1 ffy2011 eap annual training section 5 (of 6) presented at ffy2011 eap annual training august 11...

1

FFY2011 EAP EAP Annual Annual TrainingTrainingSection 5Section 5 (of 6)(of 6)

Presented at FFY2011 EAP Annual Training August 11 & 12, 2010

Section 5 contents: Chapter 13

Incidents Semcac Flood CAPSH Flood Chapter 14

Data Practices & Records

Security R. Gooley Change Password in

eHEAT Chapter 15 Communication

& Information Various Reports

Chapter Contents Appeals Errors and Fraud Recovery of EAP Benefit Overpayment Due to

Error or Fraud Disaster and Emergency Planning

Combines Fraud & Error chapter

Chapter 13Incidents

No changes to the handling of incidents We have clarified the processes in the manual Highlighting some of the procedures to use Incidents have gone through the ICF evolution Controls to protect program and individuals These can be difficult situations We are your partners and are here to help you

Chapter 13Incidents

Handling Incidents – What to know

An incident is anything that happens outside of normal expected EAP operations.

Incidents can be one of several things: error, fraud, complaints, vendor goes out of business, etc.

When discovered fill out an incident report, provide enough facts to paint the picture for us

Email the report to EAP.mail and copy to monitors DOC staff reviews incident reports every Monday at our staff

meeting, unless expedience is required

Chapter 13Incidents

Handling Incidents – What to know (Continued)

After it’s reported to state continue your investigation as appropriate

DOC may respond with clarifying questions or direction on next steps depending on where we are in the process

Take it one step at a time Don’t think solution first – something unusual has happened:

don’t assume fraud or error when it could be either, get the facts As you investigate, collect facts & document them specifically.

Date, time, talked to, they reported, etc. In general, EAP coordinator and appropriate SP supervisors

should be involved EAP and other SP staff should be on a need to know basis

Chapter 13Incidents

Handling Incidents – What to know (Continued)

Overpayment Due to Household Error or FraudOverpayment Due to Household Error or FraudPages 7 & 8

When Household error or fraud results in overpayment of EAP benefits use the following procedure: Document the facts of the situation. For delivered fuel vendors; recall any EAP credit on the

customer account up to the amount overpaid. For connected energy vendors; recall the entire amount of the

overpayment. The result may be an amount due on the household’s vendor account.

For direct payment to households; recall the entire amount of the overpayment.

Chapter 13Incidents

Overpayment Due to Household Error or FraudOverpayment Due to Household Error or Fraud & 8Write to the client to: Notify them Request repayment of excess funds not recovered Clarify the household’s rights and responsibilities Offer to meet with them Try to agree on a repayment schedule as needed Allow installment payments If the household and you can agree on a reasonable timetable,

include this in your repayment request to the household

Chapter 13Incidents

Overpayment Due to Household Error Overpayment Due to Household Error Page 7 & 8

In the case of household error (not fraud), if repayment by the household poses a hardship for the household, the Service Provider must: Terminate recovery procedures when: The household declares and describes the hardship in

writing. Signs and dates their statement. Place their letter in the household’s file.

Chapter 13Incidents

Fraud

In cases when it is determined that fraud has occurred procedures outlined in the manual for investigating, documenting and ultimately escalating should be followed.

SP staff are encouraged to consult with their attorney DOC will advise and assist as appropriate

Chapter 13Incidents

Disasters – the worst incidencesDisasters – the worst incidences Disasters can and do happen This is why we ask you to include disaster plans in

your local plan So you can think about disasters before they happen Susie Thompson from Semcac Scott Zemke from CAPSH

lessons learned I wish I knew then what I know now….

Chapter 13Incidents

Disasters SharingDisasters Sharing Susie Thompson from Semcac

Chapter 13Incidents

• MHFA Quick Start Loan– 263 loans were processed for housing rehab

or replacement.

– Loans to date total > $9 million.

