FFY2011 EAP Annual Training, Section 5 (of 6)
Presented at FFY2011 EAP Annual Training August 11 & 12, 2010
Section 5 contents:
• Chapter 13: Incidents
  – Semcac Flood
  – CAPSH Flood
• Chapter 14: Data Practices & Records
  – Security (R. Gooley)
  – Change Password in eHEAT
• Chapter 15: Communication & Information
  – Various Reports
Chapter 13: Incidents
Chapter Contents
• Appeals
• Errors and Fraud
• Recovery of EAP Benefit Overpayment Due to Error or Fraud
• Disaster and Emergency Planning
Combines Fraud & Error chapter
• No changes to the handling of incidents
• We have clarified the processes in the manual
• Highlighting some of the procedures to use
• Incidents have gone through the ICF evolution
• Controls to protect program and individuals
• These can be difficult situations
• We are your partners and are here to help you
Handling Incidents – What to know
• An incident is anything that happens outside of normal expected EAP operations.
• Incidents can be one of several things: error, fraud, complaints, vendor goes out of business, etc.
• When discovered, fill out an incident report and provide enough facts to paint the picture for us
• Email the report to EAP.mail and copy to monitors
• DOC staff reviews incident reports every Monday at our staff meeting, unless expedience is required
Handling Incidents – What to know (Continued)
• After it’s reported to state, continue your investigation as appropriate
• DOC may respond with clarifying questions or direction on next steps depending on where we are in the process
• Take it one step at a time
• Don’t think solution first – something unusual has happened: don’t assume fraud or error when it could be either, get the facts
• As you investigate, collect facts & document them specifically.
  – Date, time, talked to, they reported, etc.
• In general, EAP coordinator and appropriate SP supervisors should be involved
• EAP and other SP staff should be on a need to know basis
Overpayment Due to Household Error or Fraud (Pages 7 & 8)
When household error or fraud results in overpayment of EAP benefits, use the following procedure:
• Document the facts of the situation.
• For delivered fuel vendors: recall any EAP credit on the customer account up to the amount overpaid.
• For connected energy vendors: recall the entire amount of the overpayment. The result may be an amount due on the household’s vendor account.
• For direct payment to households: recall the entire amount of the overpayment.
Overpayment Due to Household Error or Fraud (Pages 7 & 8)
Write to the client to:
• Notify them
• Request repayment of excess funds not recovered
• Clarify the household’s rights and responsibilities
• Offer to meet with them
• Try to agree on a repayment schedule as needed
• Allow installment payments
• If the household and you can agree on a reasonable timetable, include this in your repayment request to the household
Overpayment Due to Household Error (Pages 7 & 8)
In the case of household error (not fraud), if repayment by the household poses a hardship for the household, the Service Provider must:
• Terminate recovery procedures when:
  – The household declares and describes the hardship in writing.
  – Signs and dates their statement.
• Place their letter in the household’s file.
Fraud
• In cases when it is determined that fraud has occurred, procedures outlined in the manual for investigating, documenting and ultimately escalating should be followed.
• SP staff are encouraged to consult with their attorney
• DOC will advise and assist as appropriate
Disasters – the worst incidences
• Disasters can and do happen
• This is why we ask you to include disaster plans in your local plan
• So you can think about disasters before they happen
• Susie Thompson from Semcac
• Scott Zemke from CAPSH
• Lessons learned: I wish I knew then what I know now….
Disasters Sharing: Susie Thompson from Semcac
Disaster Recovery Efforts ~Housing~
• MHFA Quick Start Loan
  – 263 loans were processed for housing rehab or replacement.
  – Loans to date total > $9 million.
• GMHF Loan and Grant
  – 54 loans (totaling > $270,000) and 15 grants have been processed for income-eligible households.
• Weatherization
  – Performed weatherization on 9 homes.
  – Replaced furnaces/water heaters at 23 homes.
Disaster Recovery Efforts ~Agency Facilities~
Affected facilities
– Main Building
– 4-plex
– Senior Dining’s equipment and supplies at the Tenborg Center
– Semcac Housing—Rushford, Inc.’s Rush Creek Apartments
[Photos: Main Office Damage; Main Office Clean-up; Rushford/Winona Bus Route; Temporary Main Office]
Resources for recovery
– Insurance—auto and partial property
– Federal and State Aid applications (FEMA, SBA, MIF)
– OEO, SMIF grant, Medtronic donation, Hunger Solutions (through OEO), other Community Action Agencies, WSU nursing students’ fundraiser, other contributions from businesses and individuals.
