Acceptable Use Policy
Mike Cunningham
May 7, 2001
Purpose. This document establishes policies, assigns responsibilities, and prescribes standards and procedures for the management and use of an Automated Information System security program for the District Office.
Authority. This document implements guidance and standards published in: the Office of Management and Budget (OMB) Circular No. A-130, Management of Federal Information Resources; the Federal Information Resources Management Regulations (FIRMR) on security, privacy, and automated data processing, telecommunications management, and acquisition; the National Institute of Standards and Technology’s Federal Information Processing Standards Publications (FIPS PUBS) dealing with Information System security; and the Office of Personnel Management’s Federal Personnel Manual issuances on personnel security as they relate to Automated Information Systems. The above guidance implements numerous laws dealing with Automated Information Systems security, including the Brooks Act of 1965, the Privacy Act of 1974, the Computer Fraud and Abuse Act of 1986, and the Computer Security Act of 1987.
Definitions for the purposes of this document:
- Security. The management controls, operational procedures, and controls established to provide an acceptable level of protection from vulnerability that could result in attacks against confidentiality, integrity or availability of the Automated Information System.
- Application. Computer programs and routines that run on one or more computers and are designed to accomplish automated tasks in support of administrative or mission-oriented functions.
- Automated Information System (AIS). The combination of computer equipment, operating system software, applications, network functionality, and established methods and procedures designed to collect, process, store, and/or communicate information for the purpose of supporting specific administrative or mission-related requirements.
- Computer/ADP Designated Position. Any position where the duties involve participation in designing, developing, operating, or maintaining sensitive computer installations or applications, as well as those positions requiring access to sensitive data.
- Personnel Security. The safeguards established to ensure that all personnel who have access to AIS have the required authorities and the appropriate levels of training, computer/ADP position designations, and security clearances.
Scope.
- The provisions of this document apply to, but are not limited to: information created, processed, stored, or transmitted by a Federal AIS; information in any form when used as input to, output from, or documentation of an AIS; AIS installations and facilities used in the collection, processing, storage, communication, and retrieval of information; and all software, operating systems, utilities, application programs, etc. used on the AIS by users of the AIS.
- This document applies to users of the AIS, including this District’s employees, contractors and other organizations which operate the AIS on behalf of the District and/or the Bureau.
- Since the re-writing of OMB A-130, all Federal Automated Information Systems are now considered sensitive. This means that all Federal systems contain data that require protection due to the risk and magnitude of the loss or harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the data.
- Sensitive data include proprietary data, records about individuals requiring protection under the Privacy Act, confidential data such as payroll, financial, or management information, or data that is critical to the mission of the Bureau.
Policy.
- All Bureau information technology facilities and equipment shall be protected against loss, damage, theft, and misuse, and all data processed by Bureau AIS shall be protected against unauthorized disclosure, modification, or destruction, as well as attacks against confidentiality, integrity and availability.
- The level of protection shall be commensurate with the sensitivity of the information created, processed, stored, or transmitted by the AIS.
- Violations of Federal and Bureau regulations and policy pertaining to AIS security will result in appropriate administrative, disciplinary, or legal action against the violators.
- District employees can, when appropriate for their job responsibilities, communicate via E-mail with consumers, other government agency officials, and contractors (as long as the use complies with OMB Circular A-130 requirements for electronic release of agency information), access external databases and files to conduct research, and read E-mail from listserv discussion groups on job-related topics.
- Supervisors shall allow and encourage staff to attend Internet training sessions and to use official time to practice the skills learned in those sessions. It is in the interest of the District to have employees trained in the use of the Internet.
- Employees shall use the Internet responsibly. Employees who use the Internet are required to learn about network etiquette ("netiquette"), customs, and courtesies. Certain procedures and guidelines should be followed when using E-mail communications, participating in E-mail discussion groups, using remote computer services, and transferring files from other computers.
- Employees shall abide by existing security policies, procedures, and guidelines in their use of the Internet, and shall refrain from any practices which might jeopardize the District’s data, network, and systems security. Employees are required to be aware of computer security and privacy concerns and to guard against computer viruses and security breaches of any kind.
