Your SlideShare is downloading. ×
0
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Prepared by Abt Associates for the U.S. Department of Housing ...
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Prepared by Abt Associates for the U.S. Department of Housing ...

324

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
324
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide
  • <number>
    This translates to: Any single computer or network on which a computer can access the HMIS or any PPI must meet baseline requirements.
  • <number>
    Unique username and password
    Must be alphanumeric
    Should not be stored in public place– no sticky notes on monitors or under keyboards
    Password must be:
    At least 8 characters long
    Alphanumeric
    Not found in dictionary forwards or backwards
    Signed receipt of privacy notice
    All HMIS users must commit to all processes described in the agencies privacy notice
    This may include: client notification procedures; disclosures of information; procedures for data collection; etc.
    Page 45931, column 2
  • <number>
    Users should also receive training on the HMIS system.
    Computer requirements apply to any computer accessing the HMIS within a CHO (Covered Homeless Organizations).
    Each of these requirements will be discussed in detail.
    Transmission encryption must be at least 128 bit.
  • <number>
    This model shows utilization of a Certificate server to meet the baseline PKI requirement- this would represent a Verisign model. Organizations may instead limit access to the HMIS through filtering by IP address to meet the PKI requirement.
  • <number>
  • <number>
    The most simple violation to security of any system is a user who writes his username and password on a sticky note and sticks it to his monitor– this reminder should be given in every training session that is conducted on HMIS.
  • <number>
    Users should not be allowed to log onto an HMIS system from multiple locations simultaneously.
    Page 45931, 4.3.1 & 4.3.2
  • <number>
    All computers accessing the HMIS should have up to date virus protection. This is not only a technical solution but it requires procedures to accompany it.
    How many of you have ignored that little pop-up in the right hand corner of your screen to update your virus protection? Updating virus protection is essential to protecting your machine.
    By virus protection, I don’t just mean scanning your computer for viruses, I mean protecting your computer from spy attacks. You would be amazed how many computers have spy software running behind the scenes usually capturing key stroke information that you would never know of unless you are updating your virus protection and scanning your computer on a regular basis.
    Protecting computers is just good practice and procedures should be applied to all computers in your agency, not just those accessing the HMIS.
  • <number>
  • <number>
    Conversion of plain text into encrypted data by scrambling it using a code that masks the meaning of the data to any unauthorized viewer. Computers encrypt data by using algorithms or formulas. Encrypted data are not readable unless they are converted back into plain text via decryption.
  • <number>
    Note: many implementations of Citrix or terminal services utilize only 40 bit encryption which is not sufficient for baseline standards
  • <number>
    As many HMIS applications are accessed via the Internet, HUD felt strongly about the need to require the implementation of access controls.
    What this means? Any HMIS that is accessed via the Internet (i.e. www.hmis.com) must be secured through use of digital certificates or IP filtering that limits HMIS access to approved computers. That is, only computers that have registered certificates or approved IP addresses can actually get to the primary HMIS logon screen and thus use the system.
    Filtering by IP is usually not a viable option for communities who have providers that use dial-up Internet accounts such as AOL or EarthLink or cable modems which typically use DHCP (Dynamic Host Configuration Protocol) utilizing dynamic IP addresses.
  • <number>
    Use Firewalls to protect outsiders from accessing your networks, usernames, passwords, etc.
    Most installations of Windows have individual firewalls that can be turned on. For agencies that have all computers networked together, the network should be protected by a firewall to protect from outside intrusion.
    For individual workstations accessing the HMIS via a direct Internet connection, a personal firewall can be used such as Zone Alarm, Norton Firewall, or the Microsoft built in personal firewall.
  • <number>
    Verisign model: A system administrator would administer a third party trust certificate authority, push out over the Internet certificates for verified users. Once the certificate has been downloaded to the local computer, the user then is verified through the Verisign site before being redirected to the HMIS logon page.
    Seattle: User has to get signed notarized document stating who they are, submitted two proofs of identify, mailed to service provider, verify that person is who they claimed they are—the token and software is mailed to person’s home address, software is installed on local computer by user- before the user opens the browser they have to plug in the USB token to identify themselves- asks for username and password associated with token- goes to Transact Washington that verifies users- the user then gets redirected to HMIS logon. The system administrator is responsible for creating and revoking user access.