Disaster Recovery Efforts~Housing~

Disaster Recovery Efforts~Housing~

• GMHF Loan and Grant– 54 loans (totaling > $270,000) and 15 grants

have been processed for income-eligible households.

• Weatherization– Performed weatherization 9 homes.

– Replaced furnaces/water heaters at 23 homes.

Disaster Recovery Efforts ~Agency Facilities~

Affected facilities–Main Building–4-plex–Senior Dining’s equipment and

supplies at the Tenborg Center–Semcac Housing—Rushford, Inc.’s

Rush Creek Apartments

Main Office Damage

Main Office Clean-up

Rushford/Winona Bus Route

Temporary Main Office

Disaster Recovery Efforts ~Agency Facilities~

Resources for recovery– Insurance—auto and partial property– Federal and State Aid applications (FEMA, SBA,

MIF)– OEO, SMIF grant, Medtronic donation, Hunger

Solutions (through OEO) other Community Action Agencies, WSU nursing students’ fundraiser, other contributions from businesses and individuals. • Direct program

disaster recovery aid for Head Start, EAP, Weatherization, and Transportation

We made it back to Rushford—We made it back to Rushford—Never Give Up!Never Give Up!

Disasters SharingDisasters Sharing Scott Zemke from CAPSH

Chapter 13Incidents

35

CAPSH Office Flood 2008CAPSH Office Flood 2008

Building owner failed to shut off and bleed outdoor spigot.

Pipe froze and burst overnight on MLK holiday. Found by building maintenance. 2 inches of standing water. Administrative functions of agency shut down for

about two weeks

Results of PlanningResults of Planning

Server and computing capability remained All computer equipment raised up off of the floor at all times

Other program staff able to work remotely from home or other partner facilities

EAP largely unaffected Shut down for 2 days while walls/carpet dried (no

reconstruction needed). No access to rest of office (admin support, copier, etc.). No application processing for 2 days.

Results of PlanningResults of Planning (cont.)

Did not need to implement full disaster plan that involves co-locating at a partner organization Would have been more time consuming to move files and

equipment twice than simply wait for ability to return. Changed EAP VM to state the problem, asked for patience

and provided our emergency phone number EAP staff checked VM and returned calls from home

Collection and Maintenance of Private Data Application Documentation Sharing EAP Private Data

Chapter ContentsChapter Contents

Chapter 14Data Practices and Records

Third Party Requests for InformationThird Party Requests for Information Minnesota Statues (Minn. Stat.) §216C.266 says, “Data on

individuals collected, maintained, or created because an individual applies for benefits or services provided by the Energy Assistance and Weatherization programs is private data on individuals and must not be disseminated except pursuant to section 13.05, subdivisions 3 and 4”

Information about a data subject may only be released to a third party if the data subject consents by submitting a signed Informed Consent to Release Private Data form Service Providers commonly deny verbal requests received from the

Department of Revenue and attorneys working to garnish wages

Pages 2 & 9-11


E-Mail Data PrivacyTo maintain data privacy on e-mails Use only household numbers for identification when possible Use secure e-mail practices when private household data is

included Use secure e-mail practices to send New Vendor information

containing Tax IDs and/or Social Security Numbers Remind vendors to use only household numbers when

communication via e-mail about a customer Contact DOC for help if a vendor does not cooperate with data

privacy requirements, as required by the vendor agreement

Page 2


Social Security Number for LIHEAP and WAP Applications Social Security numbers (SSNs) are used in the administration of EAP

and to assure that only eligible applicants and their household members receive allowable benefits

Federal law allows States to require applicants to disclose their SSN to prevent, detect, and correct fraud and abuse. See Chapter 5 – Program Eligibility Requirements for details

Safe at Home (SAH) Participant SSN A participants in the State’s Safe at Home (SAH) program is one

exception to the policy requiring primary household applicants to provide a verifiable SSN for the household to be eligible for EAP services Providers should neither require nor request the SSN for SAH participants.

Page 2


Responsibility for Data PrivacyResponsibility for Data Privacy Individuals with access to private data must be aware of their

responsibilities under the MGDPA A best practice is to document regular training on data practices to

each staff with access to applications or household information

The Minnesota Department of Administration Information Policy Analysis Division assists individuals and entities with Minnesota’s Data Practices Act. Website http://www.ipad.state.mn.us


Copies of any correspondence with the applicant not documented by eHEAT Documentation of research and responses to a question, complaint or appeal

not maintained in eHEAT Pertinent program forms A signed signature page from the application (or, rarely, a copy) The application Documentation of income Income calculations not completed in eHEAT Case notes if they are not kept on eHEAT

Pages 3 & 4Documents that must be in the household’s hard copy file or easily identified and accessed electronic file include


Sharing Private Data with Vendors EAP data provided to vendors is limited to information necessary to obtain vendor

account and consumption information and allow vendors to apply EAP benefits to customer accounts The household data required is available to vendors through their access to eHEAT The information verifies the household’s EAP eligibility and the amount to apply to

their or their landlord’s account

To illustrate, EAP collects household data on income and household size, but the data is not required to apply EAP payments to customer accounts. Therefore, this data is not to be provided to the vendor With the exception that EAP allows vendor employees working with affordability

programs to request additional EAP private data if the household has agreed to participate in an affordability program

The vendor must obtain an Informed Consent for Release of Data form signed by the household before requesting EAP household data for any other use or program

Page 6


Sharing Private Data for Delivery of ERR ServicesSharing private data with Weatherization Assistance Program (WAP) staff and contractors providing ERR services for EAP householdsrequires both EAP and WAP programs to be responsible for protectingprivate data ERR participants (Auditors, Inspectors, Heating Contractors and etc.)

must be informed of data privacy requirements and provided with only the household data necessary to deliver services and do their jobs

Both EAP and WAP eHEAT users export household data from eHEAT for specific business uses

The eHEAT system’s security is designed for the local eHEAT Administrator(s) to assign authorized users to perform only the tasks and processes necessary to deliver services and perform assigned duties.

Pages 6 & 7


The Debtor’s Exemption Claim Notice Is a type of Informed Consent Form Minn. Stat. §13.05, Subd. 4 prescribes the content of

the form and is consistent with the required content of the Informed Consent Request Form, as long as it is on the letterhead or otherwise names the third party recipient of the information

Page 10

Debtor's Exemption Claim Notice


Have new users fill out agreement before access Make sure users have only the functions they need Disable users who no longer need access

Managing eHEAT Security Agreements for Admin & Users


Questionnaires & surveys used for referralsQuestionnaires & surveys used for referrals Keep them clearly separate from EAP

Do not include with the Energy Programs Application

Make sure the household knows the form and individual questions are optional

Best Practices Ask households to check services/programs of interest Do not ask invasive questions that allow staff to recommend drug

treatment, anger management, etc.


56

Security talk and tacticsSecurity talk and tactics

Richard GooleyChief Information Security Officer

Minnesota Department of Commerce

Presenter

Sec-UR-rity - You are at the center The only totally secure computer is offline There is no “Set it and Forget it©” in security

57

58

Today's ProgramToday's Program

• Protecting Your Information• Protecting Your Computer• Staying Safe Online• Passwords and Pass Phrases• Technical Risk Assessment• Free Stuff and Reference Material• Stump the geek

Protecting Your InformationProtecting Your Information

What information are you protecting?– Social Security Number– Addresses– Children– Household income– Private financial information

59


Paper– Applications, Hand written notes, Memos, Printed emails

Electronic data– PC’s, Laptops– Hand held Devices, Phones, – Flash Drives, Dvds, CDs, Diskette, Tapes

60


What are you protecting the information from:– Unauthorized use – Modification– Destruction– Temporary or permanent loss

61

62

Protecting Your ComputerProtecting Your Computer


Who wants the information?– Hi-Tech cyber criminals– Worldwide Cyber crime

63


64

65


Vulnerabilities - How They Attack– Vulnerabilities are flaws in computer software that

create weaknesses in the overall security of the computer or network. Vulnerabilities can also be created by improper computer or security configurations. Threats exploit the weaknesses of vulnerabilities resulting in potential damage to the computer or personal data.

