The U.S. Department of Housing and Urban Development (HUD) is actively involved in implementing and maintaining departmental policies and procedures to keep its systems secure from unauthorized access and inappropriate use. In compliance with various security-related federal laws and regulations, HUD created these Rules of Behavior for the EIV system.
The purpose of the rules is to safeguard HUD’s valuable information resources. All EIV Coordinators and Users must adhere to the Rules of Behavior. The rules clearly spell out the responsibilities of, and expectations for, all individuals with access to the EIV system. To that end, the “EIV Rules of Behavior” have been added to the EIV Security Policy.
Should HUD determine noncompliance with these rules, there will be discipline through sanctions which will be commensurate with the level of infraction. This may include removal of system access for a specific period of time or termination depending on the severity of the violation.
The system user identification (USERID) and password issued to you are your means to access EIV.
The user ID is to be used solely in connection with the performance of your responsibilities as set forth in your job description.
Your “User ID” IS NOT to be used by anyone other than yourself as this is expressly prohibited.
You agree to be responsible for the confidentiality of the assigned information and accountable for all activity with your user identification (USERID).
You agree that you will not provide this confidential USERID/password to another user nor will you sign on to HUD systems so that another person may access or operate the workstation in your absence or on your behalf.
NOTE: Allowing another person to use your ID constitutes a breach of system security and will result in immediate termination of your assigned USERID/password from the system.
EIV Coordinators and Users agree to the following procedures:
Log off the system when leaving the system/workstation area;
Refrain from leaving written passwords in the workstation area;
Avoid creating a personal password that can be easily associated with you;
Avoid posting printouts of sensitive output data on bulletin boards;
Avoid leaving system output reports unattended or unsecured;
Control input documents by returning them to files or forwarding them to the appropriate contact person in your office;
Avoid violation of the Privacy Act which requires confidentiality of personal data contained in government and contractor data files;
Immediately contact the HUD Inspector General's Office, as appropriate, regarding any suspected violation or breach of system security;
Cooperate in providing personal background information to be used in conducting security background checks to the extent required by Federal regulations;
Respond to any inquiries and requests for information you may receive from either the HUD Headquarters or management officials regarding system security practices.
Protect all electronic/optical media and hardcopy documentation containing sensitive information and properly dispose of it by shredding hardcopy documentation, or by contacting the HITS Help Desk to dispose of electronic/optical media.
Avoid saving sensitive HUD information on the local drive of a laptop, personally owned computer, or other mobile or portable technology ("flash drives", removable/external hard drives, etc.).
If sensitive data must be stored on any type of HUD-approved mobile/portable technology (laptops, removable hard drives, "flash drives", etc.), ensure that it is protected via encryption.
Individuals who telework or remotely access HUD information should do so only through approved remote access solutions (such as hudmobile.hud.gov), and should safeguard all sensitive information accessed in this manner.
Use EIV information only in the performance of official HUD business.
Not disclose (willfully or otherwise) EIV information in any way that would violate the privacy of individuals.
Ensure there is a signed and valid form HUD-9887, Notice and Consent for the Release of Information, on file before reviewing an individual’s confidential EIV income information.
Report incidents or suspected incidents which involve breach of EIV information to the HUD National Help Desk at 1-888-297-8689.
Only be accessed and reviewed within hardcopy files and only within the offices of the O/A or CA.
Data will not be transmitted or transported in any form not authorized by HUD.
Data will not be entered on any portable media not authorized by HUD.
Data will not be duplicated or re-disclosed to any individual not authorized by HUD.
Data will be used only for the purpose of the audit.
Always return EIV print-out to the appropriate file or appropriate person in your office when you have finished with the information;
Never disclose confidential personal applicant or tenant files to avoid a violation of the Privacy Act;
Contact your supervisor or designated “security officer” immediately regarding any suspected violation or breach of system security;
To cooperate in providing personal background information which would be used in conducting security background checks to the extent required by Federal regulations;
To respond to inquiries and requests for information from either HUD Headquarters regarding system security practices;
Always protect the electronic media and hardcopy documentation containing sensitive information;
Always properly dispose of sensitive information by shredding the hardcopy documentation;
Not to save sensitive EIV information on the local drive of a laptop, personally owned computer, or other mobile or portable technology ("flash drives", removable/external hard drives, etc.);
Always safeguard all sensitive information.
Unauthorized disclosure of EIV information can result in civil and criminal penalties, as follows:
Unauthorized disclosure can result in a felony conviction and a fine of up to $5,000 and/or imprisonment up to five (5) years, as well as civil penalties.
Unauthorized inspection can result in a misdemeanor penalty of up to $1,000 and/or one (1) year imprisonment, as well as civil damages.
NOTE: The EIV system is programmed to log every time anyone accesses tenant data. This is part of the effort to protect the data and provide traceability should a questionable event occur. Before accessing the EIV System, all employee users must acknowledge, each time that they sign on, that they understand:
Non-Authorized Staff Usage - Authorized EIV Coordinators or EIV Users are permitted to run EIV reports, print them out, and provide them to staff members at the property who need the reports to perform their job function(s). Staff members who view EIV reports on printouts do not need to be an EIV user.
They must agree to the conditions of the Privacy Act:
They may have access to EIV for official purposes only
They are subject to civil and/or criminal penalties under the Privacy Act for misuse of information
There must be a signed consent form (HUD 9887 & 9887A) on file before viewing income data from the individual (every family member 18 or older, whether they have income or not, must sign these forms)
The signed HUD 9887 & 9887A must not be older than 15 months
Criminal Penalties Associated with the Violation of the Privacy Act - The Privacy Act of 1974 as amended, 5 U.S.C. § 552 (a) (i):
1. CRIMINAL PENALTIES.--Any officer or employee of an agency, who by virtue of his employment or official position, has possession of, or access to, agency records which contain individually identifiable information the disclosure of which is prohibited by this section or by rules or regulations established thereunder, and who knowing that disclosure of the specific material is so prohibited, willfully discloses the material in any manner to any person or agency not entitled to receive it, shall be guilty of a misdemeanor and fined not more than $5,000.
2. Any officer or employee of any agency who willfully maintains a system of records without meeting the notice requirements of subsection (e)(4) of this section shall be guilty of a misdemeanor and fined not more than $5,000.
3. Any person who knowingly and willfully requests or obtains any record concerning an individual from an agency under false pretenses shall be guilty of a misdemeanor and fined not more than $5,000.
Warnings in the EIV system welcome page provide a reminder
History
Gabrielle Harris composed this Policy/Procedure on 02/09/2011 03:08:47 PM.