    Los Angeles: Each provider agency participating in the HMIS has to purchase a static (stable) IP address from their local ISP. The system administrator limits access to the HMIS to only those agencies whose IP address has been assigned and verified.
  • <number>
    Shelter or homeless service organizations are busy environments, especially at times with clients awaiting appointments or waiting for beds. A case manager can frequently be called away from their desk or PC to deal with an emergency potentially leaving sensitive client data on their screen.
  • <number>
  • <number>
  • <number>
    Refer further questions to Security Monitoring handout.
  • <number>
    This list is not exhaustive nor is it all applicable. If communities host their own systems, additional details may need to be logged. Differences in hardware, software, HMIS product, and operating platform would all affect the way a system is monitored.
  • <number>
    As this broadcast today only detailed the baseline requirements for compliance with the final notice, it should be noted that there are additional privacy and security protocols recommended throughout the notice to further protect the system.
    Communities are encouraged to meet and discuss whether any of these additional protocols as listed are an additional protections the community should implement.
  • Transcript

    • 1. Prepared by Abt Associates for the U.S. Department of Housing and Urban Development Homeless Management Information System (HMIS) Data and Technical Standards: Comply with the Security Requirements in the Final Notice
    • 2. Prepared by Abt Associates for the U.S. Department of Housing and2 HMIS Data and Technical Standards Training • This is training module 4 of a 4 part series addressing the following components of the Final HMIS Data and Technical Standards – Training 1: Overview – Training 2: Participation and Data Collection Requirements – Training 3: Privacy Standards – Training 4: Security and Technical Standards • Other training modules are available at: www.hmis.info
    • 3. Prepared by Abt Associates for the U.S. Department of Housing and3 Companion Training Materials • This training module features an accompanying set of training materials that includes: – Data Standards Compliance Checklist for Agencies – CoC/Implementing Jurisdictions Data Standards Compliance Assessment Checklist – System Monitoring Guidelines
    • 4. Prepared by Abt Associates for the U.S. Department of Housing and4 Overview • Security standards for HMIS users • Security standards for HMIS computers • System/Server level security standards • Monitoring security at the system level
    • 5. Prepared by Abt Associates for the U.S. Department of Housing and5 Defining Security • Security refers to the protection of client personal protected information and sensitive program information from unauthorized access, use or modification.
    • 6. Prepared by Abt Associates for the U.S. Department of Housing and6 Security Standards Framework • Two-tiered: required baseline standards and additional recommended protocols • Provide for technical controls to protect client data • Require covered homeless organizations (CHO) to assess their current technical infrastructure and make changes as needed
    • 7. Prepared by Abt Associates for the U.S. Department of Housing and7 Applicability • All workstations, desktops, laptops, and servers that connect to the CHO network or access the HMIS through a Virtual Private Network (VPN) must comply with the baseline security requirements. • Handout: Agency Data Standards Checklist
    • 8. Prepared by Abt Associates for the U.S. Department of Housing and8 What is a Virtual Private Network (VPN)? • A private communications network that uses a public network to connect remote sites or users • VPN allows an employee to access his/her agency’s local network from an off-site location using the Internet. • VPN users typically have software that allows them to access their network through the internet using a secure site • Learn more about VPNs: http://computer.howstuffworks.com/vpn.htm
    • 9. Prepared by Abt Associates for the U.S. Department of Housing and9 Baseline HMIS Agency Security Requirements • HMIS users – Unique username and password – Signed receipt of privacy notice • HMIS computers and networks – Secure location – Workstation username and password – Virus protection with automatic update – Locking password protected screen saver – Individual or network firewall – Public Key Infrastructure (PKI) to prevent unauthorized access
    • 10. Prepared by Abt Associates for the U.S. Department of Housing and10 Baseline HMIS User and HMIS Computer Requirements
    • 11. Prepared by Abt Associates for the U.S. Department of Housing and11 HMIS Computer Requirements • Computers in public areas used to collect and store HMIS data must be staffed at all times • Password protected screen savers must be automatically enabled when workstation is not in use • CHOs may decide to automatically log users off the system after a period of inactivity
    • 12. Prepared by Abt Associates for the U.S. Department of Housing and12 HMIS Computer Requirements • Virus protection – Must automatically scan files; and – User must regularly update software to detect new viruses. – Free virus protection is available at: • www.free-av.com • www.nonprofit-tech.org • Individual or network firewall: – Network firewall = baseline requirement if internet is accessed through central server; and – Individual firewall needed if internet is accessed through a modem. • Additional spyware software is strongly recommended
    • 13. Prepared by Abt Associates for the U.S. Department of Housing and13 User Training (Strongly Recommended) • Although not a baseline requirement, all users should participate in: – Data and Technical Standards Training • Participation and Data Collection Requirements; and • Privacy and Security Protocols to Protect Client Data. – Software training • How to enter, edit, change, and delete data; and • User and computer security requirements. – Ethics and privacy training • Consent protocol and privacy protocols; and • How to interview clients in a sensitive manner. – User groups are strongly encouraged to develop peer support opportunities
    • 14. Prepared by Abt Associates for the U.S. Department of Housing and14 Baseline HMIS System / Server Requirements • Authentication; • Multiple Access; • Virus Protection with Auto Update; • Firewalls - Individual workstations or network; • Encryption transmission; • Public Access – PKI – Public Key Infrastructure; • Location Control; • Back Up and Disaster Recovery; • System Monitoring; and • Secure Disposal.
    • 15. Prepared by Abt Associates for the U.S. Department of Housing and15 Web Security Model
    • 16. Prepared by Abt Associates for the U.S. Department of Housing and16 User Authentication • Every user accessing the HMIS system must have a unique username and password. • Passwords must: – Include at least one number and one letter; – Be at least 8 characters long; – Not be based on user’s name, organization, or software; and – Not be based on common words. • Good: [Na$car#39] • Bad: bobclark99 • Terrible: hmis
    • 17. Prepared by Abt Associates for the U.S. Department of Housing and17 User Authentication (cont.) • Both the workstation and the software used to access HMIS data should require user authentication (e.g., username/passwords). • Logging on to the HMIS computer alone is not sufficient. • Written information pertaining to user access should not be stored or displayed in any publicly accessible location.
    • 18. Prepared by Abt Associates for the U.S. Department of Housing and18 Multiple Access • An individual user must NOT be allowed access to the HMIS from multiple workstations on the network at the same time. • An individual user must NOT be allowed to log onto the local network from more than one location at a time.
    • 19. Prepared by Abt Associates for the U.S. Department of Housing and19 System Level Virus Protection • All systems on the network (including remote and VPN users) must have anti-virus software installed and updated regularly that automatically scans files. Old Anti-Virus Software = No Anti-Virus Software
    • 20. Prepared by Abt Associates for the U.S. Department of Housing and20 Firewalls • All machines accessing HMIS must have firewall protection from public networks (i.e., the Internet), typically via hardware. • Any machines accessing the Internet via dial-up modem must have a personal firewall. • Individual or network firewall: – If you use Windows XP you can install a firewall using Windows XP Service Pack 2; and – Free or low cost firewall software can be downloaded at: • www.zonelabs.com • www.techsoup.org
    • 21. Prepared by Abt Associates for the U.S. Department of Housing and21 Firewall Behind a Network Image found at: http://www.integration1.com.au/pages/default.cfm?page_id=21925
    • 22. Prepared by Abt Associates for the U.S. Department of Housing and22 Encryption • A CHO must encrypt all HMIS data that are electrically transmitted over the internet • Encryption is the conversion of plain text into encrypted data (code) • Encryption is used to protect a client’s sensitive personal information from unauthorized viewing
    • 23. Prepared by Abt Associates for the U.S. Department of Housing and23 Data Transmission Encryption • Two options – 128 bit encryption over the wire; and • Secure Socket Layer (SSL): A communications protocol used to secure all sensitive data. SSL is normally described as wrapping an encrypted envelope around message transmissions over the Internet. – Secure direct connections. • Virtual Private Network (VPN)
    • 24. Prepared by Abt Associates for the U.S. Department of Housing and24 Public Access • HMIS that use public forums for data collection/reporting must have additional security to limit access using Public Key Infrastructure (PKI) or through IP filtering. • Translation: Any Web-based HMIS accessed over the Internet, needs digital certificates installed on all browsers on all computers accessing the HMIS (PKI) or an extranet to limit access based on IP address.
    • 25. Prepared by Abt Associates for the U.S. Department of Housing and25 IP Addresses • Everything on the internet (servers, desktops, blackberries) is assigned an internet protocol (IP) address; • The internet uses IP addresses to move information from one place to another; • An IP address looks like this: 10.141.215.223; and • Firewalls block suspicious IP addresses from accessing your computer.