– Used to be emails now it’s websites.

How can I tell if my computer is infected? How can I tell if my computer is infected? Signs of infection

– My computer is running extremely slowly– Applications won't start– I cannot connect to the Internet or it runs very slowly– When I connect to the Internet, all types of windows open

or the browser displays pages I have not requested– Where have my files gone?– My antivirus has disappeared, my firewall is disabled– My computer is speaking a strange language– Programs have disappeared from my computer– My computer has gone mad... literally

66


What can we do to protect your computer?– Number one Computer Security Risk

Computers remain unpatched

– Move to Windows 7– Use a profile that isn’t the “Administrator”

67


What is a patch?– A patch is a piece of software designed to fix problems

with, or update a computer program or its supporting data

68

Java and QuickTimeJava and QuickTime

69

JavaJava

Click Start– Control Panel

• Java

70

Adobe ReaderAdobe Reader

71

Apple QuickTimeApple QuickTime

Click Start– Control Panel

• QuickTime

72

Windows UpdateWindows Update

73

74

Windows UpdateWindows Update


Microsoft Windows 7 or XP operating system?– Exploits using Windows XP as an attack vector will grow

this year– Windows XP is nine years old and some patches will no

longer be supported– Threat detections are down against Windows 7

75


User Profiles– For everyday use have a profile that is a “User” or “Power

User” Group. Instead of the default “Administrators” Group.

• “Administrator” is All Powerful… I can install programs. • “Power User” Powerful… I can install a printer• “User”… I can run applications

76

77

Staying Safe OnlineStaying Safe Online

Spoofed emails – Email to me.. From me? Phishing – Nigerian email scams Spear Phishing- Your local bank wants you

password

78

Staying Safe OnlineStaying Safe Online

Spyware Typosquatter

– www.examlpe.com – www.example.co– www.example.com – How many ways can you spell freecreditreport.com?

• Netcorp registered 1,017 domain name variations on FreeCreditReport.com

79

Passwords: Longer is StrongerPasswords: Longer is Stronger

Examples of passwords– eX@mp13s – No longer a good password– What's my uncles phone number?

• wMUp#?6125356519

– Do you know my address?• DUKma?45410akland

80

Pass Phrase: Longer is StrongerPass Phrase: Longer is Stronger

Pass Phrases – Long and complex– What's my uncles phone number?

• What's my uncl3s phon3 numb3r? 6513246519

– Do you know my address?• D0 y0u kn0w my address? 45410akland

Risk AssessmentRisk Assessment

What is a Risk Assessment?– A report that shows assets, vulnerabilities, likelihood of

damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection.

81

Risk AssessmentRisk Assessment

Determine a risk assessment strategy that best suits the needs of your organization.

A risk assessment is a useful tool. Non-profit has special needs to consider when devising

a risk assessment. Know and address these needs to allow for a more

accurate and detailed risk assessment.

82

83

Tools and Reference MaterialTools and Reference Material

84

Useful ToolsUseful Tools Tools to wipe drives when disposing computer

– www.killdisk.com/– www.diskwipe.org/

Free tools– http://www.fileinspect.com/task-manager/– http://www.wireshark.org/– http://www.solarwinds.com/

Restore disks– http://www.restoredisks.com

85

Reference ResourcesReference Resources

www.msisac.org - Information Sharing and Analysis Center

www.drj.com - Disaster Recovery Journal

www.ready.gov - Family Emergency Preparations

www.sans.org – Security Training, Certification and Research

www.itsecurity.com –Help Choosing Security Products

http://technet.microsoft.com – Microsoft Technical Information

[email protected]

86

ConclusionConclusion

Security is a daily practice Patch your computer at work and home Thank you!

