U.S. Government Accountability Office (GAO) - Draft Order: GAO INFORMATION SYSTEMS RULES OF BEHAVIOR (Draft, effective date TBD)


U.S. Government Accountability Office
Draft Order 0510.2-01
Subject: GAO INFORMATION SYSTEMS RULES OF BEHAVIOR

Contents

Chapter 1. Introduction
  1. Purpose and Scope
  2. Supersession
  3. Authority
  4. Definitions
  5. Security Web Page
Chapter 2. Requirements
  1. General Requirements
  2. Virtual Desktop Infrastructure (VDI)
  3. Making Changes to GAO IT Resources
  4. Passwords
  5. Physically Protecting GAO IT Resources
  6. Using GAO IT Resources Away from GAO
  7. Using the Internet
  8. Using E-mail
  9. Using Personally Owned Hardware and Software
  10. Using Compact Discs, USB Drives, and other Removable Media
  11. Printing
  12. Running Into Problems
Chapter 3. Enforcement and Penalties
  1. Penalties
  2. Accountability for Personal Use of GAO IT Resources
  3. Authority to Recover and Restore GAO IT Resources
  4. Authority to Monitor Use of GAO IT Resources
Appendix 1. References
Appendix 2. Description of Changes

Distribution: GAO Intranet
Initiated by: Information Systems and Technology Services (ISTS)

Chapter 1. Introduction

1. Purpose and Scope.
  a. This order provides instructions regarding permitted and prohibited activities when using Government Accountability Office (GAO) Information Technology (IT) resources and accessing GAO information, generally referred to as Information Systems Rules of Behavior.
  b. This order applies to GAO employees (referred to as "covered persons"). The requirements herein shall apply to contractor personnel and other nongovernment employees by the inclusion of references in contracts or memorandums of agreement as conditions for using GAO office equipment and space.
  c. This order does not apply to GAO IT resources that are authorized for processing, maintaining, or communicating classified national security information (referred to as "classified information"). See GAO Directive 0910.1-02, Information Security Requirements for Classified Information.

2. Supersession. This order supersedes GAO Directive 0510.2-01, GAO Information Technology Rules of Behavior, dated September 15, 2010.

3. Authority.
  a. This order is issued under the authority of GAO Order 0510.2, Information Systems Security Policy, and GAO Order 0910.1, GAO Security Program.
  b. This order is consistent with (and related guidance can be found in)
    (1) GAO Order 0645.1, Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet;
    (2) GAO Order 2300.5, GAO's Telework Program and GAO Order 2300.5.1, Telework for Non-Bargaining Unit Employees; and
    (3) GAO Order 0621.3, Control of Capitalized and Other Accountable Personal Property.

4. Definitions.
  a. For purposes of this order, GAO information is all information used in the course of GAO authorized work, whether for mission or administrative purposes. This includes information relating to audits and investigations, and internal personnel and financial management. It includes information on internal and external Web sites maintained by GAO, computer hard drives, and USB drives and other mobile storage devices. Examples include word processor and spreadsheet documents, business-related e-mail, internal Web application and Web page contents, and logs from computer systems.
  b. Sensitive information refers to any information under the authority or control of GAO that is not classified national security information (referred to as "classified information"), but that requires protection to ensure that it is not released to the public or any other individual or organization not under the authority or control of GAO without further review because it may be exempt from such disclosure. Examples of sensitive information include: personally identifiable information (PII), national security information, law enforcement information, proprietary commercial rights, and internal agency decision-making (GAO Order 0910.1-03, Information Security Requirements for Sensitive Information).
  c. GAO IT resources include all IT under the authority or control of GAO, including hardware (e.g., smartphones, computers, tablets, servers), software, and the GAO network.
  d. GAO network is the IT infrastructure (hardware and software) that provides information processing and communications capabilities to GAO covered persons. This includes information processing at user workstations, access to the Internet, and internal GAO Web sites, Web applications, e-mail, and printing. The GAO network provides this access to covered persons at GAO facilities and remotely, via the Internet, to covered persons at home and on travel.
  e. Hardware is physical IT resources. This includes laptops, workstations, and other technology, including computer peripherals such as monitors, keyboards, mice, docking stations, mobile storage devices (such as portable hard drives, USB drives, CD-ROMs, and DVDs), and mobile communications devices (such as smartphones and tablets).
  f. Software is digital (nonphysical) IT resources, not including information. This includes operating systems, applications running on a laptop or desktop computer, and applications accessed via the GAO network. Examples of software include Microsoft Windows, Microsoft Word, and Microsoft Outlook, as well as engagement-support applications such as EAGLE, the Engagement Management System (EMS), and the various security tools installed on GAO user workstations.
  g. Personally owned hardware and software is hardware or software owned by the user. Examples of personally owned hardware and software include a personal home computer, an MP3 player, a non-GAO smartphone, and software such as productivity suites, video games, and communications tools purchased by the user rather than GAO.
  h. Third-party devices are hardware not owned by the user and not under the authority or control of GAO. Examples of third-party devices include hotel wireless access points, computers in Internet cafes and similar settings, and equipment owned by other agencies.
  i. Users (also known as covered persons) are all GAO employees.