    • 26. Prepared by Abt Associates for the U.S. Department of Housing and26 What is Public Key Infrastructure? • Each user is issued a private key to encrypt messages and a public key to decode messages; • Private key is kept secret and known only to user; • Public key uses a digital certificate to authenticate the identity of the user; • Digital certificates must be issued by a recognized Certificate Authority; and • Secure socket layer “SSL” encryption does not meet the baseline PKI requirements.
    • 27. Prepared by Abt Associates for the U.S. Department of Housing and27 PKI: Public Key Infrastructure • Options for implementing PKI: – Self issued certificate authority-Example: Microsoft Certification Authority; – Third party certificate authority Example: Verisign or Thawte; – Seattle USB token; or • Alternative to PKI: Limiting access to HMIS through IP filtering. Community examples: – Los Angeles-filtering by IP address.
    • 28. Prepared by Abt Associates for the U.S. Department of Housing and28 Physical Access/Location • Access to workstations must be controlled and monitored. – Options: locked offices, privacy screens, etc. • Access to servers must be controlled to a greater degree. – Options: locked cabinet or cage; secure facilities.
    • 29. Prepared by Abt Associates for the U.S. Department of Housing and29 Backup and Disaster Recovery • All HMIS data must be regularly backed up and stored in a secure off-site location: – Backup your data and applications; – Save them to tape; – Test the tapes; – A Backup tape laying next to a server won’t help if the server room catches fire!; and – Alternatively, consider secure network-based offsite backup solutions.
    • 30. Prepared by Abt Associates for the U.S. Department of Housing and30 Secure Disposal • Tapes, disks and hard drives must be properly formatted and erased before disposal. – At least two erasure passes (three or more is recommended). • Free and commercial software is available to prepare old workstation hard drives, tapes, and floppies before discarding.
    • 31. Prepared by Abt Associates for the U.S. Department of Housing and31 System Monitoring • Most security breaches are carried out by authorized users of client record systems. • All systems including central servers must be monitored and “routinely” reviewed by staff. • Monitoring decisions: – Who monitors?; – What is normal and what is abnormal usage and access?; – How do I access the information?; and – What variables to monitor? • Handout: Security Monitoring
    • 32. Prepared by Abt Associates for the U.S. Department of Housing and32 System Monitoring (cont.) • What variables to monitor: – Logon success/failure; – Account management; – Policy changes; – Privilege use; – Process tracking; – System events; and – Connection attempts (IP and port).
    • 33. Prepared by Abt Associates for the U.S. Department of Housing and33 Additional security protocols • Options: – Designating a Chief Security Officer to supervise implementation; – Applying a firewall to all HMIS workstations where a network firewall is installed; and – Destroying HMIS media at a bonded vendor.
    • 34. Prepared by Abt Associates for the U.S. Department of Housing and34 Key Security Points • Applies to all machines on the CHO network or accessing the network through a VPN; • All computers must have virus protection; • All servers or computers directly accessing the internet must be protected by a firewall; • Web-based HMIS must use PKI or IP filtering to limit public access to data; • Physical access to computers and servers must be restricted; • Regular back-up and storage of HMIS data; and • Regular monitoring of HMIS at the system level.
    • 35. Prepared by Abt Associates for the U.S. Department of Housing and35 Summary • HMIS Data and Technical Standards set requirements for: – Data Elements and Data Collection Requirements (Training 2); – Privacy Standards (Training 3); and – Security and Technical Standards (Training 4).
    • 36. Prepared by Abt Associates for the U.S. Department of Housing and36 Security Resources • National Institute of Standards and Technology Computer and Security Resource Center – http://csrc.ncsl.nist.gov • Carnegie Mellon/CERT: Connecting to the Internet – http://www.cert.org/tech_tips/before_you_plug_in.html • CERT Implementation Tips for Servers and Networks – http://www.cert.org/tech_tips/ • National Institutes of Health Center for Information Technology Security Site – http://www.alw.nih.gov/Security/security.html • Forum of Incident Response and Security Reform – http://first.org
    • 37. Prepared by Abt Associates for the U.S. Department of Housing and37 Additional Resources • Final Notice: – http://www.hud.gov/offices/cpd/homeless/hmis/standards/index.cfm • HMIS Related Info: – http://www.hud.gov/offices/cpd/homeless/hmis/index.cfm – www.hmis.info

    ×