1 / 41

EAP Data Security: Ensuring Compliance and Protecting Sensitive Information

Learn about the security policies, practices, and requirements for the Minnesota Energy Assistance Program (EAP) data security, including data practices, SSA requirements, and MN.IT security policies.

cartermichael
Télécharger la présentation

EAP Data Security: Ensuring Compliance and Protecting Sensitive Information

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Energy Assistance Program FFY20 Annual Training EAP Data Security, Data Practices

  2. EAP Data Security Tracy Smetana Minnesota Energy Assistance Program

  3. EAP Data Security Topics • MN.IT Security Policies and Standards • Social Security Administration (SSA) Requirements

  4. EAP Data Security MN.IT Security Policies and Standards • One of eHEAT Next Generation’s expected benefits is to improve program compliance & integrity by • Improving auditability and traceability • Enabling more effective budget management • Improving data accuracy • Improving data and system security • Improving user access management • Improving person identification

  5. EAP Data Security MN.IT Security Policies and Standards • Roles in eHEAT • Unique user IDs • Must document requests to create or modify accounts and privileges • Accounts and privileges no longer required must be removed or disabled • Within 8 hours for voluntary changes • Within 1 hour for involuntary changes, including lost or compromised accounts

  6. EAP Data Security MN.IT Security Policies and Standards • Segregation of duties • Group accounts prohibited • Multiple concurrent active sessions for individual user accounts prohibited • Requires changes: policy, eHEAT security agreement

  7. EAP Data Security SSA Requirements • eHEAT Next Generation will obtain data from SSA to verify EAP HH members’ identity • SSA has detailed security requirements for state agencies and their contractors

  8. EAP Data Security SSA Requirements • eHEAT Next Gen sends SSA first name, last name, DOB, and SSN • SSA sends back a verification field stating the info is correct – or, if not correct, a code detailing which field is incorrect • Since SSA attests to the accuracy of the information we supplied, data becomes SSA-provided information (SSA data)

  9. EAP Data Security SSA Requirements • Procedural documents to describe methods and controls to safeguard SSA data while… • In use • At rest • During transmission • After archiving

  10. EAP Data Security SSA Requirements Restrict access to SSA data to authorized users who need it to perform their official duties • Physical – examples include • Secure building with badge access • Visitor sign-in • Guards • Photo credential badges • 24 hour security

  11. EAP Data Security SSA Requirements Restrict access to SSA data to authorized users who need it to perform their official duties • Technological – examples include • Remote wipe for mobile devices/laptops • Mobile device/laptop encryption • Mobile device/laptop locks • Access management

  12. EAP Data Security SSA Requirements • Remote access and work from home security measures • Recording, photographing, capturing screen shots of any SSA data prohibited • Includes cell phones, tablets, laptops, video cameras, security cameras, family member access to workstations • Safeguard SSA data during remote connections • Printing media containing SSA data prohibited

  13. EAP Data Security SSA Requirements Information system contingency plan • Address internal and external threats • Address security of SSA data if a disaster occurs • Include details regarding business continuity plan • Protect SSA data in the event of a natural disaster or system disabling cyber-attack • Perform a disaster recovery exercise at least once annually

  14. EAP Data Security SSA Requirements Disposal/destruction of case files with SSA data • Must have written policy and procedures for periodic disposal/destruction of any media containing SSA data • Paper documents must be destroyed by burning, pulping, shredding, macerating, or other similar means that ensure the information is unrecoverable • Personnel who will encounter SSA data must sign non-disclosure agreement

  15. EAP Data Security SSA Requirements Data breach containing SSA data is a “reportable incident” • If hard copy or electronic information containing SSA data left our custody • Or was disclosed to an unauthorized entity or individual

  16. EAP Data Security SSA Requirements Security awareness training • Required safeguards to protect SSA data • Civil and criminal sanctions for noncompliance • Sensitivity of SSA data • Privacy Act and other Federal and State laws governing use and misuse of SSA data • Rules of behavior concerning use and security in systems processing SSA data

  17. EAP Data Security SSA Requirements Security awareness training • Restrictions on viewing and/or copying SSA data • Responsibility for proper use and protection of SSA data • Proper disposal of SSA data • Security incident reporting procedures • Basic understanding of procedures to protect the network from malware attacks • Spoofing, phishing, and pharming scam prevention • Must maintain security awareness training records for employees

  18. EAP Data Security SSA Requirements Compliance reviews • Commerce must do compliance reviews once every 3 years

  19. Data Practices Emily Kelnberger Minnesota Department of Commerce

  20. Data Practices Act:What Service Providers Need to Know mn.gov/commerce

  21. WELCOME Emily Kelnberger Legal Analyst & Data Management – Legal Services Emily.Kelnberger@state.mn.us mn.gov/commerce

