EIV 7.0
Instructional
Course
Sponsored by the Department
of Housing and Urban
Development
Wednesday, June 27, 2007
Office of Housing, Housing
Assistance and Grant Administration
(HAGA) 1
Discussion Topics
Securing EIV’s confidential
tenant information
EIV access authorization forms
Safeguarding EIV data
Monitoring
Q&A Call-in Information
At the end of this segment, you
will be given an opportunity to
ask questions of the presenter
for response. Call-in information
is as follows:
202/708-0995
HUDTV@hud.gov
Securing EIV’s
Confidential Tenant
Information
Why is it so important to
secure the tenant data
contained in EIV?
Protecting the
Confidentiality of Family
Personal Information
The Income Reports in EIV contain
the SSNs, full dates of birth, first and
last names, and physical address of
tenant families. This is all very
personal information that must not be
handled carelessly.
O/As, CAs, and even HUD staff need
to be careful not to share this
information with anyone who is not
authorized to have it.
Protecting the Confidentiality
of Family Personal Information
(cont.)
A family’s personal information
in the wrong hands can be used
for fraudulent purposes, e.g.,
identity theft.
PRIVACY ACT OF 1974, 5 U.S.C. § 552a
Privacy Act
§ 552a. Records maintained on
individuals
(a) Definitions
For purposes of this section--
(1) the term "agency" means
agency as defined in section
552(f) of this title;
(2) the term "individual" means a
citizen of the United States or an
alien lawfully admitted for
permanent residence;
(3) the term "maintain" includes
maintain, collect, use or
disseminate;
(4) the term "record" means any
item, collection, or grouping of
information about an individual
Complete language available
on HUD’s website at:
http://www.hud.gov/offices/ogc/foia/privacyact.
EIV Data for Official HUD
use Only
EIV income data may only be
used for verification of
employment and income at
recertification.
Authorized Disclosure
EIV data may only be disclosed to:
Private owners
Management agents
Service Bureaus
Contract Administrators
HUD staff
HUD Office of Inspector General (OIG) for
investigative purposes
Individual to whom the record pertains
Unauthorized Disclosure
Must not disclose data in any
way that would violate the
privacy of the individuals.
EIV data must not be disclosed
(or re-disclosed) to any third
parties.
Sanctions
Willful disclosure or inspection of
EIV data can result in civil and
criminal penalties.
Unauthorized disclosure – felony
conviction and fine up to $5,000 or
imprisonment up to five (5) years, as well
as civil damages.
Unauthorized inspection –
misdemeanor penalty of up to $1,000
and/or one (1) year imprisonment, as well
as civil damages.
EIV Warning Page
Before accessing the EIV system,
all EIV users must acknowledge
they understand:
The conditions of the Privacy Act
They may have access to EIV for official
purposes only
They are subject to civil and criminal penalties
under the Privacy Act for misuse of
information
There must be a signed consent form
on file (HUD-9887) before viewing
income data
EIV Legal Warning Page
(cont.)
Tenant or Family Consent
Must have signed consent from
individual.
Form HUD-9887 must be on file
The signed form HUD-9887 must
not be older than 15 months.
Available on HUDClips at:
www.hudclips.org
Tenant’s Right to Dispute EIV
Data
Must permit individual to have
access to information pertaining
to them and to request
information be amended.
Must independently verify
disputed information.
Tenant must be notified of findings
O/A cannot suspend, terminate, reduce
or make final denial of assistance or
tenancy until tenant has opportunity to
dispute and discuss (24 CFR Part 5.236)
EIV Access
Authorization
Forms
EIV Coordinator and User
Access Authorization Forms
The Coordinator Access
Authorization Form (CAAF) and
User Access Authorization Form
(UAAF) can be found at:
http://www.hud.gov/offices/hsg/mfh/rhiip/eiv/eivhome.cfm
Screen Shot MF EIV
Downloadable CAAF and UAAF forms
EIV Coordinator and User
Access Authorization Forms
(cont.)
When signing the CAAF or UAAF,
EIV users agree to:
The Rules of Behavior
User Agreement
Rules of Behavior
Delineates responsibilities of,
and expectations for, individuals
with access to the EIV system.
Holds users accountable for their actions
and responsibilities
Enhances other HUD policies
already in place.
