EIV 7.0 Instructional Course
Wednesday, June 27, 2007
Sponsored by the Department of Housing and Urban Development
Office of Housing, Housing Assistance and Grant Administration (HAGA)
Discussion Topics
• Securing EIV’s confidential tenant information
• EIV access authorization forms
• Safeguarding EIV data
• Monitoring
Q&A Call-in Information
At the end of this segment, you will be given an opportunity to ask questions of the presenter for response. Call-in information is as follows:
202/708-0995
HUDTV@hud.gov
Securing EIV’s Confidential Tenant Information
Why is it so important to secure the tenant data contained in EIV?
Protecting the Confidentiality of Family Personal Information
The Income Reports in EIV contain the SSNs, full dates of birth, first and last names, and physical address of tenant families. This is all very personal information that must not be handled carelessly. O/As, CAs, and even HUD staff need to be careful not to share this information with anyone who is not authorized to have it.
Protecting the Confidentiality of Family Personal Information (cont.)
A family’s personal information in the wrong hands can be used for fraudulent purposes, e.g., identity theft.
Privacy Act of 1974, 5 U.S.C. § 552a
§ 552a. Records maintained on individuals
(a) Definitions
For purposes of this section-
(1) the term "agency" means agency as defined in section 552(f) of this title;
(2) the term "individual" means a citizen of the United States or an alien lawfully admitted for permanent residence;
(3) the term "maintain" includes maintain, collect, use or disseminate;
(4) the term "record" means any item, collection, or grouping of information about an individual
Complete language available on HUD’s website at: http://www.hud.gov/offices/ogc/foia/privacyact.
EIV Data for Official HUD use Only
EIV income data may only be used for verification of employment and income at recertification.
Authorized Disclosure
EIV data may only be disclosed to:
• Private owners
• Management agents
• Service Bureaus
• Contract Administrators
• HUD staff
• HUD Office of Inspector General (OIG) for investigative purposes
• Individual to whom the record pertains
Unauthorized Disclosure
Must not disclose data in any way that would violate the privacy of the individuals. EIV data must not be disclosed (or re-disclosed) to any third parties.
Sanctions
Willful disclosure or inspection of EIV data can result in civil and criminal penalties.
• Unauthorized disclosure – felony conviction and fine up to $5,000 or imprisonment up to five (5) years, as well as civil damages.
• Unauthorized inspection – misdemeanor penalty of up to $1,000 and/or one (1) year imprisonment, as well as civil damages.
EIV Warning Page
Before accessing the EIV system, all EIV users must acknowledge they understand:
• The conditions of the Privacy Act
• They may have access to EIV for official purposes only
• They are subject to civil and criminal penalties under the Privacy Act for misuse of information
• There must be a signed consent form (HUD-9887) on file before viewing income data
EIV Legal Warning Page (cont.)
Tenant or Family Consent
Must have signed consent from individual.
Form HUD-9887 must be on file
The signed form HUD-9887 must not be older than 15 months.
Available on HUDClips at: www.hudclips.org
Tenant’s Right to Dispute EIV Data
• Must permit individual to have access to information pertaining to them and to request information be amended.
• Must independently verify disputed information.
• Tenant must be notified of findings
• O/A cannot suspend, terminate, reduce or make final denial of assistance or tenancy until tenant has opportunity to dispute and discuss (24 CFR Part 5.236)
EIV Access Authorization Forms
EIV Coordinator and User Access Authorization Forms
The Coordinator Access Authorization Form (CAAF) and User Access Authorization Form (UAAF) can be found at: http://www.hud.gov/offices/hsg/mfh/rhiip/eiv/eivhome.cfm
[Screen shot: MF EIV, downloadable CAAF and UAAF forms]
EIV Coordinator and User Access Authorization Forms (cont.)
When signing the CAAF or UAAF, EIV users agree to:
• The Rules of Behavior
• User Agreement
Rules of Behavior
• Delineates responsibilities of, and expectations for, individuals with access to the EIV system.
• Enhances other HUD policies already in place.
• Outlines application rules.
