HomeMy WebLinkAboutEx. 2 HA ANNLPLAN, EIV
Housing Authority of the City of Santa Ana
HOUSING CHOICE VOUCHER PROGRAM
Enterprise Income Verification (EIV)
Security Policy and Procedures
The Enterprise Income Verification System (EIV)
The EIV system is intended to provide a single source of income-related data to PHAs for use in
verifying the income reported by tenants in the various assisted housing programs. The office of
Public and Indian Housing (PIH) is responsible for administering and maintaining the EIV
system.
Types of Upfront Verification of Income Provided by EIV
The EIV system compares the tenant income data obtained from various sources including:
Tenant-supplied income data captured on Form HUD-50058 and maintained in the PIC
databases;
U.S. Department of Health and Human Services, National Directory of New Hires
(NDNH) data. NDNH becomes the single source for wage, unemployment insurance
benefit information, and the new hire (employment) information;
Social Security and Supplemental Security income from the Social Security
Administration (information formerly accessed through TASS); and
User profile information from the PIC database.
What EIV Tenant Data Is Used For
EIV data is the first level in the hierarchy of upfront income verification. The EIV data may be
used in the following way:
program and to determine the level of assistance the applicant/participant is entitled to
receive.
No adverse action can be taken against an applicant/participant until the PHA has
note below) and the applicant/participant has been granted an opportunity to contest any
adverse findings through the established grievance, hearing, or other legal procedures.
Applicability
The procedures in this document apply to all Housing Authority of the City of Santa Ana
(SAHA) staff that access EIV data.
1
Exhibit 2
Purpose
The purpose of this document is to set forth SAHA policies and procedures governing the use of
the EIV system and associated documents. The practices, controls and safeguards described in
this document have been established to ensure compliance with the Federal laws regarding the
protection of this information.
Privacy Act
The data provided via the EIV system will be protected to ensure that it is only used for official
purposes and not disclosed in any way that would violate the privacy of the individuals
represented in the system data. Privacy of data and data security for computer systems are
covered by a variety of Federal laws and regulations. The Privacy Act of 1974 as amended, 5
U.S.C. 552 (a) is one such regulation.
The full text of the Privacy Act can be accessed at http://www.usdoj.gov/fois/privstat.htm.
Examples of Privacy Act Violations
SAHA will not rely entirely upon staff to read and understand the Privacy Act. To ensure that
staff has a complete understanding of the Privacy Act and how seemly harmless actions may be
violations, examples of a Privacy Act violations will be provided annually during security
awareness training. The following example of a security violation was explained during the
HUD Satellite Broadcast introducing the EIV system:
EIV data can only be viewed by authorized PHA staff and the individual adult who the
information pertains to. This means that EIV data for an adult household member in a resident
family cannot be shared with another adult household member of the resident family (even the
head of household) unless that family member is present or signs a waiver authorizing the other
family member to view their EIV information. The Privacy Act protects the privacy of each adult
family member from any unauthorized person viewing their EIV data, even another family
member. However, EIV data for minor children may be viewed by the Head of Household.
Security Officer(s)
An EIV Security Officer(s), appointed by the Housing & Neighborhood Development Manager
technical, physical, administrative
is responsible for ensuring that proper and safeguards are in
place and enforced. The duties of the security officer are as follows:
Conducts quarterly reviews of all User IDs issued to determine if the users still have a
valid need to access the EIV data and modifies or revokes access rights as appropriate
At the request of the Housing & Neighborhood Development Manager or her designee,
updates the EIV Security Policy and Procedures
Coordinates or conducts file audits, at least annually, to assure that a copy of Form HUD-
9886 has been signed by each member of the household age 18 years or older and is in
the household file
2
Exhibit 2
Ensures compliance with SAHA security policies and procedures outlined in this
document
Communicates security information and requirements to appropriate personnel, including
coordinating and conducting annual security awareness training sessions
Ensures that any infractions of security procedures are promptly reported to the Housing
& Neighborhood Development Manager or her designee for investigation and
enforcement
Ensures that all EIV records and forms (i.e., signed user agreements) are kept and
updated as needed.
Other Quality Control Reviews
Lead Staff Persons routinely conduct audits on completed transactions. As part of any
file audit, they will check for a current HUD-9886
The Supervisor(s) will conduct an annual review of tenant files to ensure that HUD-9886
forms are in tenant files. Files will be randomly selected. Sample size will be the same
as sample size outlined in SEMAP regulations for indicator #3 Adjusted Income.
Security Awareness Training
Security Awareness Training is a crucial aspect of ensuring the security of the EIV system and
data. EIV users and potential users will be made aware of the importance of respecting the
privacy of data, following established procedures to maintain privacy and security, and notifying
management in the event of a security of privacy violation.
In addition to annual Security Awareness Training, the Security Officer(s) will communicate
security information and requirements to appropriate personnel using various methods such as:
E-mail reminders
Discussions at group and managerial meetings
Security bulletins posted throughout the work areas
Security Awareness Training will be provided to each employee upon granting access to the EIV
system. Thereafter, annual security awareness refresher training will be provided to each
employee with EIV access.
Annual Security Awareness Training will be conducted through HUD Webcasts or by the
Security Officer.
The trainer and the employee will both sign a certification that EIV security training has
been provided. The training certification and a record of the training material provided at
Security Awareness Training
the awareness training will be kept in the section of the
EIV file.
At the end of the training, each employee will also sign the EIV Rules of Behavior and
User Agreement form. One copy will be given to the employee to be placed in their desk
3
Exhibit 2
User Agreement
manual and one copy will be retained in the section of the EIV file. The
forms will be updated once a year at the refresher training.
Examples of potential Privacy Act and security violations will be provided during the
training.
Technical Safeguards
The purpose of these technical safeguards is as follows:
applications
To identify and authenticate all users seeking access to the EIV system
To deter and detect attempts to access the system without authorization
To monitor the user activity of the EIV system.
Various technical safeguards have been built into the EIV system to mitigate the risk of security
violations. However, SAHA will ensure that the physical and administrative safeguards are also
in pl
protection of private data.
Description of Built-In Technical Safeguards
The following describes the technical controls built into the EIV system:
Each user is required to have their own User ID and Password
The User ID identifies the PHA and tenant information that the user is authorized to
access
User IDs are confidential and maintained by the Security Officer
The system forces all users to change their password periodically and limit the reuse of
previous passwords
After three unsuccessful attempts to log in, the User ID is locked and the user must
contact the HUD System Administrator to have the password reset
Online warning messages that inform the user of the civil and criminal penalties
associated with unauthorized use of the EIV system will be displayed.
The following describes additional SAHA Technical Safeguards:
Each user is required to have their own User ID and Password
The individual User ID is attached to specific access rights
System (network) users are granted limited access rights and given a password to access
the Network system
Warning messages when users log in inform the user of City of Santa Ana policy
governing the use of City systems.
4
Exhibit 2
In addition to the built-in technical safeguards, SAHA will follow the following technical
security requirement:
SAHA staff will not save EIV data to a computer hard drive or any other automated
information system (i.e., network drive, disk or CD)
SAHA staff will not leave their computer unattended with EIV data displayed on the
screen
Administrative Safeguards
The SAHA EIV Security Officer(s) will maintain security-related records and monitor
programmatic security issues. The EIV Security Officer(s) will adhere to the following
administrative safeguards:
Ensure that all users who have access to EIV data have an Access Authorization/Rules of
Behavior/User Agreement form on file signed by the user and the Security Officer on her
designee on file;
Conduct quarterly reviews of all User IDs to determine if the user still has a valid need to
access the EIV data; and
Ensure the access rights are modified or revoked as appropriate.
The EIV Security Officer(s) will maintain the following EIV security records and forms:
EIV Rules of Behavior and User Agreement forms
EIV Access Authorization Forms
EIV Security violation information
EIV Security Awareness Training Records
Records of internal audits to ensure that the Form HUD-9886 has been signed by each
adult member of the household and is kept in the Confidential Resident File
A record of all users who have approved access to EIV data including the date the access
was granted and the date access was terminated.
Physical Safeguards
The purpose of physical safeguards is to provide barriers between unauthorized persons and
documents containing private data.
