Appendix E: NYC HMIS Security Certification Checklist

A. Designate a Security Contact

Organization Name:
Security Contact:
e. Name
f. Title
g. Phone
h. Email

Security Contact duties include, but are not limited to:
• Annually review the Security Certification Checklist document, test the CHO security practices for compliance, and work with appropriate vendors (where applicable) to confirm security compliance of the project-level HMIS-compliant system.
• Using this Security Certification Checklist document, certify that the CHO adheres to the Security Plan or provide a plan for remediation of non-compliant systems, including milestones to demonstrate elimination of the shortfall over time.
• Communicate any security questions, requests, or security breaches to the DHS System Administrator and Security Officer.
• Communicate security-related HMIS information to the organization's End Users.
• Complete security training offered by the HMIS Lead.
• Additional duties specified in the HMIS Participation Agreement.

CHO Security Contact signature indicating understanding and acceptance of these duties:
You are required to notify DHS within 15 business days if this contact changes.
B. Assurances of Consistency with Security Plan

Each organization is required to meet the following security requirements. If a requirement cannot be met at the time of execution of the Participation Agreement, you must indicate a date not later than three months after the execution date by which you will have met the requirement. At that time, you will be required to submit an updated version of this form demonstrating your compliance. If you achieved full compliance last year and maintain such compliance to date, you may skip this checklist and sign below.
| Required policy | Meets Requirement (Yes/No) | If no, date by which compliance will be met |
|---|---|---|
| Organization has a policy regarding conducting background checks and hiring individuals with criminal justice histories consistent with Section 4.4.1 Criminal Background Verification of the HMIS policies and procedures. | | Click here to enter a date. |
| Documentation is on file that each End User has completed security training prior to gaining system access consistent with Section 4.4.2 Annual Security Training of the HMIS policies and procedures. | | Click here to enter a date. |
| Organization has established procedures protecting the physical security of the facilities and media in which the data is stored or has provisions in its contract with the provider of the project-level HMIS-compliant system to meet the minimum standards established in Section 4.6.1 Physical Security of the policies and procedures (including temperature control and surge suppressors). | | Click here to enter a date. |
| All HMIS data is copied to another medium and stored in a secure off-site location at least weekly, or the organization has included provisions in its contract with the provider of the project-level HMIS-compliant system to meet the minimum standards established in Section 4.6.2 Backup of the policies and procedures. | | Click here to enter a date. |
| Restoration of backed-up data has been tested within the last 12 months. | | Click here to enter a date. |
| Organization has policies and procedures that specify how the software provider or system operator will address all reported bugs within three business days and specify that, if customer intervention is required, the CHO is responsible for ensuring that all enhancements, upgrades and bug fixes are applied promptly upon release by the software provider, consistent with Section 4.6.3 Software Security of the policies and procedures. | | Click here to enter a date. |
| Organization maintains and follows procedures to install, update and use anti-virus software on all CHO-owned devices used to access the project-level HMIS-compliant system, consistent with Section 4.6.3 Software Security of the policies and procedures. | | Click here to enter a date. |
| – Identify the anti-virus software in use: | | |
| – Specify the frequency with which the software is updated and the frequency with which the devices will be scanned. At minimum, the software must be updated and the relevant devices scanned for viruses and malware monthly: | | |
| Organization has established procedures for protecting HMIS data behind a firewall or has provisions in its contract with the provider of the project-level HMIS-compliant system to meet the minimum standards established in Section 4.6.4 Boundary Protection of the policies and procedures. | | Click here to enter a date. |
| The project-level HMIS-compliant system's password requirements have been tested within the last 12 months and meet the minimum standards established in Section 4.6.5 System Access User Authentication and Passwords of the policies and procedures. | | Click here to enter a date. |
| The following user name protections have been formalized in a written procedure and tested within the last 12 months: | | Click here to enter a date. |
| – Defines a period of inactivity after which the user's workstation must be automatically logged out of the system and/or locked out of the computer, requiring a user name and password to resume use of the project-level HMIS-compliant system. | | Click here to enter a date. |
| – Requires that any default passwords provided for initial entry into the application be changed on first use. | | Click here to enter a date. |
| – Defines how individual users' forgotten passwords will be reset and communicated to the user. | | Click here to enter a date. |
| – Specifies how unsuccessful login attempts will be handled and confirms that the project-level HMIS-compliant system will maintain an auditable record of all attempted logins. At maximum, 5 consecutive unsuccessful login attempts must lock a user out of the system for at least 30 minutes. | | Click here to enter a date. |
| Organization has a procedure for accessing its project-level HMIS-compliant system through networks and devices not owned or managed by the CHO consistent with Section 4.6.5 System Access User Authentication and Passwords of the policies and procedures. | | Click here to enter a date. |
| Organization's project-level HMIS-compliant system maintains audit records of user activity, including attempted logins, searches conducted by each user, records altered by each user, and records added by each user. | | Click here to enter a date. |
| Organization has a policy to monitor audit records regularly for security breaches, at least monthly, consistent with Section 4.6.6 Audit Controls of the policies and procedures. | | Click here to enter a date. |
| Organization has a policy specifying that End Users may not electronically transmit any unencrypted client-level data across a public network, consistent with Section 4.7 PII Management and Disposal of the policies and procedures. | | Click here to enter a date. |
| Organization has a policy specifying that any hard drives or removable media on which PII is stored will be encrypted and that users are prohibited from storing client-level data on any personally owned media, consistent with Section 4.7 PII Management and Disposal of the policies and procedures. | | Click here to enter a date. |
| Organization has a policy describing how hard-copy and electronic client-level data will be protected and disposed of, consistent with Section 4.7 PII Management and Disposal of the policies and procedures. | | Click here to enter a date. |
| Organization has a policy specifying the thresholds and process for security incident reporting, consistent with Section 4.8 Security Incidents of the policies and procedures. | | Click here to enter a date. |
| Organization maintains records of any and all security breaches to the project-level HMIS-compliant system. | | Click here to enter a date. |
| Each CHO will have a plan in place for maintaining and recovering access to its own data, consistent with Section 5 Disaster Recovery of the policies and procedures. | | Click here to enter a date. |
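As an added illustration (not part of the checklist or of any HMIS vendor's software), the following script replays a login audit trail against the lockout threshold in the user name protections item (5 consecutive unsuccessful attempts, locked out for at least 30 minutes) and flags any successful login that occurred while the account should still have been locked, which is the kind of finding the monthly audit-record review is meant to surface. The record format and sample entries are constructed for the example.

```python
# Added example, not from the NYC HMIS checklist. Replays constructed login
# audit records against the checklist threshold: at most 5 consecutive
# failures, then locked out for at least 30 minutes.
from datetime import datetime, timedelta

MAX_FAILURES = 5                    # "at maximum, 5 consecutive unsuccessful attempts"
LOCKOUT = timedelta(minutes=30)     # "locked out ... for at least 30 minutes"

# Constructed sample records: (user, ISO-8601 timestamp, outcome).
# A real system's audit export will use its own format; this is illustrative.
SAMPLE_LOG = [
    ("alice", "2024-03-01T09:00:00", "FAIL"),
    ("alice", "2024-03-01T09:00:10", "FAIL"),
    ("alice", "2024-03-01T09:00:20", "FAIL"),
    ("alice", "2024-03-01T09:00:30", "FAIL"),
    ("alice", "2024-03-01T09:00:40", "FAIL"),     # 5th failure -> lock until 09:30:40
    ("alice", "2024-03-01T09:05:00", "SUCCESS"),  # inside the window: lockout not enforced
    ("alice", "2024-03-01T09:40:00", "SUCCESS"),  # after the window: acceptable
    ("bob",   "2024-03-01T10:00:00", "FAIL"),
    ("bob",   "2024-03-01T10:00:05", "SUCCESS"),  # success resets the failure counter
    ("bob",   "2024-03-01T10:01:00", "FAIL"),
]


def evaluate_lockouts(records, max_failures=MAX_FAILURES, lockout=LOCKOUT):
    """Replay records per user in time order.

    Returns (lockouts, violations):
      lockouts   -- user -> list of datetimes at which a lock should have begun
      violations -- list of (user, timestamp) for successful logins recorded
                    while the account should still have been locked
    """
    lockouts, violations = {}, []
    state = {}  # user -> {"fails": consecutive failures, "locked_until": datetime or None}
    for user, ts, outcome in sorted(records, key=lambda r: (r[0], r[1])):
        t = datetime.fromisoformat(ts)
        s = state.setdefault(user, {"fails": 0, "locked_until": None})
        if s["locked_until"] is not None and t < s["locked_until"]:
            if outcome == "SUCCESS":
                violations.append((user, ts))   # the system let a locked account in
            continue                             # attempts in the window neither reset nor extend it
        if outcome == "SUCCESS":
            s["fails"], s["locked_until"] = 0, None
            continue
        s["fails"] += 1
        if s["fails"] >= max_failures:
            s["locked_until"] = t + lockout
            s["fails"] = 0
            lockouts.setdefault(user, []).append(t)
    return lockouts, violations
```

Run against a real export, a non-empty violations list means the lockout control documented in the written procedure is not actually being enforced and should be recorded with the audit review.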
We affirm and certify that this organization, _, achieved full compliance last year (and has a completed checklist on file with DHS) for all requirements listed as "CHO" (Contributing HMIS Organization) responsibilities in the U.S. Department of Housing and Urban Development Homeless Management Information System (HMIS) Data and Technical Standards Final Notice and with the NYC CCoC HMIS Policies and Procedures. This certification is incorporated into the HMIS Participation Agreement. Any misrepresentation of the foregoing may result in termination of the Participation Agreement.

OR

We affirm and certify that the above information is true and that this organization, _, is in full compliance with all requirements listed as "CHO" (Contributing HMIS Organization) responsibilities in the U.S. Department of Housing and Urban Development Homeless Management Information System (HMIS) Data and Technical Standards Final Notice and with the NYC CCoC HMIS Policies and Procedures, or will be in compliance within the time frames stated above. This certification is incorporated into the HMIS Participation Agreement. Any misrepresentation of the foregoing may result in termination of the Participation Agreement.

CHO HMIS Security Contact
Signature:
Date:

Executing Officer
Signature:
Date: