Security Officer(s) will maintain security-related records and monitor programmatic security issues. The EIV Security Officer(s) will adhere to the following administrative safeguards: Ensure that all users who have access to EIV data have an Access Authorization/Rules of Behavior/User Agreement form on file signed by the user and the Security Officer on her designee on file; Conduct quarterly reviews of all User IDs to determine if the user still has a valid need to access the EIV data; and Ensure the access rights are modified or revoked as appropriate. The EIV Security Officer(s) will maintain the following EIV security records and forms: EIV Rules of Behavior and User Agreement forms EIV Access Authorization Forms EIV Security violation information EIV Security Awareness Training Records Records of internal audits to ensure that the Form HUD-9886 has been signed by each adult member of the household and is kept in the Confidential Resident File A record of all users who have approved access to EIV data including the date the access was granted and the date access was terminated. Physical Safeguards The purpose of physical safeguards is to provide barriers between unauthorized persons and documents containing private data. Access to Work Space The doors to the SAHA work area are locked at all times. To enter into the workspace, you must access a coded door lock. Employees are only granted access to a workspace that is appropriate based on their employment assignment. Hours of access to the workspace are also controlled. In general, staff is allowed access to the workspace Monday-Friday, from 7:00 a.m. to 6:00 p.m. Management approval is required for weekend or after hours work. 5 Exhibit 2 Confidential Resident Files/Central Filing Room All EIV data will be viewed for each adult. If printed to assist with a fraud investigation it will be EIV Security Procedures Manual). Policy prior to April 2008 allowed for EIV to be printed and imaged. The main door to the imaging area will remain locked and files not already imaged will be released only when the file clerk who oversees the area is present. Some files are not yet imaged. As necessary, staff may maintain a file at their workstation. However, tenant files containing EIV may not be left unattended or open on the desktop when staff is away from their desk. Any tenant files containing EIV held at workstations must be properly stored in locked overhead bins or locked desk drawers when not in use. Once a transaction is completed, and if the EIV documents were printed to investigate fraud, they will be destroyed by shredding to a Hard Copy Security Requirement When EIV is printed, staff will retrieve computer printouts as soon as they are generated so that EIV data is not left lying unattended in printers where unauthorized users may access them. Hard Copy Security Violations SAHA will handle EIV data in such a manner that it does not become misplaced or available to unauthorized personnel. Any confidential resident file should be assumed to contain EIV data. any personnel Therefore, the participant file cannot be viewed by that are not expressly authorized (examples of authorized staff: staff in charge of that file, the supervisor of the staff in charge of the file, or approved/authorized auditors) and who do not have both an Access Authorization Form/Rules of Behavior/User Agreement on file with the EIV Security Officer. considered a security violation for both the staff viewing the EIV information and for the staff that left the information unattended. Unless a supervisor has specifically authorized staff to view Disposal of EIV Information EIV Reports must be disposed of under the following circumstances: EIV report was incorrectly requested. Reporting Improper Disclosures Recognition, reporting and disciplinary action in response to security violations are crucial to successfully maintaining the security and privacy of the EIV system. 6 Exhibit 2 Security Violations may include the following: Disclosure of private data Attempts to access unauthorized data Sharing of User IDs and passwords Upon discovery of a possible improper disclosure of EIV information or another security violation by a SAHA Employee or any other person, the individual making the observation or receiving the information should contact their immediate supervisor or the EIV Security Officer(s). If the incident is reported to a supervisor, the supervisor must immediately inform the EIV Security Officer. The EIV Security Officer(s) will document all improper disclosures in writing on a security disclosure form providing details including who was involved what was disclosed, how the disclosure occurred, and where it occurred. The following contacts will be made: The EIV Security Officer(s) will contact and provide the written documentation of the security violation. The Security Officer(s) is responsible for informing the Housing & Neighborhood Development Manager of any security breaches. The Housing & Neighborhood Development Manager or her designee will provide the HUD Field Office Public Housing Director with the written documentation; and, The HUD Field Office Public Housing Director, upon receipt of the documentation, will make a determination regarding the referral and provision of the written documentation to the Headquarters EIV Coordinator and/or EIV Security Officer(s) for further review and follow-up action. Appendix 1. Safeguards Provided by the Privacy Act The Privacy Act provides safeguards for individuals against invasion of privacy by requiring Federal agencies, except as otherwise provided by law or regulation to: 1.Permit individuals to know what records pertaining to them are collected, maintained, used or disseminated; 2.Allow individuals to prevent records pertaining to them, obtained for a particular purpose from being used or made available for another purpose without their consent; 3.Permit individuals to gain access to information pertaining to them, obtain a copy of all or any portions thereof, and correct or amend such records; 4.Collect, maintain, use or disseminate personally identifiable information in a manner that ensure the information is current and accurate, and that adequate safeguards are provided to prevent misuses of such information; 5.Permit exemption from the requirements of the Act only where an important public policy need exists as determined by specific statutory authority; and 6.Be subject to a civil suit for any damages that occur as a result of action that violates any rights under this Act. 7 Exhibit 2