• Direct program disaster recovery aid for Head Start, EAP, Weatherization, and Transportation
We made it back to Rushford—Never Give Up!
Disasters Sharing: Scott Zemke from CAPSH
CAPSH Office Flood 2008
• Building owner failed to shut off and bleed outdoor spigot.
• Pipe froze and burst overnight on MLK holiday.
• Found by building maintenance.
• 2 inches of standing water.
• Administrative functions of agency shut down for about two weeks
Results of Planning
• Server and computing capability remained
  – All computer equipment raised up off of the floor at all times
• Other program staff able to work remotely from home or other partner facilities
• EAP largely unaffected
  – Shut down for 2 days while walls/carpet dried (no reconstruction needed).
  – No access to rest of office (admin support, copier, etc.).
  – No application processing for 2 days.
Results of Planning (cont.)
• Did not need to implement full disaster plan that involves co-locating at a partner organization
  – Would have been more time consuming to move files and equipment twice than simply wait for ability to return.
• Changed EAP VM to state the problem, asked for patience and provided our emergency phone number
• EAP staff checked VM and returned calls from home
Chapter 14: Data Practices and Records
Chapter Contents
• Collection and Maintenance of Private Data
• Application Documentation
• Sharing EAP Private Data
Third Party Requests for Information (Pages 2 & 9-11)
• Minnesota Statutes (Minn. Stat.) §216C.266 says, “Data on individuals collected, maintained, or created because an individual applies for benefits or services provided by the Energy Assistance and Weatherization programs is private data on individuals and must not be disseminated except pursuant to section 13.05, subdivisions 3 and 4”
• Information about a data subject may only be released to a third party if the data subject consents by submitting a signed Informed Consent to Release Private Data form
  – Service Providers commonly deny verbal requests received from the Department of Revenue and attorneys working to garnish wages
E-Mail Data Privacy (Page 2)
To maintain data privacy on e-mails:
• Use only household numbers for identification when possible
• Use secure e-mail practices when private household data is included
• Use secure e-mail practices to send New Vendor information containing Tax IDs and/or Social Security Numbers
• Remind vendors to use only household numbers when communicating via e-mail about a customer
• Contact DOC for help if a vendor does not cooperate with data privacy requirements, as required by the vendor agreement
Social Security Number for LIHEAP and WAP Applications (Page 2)
• Social Security numbers (SSNs) are used in the administration of EAP and to assure that only eligible applicants and their household members receive allowable benefits
• Federal law allows States to require applicants to disclose their SSN to prevent, detect, and correct fraud and abuse. See Chapter 5 – Program Eligibility Requirements for details
Safe at Home (SAH) Participant SSN
• A participant in the State’s Safe at Home (SAH) program is one exception to the policy requiring primary household applicants to provide a verifiable SSN for the household to be eligible for EAP services
  – Providers should neither require nor request the SSN for SAH participants.
Responsibility for Data Privacy
• Individuals with access to private data must be aware of their responsibilities under the MGDPA
• A best practice is to document regular training on data practices to each staff with access to applications or household information
• The Minnesota Department of Administration Information Policy Analysis Division assists individuals and entities with Minnesota’s Data Practices Act. Website: http://www.ipad.state.mn.us
Documents that must be in the household’s hard copy file or easily identified and accessed electronic file include (Pages 3 & 4):
• Copies of any correspondence with the applicant not documented by eHEAT
• Documentation of research and responses to a question, complaint or appeal not maintained in eHEAT
• Pertinent program forms
• A signed signature page from the application (or, rarely, a copy)
• The application
• Documentation of income
• Income calculations not completed in eHEAT
• Case notes if they are not kept on eHEAT
Sharing Private Data with Vendors (Page 6)
• EAP data provided to vendors is limited to information necessary to obtain vendor account and consumption information and allow vendors to apply EAP benefits to customer accounts
  – The household data required is available to vendors through their access to eHEAT
  – The information verifies the household’s EAP eligibility and the amount to apply to their or their landlord’s account
• To illustrate, EAP collects household data on income and household size, but the data is not required to apply EAP payments to customer accounts. Therefore, this data is not to be provided to the vendor
  – With the exception that EAP allows vendor employees working with affordability programs to request additional EAP private data if the household has agreed to participate in an affordability program
• The vendor must obtain an Informed Consent for Release of Data form signed by the household before requesting EAP household data for any other use or program
Sharing Private Data for Delivery of ERR Services (Pages 6 & 7)
Sharing private data with Weatherization Assistance Program (WAP) staff and contractors providing ERR services for EAP households requires both EAP and WAP programs to be responsible for protecting private data
• ERR participants (Auditors, Inspectors, Heating Contractors, etc.) must be informed of data privacy requirements and provided with only the household data necessary to deliver services and do their jobs
• Both EAP and WAP eHEAT users export household data from eHEAT for specific business uses
• The eHEAT system’s security is designed for the local eHEAT Administrator(s) to assign authorized users to perform only the tasks and processes necessary to deliver services and perform assigned duties.