Outlines application rules.
PART II. RULES OF BEHAVIOR
A. Introduction
The U.S. Department of Housing and Urban Development (HUD) is
actively involved in implementing and maintaining Departmental
policies and procedures to keep its Systems secure from
unauthorized access and inappropriate use. In compliance with
various security-related Federal laws and regulations, HUD
created these Rules of Behavior for the EIV system. This document
was created to ensure that EIV system users comply with HUD
security policies. In addition, this document ensures that system
accounts remain secure and are used in the appropriate manner.
HUD may grant limited system access to Coordinators who have a
need to utilize the HUD information resources. These include:
PHAs, O/A and service bureau staff, CAs, HUD employees, and
HUD contractors. EIV resources are for official use only. As a
condition of receiving access, you are required to understand and
abide by the HUD and EIV system security policies and
procedures. The purpose of these policies and procedures is to
safeguard HUD’s valuable information resources. All EIV
Coordinators must adhere to the Rules of Behavior outlined in this
document. The rules clearly delineate responsibilities of, and
expectations for, all individuals with access to the EIV system.
Non-compliance with these rules will be disciplined through
sanctions commensurate with the level of infraction. This may
include removal of system access for a specific period of time or
termination depending on the severity of the violation. See Part III.
for potential civil and criminal penalties…
User Agreement
The EIV Coordinator or EIV User
Understands all of HUD’s
standards, policies and
procedures, and
agrees to follow all of HUD’s
standards, policies and
procedures.
III. USER AGREEMENT
I have read the above policy regarding system security awareness and
practices when accessing HUD’s information technology resources. I
understand the policies and procedures as set forth above, and I agree
to comply with these requirements as a condition of being granted
limited access to the EIV system and its data. As an authorized user of
the EIV system, I, the undersigned, understand the information
obtained may only be used for official HUD business. I also understand
that I may access, disclose, inspect and use these data only within the
scope of my official duties. I understand further that if I abuse my
access privileges, these privileges and other access rights may be
removed. I also understand that willful disclosure or inspection of EIV
data can result in civil and criminal penalties, as follows:
• Unauthorized disclosure can result in a felony conviction and a
fine of up to $5,000 and/or imprisonment up to five (5) years, as well
as civil penalties.
• Unauthorized inspection of UIV data can result in a misdemeanor
penalty of up to $1,000 and/or one (1)-year imprisonment, as well as
civil damages.
I understand that my user ID and password are to be used only by me.
Under no circumstances will I reveal or allow use of my password by
EIV Coordinator
Certification of Owner
Approval
Requires the EIV Coordinator
applicant to certify that he/she has
received approval from the authorized
official of the owner entity to obtain
access to EIV data on his/her behalf.
EIV Coordinator applicants must not
submit the CAAF for Multifamily Help
Desk approval if the EIV Coordinator
has not received the owner’s approval
for EIV access for the property.
Security
How many security breaches can
you identify???????
When you see a ☺ next to materials
on a slide you will know a security
breach should have been identified
Safeguarding EIV
Data
Safeguard Categories
Technical
Administrative
Physical
Technical Safeguards
Identify and authenticate all users
seeking access to the EIV system data
Must have a valid WASS User ID and password
IDs and passwords must not be shared
Must not access system using another user's identity ☺
Must provide application access authorization
form
Access to data restricted based on EIV role (EIV
Coordinator or EIV User)
Access limited based on need to know
Access and activity monitored and audited
Technical Safeguards
(cont.)
Certification of users
EIV Coordinators must be certified
annually
EIV Users must be certified quarterly
If not certified within 30 days after the end of
the current quarter, access to EIV is
terminated
EIV User Certification Schedule
QTR   Quarter Dates        Certify By   Access Terminated 12:00 A.M. EST
1     Jan. 1 – Mar. 31     Apr. 29      April 30
2     Apr. 1 – June 30     Jul. 30      Jul. 31
3     Jul. 1 – Sept. 30    Oct. 30      Oct. 31
4     Oct. 1 – Dec. 31     Jan. 30      Jan. 31
Administrative Safeguards
Establish standard operating
procedures for use of data
Using employment and income data for
recertification processing only
Not sharing data with others who do
not have a need to know ☺
Checking to see if applicant/tenant is
receiving assistance under another
program at a different location
Administrative Safeguards
(cont.)
