EIV Security

for office training
by

Larry Dillenbeck

on 9 February 2011


Transcript of EIV Security

EIV SECURITY TRAINING

Protecting the Confidentiality of EIV Information

Income Information reports contain sensitive data, including:
Social Security Number (SSN)
Full Dates of Birth (DOB)
First and Last Names
Physical Address of Tenant Families

Do not share EIV information with anyone not authorized to have it.

You must prevent its use for fraudulent purposes.

PRIVACY ACT
5 U.S.C. § 552a
§ 552a. Records maintained on individuals
(a) Definitions for purposes of this section
(1) the term "agency" means agency as defined in section 552(f) of this title;
(2) the term "individual" means a citizen of the United States or an...alien lawfully admitted for permanent residence;...
Complete Language Available on HUD website.

Individual Notice: Individuals must be informed of the authority, principal purpose(s) for which the information is being collected and used, and the effect on the individual for not providing the requested information (Privacy Act Notice)
This is achieved through form HUD-9887.

The public must be informed, by Federal Register Notice, of the system of records housing confidential individual information, routine uses of such information, and the policies and procedures of the agency regarding storage, retrieval, controls, retention, and disposal of records.
(See EIV System of Records Notice, 71 FR 45066, dated 8/8/06)

The agency must establish administrative, technical, and physical safeguards, to be implemented at their properties to ensure the security and confidentiality of tenant records.

EIV Data is for Official HUD Use Only!
EIV data IS only to be disclosed to authorized individuals, and used in connection with the administration of HUD rental assistance programs.
www.hud.gov/offices/hsg/mfh/rhiip/eiv/security

verification of employment and income at recertification and as a tool to reduce subsidy errors.
can be used at other times but must be described in O/A policies and procedures;
monitoring and auditing O/A operations; and
preventing and investigating cases of fraud, waste and abuse in HUD rental assistance programs.

EIV IS NOT to be used to police tenants. For example, random checks of EIV data on a particular tenant must not be done.

Authorized Disclosure
EIV Data may only be disclosed to:
Owners and Management Agents
Service Bureaus (considered extension of O/As)
Contract Administrators (including HUD staff)
Independent Public Auditors (IPS)
HUD Staff
HUD Office of Inspector General (OIG) for investigative purposes
Individual to whom the record pertains (at their request)

EIV data must not be disclosed in any way that would violate the privacy of the individuals.

For example, to any third parties such as government agencies, friends and relatives, or to parties participating in IRS Tax Credit and Rural Housing Section 515 programs.

Unauthorized Disclosure Sanctions
Willful, and even unintentional, disclosure or inspection of EIV data can result in civil and criminal penalties.
Felony conviction and fine up to $5,000 or imprisonment up to five (5) years, as well as civil damages.
Misdemeanor penalty of up to $1,000 and/or one (1) year imprisonment, as well as civil damages.

EIV Warning Page
Before accessing the EIV system, all EIV users must acknowledge they understand:
Conditions of the Privacy Act of 1974
Access is for official use only
Users are subject to civil and criminal penalties under the Privacy Act of 1974 for misuse of information
A signed consent form (form HUD-9887) must be on file to view/use EIV income reports.

Security Safeguards
Safeguard Categories:

Technical
Access to the EIV system

Administrative
Use of the EIV system

Physical
Handling of information originating from EIV, whether online or in print.

Technical Safeguards
Identify and authenticate all users seeking access to the EIV system data.
Have a valid WASS User ID and password.
Not access system using another user's identity.
IDs and passwords must not be shared.
The user has agreed to this when checking the Rules of Behavior acceptance box when applying for Coordinator or User access to the system.
Complete the EIV Security Awareness Training Questionnaire for Multifamily Housing Programs.
All users must apply and be approved for access to EIV

Administrative Safeguards
O/A need to establish policies and procedures governing use of EIV.

Policies and procedures for using EIV reports and search options will need to be described and provided to staff at the property or agency.

For example, if used as a method for screening applicants, use of the "Existing Tenant Search" must be described in the Tenant Selection Plan (TSP), as applicant screening criteria is a requirement for TSP.

Another example, use of the "Income Discrepancy Report" monthly, quarterly, etc. as policies and procedures must be consistently and equally applied to participating families.

Access rights and responsibilities for users must be appropriate.
Rights should be modified or revoked, as appropriate; for example, in cases where an employee has a change in duties or employment is terminated.

