HMIS Data and Technical Standards

Overview of Security Monitoring

Important Disclosure

Certain commercial entities, equipment, or materials may be identified in this document in order to describe a concept adequately or as an example of a type of software. Such identification is not intended to imply recommendation or endorsement by HUD, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

System Monitoring

Introduction

System monitoring is key to any organization’s plan for complying with the HUD Data and Technical Standards. The Standard states:

A CHO must use appropriate methods to monitor security systems. Systems that have access to any HMIS data must maintain a user access log. Many new operating systems and web servers are equipped with access logs… Logs must be checked routinely.[1]

This handout attempts to provide a framework for communities’ decision-making without prescribing any specific activities. Communities should remain current with industry practices to avoid inconsistencies in information security programs. While this handout does not prescribe specific activities, it identifies several likely variables to monitor, two approaches to monitoring them, and some elements of successful responses to unauthorized activities.

The approaches have been broken into two sections based on a community’s decision to host an HMIS themselves or to host it with a vendor. The variables would be constant across either approach, though responses would vary.

Variables

The variables a community should monitor will vary greatly based on the network environment. A community that is utilizing an application service provider model would have fewer elements to monitor than a community that is hosting their own server. However, both communities have monitoring responsibilities. Some industry standard variables that must be monitored in order to produce an accurate picture of network activity[2] are:

  • Excessive logons
  • Excessive logon failures
  • Excessive logon attempts from a single IP or user
  • Excessive network activity on a network port
  • Excessive FTP activity
  • Excessive after-hours logons
  • Excessive accounts disabled
  • Excessive password resets

While monitoring can be an incredibly useful tool, in order for it to be fully utilized communities must first establish a baseline of activity. Defining what is normal for a network can be challenging, as traffic on test sites may be very different from that on a production site. Unfortunately, without a definition of normal, abnormal cannot be defined.
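The following is an added example, not part of the HUD handout, showing how several of the variables listed above (after-hours logons, excessive logon failures from a single IP or user) can be checked against fixed thresholds, and how a daily baseline built from past activity can be used to flag an abnormal day. The log format, the business-hours window, the thresholds and the sample log lines are all constructed assumptions for illustration.

```python
# Added example (not from the HUD handout): threshold checks and a simple
# baseline for authentication activity, run over constructed log lines.
from collections import Counter, defaultdict
from datetime import datetime, time
import re
import statistics

# Constructed sample log (not from any real HMIS). Assumed format:
# "<ISO timestamp> <LOGIN_OK|LOGIN_FAIL|PW_RESET|ACCT_DISABLED> user=<name> ip=<addr>"
SAMPLE_LOG = """\
2005-05-17T09:02:11 LOGIN_OK user=alice ip=10.0.0.5
2005-05-17T09:05:40 LOGIN_FAIL user=bob ip=10.0.0.6
2005-05-17T09:05:52 LOGIN_OK user=bob ip=10.0.0.6
2005-05-17T22:14:03 LOGIN_OK user=carol ip=10.0.0.7
2005-05-17T23:40:00 LOGIN_FAIL user=admin ip=203.0.113.9
2005-05-17T23:40:02 LOGIN_FAIL user=admin ip=203.0.113.9
2005-05-17T23:40:04 LOGIN_FAIL user=admin ip=203.0.113.9
2005-05-17T23:40:06 LOGIN_FAIL user=root ip=203.0.113.9
2005-05-17T23:40:08 LOGIN_FAIL user=alice ip=203.0.113.9
2005-05-17T23:40:10 LOGIN_FAIL user=bob ip=203.0.113.9
2005-05-18T10:15:00 PW_RESET user=dave ip=10.0.0.8
"""

LINE_RE = re.compile(r"^(\S+) (\S+) user=(\S+) ip=(\S+)$")


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, user, ip = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "user": user, "ip": ip})
    return events


def after_hours_logons(events, start=time(8, 0), end=time(18, 0)):
    """Successful logons outside the assumed 08:00-18:00 business-hours window."""
    return [e for e in events
            if e["kind"] == "LOGIN_OK" and not (start <= e["ts"].time() < end)]


def excessive_failures(events, key="ip", threshold=5):
    """Sources (by 'ip' or 'user') whose failed-logon count reaches the threshold."""
    counts = Counter(e[key] for e in events if e["kind"] == "LOGIN_FAIL")
    return {k: n for k, n in counts.items() if n >= threshold}


def daily_counts(events, kind):
    """Per-day count of one event kind; this is what a baseline is built from."""
    per_day = defaultdict(int)
    for e in events:
        if e["kind"] == kind:
            per_day[e["ts"].date()] += 1
    return per_day


def baseline_outlier(history, today, z=2.0):
    """True if today's count is more than z population standard deviations
    above the mean of the historical daily counts (the 'normal' profile).
    With fewer than two days of history there is no baseline yet."""
    if len(history) < 2:
        return False
    mean = statistics.mean(history)
    sd = statistics.pstdev(history)
    return today > mean + z * sd


def run_checks(log_text, failure_history):
    """Run all checks over one log and return the findings as a dict."""
    events = parse_log(log_text)
    failures_today = sum(daily_counts(events, "LOGIN_FAIL").values())
    return {
        "after_hours_users": [e["user"] for e in after_hours_logons(events)],
        "excessive_failures_by_ip": excessive_failures(events, key="ip"),
        "failures_above_baseline": baseline_outlier(failure_history, failures_today),
    }


if __name__ == "__main__":
    # Constructed history: failed logons per day over the previous week.
    print(run_checks(SAMPLE_LOG, [2, 3, 1, 2, 4, 2, 3]))
```

The thresholds are deliberately parameters rather than constants: the handout's point is that "excessive" only has meaning relative to a baseline, so a community would tune `threshold` and `z` from its own history of daily counts rather than reuse the values shown here.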

Approach

A community may monitor different variables based on its specific network environment, but its approach will depend on whether it hosts its own HMIS or contracts with a vendor for hosting services. Communities that are hosting their own systems must become educated in integrated information security methodology in order to provide the best protection for their systems. Most HMIS (90%) are hosted by their HMIS software provider, according to the Community Report: Results of the Status Assessment and Evaluation by HUD’s National TA Team. A community that has contracted with a vendor must also become familiar with a monitoring methodology, but its responsibility lies primarily in getting accurate reports from the vendor on the agreed-upon variables.

As the Standard states, the security section “… defines baseline standards that will be required of any organization (such as a Continuum of Care, homeless assistance provider, or HMIS software company) that records, uses, or processes PPI on homeless clients for an HMIS.” (Column 3, Page 45927, Federal Register / Vol. 69, No. 146 / Friday, July 30, 2004) A community that does not host its own system should reach some written understanding with its vendor as to the variables monitored, escalation procedures, and reporting cycles. This agreement, combined with the “normal” profile of an HMIS, and of course the actual reports, can lead to successful monitoring of the HMIS.

Communities are still responsible under the Standard for systems accessing or processing PPI, which includes local workstations.

A community that hosts its own system has already become expert in many areas. This document could not possibly lay out all of the areas that a community must monitor if it is hosting its own system. Complex, web-enabled databases offering any level of assurance must monitor each device in their network, including firewalls, switches, bridges, routers, workstations, data servers, and web servers.

These devices produce logs that can be very dense and may require expert level knowledge to comprehend. Often the logs from several devices must be correlated in order to promptly identify a security incident. An attempted attack may involve unsuccessful logins on the database and web server or may simply overwhelm the firewall with a denial of service attack. A systems administrator should be able to identify these events and know how to respond.
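As an added example (not code from the HUD handout), the following correlates two constructed log sources of the kind the paragraph above describes, a web server and a database server, by pairing failed web logins with database authentication failures from the same source address inside a short time window. Both log formats, the window length and the sample lines are assumptions made for illustration; neither source alone would stand out at these counts, which is the point of correlating them.

```python
# Added example (not from the HUD handout): cross-device correlation of
# failed web logins and failed database logins from the same source IP.
from datetime import datetime, timedelta

# Constructed web-server log. Assumed format: "<ISO ts> <ip> <method> <path> <status>"
WEB_LOG = """\
2005-05-17T23:39:50 203.0.113.9 POST /login 401
2005-05-17T23:39:55 203.0.113.9 POST /login 401
2005-05-17T23:40:01 10.0.0.6 POST /login 401
2005-05-17T23:40:30 10.0.0.6 POST /login 200
"""

# Constructed database-server log. Assumed format: "<ISO ts> <ip> <event> <detail>"
DB_LOG = """\
2005-05-17T23:41:10 203.0.113.9 AUTH_FAIL user=hmis_app
2005-05-17T23:41:12 203.0.113.9 AUTH_FAIL user=sa
2005-05-18T08:10:00 10.0.0.20 AUTH_OK user=hmis_app
"""


def parse_web(text):
    """Parse the assumed web-server format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, method, path, status = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "method": method, "path": path, "status": int(status)})
    return events


def parse_db(text):
    """Parse the assumed database-server format; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, event, detail = line.split(maxsplit=3)
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "event": event, "detail": detail})
    return events


def correlate(web_events, db_events, window_seconds=300):
    """For each source IP, count failed web logins that have at least one
    database authentication failure from the same IP within the window, and
    how many distinct database failures were involved. IPs with failures on
    only one device are not reported."""
    window = timedelta(seconds=window_seconds)
    web_fail = [e for e in web_events if e["path"] == "/login" and e["status"] == 401]
    db_fail = [e for e in db_events if e["event"] == "AUTH_FAIL"]
    hits = {}
    for w in web_fail:
        related = [d for d in db_fail
                   if d["ip"] == w["ip"] and abs(d["ts"] - w["ts"]) <= window]
        if not related:
            continue
        entry = hits.setdefault(w["ip"], {"web_failures": 0, "db_times": set()})
        entry["web_failures"] += 1
        entry["db_times"].update(d["ts"] for d in related)
    return {ip: {"web_failures": v["web_failures"], "db_failures": len(v["db_times"])}
            for ip, v in hits.items()}


if __name__ == "__main__":
    for ip, summary in correlate(parse_web(WEB_LOG), parse_db(DB_LOG)).items():
        print(f"{ip}: {summary['web_failures']} web login failures and "
              f"{summary['db_failures']} database auth failures within 5 minutes")
```

The window is the key design choice: too short and the two devices' clocks need to be tightly synchronized for any pair to match, too long and unrelated failures from shared addresses (such as a NAT gateway) start to line up. Keeping device clocks synchronized is a prerequisite for any correlation of this kind.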

Response

All of the data collected through consistent, well-executed monitoring will not serve anyone if there is no plan in place to respond to security events. Security events are unlikely to happen only during normal business hours; can a vendor get hold of an authorized staff person after hours to notify them of an event? Who can make the decision to activate a response plan?

Recently Grants.gov, a website operated by HUD, was the target of a denial of service attack. The attack began on Tuesday, May 17, 2005, and on Thursday evening the decision was made to alter the firewall settings to block several hundred IP addresses. This prevented the attack from taking down the site altogether or further degrading performance. Communities must be prepared for security incidents with a plan in place to prevent and manage events. Because of good planning, HUD was able to receive over 600 grant applications during the attack without going down.

Resources to assist with integrating information security into your project are available at and technical assistance is available through the National Technical Assistance Project.

[1] Column 2, Page 45932, Federal Register / Vol. 69, No. 146 / Friday, July 30, 2004.

[2] Security Monitoring Through Event Consolidation and Correlation, Jagat Shah, NetSec Conference, San Francisco, CA, 2004.