Password ResetPassword Reset


All entered info must match what is in eHEATAll entered info must match what is in eHEATPassword Reset Password Reset (Continued)(Continued)


Keep User Profile CurrentKeep User Profile Current


90

Chapter StructureChapter Structure

Information and Reporting Federal Leveraging Incentive Fund DOC Communication Tools Service Provider Communication Requirements

Chapter 15Chapter 15Communication, Information & Communication, Information & ReportsReports

91

General Chapter ChangesGeneral Chapter Changes

Chapter combines former Information & Reporting chapter with Communication information from the former Overview of Service Provider Admin Responsibility chapter

Federal Leveraging chapter also part of this new chapter


92

Specific Chapter ChangesSpecific Chapter Changes

Due Date Change: FSR submission date is now the 5th of the monthThe due date for FSR submission was 5th of the month in WAP contract last year, so EAP FSR due date has been changed for DOC consistency.


Page 3

93


Addition: Service Provider staff members who provide back-up during a coordinator’s absence must know under what circumstances it is necessary to contact their Field Representative, [email protected] or [email protected]


Page 7

94

Specific Chapter ChangesSpecific Chapter ChangesNew Section

Service Provider’s Other Reportable Conditions If SP becomes aware of the existence (or apparent existence) of fraud, waste, or abuse related to the organization’s activities, grants or use of grant funds including non-DOC grants, it must report this information to DOCThe purpose of this is to inform DOC of situations that may impact the SP general administrative capability


Page 8

95


Report Name Change

Expenditure Detail Report is the new name for the Budget Summary


Appendix 15B

96

Related ChangesRelated Changes Added "Leveraged Activities" to Advocacy Services

reason list in A16 in eHEAT to help with tracking (thanks to suggestion from Gayle at Inter-County)

Reminder that the Leveraging Report is coming up. Mailed September 24 Due to DOC October 22


97

Related ChangesRelated ChangesIncreasing use of the DOC website for SP For forms & appendices that used to be attached to

the Policy Manual Increasingly we’ll direct you to the web to find

documents, as we did with the Local Plan Check website first


Crisis Benefit Report Agency Application Count Comparison SP Payments By County Household Additional Info Application Search

eHEAT

Report Highlights/ReviewReport Highlights/Review

Crisis Benefit ReportCrisis Benefit Report

eHEAT


Crisis Benefit ReportCrisis Benefit Report Export includes fields not shown on screen Both mailing address and hh address included in

export Vendor information is included if criteria is checked CRISISAWARDEDAMT and CRISISPAIDAMT field is

for application and are the totals awarded and paid for application not event

eHEAT


Agency Application Count ComparisonAgency Application Count Comparison

eHEAT


Agency Application Count ComparisonAgency Application Count Comparison Counts of states at point in time Compares to previous years on the same date Data is live

eHEAT


SP Payments By CountySP Payments By County

eHEAT


SP Payments By CountySP Payments By County Can not span program years with dates Definitions of $ are on hover note Data is live Previous program data is available

eHEAT


Household Additional InfoHousehold Additional Info

eHEAT


Household Additional InfoHousehold Additional Info Allows access to letters to Denied households Includes Request Date and Processed Date

eHEAT


Application SearchApplication Search ROFW added Both Addresses included in export Label

Refund ProcessRefund Process Address added to export

eHEAT


1 ffy2011 eap annual training section 5 (of 6) presented at ffy2011 eap annual training august 11...

Documents

incidents slide

continued slide

incidents handling incidents

household chapter

handling of incidents

temporary main office

main office cleanup

main office damage slide