  22. COURSE OVERVIEW Course Overview The Minnesota Government Data Practices Act Responsibilities as a Commerce contractor (Service Providers) Classification of data Data breaches mn.gov/commerce

  23. Minnesota Government Data Practices Act Minnesota Statutes, Chapter 13 Applies to EAP Service Providers mn.gov/commerce

  24. THE LAW • Minnesota Statutes, Chapter 13 • Defines government data • Presumes government data are public • Classifies data that are not public • Requires that data on individuals are accurate, complete, current, and secure • Minnesota Rules, Chapter 1205 mn.gov/commerce

  25. WHAT ARE GOVERNMENT DATA? Information that is collected, created, stored, maintained, or disseminated • Minn. Stat. § 13.02, subd. 7 • Examples: • Emails • Notes • Applications • Statistics mn.gov/commerce

  26. THE LAW • Application Data • Data on individuals collected, maintained, or created because an individual applies on behalf of a household for benefits or services provided by the energy assistance and weatherization programs are private data on individuals and must not be disseminated except pursuant to section 13.05, subdivisions 3 and 4. • Minn. Stat. § 216C.266, subd. 1 mn.gov/commerce

  27. A Balance Public right to know Government duty to keep accurate records Individual right to privacy mn.gov/commerce

  28. Other Related Laws and Policy Service Providers mn.gov/commerce

  29. Other Related Laws mn.gov/commerce

  30. Other Related Laws • The Records Management Statute (Minn. Stat. § 138.17) • EAP records must be maintained for at least 6 years after the program year has ended, per Minn. Stat. § 16C.05, subd. 5. • However, in order to protect applicants, EAP record retention should not exceed 6 years after the program year has ended. mn.gov/commerce

  31. COMMERCE Data PRACTICE Policy • Policy • Commerce is committed to securing and protecting the privacy of the citizens and businesses of Minnesota. Therefore, access to Not-Public Data will only be granted: • To perform your job • Prior approval in writing for access mn.gov/commerce

  32. PENALTY • Penalty • From EAP Policy Manual: Government entities and their contractors may be subject to penalties when violations of the MGDPA occur. Minn. Stat. § 13.08 states: “[A] responsible authority or government entity which violates any provision of this chapter is liable to a person or representative of a decedent who suffers any damage as a result of the violation, and the person damaged or a representative in the case of private data on decedents…may bring an action against the responsible authority or government entity to cover any damages sustained, plus costs and reasonable attorney fees. In the case of a willful violation, the government entity shall, in addition, be liable to exemplary damages of not less than $1,000, nor more than $15,000 for each violation.” mn.gov/commerce

  33. BE A GOOD STEWARD • Part of your job is to be a good steward of the information you come into contact with for your job. • Be responsible for the data you share or transfer to others – internally and externally • For questions, contact either: • eap.mail@state.mn.us, or • your PPA. mn.gov/commerce

  34. What is a data practices request? Service Providers mn.gov/commerce

  35. WHAT IS A DATA PRACTICES REQUEST? + OR Data Requests vs. Other Inquiries mn.gov/commerce

  36. Data Classifications • Those in entity whose work requires access • Entities authorized by law • Not available to data subject Classifications Who has access to the data? Confidential • Data subject • Those in entity whose work requires access • Entities authorized by law • Those authorized by the data subject Private Available to anyone for any reason Public mn.gov/commerce

  37. Examples Classifications Examples Verification information from SSA Confidential • All EAP records about an individual or household • Hard and electronic copies of the application • Application summary on eHEAT Private Aggregate data with no way to identify individuals: • Number of HHs served • Number of HH with wages Public mn.gov/commerce

  38. Data Breach Minn. Stat. §§ 13.055, 13.08 and 13.09 mn.gov/commerce

  39. DATA BREACH • What do I do if I am involved in or witness a data breach? • Contact your supervisor immediately. • Notify Commerce if a breach in security or inadvertent disclosure of private data is discovered. • Complete an Incident Report and submit to Commerce at eap.mail@state.mn.us • Fixes are easier if we can act quickly • When in doubt, check it out • We can evaluate the situation and identify next steps mn.gov/commerce

  40. RECAP – YOUR RESPONSIBILITIES Become familiar with data retention policies Ensure the data you access is for business purposes only Understand the classifications of data Ensure the data you use or come into contact with is maintained in a matter that is easily accessible If you are a party to or witness a data breach, contact your supervisor immediately mn.gov/commerce

  41. Thank You! mn.gov/commerce

More Related