Governance on Social Security Administration-provided data

Status: Archived

Approved Date: August 27, 2018

General

  • SSA-provided information is sensitive data and as such must be protected and guarded with the utmost care.
  • SSA-provided information cannot be shared with other agencies, states, or entities.

Remote access and SSA-provided information

  • Users with access to SSA-provided information are forbidden from recording, photographing, or capturing screenshots of any SSA-provided information by any means, including but not limited to: cell phones, tablets, laptops, video cameras, security cameras, or family members with access to workstations that can view PII.

Access management and administration

  • Only the person(s) designated by the Agency Director for the purposes of the SSA Ticket to Work Reimbursement program will have access to SSA-provided information.
  • The Agency Director will authorize access to SSA-provided information based on the staff member’s position and duties, and will ensure that access is granted only to the persons who need it.
  • It is strictly prohibited for any official to issue credentials or access authority to themselves or other individuals within their job-function or category of access.
  • Agency senior management, namely the agency director, will designate a specific official to issue PINs and passwords for access to systems that work with SSA-provided information.
  • Agency senior management is to request periodic access logs from IT staff in order to review employee or contractor system access, and to perform random sampling of work activity to determine that access and usage comply with SSA’s requirements.
  • If a user is to be subjected to an adverse administrative action (reduction in pay, disciplinary action, termination of employment, temporary lay-off), his or her access to SSA-provided information is to be removed sufficiently in advance of the adverse action to preclude the employee from performing unauthorized activities that involve SSA-provided information (e.g., a breach of SSA-provided information).

Safeguarding SSA-provided PII while in use, at rest, during transmission, or after archiving

  • It is prohibited to print out information digitally returned by SSA for Ticket to Work related purposes.
  • When no longer needed for business purposes, SSA-provided information, whether in paper or electronic form, is to be destroyed in accordance with state, federal, and program retention and secure destruction requirements.
  • Any SSA-provided information in paper files is to be safeguarded in a locked cabinet, in an office locked when not in use, in order to prevent unauthorized personnel from accessing such materials.
  • Any mail received from SSA will not be opened by a front desk receptionist and will be delivered unopened to the Ticket to Work Reimbursement program director.

Management oversight and Quality Assurance

  • Any employee who uses SSA-provided information to process programmatic workloads (that is, to make benefit or entitlement determinations) is prohibited from participating in management oversight or quality assurance functions.
  • Senior management will periodically initiate a self-review to monitor the agency’s ongoing usage of SSA-provided information.
  • Senior management will perform random sampling of work activity that involves SSA-provided information to determine if the access and usage comply with NIST’s guidelines.
  • Senior management will use “least privilege”, “separation of duties”, and “need-to-know” principles when assigning users access to SSA-provided information.
  • IT management will be included in quality assurance functions to provide subject matter expertise on topics such as security awareness training, the sensitivity of SSA-provided information, safeguarding requirements, operating procedures, and the potential civil and criminal consequences and penalties for misuse and improper disclosure of such information.
  • Quality assurance personnel will not be allowed to request or use SSA-provided information.
  • Agency management will ensure that the oversight and quality assurance functions perform periodic self-reviews to monitor ongoing usage of SSA-provided information.
  • The agency will ensure that management oversight and quality assurance functions perform random sampling of work activity that involves SSA-provided information to determine if the access and usage comply with the terms of the information exchange agreement.

Incident reporting

  • If the agency experiences or suspects a breach or loss of PII or a security incident that includes SSA-provided information, we must notify the State official responsible for Systems Security (VR IT management and the OCIO CSO (Chief Security Officer)).
    The State official or delegate must then notify the SSA Regional Office contact or the SSA systems security contact identified in the agreement with SSA. If, for any reason, the responsible State official or delegate is unable to notify the SSA Regional Office or the SSA systems security contact within one hour, the responsible State Agency official or delegate must report the incident by contacting SSA’s National Network Service Center (NNSC) at 1-877-697-4889 (select “Security and PII Reporting” from the options list). The EIEP (VR) will provide updates to the SSA contact as they become available, as appropriate.
  • VR’s Systems Security Contact responsible for contacting SSA in the event of a data loss or breach:
    • Tibor Moldovan, NDE Tech. Services Administrator
    • Chris Hobbs, Nebraska OCIO CSO