How does Counting Us address security issues?
The security safeguards that are in place were shaped by the thorough review of our security infrastructure when HUD licensed Simtech's Point in Time Counting Tool, and has been refined further with guidance and support from Amazon Web Services.
While HUD does not require the collection of any personal information, Counting Us includes optional fields to collect full names and dates of birth. There is no field to collect social security numbers. Still, we understand that even basic identifiers are data that need to be protected and we have strong safeguards in place to ensure that this information remains safe and secure.
There are two main technical components of the Point in Time data collection framework, and we have rigorous protections in place to ensure the data remains protected in both.
Within the Counting Us app, the survey data is not stored in the app and is removed immediately after a survey has been submitted. Users can only submit data and cannot look up or view data that has already been submitted.
The only time that data is stored on the device of the count volunteer either decided to save a survey to complete later or if he/she was in an area without an Internet coverage and had to save off the survey to submit it later when he/she does have coverage. To help protect any data that is saved off as a draft, we encourage all count volunteers to use the built-in security features within their mobile devices to require the entry of an access code after a set period of inactivity. This is a best practice for anyone who uses their mobile device for email, online banking, or other secure transactions. For the Counting Us app, even if a user was mid-survey and lost their phone, or had surveys saved as drafts, the person who finds their phone would only be able to reset the device to the factory defaults - in which case both the app and the surveys would be gone.
The Regional Command Center is hosted in the cloud using Amazon Web Services. Amazon's industry-proven technology includes the safeguards required to ensure all client records are protected. Details on Amazon's secure infrastructure can be found here.
In addition to the security of the hosting environment, all data transmitted to and from the command center is protected using RSA 2048-bit encryption and access to the data is limited to those whom have been designated by the contracted regional administrator. The data at rest is stored using Amazon's EBS encryption which is described in detail here.
For those communities still using paper, it should be noted that paper surveys are subject to numerous opportunities for loss and exposure of personal information. Tools such as Excel that are used to compile the results are only as safe as the desktop they are running on and are not encrypted.
Technical Infrastructure Diagram