RULES OF BEHAVIOR
1. SCOPE
1.1 Identification
Almond Consulting creates Rules of Behavior documentation for organizations to assist with the establishment of the rules concerning use and behavior within a given Automated Information System (AIS) for all users, contractors, and employees.
2. RULES OF BEHAVIOR
2.1 Introduction
This section describes the rules of behavior requirements and provides guidance and policy for the AIS.
2.2 What Are Rules of Behavior?
Rules of Behavior are part of a comprehensive program to provide Information Security (INFOSEC) for all AIS. They represent a new approach to information security to provide awareness of an employee’s/user’s responsibility and to hold him or her accountable for his or her actions with respect to information security. Procedures and technical controls cannot always be implemented cost-effectively to cover all scenarios. Rules of Behavior establish ethical and practical standards in recognition of the following fact: knowledgeable employees/users are the foundation of a successful security program.
Rules of Behavior inform employees/users of what is expected of them and how to actively protect information. The rules call on employees/users to be proactive by being alert to threats and vulnerabilities, staying abreast of security policies and issues, and reporting incidents. Employees/users are called to act ethically, take initiative, and accept responsibility for safeguarding information resources. These Rules of Behavior apply to all employees/users involved with or having access to Government computer systems; signed acknowledgement of the rules is a condition of access. In addition, these rules apply to all employees/users using AIS resources or providing services (for example, contractors).
2.3 Why Are Rules of Behavior Needed?
The primary threats to information security are often the employees/users who access and implement the information. The most serious threat to information and systems has frequently been internal misuse through miscommunication. With the proliferating use of networks, public access systems (including the Internet), and work-at-home programs, employees/users have a greater responsibility for information security. Within all computing environments, technical controls alone are insufficient to ensure adequate security. Management controls must be used to support and enforce technical controls.
Some basic concerns include the loss of data, threats, computer crimes, computer viruses, the abuse or unauthorized use of software and equipment, the release of sensitive data, and so forth. Employees/users need to comply with the City, State, Federal, DoD, and other applicable policies and procedures described here.
2.4 Responsibilities
Management is responsible for ensuring an adequate level of protection is afforded to the AIS through an appropriate mix of technical, administrative, and managerial controls. Management develops policies and procedures, ensures the development and presentation of user and contractor awareness sessions, inspects, and conducts spot checks to determine that an adequate level of compliance with security requirements exists. Management is responsible for periodically conducting vulnerability analyses to help determine if security controls are adequate. Special attention is given to those new and developing technologies, systems, and applications that can open or have opened vulnerabilities in a given organization’s security posture.
2.5 Other Policies and Procedures
The Rules of Behavior are not to be used in place of existing policy; rather, they are intended to enhance and further define the specific rules each user must follow while accessing the AIS.
2.6 General Principles
The principles of behavior presented here apply to all employees and to all personnel developing and using information resources or providing services (for example, contractors). Because written guidance cannot cover every contingency, employees/users are asked to exceed the stated principles, using their best judgment and highest ethical standards to guide their actions.
3. GENERAL POLICIES
3.1 Computer Programs and Data Ownership
All computer programs and data in systems are considered the property of the organization. The program and data are for the sole purpose of carrying out the organization’s mission.
3.2 Proper Use
All systems and equipment are to be used only by authorized system employees/users or organizations with appropriate user identification and passwords. Use of systems and equipment for unauthorized personal reasons is strictly prohibited.
3.3 Misuse of Government Computer Systems
A violation of the above policy is cause for disciplinary action. Misuse of organization property—including programs and data—may be punishable by dismissal.
3.4 General Procedures
The general procedures are as follows:
- Do not reconfigure equipment, software, or computers using locks or an operating system password unless doing so under the organization’s approved and applicable standard procedures for the systems. If approved, all operating system passwords and keys for locks on specific computer systems shall be left with the local system management.
- Protect passwords, information, equipment, systems, networks, and communications pathways to which you have access.
- Minimize the threat of viruses by write-protecting removable media, checking “foreign” data for viruses, and never circumventing the antivirus safeguards of the system.
- Never leave your terminal unattended for long periods without password-protecting your personal computer (for example, user mail passwords, screen savers that require a password, or completely logging off the system).
- Report anything unusual or suspicious (especially viruses) to your supervisor.
3.5 Electronic Mail (Email) Policy
Email users must exercise common sense, good judgment, and propriety in the use of organization provided resources. Employees/users are specifically prohibited from using the organization’s email system to send information on any non-organizational activity, including, but not limited to, charitable events, religious observances, fund-raisers, and personal business. Prohibited emails are listed here, but are not limited to the following:
- Chain letters, games, and threatening, obscene, harassing, or personal messages are not permitted.
- Emails containing sensitive organization system information are not to be sent from Internet email applications.
- Never leave email software open on computer systems, as this allows unauthorized access and misuse.
3.6 Internet Policy
When employees/users are using organization-provided Internet, they may only use it for official organizational business related to accomplishing the organization’s mission. Employees/users have a duty to protect and conserve organization property and shall not use such property, or allow its use, for other than authorized purposes.
Strictly prohibited Internet uses include, but are not limited to the following:
- Attempting to break into another computer or introducing computer viruses, worms, or Trojan horses.
- Downloading or transmitting personal data, pornographic material, and unauthorized organization-owned data across the Internet.
- Installing unofficial software or software in violation of the vendor’s license.
- Performing unlawful or other malicious activities prohibited on organization property.
- Sending, retrieving, viewing, displaying, or printing sexually explicit or suggestive text or images, or other offensive material.
- Sending harassing, intimidating, abusive, or offensive material to or about others.
- Using abusive or objectionable language in either public or private messages.
- Using another person’s account or identity without authorization.
3.7 Official Work and Use of Organization Equipment
- Any time for which an employee/user is being paid is considered official work hours.
- Employees/users are not entitled to come in early or stay late to work on their private concerns at their job location.
3.8 Password Guidelines
The system password “Dos and Don’ts” are as follows:
- Do not use words found in a dictionary.
- Do change the password immediately if the password has been seen, guessed, or compromised.
- Do combine alpha, numeric, and special characters for passwords.
- Do create passwords that are case sensitive and contain at least 15 characters. The password will be a mix of two uppercase letters, two lowercase letters, two numbers, and two special characters. At least four characters must be changed when a new password is created.
- Do not accept another user’s password, even if offered.
- Do not post passwords on terminals, blackboards, bulletin boards, under keyboards, or in desk drawers; do not transmit them by telephone; and do not leave them in any other location where they may be disclosed.
- Do not reuse old passwords. New passwords should differ from old passwords by at least four characters.
- Do not share user IDs and passwords.
- Do not use an obvious readable password. Avoid passwords that incorporate personal data elements (for example, user’s name, child’s name, date of birth, address, telephone number, Social Security number, other personal attributes, and so forth).
3.9 Removal of Equipment
Employees/users are not to remove equipment from its assigned facility without prior authorization from the organization.
3.10 Software Policy
It is the responsibility of all employees/users to protect the organization’s interests in the performance of their duties. This includes the responsibility for ensuring that commercial software acquired by the organization is used only in accordance with licensing agreements.