5. Security Web Page. The IT Security Policy webpage on GAO's intranet contains updates to GAO information systems security guidance.

Chapter 2. Requirements

1. General Requirements.
  a. Users must understand that there is no expectation of privacy, as any information on or transmitted through GAO IT resources may be monitored, recorded, or copied by authorized personnel, and such information may be provided to law enforcement officials.
  b. Use of GAO IT resources is permitted by authorized persons only.

    (1) All users are responsible for understanding current GAO policies and procedures relating to the use of GAO IT resources, including the GAO Information Systems Rules of Behavior, as specified in this order.
    (2) All users shall immediately report any unauthorized disclosure of sensitive information to a supervisor and to the GAO Help Desk, as provided in Directive 0910.1-08, GAO Information Security Incident Response.
    (3) Authorized use of GAO IT resources requires the user to
      (a) sign an acknowledgement of the GAO Information Systems Rules of Behavior as a precondition to authorization, and
      (b) receive annual training on the GAO Information Systems Rules of Behavior.
  c. Users shall
    (1) behave in an ethical, proficient, informed, and trustworthy manner, as required by GAO Order 2735.1, Code of Ethics;
    (2) use GAO IT resources for the purpose and in the manner they are intended; and
    (3) protect GAO IT resources from theft, destruction, or inappropriate use.
  d. Users shall know the sensitivity of the information they are working with, including whether it is classified information, and protect it consistent with GAO policies and procedures, as required by Order 0910.1, GAO Security Program; Directive 0910.1-02, Information Security Requirements for Classified Information; and Directive 0910.1-03, Information Security Requirements for Sensitive Information. Users shall:
    (1) Limit personal use of GAO IT resources so that the use does not interfere with the conduct of official business, diminish productivity, or involve inappropriate activity that could adversely reflect on GAO, as required by GAO Order 0645.1, Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.
    (2) Log out of and turn off GAO laptop and desktop computers daily.
    (3) Be aware of and comply with any relevant system-specific rules of behavior.
  e. The Chief Information Officer (CIO) may grant waivers for any portion of this order on a temporary or permanent basis. Such waivers may be general or apply to specific users, groups, projects, or technologies, and may be based on any factors deemed appropriate by the CIO.

2. Virtual Desktop Infrastructure (VDI). VDI automatically enforces some of the rules/policies described in the following sections. Whether using a physical or virtual device to connect to the GAO Network, these practices will be enforced when connecting to VDI.
  a. Slim Client: the standard desktop image placed on new laptops issued to staff.
    (1) There is no storage supported on the physical computer.
    (2) There are no applications (software) on the physical computer.
  b. All VDI desktops are shut down/recycled every night.

  c. Data download to removable media requires coordination and approval.
  d. Support for two-factor authentication using the RSA token.
  e. Connection to VDI only requires the endpoint (e.g., computer, tablet, or smartphone) to support Citrix Receiver.

