Rules of Behavior
For use of
1. Introduction
The following rules of behavior are
to be followed by all users (contractors and employees) that use any networked
or standalone ESS System that supports the mission and functions of the Enterprise
Support Service and any Sub Organizations. The rules in Section 4 clearly
delineate responsibilities and expectations for all individuals with access to these
systems.
Non-compliance with these rules will
be enforced through sanctions commensurate with the level of infraction.
Actions may range from a verbal or written warning to removal of system
access for a specific period of time, depending on the severity of the
violation.
2. Responsibilities
The Director, Enterprise Support
Service is responsible for ensuring an adequate level of protection is afforded
to any Enterprise Support Service systems through appropriate implementations
of technical, administrative, and managerial controls. The Director, with the
assistance of the PSC Information Systems Security Officer (ISSO) and ESS
Information Technology Security Officer (ITSO), develops policies and
procedures, ensures the development and presentation of user and contractor
awareness sessions, and performs inspections and spot checks to determine that
an adequate level of compliance with security requirements exists. The Director
is responsible for periodically conducting vulnerability analyses to help
determine if security controls are adequate.
3. Other Policies and Procedures
Rules of Behavior (RoB) provide
general instructions on the appropriate use of Departmental IT resources and
apply to all Departmental users, including both civil servants and contractors.
All government and contractor staff are required to
read this document and sign and submit the appropriate form(s) before accessing
Departmental systems and/or networks.
The HHS Rules of Behavior are not to be used in place of existing
policy. Rather, they are intended to supplement the HHS Information Security Program Policy and the HHS
Information Security Program Handbook.
Because written guidance cannot cover every contingency, Departmental staff and
users are asked to augment these rules and use their best judgment and highest
ethical standards to guide their actions. Because these principles are based on
federal laws and regulations, and Departmental regulations and directives,
there are consequences for failure to comply with the principles of behavior.
Violation of these rules may result in suspension of access privileges, written
reprimand, suspension from work, demotion, and criminal and
civil penalties.
All government and contractor staff must sign the
appropriate form, acknowledging that they have been made aware of and
understand the requirements and responsibilities outlined in this document and
the Secure One HHS Handbook, which can
be found at http://intranet.hhs.gov/infosec/policies_guides.html.
Questions about these RoB may be directed to one's supervisor or Contracting
Officer's Technical Representative (COTR), or to the Operating Division (OPDIV)
Chief Information Security Officer (CISO).
Activities on Departmental network system resources are
subject to monitoring, recording, and periodic audits. Authorized IT security
personnel may access any “user’s” computer system or data communications and
disclose information obtained through such auditing to appropriate third
parties (e.g., law enforcement personnel). Use of Departmental IT system
resources expresses consent by the user to such monitoring, recording, and
auditing.
4.
4.1
To ensure individual accountability of actions performed in any
4.2
Users are not allowed to exceed their authorized
access limits in any ESS System by changing information or searching databases
beyond the responsibilities of their job or by divulging information to anyone
not authorized to know that information.
4.3
No inter-connections
to other ESS Systems or transfer of ESS Data to other information systems is authorized
beyond those established as part of the standard authorized processing
requirements of any ESS System.
4.4
No user
having access to any ESS System will disable any encryption established for network,
internet and web browser communications.
4.5
No direct dial-in access to any ESS System has been established
nor is authorized.
4.6
All personnel, as well as contractors, who are
responsible for developing and maintaining any ESS System must comply with all
copyright license regulations associated with ESS software. Managers must
ensure that government personnel and contractor personnel understand and comply
with license requirements. End users, supervisors, and functional managers are
ultimately responsible for this compliance.
4.7
Users should be aware that personal use of information
resources is authorized on a limited basis within the provisions of HHS IRM
Policy 2000-0003, "HHS IRM Policy for Personal Use of Information
Technology Resources," January 8, 2001.
4.8
Users are required to report all instances of actual
or potential security violations to their supervisors, Information Technology
Security Officer, and Information Systems Security Officer.
4.9
Each subscriber organization establishes its own
policies for determining which employees may work at home or in other remote
workplace locations. Any remote work arrangement, to ensure the security of ESS
systems, should include:
· Provisions for the authentication of the remote user
through the use of ID and password or other acceptable technical means.
· A management/employee agreement that, at a minimum,
outlines the work to be performed and the security safeguards and procedures
the employee is expected to follow.
· Assurance of adequate storage of files, removal and
non-recovery of temporary files created in processing sensitive data, virus
protection, intrusion detection, and physical security for government equipment
and sensitive data.
· Established mechanisms to back up data created and/or
stored at alternate work locations.
5. Additional Rules for Security and Administration Users
Security and system administration personnel have
significant access to processes and data in any ESS System. As such, the System
Security Administrators, Systems Administrators, and Database Administrators
have added responsibilities to ensure the secure operation of any ESS System.
Security and administration personnel are to: