Slide #1©2006 Nan McKay & Associates
Bob Harmon
PIC, WASS & Security
©2006 Nan McKay & Associates
Slide #2
PIC, WASS and Security
Topics today:
• What is WASS?
• How Do PIC and WASS Work Together?
• Privacy Act of 1974 – Who Cares?
• Some Security Best Practices
Slide #3
What is WASS?
• Web Authentication Sub System (WASS).
• Handles all PIH systems authentication.
• Definition of authentication: confirmation of the identity of a user.
Slide #4
What is WASS?
What WASS does:
• Authenticates a user’s identity, then passes the authentication to the appropriate PIH subsystem (chosen from the WASS menu).
• WASS does not:
  - Control the other system (e.g., PIC-IMS, EIV).
  - Control the level of access to data in the systems.
Slide #5
What is WASS?
WASS authenticates users for:
• NASS, PASS, RASS, MASS, FASS-PH
• VMS and SAGIS
• PIC-IMS and PICTEST
• EIV
• eLOCCS
• (Others to be added)
Slide #6
What is WASS?
What do I need for WASS?
• A WASS User ID (begins with “M” or “I”)
• Coordinator activates roles for HA users
• Roles permit access to subsystems
• Request an ID from the Secure Systems page at:
http://www.hud.gov/offices/reac/online/online_registration.cfm
Slide #7
What is WASS?
How Do I Get the User ID?
• System creates a User ID overnight
• System displays the new WASS ID to the PHA’s WASS Coordinator
• WASS Coordinator assigns one or more roles to the User ID (e.g., MASS user, PIC-IMS user, EIV user, etc.)
• WASS Coordinator advises user of User ID and password
Slide #8
How Do PIC & WASS Work Together?
How Do I Get Access in PIC?
• PIC controls its own level and degree of access
• PIC Security Coordinator grants access rights in PIC as directed by local management
Slide #9
How Do PIC & WASS Work Together?
• WASS confirms identity, then lets the user select PIC from the WASS menu.
• PIC accepts the confirmed identity, then controls the level and degree of access in PIC.
Slide #10
Privacy Act of 1974
What is the Privacy Act of 1974?
• It establishes controls and access rules for all personal data held in government systems
Why is it relevant to me?
• It also establishes penalties (civil fines) for unauthorized disclosure of personal data
Slide #11
Privacy Act of 1974
“[T]he term “record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual,
Slide #12
Privacy Act of 1974
• “No agency shall disclose any record … to any person … except … with the prior written consent of the individual … unless disclosure of the record would be:
• to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;
• for a routine use as defined in subsection (a)(7) of this section.
Slide #13
Privacy Act of 1974
“Routine use” means: “use of such record for a purpose which is compatible with the purpose for which it was collected.”
Consequences (for each instance): “… shall be guilty of a misdemeanor and fined not more than $5,000.”
Slide #14
Privacy Act of 1974
You are required to protect the personal information of your clients just like you protect the payroll data of your staff.
You are required to take reasonable precautions to protect the “privacy data” which your agency holds.
Slide #15
Privacy Act of 1974
Reasonable precautions include:
• Keeping written records under lock and key.
• Changing locks when keys are lost or stolen.
• Changing combination lock combinations when someone leaves the agency, especially if it is under acrimonious conditions.
Slide #16
Privacy Act of 1974
Reasonable precautions include:
• Restricting access to electronic records on a need-to-know basis.
• Keeping backups and copies under the same security as the originals.
• Running a strict shredding program for paper copies of privacy data.
Slide #17
Privacy Act of 1974
Reasonable precautions include:
• Restricting public access to desktop computers, file cabinets, copiers, file rooms, and trash containers (unless material is shredded).
• Not permitting staff to leave materials on their desks during lunch, at night, or when they are otherwise away from their desks.
Slide #18
Privacy Act of 1974
Reasonable precautions include:
• When transporting files between offices, take extra precautions by:
  - Putting the files in a locked briefcase or box placed in the locked trunk of the car, or
  - Sending them by U.S. Mail or other carrier, and
  - If in electronic form, encrypting with a “strong” password.
Slide #19
Privacy Act of 1974
Reasonable precautions include:
• Not permitting staff to leave privacy data on their monitor screens while they are away from their desks (use <Windows>-L to lock the screen).
• Training staff annually in the requirements and penalties included in the Privacy Act of 1974.
Slide #20
Security Best Practices
Security has been required since 1974 with the implementation of the Privacy Act.
Security affects the PHA’s operations in 3 areas:
• Technical
• Administrative
• Physical
Slide #21
Security Best Practices
Technical safeguards:
• Reduce the risk of a security violation related to the PHA systems’ software, network, or applications
• Authenticate and authorize all users seeking access to secure data
• Deter and detect attempts to access the system without authorization
• Monitor user activity on any HUD secure system
Slide #22
Security Best Practices
Physical safeguards:
• Provide barriers between unauthorized persons and documents or computer media containing private data
• Prevent undetected entry to protected areas and/or to protected documents
• Provide immediate notification, noticeable under normal operating conditions, if the barrier is penetrated by unauthorized persons
Slide #23
Security Best Practices
Administrative safeguards:
• Ensure that access rights and responsibilities are properly assigned. Only give access to people who need it.
• Maintain security-related records in a safe for backup.
• Maintain, communicate, and enforce standard operating procedures related to securing data:
  - Written procedures (for hires, fires, and transfers).
  - Security plan.
Slide #24
Security Best Practices
What does this mean?
• File rooms are secured from visitors.
• Shred all copies after use.
• Change passwords when any staff are fired.
• Keep written records of access authorizations.
Slide #25
Security Best Practices
What does this mean (continued)?
• Establish a key control system.
• Record all security breaches, whether intentional or unintentional.
• Use security compliance in performance reviews.
Slide #26
Security Best Practices
What does this mean (continued)?
• Test your backup – can you restore from it?
• Do you let staff take home paper copies?
• Do you let staff put privacy data on a laptop?
• Do staff share User IDs and passwords?
• Does everyone have the same access?
Slide #27
Security Best Practices
What does this mean (continued)?
• A comprehensive plan covering physical, technical and administrative requirements.
• Annual written security assessments.
• RIM/EIV reviews may address security.
• Train staff: security is serious business.
Slide #28
Closing
Today’s Handouts
• Today’s Presentation (MS PowerPoint)
• The Privacy Act of 1974 (MS Word)
Slide #29
Closing
Today’s Topics
• What is WASS?
• How Do PIC and WASS Work Together?
• Privacy Act of 1974 – Who Cares?
• Some Security Best Practices
Questions?
Slide #30
Closing
NMA can provide:
• Security audits
• Security assessments
• Model security plans
Next L ‘n’ L
Slide #31
Thank you for attending! Please join us again…
Upcoming Lunch ‘n’ Learns
• May 4th – Violence Against Women Act
  » Hosted by Emily Wilcox
• May 18th – Evaluating Your PHA’s Efficiency
  » Hosted by Jerry Benoit
• May 25th – The NEW Procurement Handbook
  » Hosted by Carrol Vaughan