- Unless specifically stated, copyright laws prohibit sending or receiving copyrighted materials (including articles and software) via the Internet. Employees are responsible for validating the copyright status of any file requested, downloaded or received before use. All data files and programs MUST be scanned for viruses before being loaded on the District’s local area network. Copyright infringement can result in felony convictions.
- Employees will not send, forward or solicit offensive or harassing statements, including disparagement of others based on their race, national origin, sex, sexual orientation, age, disability, or religious or political beliefs. Sending or soliciting sexually oriented messages or images is prohibited.
- All employees who are to use, manage, or operate AIS must receive computer security awareness training to ensure that all individuals are appropriately trained in how to fulfill their security responsibilities before they are allowed access to the system.
The Computer Security Act of 1987 requires periodic training for all employees who are involved with the management, use, or operation of each Federal AIS within or under the supervision of the Bureau. Such training shall assure that employees are versed in the rules of the system, be consistent with guidance issued by NIST and OPM, and apprise them about available assistance and technical security products and techniques. Conduct consistent with the rules of the system and periodic refresher training shall be required for continued access to the system. The training shall be designed to enhance employees’ awareness of the threats to and vulnerabilities of computer systems and to emphasize their responsibilities for protecting Bureau information resources and for using these resources in a proper manner. Bureau managers are responsible for ensuring that those employees under their supervision who meet the above criteria receive the appropriate level of training. Computer security awareness training shall be documented on the Standard Form 182 and retained in each employee’s official personnel folder.
- Basic Security Awareness training creates a basic knowledge of AIS sensitivity to threats and vulnerabilities and the recognition of the need to protect data, information, and the means of processing them.
- In-Depth training provides sensitive AIS owners/managers, administrators, information technology personnel, and computer security personnel with the abilities to perform risk analyses, design AIS protection programs, implement security measures, or evaluate the effectiveness of existing security programs.
District employees are required to use access to the Internet in a responsible and informed way, conforming to network etiquette. Use of the Internet encompasses many different interconnected networks and computer systems. Each system has its own rules and limitations, which are usually explained to a new user along with the electronic greeting. Guests on these systems have an obligation to learn and abide by the rules posted on each system.

Use of the Internet is a privilege, not a right, which may be revoked at any time for inappropriate conduct. The District employs procedures for routine monitoring of Internet activities to identify and correct policy violations. Examples of inappropriate conduct include: a) use of the Internet for unlawful or malicious activities, including copyright infringements and non-official use; b) use of abusive, offensive or objectionable language in either public or private messages; c) misrepresentation of oneself or the Department; or d) other activities that could cause congestion and disruption of networks and systems (local or remote), including the sending of chain letters.
The content and maintenance of a user's electronic mailbox and file storage areas are the user's responsibility. Users should ensure the following:
- Check electronic mail daily.
- Use signature blocks or a typed name and e-mail address at the bottom of E-mail messages. Some E-mail systems used by recipients strip header information from messages, including the Internet E-mail address. Appending a signature block to the end of a message ensures that the receiver will know who sent it. Signature blocks should be short, preferably not more than six lines, and should include your name and Internet E-mail address at a minimum and, optionally, your work telephone number and postal address.
- If an E-mail message which you are sending contains personal opinions that might be mistaken as Interior or government policy, add a clear personalized disclaimer to the signature block. An example of a personal disclaimer is: "The opinions expressed here are my own and do not represent official policy of the Bureau."
- Be aware that E-mail is not private communication, since others may be able to read or access it. E-mail may best be regarded as a postcard rather than as a sealed letter.
- Delete unwanted messages or files immediately, because they take up disk storage space.
- Keep messages stored in electronic mailboxes to a minimum.
- Transfer to your local hard disk or diskettes for future reference any messages or files to be saved.
- Maintain file storage areas (your personal directory). Users should keep their files to a minimum, as server storage space is limited. If users utilize excessive server storage, the System Administrator will notify them and ask them to remove files.
- Check for viruses before using any executable files (especially those with DOS file name extensions of .exe or .com) or data which you receive as attachments to an E-mail message. Do not use infected files, and report all viruses to your System Administrator.