EIV data/reports are destroyed at end of retention period.
At this time the retention period is term of tenancy plus three (3) years.

Conduct training at initial access and at least annually thereafter.
Maintain a record of all personnel who attend EIV security training.
All Personal Identifiers MUST be masked on training slides.

Display Posters
Security Bulletins
Hold Discussion Groups
Distribute EIV Manuals to employees

Everyone is responsible to detect, deter, and report improper disclosures, unauthorized access or security breaches to:

Notify your supervisor; or
HUD's Multifamily Helpdesk via email to: MF_EIV@hud.gov or phone at 1-800-767-7588; or
HUD's Security Officer MF_TRACSSecurity@hud.gov; or
Send Mail to (marked confidential)
Dept. of Housing and Urban Development
Office of Multifamily Housing
Attention: MF TRACS/EIV Security
451 7th St. SW, Room 6128
Washington, DC 20410; or
Notify the Office of Inspector General (OIG)

Physical Safeguards
Designate secure areas
Control access to area
Restrict use of printers, copiers, facsimile machines, etc. to only those individuals who are authorized to use EIV.
Secure computer systems and output
Store downloaded EIV data in a separate, restricted access directory
Label CD's containing EIV data "Confidential" or "For Official Use Only"
Lock in secure place (locked file cabinet)

Do not leave EIV data unattended
Retrieve as soon as printed
Keep printouts locked up
Prevent identity theft.

Do not leave computer unattended with EIV data displayed on screen
Exit the system/lock computer when not at desk or when finished for the day
EIV will time-out after 30 minutes of inactivity
Use a password-protected screensaver

Secure disposal of EIV information: destroy as soon as it has served its purpose as prescribed by HUD's policies and procedures.

Burning and shredding are two examples of acceptable ways to destroy EIV data.

Security Awareness Training Questionnaire
Increase awareness for protecting third party verification data contained in EIV and all data covered by the Privacy Act of 1974.
Reinforce EIV user responsibility for using and/or sharing the EIV data.

Completion is voluntary, but necessary to receive EIV access.

New users - at time of application for access.
Existing users - both Coordinators and Users must complete the questionnaire annually.

The user will be prompted once a year to complete the Security Awareness Questionnaire online to be able to access the system.

There are separate questionnaires for EIV Coordinators and Users.

Statutory Provisions
Public Notice:
Security Safeguards
Official HUD use includes:
EIV users must:
EIV Access Requirements
Certification
Level of Access
Data Retention
Security Awareness Training
Communication
Security Breaches

Call Hotline toll-free Monday through Friday, 10:00am to 4:30pm, ET at 1-800-347-3735
Fax information to (202) 708-4829
Email information to Hotline@hudoig.gov
Write to the Hotline at:
HUD OIG Hotline, GFI
421 7th St. S.W.
Washington, DC 20410

Printouts
Sign Off Computer
Disposal of Information
Purpose
Who must complete the Questionnaire?

Be Certified:
EIV Coordinators - Annually
EIV Users - Bi-Annually

Access is terminated by the system should user not be certified within 30 days after each annual or bi-annual period.

When a tenant requests EIV data be provided to an unauthorized third party (i.e. service coordinators, other household members):
The O/A must NOT provide EIV data to any unauthorized third party.
Even if the tenant signs a consent authorizing the O/A.
The tenant may request the EIV data from the O/A and then the data becomes the tenant's responsibility.
It is strongly recommended for the O/A to keep a signed (by tenant and O/A) record of what EIV data was released to the tenant.

Unauthorized Disclosure
Unauthorized Inspection

Tenant or Family Consent
The signed form HUD-9887 must not be older than 15 months.
The form HUD-9887 is available on HUD Clips at www.hudclips.org

Name
SSN
DOB
Address

Data Encryption
Use a NIST Compliant Vendor
http://crc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm

Encrypt all emails that contain EIV data

Encrypt all CDs, DVDs, USB Drives, or any other media that contains EIV data.

Electronic Data
The downloading of EIV data to mobile devices is not allowed for Independent Public Auditors.

Ensure person receiving fax is waiting and ready to retrieve as soon as printed.
Faxing EIV data

Do not select "Back to Secure Systems" to log out of EIV. Using this option to log out of EIV leaves the WASS active, making it possible for unauthorized users to re-enter EIV without entering a password. Use the "x" in the upper right hand corner to exit.

The End