The practices and controls used by HUD and program administrators to secure Upfront Income Verification (UIV) data that is contained in the EIV system may be grouped into three categories: technical, administrative, and physical safeguards.
This policy has been implemented as a combination of technical, administrative, and physical safeguards that meet acceptable standards for the protection provided by the specific measures to accomplish the purpose of protecting all personal data of applicants and residents.
Security Training
Company Name EIV users are required to complete online security training annually. To meet this requirement, EIV users must complete the online Federal ISS Awareness training program. At the end of the training, EIV users must print and maintain the Certificate of Completion provided.
To complete online Security Awareness Training:
Open your web browser.
Type http://iase.disa.mil/eta/index.html#onlinetraining
Press Enter.
Click on Federal ISS Awareness icon on the IA Education, Training and Awareness Screen.
Click on Launch New Information Systems Security Awareness on the Information Systems Security Awareness screen.
Proceed with the training.
When the training is complete, print and maintain the Certificate of Completion.
Note: The Security Awareness Training described above is the same training required for those individuals who transmit TRACS files. If the training has been completed to satisfy TRACS security training requirements, this will also satisfy EIV security training requirements as well provided the completion date represented on the Certificate of Completion is not older than one year.
EIV users authorized by the owners of Company Name to have access to the EIV system on their behalf must also complete the applicable online Security Awareness Training Questionnaire for Multifamily Housing Programs upon initial access to the system and annually thereafter.
4. O/A staff of Company Name who do not have access to the EIV system but who use EIV reports to perform their job function must have security training annually as described in this section.
NOTE: The most recent EIV Webcast will no longer satisfy the security training requirement.
Technical Safeguards
Only the management personnel that have been trained and certified in the EIV system will have access rights to applicant and resident personal information to reduce the risk of a security violation related to the EIV system's software, network, or applications. Users are required to use only approved HUD software, software settings, and comply with vendor software license agreements. Users are allowed to access the system only using the mechanisms specified by HUD.
Administrative Safeguards
Management is trained based on federal and state laws regarding privacy. Written policies and procedures include but are not limited to making sure that the HUD required 9887, 9887-A and consents are updated and in place. File audits completed internally as well as HUD and PBCA reviews help to ensure compliance with these policies.
These administrative procedures will:
Ensure that access rights, roles, and responsibilities are appropriately and adequately assigned.
Protect copies of sensitive data and destroy system-related records to prevent reconstruction of the contents.
Ensure authorized “release of resident information consent forms” for everyone over 18 years of age and older are included in all resident files, before accessing and using data.
Maintain, communicate, and enforce standard operating procedures related to securing EIV data.
Train staff on security measures and awareness, preventing the unauthorized accessibility and use of data.
Physical Safeguards
Physical safeguarding of EIV data refers to steps that must be taken to help ensure the data is safe when stored electronically or in hardcopy and when transmitting data electronically. All users are required to notify their Coordinator of any breaches and penetration by unauthorized users. It is the policy of EBMC that each apartment community to keep all applicant and resident personal information in a locked file cabinet. It is also policy to designate which printer/fax/electronic equipment is to receive confidential information to help ensure there are no security breaches.
These physical safeguards will include but are not limited to the following:
Only authorized persons will have access to EIV information in the resident file or within the actual EIV system
Restricted areas will be identified with signage designating “authorized personnel only”.
Storing and Transmitting of Electronic EIV Data
o (1) EIV data stored electronically must be in a restricted access directory or, if placed on portable media, labeled appropriately and encrypted using a NIST compliant vendor. Similarly, all emails containing EIV data must be encrypted using a NIST compliant vendor. A list of compliant vendors can be found at: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm
The full nine-digit SSN for a tenant must not be included in emails or other electronic communications.
Note: The downloading of EIV data to mobile devices is not allowed for IPAs.
Hardcopy EIV Data
EIV data that is printed out must not be left unattended. The documents should be retrieved as soon as they are printed and, if possible, use a restricted printer, copier, or facsimile machine. When faxing EIV data, ensure there is someone waiting and ready to retrieve the fax as soon as it is received (printed). When mailing EIV data, the data must be sent to an office of the O/A. EIV data must not be mailed to Independent Public Auditor offices.
Computer Security
The EIV system is set up to time out after 30 minutes of inactivity. This automatic safeguard should not be the only security measure taken. Individuals who use the EIV system should use a password protected screensaver and lock their computer when leaving their workspace. A user should not leave a computer unattended with EIV data displayed on the screen. It is also recommended that the EIV system be exited using the “X” at the top right of the screen which will remove the user from the entire WASS system.
Destroying EIV data
EIV data must be destroyed as soon as it has served its purpose as prescribed by HUD’s policies and procedures and in accordance with HUD’s prescribed retention period. Shredding, burning or pulverizing are all examples of acceptable ways to destroy EIV data.
Sharing of Records: THE SHARING OF EIV DATA WITH OTHER AGENCIES PROHIBITED. Official use does not include O/As using the EIV data for certifying tenants under the Low Income Housing Tax Credit (LIHTC) or Rural Housing Services (RHS) Section 515 programs since neither the Internal Revenue Service (IRS) nor RHS are a party to the computer matching agreements the Department has with the Department of Health and Human Services (HHS) and with the Social Security Administration (SSA).
Attachments;
History______________________________________________________________
Gabrielle Harris composed this Policy/Procedure on 02/09/2011 03:10:18 PM.
Gabrielle Harris edited this Policy/Procedure on 09/19/2011 08:56:36 AM.
Gabrielle Harris edited this Policy/Procedure on 09/19/2011 08:57:22 AM.