3. Making Changes to GAO IT Resources. GAO uses a least privileged policy when building computer images (meaning that users are given enough privileges to be able to do their work, but users should not modify the configuration provided on their assigned computer).
  a. Making changes to GAO IT resources without authorization is prohibited.
    (1) Users shall not change the configuration of GAO IT resources without coordination with, and authorization by, Information Systems and Technology Services (ISTS).
    (2) Users shall not install software without coordination with, and authorization by, ISTS.
    (3) Users shall not attempt to override or circumvent security mechanisms, such as login screens and desktop management software.
  b. No changes may be made to GAO IT resources in a manner inconsistent with GAO Order 0645.1, Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.

4. Passwords. For most password requirements, GAO supports two-factor authentication using the RSA token. Users should follow the guidance below and the guidance available in the ISTS Technology Guidance section on the GAO Intranet.
  a. When creating passwords, users shall follow the ISTS secure password guidelines.
  b. Users shall not share passwords or personal identification numbers (PINs) with others.
  c. Users should not save passwords to files on computers, except in ISTS-approved password storage applications.
  d. Passwords should never be written down or stored online, except in an ISTS-approved password application.

5. Physically Protecting GAO IT Resources. It is the responsibility of users to safeguard assigned IT equipment from loss or damage.
  a. Users shall lock their computer screen (start the screensaver) when leaving the workspace and shut the computer down at the end of the work day.
  b. Users shall physically secure their RSA SecurID token. When leaving work, precautions include locking it in a cabinet or drawer, or taking it home. It is strongly recommended that users take their token home with them each night to facilitate working from home, if needed.
  c. Users shall position monitors so that screen contents cannot be seen by individuals who may not have authorization to view them. Whenever possible, monitors should not face doors, windows, or heavily traveled areas.

6. Using GAO IT Resources Away from GAO. GAO's solution for accessing the GAO Network when away from the office is primarily to support telework but also supports network access when on travel.
  a. Users shall not remove GAO IT resources from GAO facilities, except under the following circumstances.
    (1) Users are authorized to take their GAO non-classified laptops, mobile storage, and/or communications devices home, on travel, or otherwise away from GAO facilities, as needed to perform GAO work.
    (2) Use of GAO IT resources away from GAO facilities must be consistent with GAO Orders 0510.2, 0645.1, 0910.1, 2300.5, and 2300.5.1 and associated directives and guidance.
  b. Upon removal of GAO IT resources from GAO facilities, users are responsible for (1) keeping those resources secure, and (2) complying with the GAO Information Systems Rules of Behavior, as specified in this order.
  c. Users shall not leave GAO IT resources unattended or unsecured when away from GAO facilities.
    (1) It is not acceptable to leave GAO IT resources in plain view, unsecured in a room, such as a locked hotel room where persons unknown to the user may have access to the room. Users shall ensure that the resource is secured to the greatest extent possible.
    (2) Acceptable techniques for securing IT resources should be applied while teleworking. However, the determination of the particular technique to use while teleworking is at the discretion of the individual teleworking, who is responsible for safeguarding GAO assets and information.
  d. Users are permitted to use GAO IT resources to connect remotely to the GAO Network as needed to perform GAO work. All such work must comply with the requirements set forth in GAO Order 2300.5, GAO's Telework Program and GAO Order 2300.5.1, Telework for Non-Bargaining Unit Employees.
  e. Use of wireless networks at home, on travel, and at other locations such as coffee shops is permitted for telework purposes and limited personal use.
  f. The following best practices are strongly recommended when working from home, on travel, or otherwise away from GAO.
    (1) When working in public spaces, users should be aware of any individuals attempting to read screen contents.
    (2) Users should consider the security protections of a third-party device before using it for GAO work. Users often want to perform remote access from third-party devices, such as checking e-mail from a kiosk computer at a conference or connecting via a wireless access point at an Internet café. Users shall not use third-party devices for GAO work involving sensitive information. See GAO Directive 0910.1-03, Information Security Requirements for Sensitive Information.

    (3) Users who use their wired or wireless home networks for telework should ensure that the networks, and all devices attached to them, are securely configured.

7. Using the Internet. Web browsers (e.g., Internet Explorer and Firefox) installed on various GAO IT resources ensure that users are able to access the Internet. Users are also able to use their personal computer's web browser to access the GAO Network.
  a. When using GAO IT resources, from any location, to access the Internet, the user must comply with existing limited personal use restrictions.
    (1) The following uses are prohibited except when specifically authorized to perform GAO work:
      (a) Accessing, downloading, storing, viewing, displaying, or printing sexually explicit or suggestive text or images, or other offensive material;
      (b) Accessing, downloading, storing, viewing, displaying, or printing violent or hate-related content;
      (c) Accessing online gambling; and
      (d) Using peer-to-peer file sharing (P2P).
    (2) Further requirements and guidance are provided in GAO Order 0645.1, Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.

8. Using E-mail. It is the responsibility of users to safeguard GAO data that is being transmitted via e-mail.
  a. Users shall exercise caution when conducting GAO business via e-mail.
    (1) Users shall not send official correspondence from a non-GAO e-mail address without receiving authorization to do so from the CIO and the GAO Records Officer.
    (2) Users shall not auto-forward GAO information to personal e-mail addresses.
  b. Users are permitted to forward individual e-mails to personal accounts, provided that any data sent is protected commensurate with the sensitivity of the data contained therein.
  c. Business-related e-mails that meet the definition of a GAO record (see GAO Order 0410.1, GAO Records Management Program) must be saved into the electronic records management repository in order for the appropriate records retention policy to be applied.
  d. Further requirements and guidance for protecting sensitive data are provided in GAO Directive 0910.3, Security Requirements for Sensitive Information.

9. Using Personally Owned Hardware and Software.
  a. Approval is required from ISTS for use of personally owned hardware (e.g., computers, portable music players, portable hard drives, USB drives, or other peripherals) connecting to the GAO network or to the user's assigned GAO laptop or desktop computer. (Users can initiate this request via the ISTS Helpdesk at (202) 512-9500.)
  b. Users are not permitted to load personally owned software on their assigned GAO laptop or desktop computer. GAO uses a least privileged policy when building computer images (meaning that users are given enough privileges to be able to do their work, but users should not modify the configuration provided on their assigned computer without assistance from ISTS).
  c. GAO-issued equipment is preferred for use away from GAO. However, users are permitted to use personally owned hardware and software to connect remotely to the GAO network, as needed, to perform GAO work. All such work must comply with the requirements set forth in GAO Order 2300.5, GAO's Telework Program and GAO Order 2300.5.1, Telework for Non-Bargaining Unit Employees.
  d. Users are permitted to connect GAO laptops to home and third-party networks for work purposes and limited personal use. All Information Systems Rules of Behavior apply. See chapter 2, paragraph 6.

10. Using Compact Discs, USB Drives, and other Removable Media.
  a. Users are permitted to store GAO information on GAO-provided writable CDs/DVDs, USB drives, and other removable media, provided that when doing so, they shall
    (1) Be aware of the sensitivity level of information being stored and protect the media commensurate with the sensitivity level of the information on it. See GAO Directive 0910.1-3, Information Security Requirements for Sensitive Information. If unsure, consult a manager.
    (2) Adhere to secure disposal procedures for media containing GAO information. For more information, visit the Office of Security Web page on the GAO Intranet.
    (3) Ensure that the removable media does not contain any executable files (.exe).
    (4) Save GAO business-related information that meets the definition of a GAO record (see GAO Order 0410.1, GAO Records Management Program) into the electronic records management repository in order for the appropriate record retention policy to be applied.
  b. When using VDI, staff must gain approval from their SES management and coordinate with the Help Desk when they want to store GAO information on removable media. For more information, visit the Downloading to External Devices in VDI webpage on the GAO Intranet.

11. Printing.
  a. When printing documents, users shall be aware of the sensitivity level of information being printed. Users shall protect the documents commensurate with the sensitivity level of the information. See GAO Directive 0910.1-3, Information Security Requirements for Sensitive Information.
  b. Use of printers is subject to GAO Order 0645.1, Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.

12. Running Into Problems. For problems with IT resources, unless noted otherwise below, contact the ISTS Helpdesk at (202) 512-9500.

  a. Users shall not attempt to perform physical maintenance on GAO IT resources. In the event of damage to GAO IT resources, users shall contact the ISTS Helpdesk.
  b. In the event that GAO IT resources are stolen, lost, or damaged,
    (1) users shall notify the GAO Helpdesk as soon as practicable; and
    (2) the discoverer of the loss, theft, or damage of GAO IT resources shall provide written notification (with a description of the circumstances) to the Director, Security and Emergency Management (SEM), the Director of Facility Management and Services (FMS), and the CIO, as required by GAO Order 0621.3 and GAO Directive 0910.1-04, Protection Services Program.
  c. Users shall report any incidents of suspected fraud, waste, or misuse of GAO IT resources to the Office of Inspector General at (866) 680-7963. Also, see the OIG fraud web page, Fraud, Waste, and Abuse, on the GAO Intranet.
  d. Users shall report any condition that might constitute a breach of system security, as well as unusual network, hardware, or software behavior, to the ISTS Helpdesk.
  e. For general problems and questions, users should contact the ISTS Helpdesk.

Chapter 3. Enforcement and Penalties

1. Penalties. Users who do not comply with the rules of behavior defined in this order are subject to penalties imposed under existing requirements, as provided in GAO Order 2751.1, Discipline and Adverse Actions.

2. Accountability for Personal Use of GAO IT Resources. Although GAO does not prohibit all use of GAO IT resources for personal purposes, users will be held accountable for acts deemed inappropriate or negligent. (See GAO Order 0645.1, Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.)

3. Authority to Recover and Restore GAO IT Resources. In the event that user-installed software or devices are determined to be the cause of system failure or loss of functionality, GAO reserves the right to erase the hard drive and restore the hardware to its original state as issued.

4. Authority to Monitor Use of GAO IT Resources. Any information on or transmitted through GAO IT resources may be monitored, recorded, or copied by authorized personnel, and such information may be provided to law enforcement officials.

Appendix 1. References

This appendix lists the GAO orders and directives that are pertinent to this order.
  a. GAO Order 0510.2, GAO Information Systems Security.
  b. GAO Order 0910.1, GAO Security Program.
  c. GAO Directive 0910.1-3, Information Security Requirements for Sensitive Information.
  d. GAO Order 0450.1, GAO Privacy Program.
  e. GAO Order 0410.1, GAO Records Management Program.
  f. GAO Directive 0910.1-04, Protection Services Program.
  g. GAO Order 0621.3, Control of Capitalized and Other Accountable Personal Property.
  h. GAO Order 0645.1, Limited Personal Use of Government-Provided Office and IT Equipment, Including Internet.
  i. GAO Order 2300.5, GAO's Telework Program and GAO Order 2300.5.1, Telework for Non-Bargaining Unit Employees.
  j. GAO Order 2751.1, Discipline and Adverse Actions.

Appendix 2. Description of Changes

The directive has been changed to an order. Therefore, all relevant references to "directive" have been replaced with "order". In addition to editorial changes, the following changes were made:
  a. Title Section. The title was changed to "GAO Information Systems Rules of Behavior" to be consistent with the Information Systems Security Policy and to be more inclusive of privacy information.
  b. Chapter 1
    (1) In section 1a, added "and accessing GAO information" and replaced "IT" with "Information Systems".
    (2) In section 1b, deleted "consultants, contractors, subcontractors, and their employees, and any other persons who have been granted access to GAO IT resources" and added "The requirements herein shall apply to contractor personnel and other nongovernment employees by the inclusion of references in contracts or memorandums of agreement as conditions for using GAO office equipment and space."
    (3) Added section 2, Supersession.
    (4) In section 3b(2), added GAO Order 2300.5.1, Telework for Non-Bargaining Unit Employees.
    (5) In section 4a, added "for purposes of this Order" and "is all".
    (6) In section 4b, added "Sensitive information refers to any information under the authority or control of GAO that is not classified national security information (referred to as "classified information"), but that requires protection to ensure that it is not released to the public or any other individual or organization not under the authority or control of GAO without further review because it may be exempt from such disclosure. Examples of sensitive information include: personally identifiable information (PII), national security information, law enforcement information, proprietary commercial rights, and internal agency decision-making (GAO Order 0910.1-03, Information Security Requirements for Sensitive Information)."
    (7) In section 4c, added "(e.g., smartphones, computers, tablets, servers, etc.)" to the hardware examples.
    (8) In section 4e, replaced "Blackberry" with "smartphones" and "cell phones" with "tablets".
    (9) In section 4f, deleted "the GAO Meeting Room Booking System" and "JIS" and added "the Engagement Management System (EMS)," and "as well as".
    (10) In section 4g, changed "cell phone" to "smartphones".
    (11) In section 4i, deleted "consultants, contractors, subcontractors, and their employees, and any other persons who have been granted access to GAO IT resources".

(12) In section 5, updated the reference to the GAO intranet webpage.

c. Chapter 2

(1) In section 1a, added "must understand that there is no expectation of privacy as"; updated "may be monitored, recorded, or copied"; and added "by authorized personnel, and such information may be provided to law enforcement officials." These modifications were made to emphasize the fact that users should have no expectation of privacy when using GAO IT resources.
(2) In section 1b(1), updated "IT" to "Information Systems" and changed "directive" to "order."
(3) In section 1b(2), the following statement was added to ensure that readers know how to report unauthorized disclosure of sensitive information: "All users shall immediately report any unauthorized disclosure of sensitive information to a supervisor and to the GAO Help Desk, as provided in Directive 0910.1-08, GAO Information Security Incident Response."
(4) In section 1b(3) a and b, replaced "IT" with "Information Systems."
(5) In section 1d, added "Users shall:". In section 1d(1), deleted "does not" and replaced it with "or."
(6) Section 2 on VDI is new.
(7) In section 3 (former section 2), the following clarifying language was added to this section: "GAO uses a least privileged policy when building computer images (meaning that users are given enough privileges to be able to do their work, but users should not modify the configuration provided on their assigned computer)."
(8) In section 4 (former section 3), the following clarifying language was added to the beginning of the section: "For most password requirements, GAO supports two-factor authentication using the RSA token. Users should follow the guidance below and the guidance available in the ISTS Technology Guidance section on the GAO Intranet."
(9) In section 4d, deleted "users are discouraged from writing down passwords. If written down, passwords must be physically and visually secured to ensure they are not used by anyone else" and added "passwords should never be written down or stored online, except in an ISTS-approved password application."
(10) In section 5 (former section 4), the following clarifying language was added: "It is the responsibility of users to safeguard assigned IT equipment from loss or damage."
(11) The following sentence from former section 4 was deleted: "Users shall secure their assigned GAO laptop in the docking station with the provided security cable."
(12) In section 6 (former section 5), the following clarifying language was added: "GAO's solution for accessing the GAO Network when away from the office is primarily to support telework but also supports network access when on travel."
(13) In section 6a(1), added "/or" to "and."

(14) In section 6a(2), added "2300.5.1."
(15) In section 6b(2), replaced "IT" with "Information Systems."
(16) In section 6c, parts 1 and 2 were reversed. In 6c(1), "Users shall" was added. In 6c(2), the following was added: "should be applied while teleworking. However, the determination of the particular technique to use while teleworking is at the discretion of the individual teleworking, who is responsible for safeguarding GAO assets and information."
(17) In 6d, added the reference to GAO Order 2300.5.1.
(18) In section 6f(3), deleted the following statement: "For additional information, review tips for working outside the office."
(19) In section 7 (former section 6), added the following clarifying language to this section: "Web browsers (e.g., Internet Explorer and Firefox) installed on various GAO IT resources ensure that users are able to access the Internet. Users are also able to use their personal computer's web browser to access the GAO Network."
(20) In section 7a, added "from any location" language to ensure users know that the limited personal use restrictions apply in all situations.
(21) In section 7a(1), replaced "as" with "when" and deleted "as needed."
(22) In section 7a(1)(d), added the P2P acronym and deleted "(i.e., Kazaa, BitTorrent, or Napster)."
(23) In section 8 (former section 7), added the following clarifying language to this section: "It is the responsibility of users to safeguard GAO data that is being transmitted via e-mail."
(24) In section 8b, deleted "All business related emails must be saved into the electronic records management repository so that records retention policies will be applied."
(25) In section 8c, modified the sentence deleted in 8b to read: "Business-related emails that meet the definition of a GAO record (see GAO Order 0410.1, GAO Records Management Program) must be saved into the electronic records management repository in order for the appropriate records retention policy to be applied."
(26) In section 9b, added "GAO uses a least privileged policy when building computer images (meaning that users are given enough privileges to be able to do their work but users should not modify the configuration provided on their assigned computer without assistance from ISTS)."
(27) In section 9c, added "and GAO Order 2300.5.1, Telework for Non-Bargaining Unit Employees."
(28) In section 9d, updated the reference from chapter 2, paragraph 5 to chapter 2, paragraph 6. Also replaced "Technology" with "Systems."
(29) In section 10a(1), added "For more information, visit the" and "on the GAO intranet" and deleted a link to the GAO Office of Security.

(30) In section 10a(4), added "that meets the definition of a GAO record (see GAO Order 0410.1, GAO Records Management Program)," "in order for the appropriate," and "policy."
(31) Added section 10b: "With using VDI, staff must gain approval from their SES management and coordinate with the Help Desk when they want to store GAO information on removable media. For more information, visit the Downloading to External Devices in VDI webpage on the GAO Intranet."
(32) In section 11, deleted former section 10b: "Users shall follow disposal procedures for paper containing GAO Information. See the Office of Security Web page: GAO Office of Security."
(33) In section 12 (former section 11), added: "For problems with IT resources, unless noted otherwise below, contact the ISTS Helpdesk at (202) 512-9500." Deleted the Helpdesk phone number from the rest of section 12.
(34) In section 12b(2), updated the title of the Director of Office of Security (OS) to Director, Security and Emergency Management, and Director of Facilities and Property Management to Director of Facility Management and Services (FMS).
(35) In section 12c, added "on the GAO Intranet," and in 12d deleted "generally."

d. Chapter 3

(1) In section 1, the only order that pertains to penalties is GAO Order 2751.1; therefore, the other orders were deleted. Updated the title of Order 2751.1 to Discipline and Adverse Actions.
(2) In section 2, added a reference to GAO Order 0645.1, Limited Personal Use of Government-Provided Office and IT Equipment Including Internet.
(3) In section 4, deleted "GAO reserves the right to monitor, record, or copy any information on or transferred through GAO IT resources" and added "Any information on or transmitted through GAO IT resources may be monitored, recorded, or copied by authorized personnel, and such information may be provided to law enforcement officials."

e. Appendix 1. References

(1) Titles of references were updated, as necessary. Dates were deleted.
(2) GAO Order 2293.1, Safeguarding Personnel Records and File (Aug. 23, 2005), and a reference to this order were deleted.
(3) Added GAO Order 0450.1, GAO Privacy Program.
(4) Added GAO Order 0410.1, GAO Records Management Program.
(5) Added GAO Directive 0910.1-04, Protection Services Program.
(6) In section i, added "and GAO Order 2300.5.1, Telework for Non-Bargaining Unit Employees."