Monitor access
Owner approval letters ☺
Approved/current signed access
authorization form
Conduct periodic reviews to see if user
still has a valid need to access the EIV
data
Modify or revoke rights as appropriate
Administrative Safeguards
(cont.)
Assign Access
Ensure access rights and responsibilities
are appropriate
Tenant consent on file
Ensure that a signed copy of form
HUD-9887 is on file
Administrative Safeguards
(cont.)
Destroy EIV information no
longer needed
Conduct training
Ensure all EIV users receive security
training at time of implementation and at
least annually thereafter
Maintain a record of all personnel who
attend EIV security training
Administrative Safeguards
(cont.)
Communicate security
information
Posters
Security bulletins
Discussion groups
Distribution of EIV manuals
Administrative Safeguards
(cont.)
Detect, deter, and report
improper disclosures,
unauthorized access, or security
breaches to:
Your supervisor
HUD’s Multifamily Help Desk
Email to: MF-EIV@hud.gov
Call: 1-800-767-7588
Administrative Safeguards
(cont.)
HUD’s Security Officer
TRACS/EIV mailbox:
MFTRACSSecurity@hud.gov
Mail to:
Department of Housing and Urban Development
Office of Multifamily Housing
Attention: MF TRACS/EIV Security
451-7th Street SW, Room 6128
Washington, DC 20410
(Envelope should be marked as “Confidential”)
Administrative Safeguards (cont.)
Office of Inspector General
(IG)
Call the Hotline toll-free Monday through
Friday, from 10:00 a.m. to 4:30 p.m.,
Eastern Time, at 1-800-347-3735.
Fax information to (202) 708-4829
E-mail it to Hotline@hudoig.gov.
You can write the Hotline at:
HUD OIG Hotline, GFI
451 7th Street, SW
Washington, DC 20410
Physical Safeguards
Designate secure areas
Restrict use of printers, copiers, facsimile
machines, etc.
Controlled access to area
Secure computer systems and output
Store downloaded EIV data in a separate,
restricted access directory
Label CDs containing EIV data “confidential” or
“For Official Use Only”
Lock in secure place
Physical Safeguards (cont.)
Retrieve all computer
printouts as soon as they are
generated so that EIV data is
not left unattended ☺
Keep printouts locked up
Printouts should not be transported
from premises
Prevent identity theft ☺
Physical Safeguards (cont.)
Avoid leaving a computer
unattended with EIV data
displayed on screen ☺
Lock computer/Log off/Exit the
system when not going to be at desk
or when finished for the day
EIV will time-out after 30 minutes of
inactivity
Use a password-protected screensaver
Physical Safeguards:
Logging Out/Exiting System
Selecting “Back to Secure
Systems” to log out of EIV leaves
WASS active
Possible to re-enter EIV or another
system without entering a password
The safest and quickest way to close EIV
and WASS is to click on the “X” in the
upper right-hand corner of the screen
while in EIV
Welcome Page in EIV
Click “Back to
Secure
Systems”
Click “X” to
exit out of
WASS
Physical Safeguards (cont.)
Secure disposal of EIV
information
Destroy as soon as it has served its
purpose or as prescribed by HUD’s
policies and procedures
Burn/shred
Keep log of destroyed data
Date destroyed
How destroyed
Monitoring
Ensuring the Integrity of EIV
Data
HUD accountability for
compliance
Audit Reports (discussed in later session)
Management and Occupancy
Reviews (MORs)
Currently only limited number of
questions related to security of data
Future – Security Checklist for EIV will be
a part of form HUD-9834
Non-compliance with HUD
Program Requirements and
Privacy Act
EIV users found in non-
compliance will be disciplined
through sanctions commensurate
with the level of infraction
HUD staff
Verbal or written warning
Removal of access for specified period of time
Reassignment to other duties
Termination depending on severity of
violation
Non-compliance with HUD
Program Requirements and
Privacy Act
Privacy Act violations may result
in civil or criminal prosecution
HUD contractors
Removal of access for specified period of
time or indefinitely
Owners/management
agents/service bureaus
Removal of access for specified period of
time, indefinitely or permanently
Questions??