The Debtor’s Exemption Claim Notice (Page 10)
• Is a type of Informed Consent Form
• Minn. Stat. §13.05, Subd. 4 prescribes the content of the form and is consistent with the required content of the Informed Consent Request Form, as long as it is on the letterhead or otherwise names the third party recipient of the information
[Image: Debtor's Exemption Claim Notice]
Managing eHEAT Security Agreements for Admin & Users
• Have new users fill out agreement before access
• Make sure users have only the functions they need
• Disable users who no longer need access
Questionnaires & surveys used for referrals
• Keep them clearly separate from EAP
• Do not include with the Energy Programs Application
• Make sure the household knows the form and individual questions are optional
Best Practices
• Ask households to check services/programs of interest
• Do not ask invasive questions that allow staff to recommend drug treatment, anger management, etc.
Security talk and tactics
Presenter: Richard Gooley, Chief Information Security Officer, Minnesota Department of Commerce
• Sec-UR-rity - You are at the center
• The only totally secure computer is offline
• There is no “Set it and Forget it©” in security
Today's Program
• Protecting Your Information
• Protecting Your Computer
• Staying Safe Online
• Passwords and Pass Phrases
• Technical Risk Assessment
• Free Stuff and Reference Material
• Stump the geek
Protecting Your Information
What information are you protecting?
– Social Security Number
– Addresses
– Children
– Household income
– Private financial information
Paper
– Applications, hand written notes, memos, printed emails
Electronic data
– PCs, laptops
– Hand held devices, phones
– Flash drives, DVDs, CDs, diskettes, tapes
What are you protecting the information from?
– Unauthorized use
– Modification
– Destruction
– Temporary or permanent loss
Protecting Your Computer
Who wants the information?
– Hi-Tech cyber criminals
– Worldwide cyber crime
Vulnerabilities - How They Attack
– Vulnerabilities are flaws in computer software that create weaknesses in the overall security of the computer or network. Vulnerabilities can also be created by improper computer or security configurations. Threats exploit the weaknesses of vulnerabilities, resulting in potential damage to the computer or personal data.
– Used to be emails, now it’s websites.
How can I tell if my computer is infected?
Signs of infection
– My computer is running extremely slowly
– Applications won't start
– I cannot connect to the Internet or it runs very slowly
– When I connect to the Internet, all types of windows open or the browser displays pages I have not requested
– Where have my files gone?
– My antivirus has disappeared, my firewall is disabled
– My computer is speaking a strange language
– Programs have disappeared from my computer
– My computer has gone mad... literally
What can we do to protect your computer?
– Number one computer security risk: computers remain unpatched
– Move to Windows 7
– Use a profile that isn’t the “Administrator”
What is a patch?
– A patch is a piece of software designed to fix problems with, or update, a computer program or its supporting data
Java and QuickTime
Java
Click Start
– Control Panel
  • Java
Adobe Reader
Apple QuickTime
Click Start
– Control Panel
  • QuickTime
Windows Update
Microsoft Windows 7 or XP operating system?
– Exploits using Windows XP as an attack vector will grow this year
– Windows XP is nine years old and some patches will no longer be supported
– Threat detections are down against Windows 7
User Profiles
– For everyday use, have a profile that is in the “User” or “Power User” group instead of the default “Administrators” group.
  • “Administrator” is All Powerful… I can install programs.
  • “Power User” Powerful… I can install a printer
  • “User”… I can run applications
Staying Safe Online
• Spoofed emails – Email to me.. From me?
• Phishing – Nigerian email scams
• Spear Phishing – Your local bank wants your password
Staying Safe Online
• Spyware
• Typosquatter
  – www.examlpe.com
  – www.example.co
  – www.example.com
  – How many ways can you spell freecreditreport.com?
    • Netcorp registered 1,017 domain name variations on FreeCreditReport.com
Passwords: Longer is Stronger
Examples of passwords
– eX@mp13s – No longer a good password
– What's my uncles phone number?
  • wMUp#?6125356519
– Do you know my address?
  • DUKma?45410akland
Pass Phrase: Longer is Stronger
Pass Phrases – Long and complex
– What's my uncles phone number?
  • What's my uncl3s phon3 numb3r? 6513246519
– Do you know my address?
  • D0 y0u kn0w my address? 45410akland
Risk Assessment
What is a Risk Assessment?
– A report that shows assets, vulnerabilities, likelihood of damage, estimates of the costs of recovery, summaries of possible defensive measures and their costs and estimated probable savings from better protection.
• Determine a risk assessment strategy that best suits the needs of your organization.
• A risk assessment is a useful tool.
• A non-profit has special needs to consider when devising a risk assessment.
• Know and address these needs to allow for a more accurate and detailed risk assessment.
Tools and Reference Material
Useful Tools
Tools to wipe drives when disposing of a computer
– www.killdisk.com/
– www.diskwipe.org/
Free tools
– http://www.fileinspect.com/task-manager/
– http://www.wireshark.org/
– http://www.solarwinds.com/
Restore disks
– http://www.restoredisks.com
Reference Resources
www.msisac.org - Information Sharing and Analysis Center
www.drj.com - Disaster Recovery Journal
www.ready.gov - Family Emergency Preparations
www.sans.org - Security Training, Certification and Research
www.itsecurity.com - Help Choosing Security Products
http://technet.microsoft.com - Microsoft Technical Information
Conclusion
• Security is a daily practice
• Patch your computer at work and home
• Thank you!
Password Reset
Password Reset (Continued)
• All entered info must match what is in eHEAT
Keep User Profile Current
Chapter 15: Communication, Information & Reports
Chapter Structure
• Information and Reporting
• Federal Leveraging Incentive Fund
• DOC Communication Tools
• Service Provider Communication Requirements
General Chapter Changes
• Chapter combines former Information & Reporting chapter with Communication information from the former Overview of Service Provider Admin Responsibility chapter
• Federal Leveraging chapter also part of this new chapter
Specific Chapter Changes (Page 3)
• Due Date Change: FSR submission date is now the 5th of the month
  – The due date for FSR submission was 5th of the month in WAP contract last year, so EAP FSR due date has been changed for DOC consistency.
Specific Chapter Changes (Page 7)
• Addition: Service Provider staff members who provide back-up during a coordinator’s absence must know under what circumstances it is necessary to contact their Field Representative, [email protected] or [email protected]
Specific Chapter Changes (Page 8)
New Section: Service Provider’s Other Reportable Conditions
• If SP becomes aware of the existence (or apparent existence) of fraud, waste, or abuse related to the organization’s activities, grants or use of grant funds including non-DOC grants, it must report this information to DOC
• The purpose of this is to inform DOC of situations that may impact the SP general administrative capability
Specific Chapter Changes (Appendix 15B)
Report Name Change
• Expenditure Detail Report is the new name for the Budget Summary
Related Changes
• Added "Leveraged Activities" to Advocacy Services reason list in A16 in eHEAT to help with tracking (thanks to suggestion from Gayle at Inter-County)
• Reminder that the Leveraging Report is coming up.
  – Mailed September 24
  – Due to DOC October 22
Related Changes
Increasing use of the DOC website for SP
• For forms & appendices that used to be attached to the Policy Manual
• Increasingly we’ll direct you to the web to find documents, as we did with the Local Plan
• Check website first
eHEAT Report Highlights/Review
• Crisis Benefit Report
• Agency Application Count Comparison
• SP Payments By County
• Household Additional Info
• Application Search

Crisis Benefit Report
• Export includes fields not shown on screen
• Both mailing address and hh address included in export
• Vendor information is included if criteria is checked
• CRISISAWARDEDAMT and CRISISPAIDAMT fields are for the application and are the totals awarded and paid for the application, not the event

Agency Application Count Comparison
• Counts of states at point in time
• Compares to previous years on the same date
• Data is live

SP Payments By County
• Cannot span program years with dates
• Definitions of $ are on hover note
• Data is live
• Previous program data is available

Household Additional Info
• Allows access to letters to Denied households
• Includes Request Date and Processed Date
Application Search
• ROFW added
• Both Addresses included in export Label
Refund Process
• Address added to export