• Holds users accountable for their actions and responsibilities
PART II. RULES OF BEHAVIOR
A. Introduction
The U.S. Department of Housing and Urban Development (HUD) is actively involved in implementing and maintaining Departmental policies and procedures to keep its Systems secure from unauthorized access and inappropriate use. In compliance with various security-related Federal laws and regulations, HUD created these Rules of Behavior for the EIV system. This document was created to ensure that EIV system users comply with HUD security policies. In addition, this document ensures that system accounts remain secure and are used in the appropriate manner. HUD may grant limited system access to Coordinators who have a need to utilize the HUD information resources. These include: PHAs, O/A and service bureau staff, CAs, HUD employees, and HUD contractors. EIV resources are for official use only. As a condition of receiving access, you are required to understand and abide by the HUD and EIV system security policies and procedures. The purpose of these policies and procedures is to safeguard HUD’s valuable information resources. All EIV Coordinators must adhere to the Rules of Behavior outlined in this document. The rules clearly delineate responsibilities of, and expectations for, all individuals with access to the EIV system. Non-compliance with these rules will be disciplined through sanctions commensurate with the level of infraction. This may include removal of system access for a specific period of time or termination depending on the severity of the violation. See Part III. for potential civil and criminal penalties…
User Agreement
The EIV Coordinator or EIV User understands all of HUD’s standards, policies and procedures, and agrees to follow all of HUD’s standards, policies and procedures.
III. USER AGREEMENT
I have read the above policy regarding system security awareness and practices when accessing HUD’s information technology resources. I understand the policies and procedures as set forth above, and I agree to comply with these requirements as a condition of being granted limited access to the EIV system and its data. As an authorized user of the EIV system, I, the undersigned, understand the information obtained may only be used for official HUD business. I also understand that I may access, disclose, inspect and use these data only within the scope of my official duties. I understand further that if I abuse my access privileges, these privileges and other access rights may be removed. I also understand that willful disclosure or inspection of EIV data can result in civil and criminal penalties, as follows:
• Unauthorized disclosure can result in a felony conviction and a fine of up to $5,000 and/or imprisonment up to five (5) years, as well as civil penalties.
• Unauthorized inspection of UIV data can result in a misdemeanor penalty of up to $1,000 and/or one (1)-year imprisonment, as well as civil damages.
I understand that my user ID and password are to be used only by me. Under no circumstances will I reveal or allow use of my password by …
EIV Coordinator Certification of Owner Approval
Requires the EIV Coordinator applicant to certify that he/she has received approval from the authorized official of the owner entity to obtain access to EIV data on his/her behalf. EIV Coordinator applicants must not submit the CAAF for Multifamily Help Desk approval if the EIV Coordinator has not received the owner’s approval for EIV access for the property.
Security
How many security breaches can you identify???????
When you see a ☺ next to materials on a slide you will know a security breach should have been identified
Safeguarding EIV Data
Safeguard Categories
• Technical
• Administrative
• Physical
Technical Safeguards
• Identify and authenticate all users seeking access to the EIV system data
  • Must have a valid WASS User ID and password
  • IDs and passwords must not be shared
  • Must not access system using another user's identity ☺
  • Must provide application access authorization form
• Access to data restricted based on EIV role (EIV Coordinator or EIV User)
  • Access limited based on need to know
• Access and activity monitored and audited
Technical Safeguards (cont.)
• Certification of users
  • EIV Coordinators must be certified annually
  • EIV Users must be certified quarterly
  • If not certified within 30 days after the end of the current quarter, access to EIV is terminated
EIV User Certification Schedule
QTR   Quarter Dates        Certify By   Access Terminated (12:00 A.M. EST)
1     Jan. 1 – Mar. 31     Apr. 29      April 30
2     Apr. 1 – June 30     Jul. 30      Jul. 31
3     Jul. 1 – Sept. 30    Oct. 30      Oct. 31
4     Oct. 1 – Dec. 31     Jan. 30      Jan. 31
Administrative Safeguards
• Establish standard operating procedures for use of data
  • Using employment and income data for recertification processing only
  • Checking to see if applicant/tenant is receiving assistance under another program at a different location
  • Not sharing data with others who do not have a need to know ☺
Administrative Safeguards (cont.)
