PIC, WASS & Security (Bob Harmon, © 2006 Nan McKay & Associates)

Jan 12, 2016


Pauline Bailey
Transcript
Slide #1 ©2006 Nan McKay & Associates

Bob Harmon

PIC, WASS & Security

Slide #2

PIC, WASS and Security

Topics today:
• What is WASS?
• How Do PIC and WASS Work Together?
• Privacy Act of 1974 – Who Cares?
• Some Security Best Practices

Slide #3

What is WASS?

• Web Authentication Sub System (WASS).
• Handles all PIH systems authentication.
• Definition of authentication: Confirmation of the identity of a user.

Slide #4

What is WASS?

What WASS does:
• Authenticates a user’s identity, then passes the authentication to the appropriate PIH subsystem (chosen from the WASS menu).

WASS does not:
• Control the other system (e.g., PIC-IMS, EIV).
• Control the level of access to data in the systems.

Slide #5

What is WASS?

WASS authenticates users for:
• NASS, PASS, RASS, MASS, FASS-PH
• VMS and SAGIS
• PIC-IMS and PICTEST
• EIV
• eLOCCS
• (Others to be added)

Slide #6

What is WASS?

What do I need for WASS?
• A WASS User ID (begins with “M” or “I”)
• Coordinator activates roles for HA users
• Roles permit access to sub systems
• Request an ID from the Secure Systems page at: http://www.hud.gov/offices/reac/online/online_registration.cfm

Slide #7

What is WASS?

How Do I Get the User ID?
• System overnight creates a User ID
• System displays the new WASS ID to the PHA’s WASS Coordinator
• WASS Coordinator assigns one or more roles to the User ID (e.g. MASS user, PIC-IMS user, EIV user, etc.)
• WASS Coordinator advises user of User ID, password

Slide #8

How Do PIC & WASS Work Together?

How Do I Get Access in PIC?
• PIC controls its own level and degree of access
• PIC Security Coordinator grants access rights in PIC as directed by local management

Slide #9

How Do PIC & WASS Work Together?

WASS confirms identity, then lets the user select PIC from the WASS menu.

PIC accepts the confirmed identity, then controls the level and degree of access in PIC.
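The split described on slides 4, 8 and 9 (WASS confirms identity and decides which subsystems appear on the menu; PIC then decides level and degree of access entirely on its own), as an added example in Python that is not part of the presentation or of any HUD system. The user IDs, passwords, the role name “PIC-IMS user” and the read/write rights are constructed for illustration, and the salted PBKDF2 credential storage is an assumption about how an authenticator would hold passwords, not a description of WASS.

```python
"""Toy model of authentication (WASS) kept separate from authorization
(PIC).  All names, IDs, passwords and rights below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    # Assumed credential storage: salted PBKDF2, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass(frozen=True)
class ConfirmedIdentity:
    """What the authenticator hands to a subsystem: who the user is and
    which roles (menu entries) the WASS Coordinator activated."""
    user_id: str
    roles: frozenset


class WASS:
    """Authentication only: confirms identity, offers the menu, nothing more."""

    def __init__(self):
        self._creds = {}   # user_id -> (salt, pbkdf2 hash)
        self._roles = {}   # user_id -> set of activated role names

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user_id] = (salt, _hash_password(password, salt))
        self._roles[user_id] = set()

    def activate_role(self, user_id: str, role: str) -> None:
        # Done by the PHA's WASS Coordinator (slide 7).
        self._roles[user_id].add(role)

    def authenticate(self, user_id: str, password: str):
        entry = self._creds.get(user_id)
        if entry is None:
            return None
        salt, stored = entry
        # Constant-time comparison so a mismatch leaks no timing information.
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        return ConfirmedIdentity(user_id, frozenset(self._roles[user_id]))

    def menu(self, identity: ConfirmedIdentity) -> list:
        return sorted(identity.roles)


class PIC:
    """Authorization inside one subsystem: PIC alone decides level and degree
    of access; it trusts WASS only for *who* the user is."""

    ROLE = "PIC-IMS user"   # constructed name of the WASS role that opens PIC

    def __init__(self):
        self._rights = {}   # user_id -> set of actions PIC has granted

    def grant(self, user_id: str, rights) -> None:
        # Done by the PIC Security Coordinator as directed by local management (slide 8).
        self._rights[user_id] = set(rights)

    def open(self, identity: ConfirmedIdentity, action: str) -> str:
        if self.ROLE not in identity.roles:
            return "denied: WASS menu does not offer PIC to this ID"
        if action not in self._rights.get(identity.user_id, set()):
            return f"denied: PIC has not granted '{action}' to {identity.user_id}"
        return f"ok: {action} as {identity.user_id}"


def demo() -> dict:
    """Walk one user through both layers; returns every outcome for checking."""
    wass, pic = WASS(), PIC()
    wass.register("M12345", "correct horse battery")   # constructed
    wass.activate_role("M12345", PIC.ROLE)             # WASS Coordinator
    pic.grant("M12345", {"read"})                      # PIC: read only
    wass.register("I67890", "another passphrase")      # valid ID, no PIC role

    results = {"wrong_password": wass.authenticate("M12345", "wrong")}
    ident = wass.authenticate("M12345", "correct horse battery")
    results["menu"] = wass.menu(ident)
    results["read"] = pic.open(ident, "read")    # allowed by PIC
    results["write"] = pic.open(ident, "write")  # WASS role alone is not enough
    other = wass.authenticate("I67890", "another passphrase")
    results["no_role"] = pic.open(other, "read") # never reaches PIC's rights table
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point the slides make is visible in `PIC.open`: a WASS role only gets the user onto the menu, and the write attempt is refused by PIC’s own rights table even though the identity is fully confirmed.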

Slide #10

Privacy Act of 1974

What is the Privacy Act of 1974?
• It establishes controls and access rules for all personal data held in government systems

Why is it relevant to me?
• It also establishes penalties (civil fines) for unauthorized disclosure of personal data

Slide #11

Privacy Act of 1974

“[T]he term “record” means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual,

Slide #12

Privacy Act of 1974

• “No agency shall disclose any record … to any person … except … with the prior written consent of the individual … unless disclosure of the record would be:
• to those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties;
• for a routine use as defined in subsection (a)(7) of this section.

Slide #13

Privacy Act of 1974

“Routine use” means: “use of such record for a purpose which is compatible with the purpose for which it was collected.”

Consequences (for each instance): “… shall be guilty of a misdemeanor and fined not more than $5,000.”

Slide #14

Privacy Act of 1974

You are required to protect the personal information of your clients just like you protect the payroll data of your staff.

You are required to take reasonable precautions to protect the “privacy data” which your agency holds.

Slide #15

Privacy Act of 1974

Reasonable precautions include:
• Keeping written records under lock and key.
• Changing locks when keys are lost or stolen.
• Changing combination lock combinations when someone leaves the agency, especially if it is under acrimonious conditions.

Slide #16

Privacy Act of 1974

Reasonable precautions include:
• Restricting access to electronic records on a need-to-know basis.
• Keeping backups and copies under the same security as the originals.
• Running a strict shredding program for paper copies of privacy data.

Slide #17

Privacy Act of 1974

Reasonable precautions include:
• Restricting public access to desktop computers, file cabinets, copiers, file rooms, and trash containers (unless material is shredded).
• Not permitting staff to leave materials on their desk during lunch, at night, or when they are otherwise away from their desks.

Slide #18

Privacy Act of 1974

Reasonable precautions include:
• When transporting files between offices, take extra precautions by:
  Putting the files in a locked briefcase or box placed in the locked trunk of the car, or
  Sending them by U.S. Mail or other carrier, and
  If in electronic form, encrypting with a “strong” password.

Slide #19

Privacy Act of 1974

Reasonable precautions include:
• Not permitting staff to leave privacy data on their monitor screens while they are away from their desks (use <Windows>-L to lock the screen).
• Training staff annually in the requirements and penalties included in the Privacy Act of 1974.

Slide #20

Security Best Practices

Security has been required since 1974 with the implementation of the Privacy Act.

Security affects the PHA’s ops in 3 areas:
• Technical
• Administrative
• Physical

Slide #21

Security Best Practices

Technical safeguards:
• Reduce the risk of a security violation related to the PHA systems’ software, network, or applications
• Authenticate and authorize all users seeking access to secure data
• Deter and detect attempts to access the system without authorization
• Monitor the user activity on any HUD secure system

Slide #22

Security Best Practices

Physical safeguards:
• Provide barriers between unauthorized persons and documents or computer media containing private data
• Prevent undetected entry to protected areas and/or to protected documents
• Provide immediate notification, noticeable under normal operating conditions, if the barrier is penetrated by unauthorized persons

Slide #23

Security Best Practices

Administrative safeguards:
• Ensure that access rights and responsibilities are properly assigned. Only give access to people who need it.
• Maintain security-related records in a safe for backup.
• Maintain, communicate, and enforce standard operating procedures related to securing data:
  Written procedures (for hires, fires, and transfers).
  Security plan.

Slide #24

Security Best Practices

What does this mean?
• File rooms are secured from visitors.
• Shred all copies after use.
• Change passwords when any staff are fired.
• Keep written records of access authorizations.

Slide #25

Security Best Practices

What does this mean (continued)?
• Establish a key control system.
• Record all security breaches, whether intentional or unintentional.
• Use security compliance in performance reviews.

Slide #26

Security Best Practices

What does this mean (continued)?
• Test your backup – can you restore from it?
• Do you let staff take home paper copies?
• Do you let staff put privacy data on a laptop?
• Do staff share User IDs and passwords?
• Does everyone have the same access?
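Slide 21 lists technical safeguards that deter and detect unauthorized access attempts and monitor user activity, and slide 26 asks whether staff share User IDs and passwords. One way to put the monitoring half of that into practice, as an added Python example that is not part of the presentation or of any HUD system: a small detector run over authentication log lines. The log format, every line in SAMPLE_LOG, the addresses, the IDs and the thresholds (five failures in ten minutes, a second address within two hours) are all constructed assumptions chosen for illustration.

```python
"""Minimal monitoring over authentication log lines.  The log format and every
line in SAMPLE_LOG are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> user=<WASS ID> src=<address> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

SAMPLE_LOG = """\
2006-05-02T09:14:03 user=M12345 src=10.0.0.5 result=OK
2006-05-02T09:20:11 user=I67890 src=10.0.0.9 result=FAIL
2006-05-02T09:20:40 user=I67890 src=10.0.0.9 result=FAIL
2006-05-02T09:21:02 user=I67890 src=10.0.0.9 result=FAIL
2006-05-02T09:21:30 user=I67890 src=10.0.0.9 result=FAIL
2006-05-02T09:21:55 user=I67890 src=10.0.0.9 result=FAIL
2006-05-02T09:22:20 user=I67890 src=10.0.0.9 result=OK
2006-05-02T10:05:00 user=M12345 src=10.0.0.77 result=OK
2006-05-02T14:30:00 user=M55555 src=10.0.0.3 result=OK
"""


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "OK",
        })
    return events


def find_findings(events: list, fail_threshold: int = 5,
                  fail_window: timedelta = timedelta(minutes=10),
                  share_window: timedelta = timedelta(hours=2)) -> list:
    """Three checks, each reported once per triggering event:
    repeated_failures        - fail_threshold FAILs for one ID inside fail_window
    success_after_failures   - an OK that directly follows such a burst
    same_id_multiple_sources - one ID used from two addresses inside share_window
    """
    findings = []
    fails = defaultdict(list)      # user -> timestamps of recent FAILs
    successes = defaultdict(list)  # user -> (timestamp, src) of recent OKs

    for ev in sorted(events, key=lambda e: e["ts"]):
        user, now = ev["user"], ev["ts"]
        fails[user] = [t for t in fails[user] if now - t <= fail_window]

        if not ev["ok"]:
            fails[user].append(now)
            if len(fails[user]) == fail_threshold:   # == so one burst alerts once
                findings.append({"kind": "repeated_failures", "user": user,
                                 "src": ev["src"], "ts": now})
            continue

        if len(fails[user]) >= fail_threshold:
            findings.append({"kind": "success_after_failures", "user": user,
                             "src": ev["src"], "ts": now})
        fails[user] = []

        successes[user] = [(t, s) for t, s in successes[user] if now - t <= share_window]
        if any(s != ev["src"] for _, s in successes[user]):
            findings.append({"kind": "same_id_multiple_sources", "user": user,
                             "src": ev["src"], "ts": now})
        successes[user].append((now, ev["src"]))

    return findings


if __name__ == "__main__":
    for f in find_findings(parse(SAMPLE_LOG)):
        print(f"{f['ts']:%H:%M:%S} {f['kind']:25} user={f['user']} src={f['src']}")
```

On the constructed log this yields three findings: the burst of failures against I67890, the success that immediately follows it, and M12345 appearing from a second address within the window, which is the pattern to look at when asking whether an ID is being shared. Each of these is something to record (slide 25) and review, not an automatic verdict.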

Slide #27

Security Best Practices

What does this mean (continued)?
• A comprehensive plan covering physical, technical and administrative requirements.
• Annual written security assessments.
• RIM/EIV reviews may address security.
• Train staff: Security is serious business.

Slide #28

Closing

Today’s Handouts
• Today’s Presentation (MS PowerPoint)
• The Privacy Act of 1974 (MS Word)

Slide #29

Closing

Today’s Topics
• What is WASS?
• How Do PIC and WASS Work Together?
• Privacy Act of 1974 – Who Cares?
• Some Security Best Practices

Questions?

Slide #30

Closing

NMA can provide:
• Security audits
• Security assessments
• Model security plans

Next L ‘n’ L

Slide #31

Thank you for attending! Please join us again…

Upcoming Lunch ‘n’ Learns
• May 4th – Violence Against Women Act
  » Hosted by Emily Wilcox
• May 18th – Evaluating Your PHA’s Efficiency
  » Hosted by Jerry Benoit
• May 25th – The NEW Procurement Handbook
  » Hosted by Carrol Vaughan