Going Paperless & Remote File Sharing
Mary Twitty, Family Services Director
Earnest L. Hunt, Director of Sub-recipient Monitoring
Tammy Smith, Program Director
Introduction
- Define the subject matter: moving from paper files to electronic files; protection/security of electronic information
- State what the audience will learn: an understanding of electronic filing; planning the move to paperless
- Find out if audience members have relevant backgrounds or interests
Agenda
- Why go paperless
- TDHCA compliance
- Federal guidance
- Planning: who needs to get involved
- Security
- Remote file sharing
Overview
- Give the big picture of the subject and explain how the individual topics fit together: TDHCA, TAC, Board, Auditor
- Planning: capacity, timeline, what next
Why Would You Go Paperless?
- Benefits
- Challenges
TAC (Compliance)
This is the current guidance on the TDHCA website for information security. It's not codified: http://www.tdhca.state.tx.us/security-guidelines.htm
TAC Title 10, Part 1, Chapter 5, Subchapter A, Rule 5.18
(a) Subrecipients are encouraged to follow the Information Technology Security Practices and Guidelines to help protect and control financial and performance data associated with the Texas Department of Housing and Community Affairs (TDHCA) programs.
(b) Information Technology Security Practices and Guidelines may be obtained by accessing the TDHCA Web site at www.tdhca.state.tx.us.
TAC Title 10, Part 1, Chapter 1, Subchapter A, Rule 1.25
(a) Definitions. The following words and terms, when used in this subchapter, shall have the following meanings, unless the context clearly indicates otherwise.
  (1) Affiliate--Shall have the meaning assigned by the specific program or programs described in this title.
  (2) Department--The Texas Department of Housing and Community Affairs.
  (3) Protected Health Information--As defined in 45 CFR 160.103.
  (4) Subrecipient--Includes any entity receiving funds or awards from the Department.
(b) If Subrecipients or Affiliates collect or receive Protected Health Information in the course of administering Department programs, they are required to follow the procedures in Texas Health and Safety Code, Subtitle I, Chapter 181.
(c) A nonprofit agency is exempt from this subchapter, unless the nonprofit's primary business is the provision of health care or reimbursement for health care services.
Paperless Process
Develop a plan of action with timelines to ensure that you obtain the needed outcomes, including:
- Stakeholders
- Technological capacity
- New operating procedures
- Protection of information
Stakeholders
- Auditor: discuss testing requirements
- Board: develop a plan of action for the Board
- Staff: create a training plan and operating procedures

Stakeholders (cont.)
- Funding sources: is approval needed?
- Clients/participants: notification of the change in how their information is stored; loss of information
- Commercial software vendor
Agency Capacity
Technology capacity:
- Computers
- Network
- Software
- Storage
- Information security
Information Technology (IT) Security Practices and Guidelines
The Texas Department of Housing and Community Affairs (TDHCA) created this set of IT practices to provide subrecipients with guidance on how to safeguard financial and performance data associated with TDHCA programs. For additional information, please contact the TDHCA Information Systems Division.
Security Practices and Guidelines
Disclaimer: TDHCA is responsible for safeguarding the data you enter into TDHCA systems. TDHCA is not responsible for the hardware, software, or data owned or maintained by other organizations.
Identify Critical IT Assets
First, ensure that the inventory of the software, hardware, systems, and data in your organization is up to date. Then determine which components constitute your critical IT assets. At a minimum, the components used to track financial and performance data associated with TDHCA programs will be considered critical IT assets.
Risk Assessment
Perform a risk assessment: find and document the vulnerabilities associated with critical IT assets. Some examples of vulnerabilities include:
- Theft or disaster
- Accidental deletion of files; terminated employees purposely destroying data
- Internet exploits, system hackers, viruses
- Critical data stored on individual PCs, without redundant hard drives or backups maintained offsite

Risk Assessment (cont.)
- Site-specific vulnerabilities (i.e., available hardware, software, and personnel) dependent on an organization's cost constraints
- Loss of portable computing devices such as USB flash drives, laptops, memory cards, and PDAs
- Vulnerabilities associated with wireless networking

Risk Assessment (cont.)
- Measure your ability to control the vulnerabilities that you document, and identify areas that have a high risk of compromise.
- Estimate the costs of minimizing risks, and conduct a cost/benefit analysis to determine where you will implement security controls and where the remaining risks are acceptable.
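The cost/benefit step above can be made concrete with a small risk register. This is an added example, not part of the TDHCA slides or guidelines; the likelihood, impact and control-cost figures are constructed placeholders, and annualized loss expectancy (ALE) is an assumed scoring method that the slides do not prescribe.

```python
# Added example: score the slides' example vulnerabilities and apply a
# cost/benefit test. All figures are constructed placeholders, and the
# ALE method (likelihood x impact per year) is an assumption, not TDHCA's.
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str           # critical IT asset the vulnerability affects
    vulnerability: str   # drawn from the slides' example list
    likelihood: float    # expected occurrences per year (assumed estimate)
    impact: float        # dollar loss per occurrence (assumed estimate)
    control: str         # candidate security control
    control_cost: float  # annual cost of the control (assumed estimate)
    reduction: float     # fraction of the loss the control removes (0..1)

    def ale(self) -> float:
        """Annualized loss expectancy before any control is applied."""
        return self.likelihood * self.impact

    def net_benefit(self) -> float:
        """Annual loss avoided by the control minus what the control costs."""
        return self.ale() * self.reduction - self.control_cost

    def decision(self) -> str:
        # Implement when the control pays for itself; otherwise record it
        # as an accepted risk (with the documented reasoning).
        return "implement" if self.net_benefit() > 0 else "accept"


# Constructed register built from the vulnerabilities the slides list.
REGISTER = [
    Risk("client case files", "critical data on one PC, no offsite backup",
         0.5, 20000.0, "nightly encrypted offsite backup", 600.0, 0.9),
    Risk("staff laptops", "lost or stolen laptop / USB drive",
         0.3, 15000.0, "full-disk encryption + device inventory", 400.0, 0.8),
    Risk("office network", "unsecured wireless network",
         0.2, 8000.0, "WPA2 + separate guest network", 300.0, 0.85),
    Risk("finance spreadsheet", "terminated employee deletes data",
         0.05, 5000.0, "prompt account disabling + versioned storage", 1200.0, 0.7),
]


def prioritize(register):
    """Highest-ALE first, with the cost/benefit decision for each item."""
    return [(r.vulnerability, round(r.ale(), 2), r.decision())
            for r in sorted(register, key=lambda r: r.ale(), reverse=True)]


if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print(row)
```

The last item shows the "acceptable risk" outcome: a control that costs more per year than the loss it prevents is documented rather than purchased.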
Establish a Written IT Security Policy
Apply a written IT security policy to your software, hardware, systems, networks, data, and personnel. At a minimum, your written IT security policy should address your critical IT assets and factor in the results of your risk assessment.

IT Security Policy
Your IT security policy should be tailored to the size and resources of your organization. Some policies that apply to organizations maintaining networked resources that share an Internet connection may not apply, or may be different, for an organization that consists of one or two people using a PC with an Internet connection. The key elements that should be considered in your IT security policy:
- Physical security
- Account management
- Passwords
- Patching servers and workstations
- Virus protection
- Firewalls
- Wireless
- Portable computing devices
- Backup and recovery
Federal Guidance
Office of Management and Budget Memorandum M-17-12: Preparing for and Responding to a Breach of Personally Identifiable Information
Breach of Information
Personally Identifiable Information (PII): information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information, e.g. name, address, phone number, email address, social security number, or any other identifying number or code.

Breach of PII
- The loss of control, compromise, unauthorized disclosure, acquisition, or any similar occurrence where a person other than an authorized user accesses or potentially accesses personally identifiable information
- An authorized user accesses or potentially accesses personally identifiable information for other than an authorized purpose

Breach of PII: examples
- Network intrusion
- Lost or stolen laptop or portable device
- E-mail sent to the wrong person
- Documents lost or stolen
- Selling of information by an authorized person for personal gain or embarrassment

Breach of PII: response
- Develop a breach response plan: a formal document that includes the agency's policies and procedures for reporting, investigating, and managing a breach.
- Review your contract with your commercial software vendor.
Remote File Sharing
Select a file sharing site:
- Google Drive
- Microsoft OneDrive
- Apple iCloud Drive
- IDrive
- SugarSync
- Dropbox

Remote File Sharing: Free vs. Paid
Free account:
- Size limitations on storage
- Limitations on size of files
- Good for a time-based trial
- Editing rights
- Cloud-based document search by file name
Paid account:
- User selects options for storage
- 24/7 support
- No ads
- Multi-level security
- Version control
- Full text and context search
Remote File Sharing: What could possibly go wrong?
Human error accounts for a good deal of cloud storage tragedies, but the dropped internet connection is another common troublemaker. Ask around (or just look through our review comments), and you'll hear sad stories of how cloud storage can go wrong. One of the benefits of paying for an account is that it usually comes with additional support from the provider, so if anything does go wrong, you can get someone on the phone to help you resolve the issue.

There are many other reasons to pay for cloud storage, from getting a lot more space (a terabyte really doesn't cost all that much anymore) to being able to upload really big files. That last benefit is relevant to graphic designers, video editors, and other visual artists who often host enormous files. Other perks of paying for your cloud storage often include increased access to file-version history (meaning you can restore an important business proposal to the version you had before your colleague made a bunch of erroneous changes), more security, or more features for collaboration and working with teams.
Implementation Timeline
- Take 6-8 months to plan
- Develop a written plan with policies and procedures
- Train, train, train staff and Board
- Hire a certified IT specialist

Summary
Questions