• Monitor access
  • Owner approval letters ☺
  • Approved/current signed access authorization form
  • Conduct periodic reviews to see if user still has a valid need to access the EIV data
  • Modify or revoke rights as appropriate
Administrative Safeguards (cont.)
• Assign access
  • Ensure access rights and responsibilities are appropriate
• Tenant consent on file
  • Ensure that a signed copy of form HUD-9887 is on file
Administrative Safeguards (cont.)
• Destroy EIV information no longer needed
• Conduct training
  • Ensure all EIV users receive security training at time of implementation and at least annually thereafter
  • Maintain a record of all personnel who attend EIV security training
Administrative Safeguards (cont.)
• Communicate security information
  • Posters
  • Security bulletins
  • Discussion groups
  • Distribution of EIV manuals
Administrative Safeguards (cont.)
Detect, deter, and report improper disclosures, unauthorized access, or security breaches to:
• Your supervisor
• HUD’s Multifamily Help Desk
  • Email to: MF-EIV@hud.gov
  • Call: 1-800-767-7588
Administrative Safeguards (cont.)
• HUD’s Security Officer
  • TRACS/EIV mailbox: MFTRACSSecurity@hud.gov
  • Mail to:
    Department of Housing and Urban Development
    Office of Multifamily Housing
    Attention: MF TRACS/EIV Security
    451-7th Street SW, Room 6128
    Washington, DC 20410
    (Envelope should be marked as “Confidential”)
Administrative Safeguards (cont.)
• Office of Inspector General (IG)
  • Call the Hotline toll-free Monday through Friday, from 10:00 a.m. to 4:30 p.m., Eastern Time, at 1-800-347-3735.
  • Fax information to (202) 708-4829
  • E-mail it to Hotline@hudoig.gov.
  • You can write the Hotline at:
    HUD OIG Hotline, GFI
    451 7th Street, SW
    Washington, DC 20410
Physical Safeguards
• Designate secure areas
  • Restrict use of printers, copiers, facsimile machines, etc.
  • Controlled access to area
• Secure computer systems and output
  • Store downloaded EIV data in a separate, restricted access directory
  • Label CDs containing EIV data “confidential” or “For Official Use Only”
  • Lock in secure place
Physical Safeguards (cont.)
• Retrieve all computer printouts as soon as they are generated so that EIV data is not left unattended ☺
  • Keep printouts locked up
  • Printouts should not be transported from premises
  • Prevent identity theft ☺
Physical Safeguards (cont.)
• Avoid leaving a computer unattended with EIV data displayed on screen ☺
  • Lock computer/Log off/Exit the system when not going to be at desk or when finished for the day
  • EIV will time-out after 30 minutes of inactivity
  • Use a password-protected screensaver
Physical Safeguards: Logging Out/Exiting System
• Selecting “Back to Secure Systems” to log out of EIV leaves WASS active
  • Possible to re-enter EIV or another system without entering a password
• The safest and quickest way to close EIV and WASS is to click on the “X” in the upper right-hand corner of the screen while in EIV
Welcome Page in EIV
Click “Back to Secure Systems”
Click “X” to exit out of WASS
Physical Safeguards (cont.)
• Secure disposal of EIV information
  • Destroy as soon as it has served its purpose or as prescribed by HUD’s policies and procedures
  • Keep log of destroyed data
    • Date destroyed
    • How destroyed
    • Burn/shred
Monitoring
Ensuring the Integrity of EIV Data
• HUD accountability for compliance
• Audit Reports (discussed in later session)
• Management and Occupancy Reviews (MORs)
  • Currently only limited number of questions related to security of data
  • Future – Security Checklist for EIV will be a part of form HUD-9834
Non-compliance with HUD Program Requirements and Privacy Act
EIV users found in noncompliance will be disciplined through sanctions commensurate with the level of infraction
• HUD staff
  • Verbal or written warning
  • Removal of access for specified period of time
  • Reassignment to other duties
  • Termination depending on severity of violation
Non-compliance with HUD Program Requirements and Privacy Act
• Privacy Act violations may result in civil or criminal prosecution
• HUD contractors
  • Removal of access for specified period of time or indefinitely
• Owners/management agents/service bureaus
  • Removal of access for specified period of time, indefinitely or permanently
Questions??