Access to Work Space
The doors to the SAHA work area are locked at all times. To enter into the workspace, you must
access a coded door lock. Employees are only granted access to a workspace that is appropriate
based on their employment assignment. Hours of access to the workspace are also controlled. In
general, staff is allowed access to the workspace Monday-Friday, from 7:00 a.m. to 6:00 p.m.
Management approval is required for weekend or after hours work.
5
Exhibit 2
Confidential Resident Files/Central Filing Room
All EIV data will be viewed for each adult. If printed to assist with a fraud investigation it will
be
EIV Security Procedures Manual). Policy prior to April 2008 allowed for EIV to be printed and
imaged. The main door to the imaging area will remain locked and files not already imaged will
be released only when the file clerk who oversees the area is present. Some files are not yet
imaged. As necessary, staff may maintain a file at their workstation. However, tenant files
containing EIV may not be left unattended or open on the desktop when staff is away from their
desk. Any tenant files containing EIV held at workstations must be properly stored in locked
overhead bins or locked desk drawers when not in use. Once a transaction is completed, and if
the EIV documents were printed to investigate fraud, they will be destroyed by shredding to a
Hard Copy Security Requirement
When EIV is printed, staff will retrieve computer printouts as soon as they are generated so that
EIV data is not left lying unattended in printers where unauthorized users may access them.
Hard Copy Security Violations
SAHA will handle EIV data in such a manner that it does not become misplaced or available to
unauthorized personnel. Any confidential resident file should be assumed to contain EIV data.
any personnel
Therefore, the participant file cannot be viewed by that are not expressly
authorized (examples of authorized staff: staff in charge of that file, the supervisor of the staff in
charge of the file, or approved/authorized auditors) and who do not have both an Access
Authorization Form/Rules of Behavior/User Agreement on file with the EIV Security Officer.
considered a security violation for both the staff viewing the EIV information and for the staff
that left the information unattended. Unless a supervisor has specifically authorized staff to view
Disposal of EIV Information
EIV Reports must be disposed of under the following circumstances:
EIV report was incorrectly requested.
Reporting Improper Disclosures
Recognition, reporting and disciplinary action in response to security violations are crucial to
successfully maintaining the security and privacy of the EIV system.
6
Exhibit 2
Security Violations may include the following:
Disclosure of private data
Attempts to access unauthorized data
Sharing of User IDs and passwords
Upon discovery of a possible improper disclosure of EIV information or another security
violation by a SAHA Employee or any other person, the individual making the observation or
receiving the information should contact their immediate supervisor or the EIV Security
Officer(s). If the incident is reported to a supervisor, the supervisor must immediately inform the
EIV Security Officer. The EIV Security Officer(s) will document all improper disclosures in
writing on a security disclosure form providing details including who was involved what was
disclosed, how the disclosure occurred, and where it occurred.
The following contacts will be made:
The EIV Security Officer(s) will contact and provide the written documentation of the
security violation. The Security Officer(s) is responsible for informing the Housing &
Neighborhood Development Manager of any security breaches.
The Housing & Neighborhood Development Manager or her designee will provide the
HUD Field Office Public Housing Director with the written documentation; and,
The HUD Field Office Public Housing Director, upon receipt of the documentation, will
make a determination regarding the referral and provision of the written documentation to
the Headquarters EIV Coordinator and/or EIV Security Officer(s) for further review and
follow-up action.
Appendix 1. Safeguards Provided by the Privacy Act
The Privacy Act provides safeguards for individuals against invasion of privacy by requiring
Federal agencies, except as otherwise provided by law or regulation to:
1.Permit individuals to know what records pertaining to them are collected, maintained,
used or disseminated;
2.Allow individuals to prevent records pertaining to them, obtained for a particular purpose
from being used or made available for another purpose without their consent;
3.Permit individuals to gain access to information pertaining to them, obtain a copy of all
or any portions thereof, and correct or amend such records;
4.Collect, maintain, use or disseminate personally identifiable information in a manner that
ensure the information is current and accurate, and that adequate safeguards are provided
to prevent misuses of such information;
5.Permit exemption from the requirements of the Act only where an important public
policy need exists as determined by specific statutory authority; and
6.Be subject to a civil suit for any damages that occur as a result of action that violates any
rights under this Act.
7
Exhibit 2