GLRI_logo

Great Lakes National Program Office (GLNPO) Rules of Behavior

January 31, 2020

 

 

 

 

Table of Contents

1      Rules of Behavior Overview

1.1      Purpose

1.2      Scope

2      RoB Standard

2.1      Rules of Behavior

2.2      System Access and Use

2.3      Identification and Authentication

2.4      Electronic Data Protection

2.5      Use of Software

2.6      Information Technology Incident Reporting

3      Definitions

4      APPENDIX: ACRONYMS & ABBREVIATIONS

 

 

 

 

1 Rules of Behavior Overview
1.1 Purpose

This document is based on the Environmental Protection Agency (EPA) National Rules of Behavior (NRoB) to help establish the Rules of Behavior (RoB) for EPA’s Great Lakes National Program Office (GLNPO) information systems, including GLNPO.NET and RV Lake Guardian‘s computing equipment. GLNPO NET users have Internet access to various applications and systems for the exchange of environmental information among U.S. interagency and international partners. Users aboard the RV Lake Guardian may use computer systems and networks there for the purposes of research, education, or supporting the needs and activities of the ship. The GLNPO RoB apply to all users of GLNPO information and information systems and are designed to safeguard GLNPO information and information systems from misuse, abuse, loss, or unauthorized access.

1.2 Scope

The standard covers use of all GLNPO information and information systems to include information and information systems used, managed, or operated by EPA employees, contractors, and GLNPO’s external partners. The GLNPO RoB apply to all EPA employees, contractors, and all other users of GLNPO information and information systems.

2 RoB Standard

The following are the RoB for the protection of GLNPO information and information systems. The Appendix includes a listing of abbreviations and acronyms.

2.1 Rules of Behavior

Users must acknowledge their knowledge and understanding of responsibilities as well as the GLNPO RoB when using EPA information and information systems, before being granted access to any GLNPO system. The acknowledgement statement is included on the https://apply.glnpo.net/useraccount.html website.

Violation of these rules will be reported to the GLNPO SIO and conveyed to EPA’s Region 5 Information Security Officer (ISO) and the Computer Security Incident Response Center (CSIRC). Non-compliance with these rules may subject the user to disciplinary action, as well as penalties and sanctions, including verbal or written warning, removal of system access privileges, reassignment to other duties, removal from Federal service, and/or civil or criminal prosecution depending on the severity of the violation.

Unauthorized access, use, misuse, or modification of government computer systems constitutes a violation of Title 18, United States Code, Section 1030.

2.2 System Access and Use

Preventing unauthorized access to GLNPO information systems and information requires the full cooperation of all users. Users must be aware of their responsibilities for maintaining effective access controls, particularly regarding the use of identification and authentication information and strict adherence to the permissions granted to them.

The following RoB are relevant to GLNPO system access and use. Users must:

  • Understand they have no expectation of privacy regarding any communications or data transiting or stored on EPA information systems, that information is the property of the Government and may become an official record.
  • Be aware that at any time, and for any lawful government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on EPA information systems.
  • Use Government furnished equipment (GFE) for work-related purposes only, except as allowed by EPA telework policy and as prescribed by CIO 2101.0 Policy on Limited Personal Use of Government Office Equipment.
  • Adhere to all Federal laws, EPA information security policies, procedures, standards and other directives.
  • Limit personal use of the Internet and email in accordance with CIO 2101.0 Policy on Limited Personal Use of Government Office Equipment.
  • Be responsible for all actions performed and activities initiated using his or her user account.
  • Use only authorized devices and solutions when traveling internationally.
  • Access and use only information or information systems for which he or she has been granted access by official authorization and for which access is required for the user’s job function.
  • Report inappropriate access to the GLNPO SIO.
  • Follow established procedures for accessing information, including the use of user identification (ID), authentication information (e.g., personal identification numbers, passwords, digital certificates), and other physical and logical safeguards.
  • Follow established procedures for requesting and disseminating information.
  • Ensure all sensitive information is protected in a manner that prevents unauthorized personnel from having visual access to the information being processed. This may be accomplished by utilizing devices such as monitor privacy screens, hoods, or positioning equipment (monitors or printers) so that it faces away from doorways, windows, or open areas.
  • Terminate sessions or employ a session-locking mechanism before leaving equipment unattended.
  • Terminate sessions and log off of all information systems at the conclusion of the work day unless a specific need requires remaining logged on, e.g., system maintenance or incident response.

Users must not:

  • Allow anyone to use their system or application account.
  • Use EPA information or information systems to conduct or support a personal business.
  • Place unauthorized software onto an EPA computing resource.
  • Install peer-to-peer (P2P) software on EPA computers without explicit written approval of the Authorizing Official (AO).
  • Use any computing resources to process, store, or transmit EPA information unless such use has been authorized.
  • Connect any computing device or resource to any EPA system, including infrastructure systems, without Information System Security Officer (ISSO) authorization.
  • Divulge access information (e.g., login procedures, lists of user accounts) for an unauthorized computing resource to anyone who does not have a “need to know” the information as determined by EPA management.
  • Capture copies of security or configuration information from a computing resource for the purpose of unauthorized personal use or with the intention of divulging the information to anyone without a specific need to know as determined by EPA management.
  • Leave an open login session unattended. The user shall lock the user interface to the session in such fashion that the user must identify and authenticate to regain access to the session.
  • Bypass or attempt to bypass system controls or access data for any reason other than official duties.
  • Use Internet, email and social media for fraudulent or harassing messages or for sexual remarks or the downloading of illegal or inappropriate materials (e.g., pornography) in accordance with CIO 2101.0 Policy on Limited Personal Use of Government Office Equipment and CIO 2184.0 Social Media Policy.
2.3 Identification and Authentication

Identification is the process by which a person, device, or program is differentiated from all others. User identification is commonly provided in the form of User-IDs, but is also provided using other methods, such as digital certificates.

Authentication is the process by which user identification is verified. Authentication can be performed using passwords, cryptographic keys, digital certificates, biometrics, access cards, tokens, or other methods.

To protect access to computing resources users must:

  • Protect authentication information from disclosure at a level comparable to the most sensitive level of information on the most sensitive system accessible to the user’s access rights once authenticated.
  • Change authentication information immediately in the event of suspected or known compromise.
  • Select and use unique authentication information for each computing resource or group of computing resources using discrete authentication objects.
  • Notify accounthelp@glnpo.net when experiencing difficulties with user account or authentication information.
  • Report any suspected or known authentication information (e.g., password, digital certificate) compromise to EPA’s Region 5 ISO, GLNPO Information System Security Officer (ISSO), and to EPA’s Call Center at 1-866-411-4-EPA (4372) or epacallcenter@epa.gov.
  • Construct and maintain passwords in accordance with CIO 2120-P-07.2 Identification and Authentication Procedures document.

Users must not:

  • Allow anyone else to know or use their identification and authentication information to access an EPA information system.
  • Attempt to bypass or circumvent access controls to a computing resource.
  • Store authentication information in writing, on-line (including password saving features of operating systems and applications, such as auto-fill), or in password storage systems (e.g., “password wallets” or “password safes”) unless approved/authorized and/or provided by EPA.
  • Use the same authentication information for GLNPO system access and non-GLNPO purposes.
2.4 Electronic Data Protection

The user is responsible for protecting the confidentiality, integrity and availability of GLNPO information. Storage, disposal, mailing and electronic transmission of sensitive information shall be in accordance with Federal and EPA policies and directives. Users shall not create or maintain a System of Records (SoR or SOR) which contains information subject to the Privacy Act (e.g., files containing information related to individuals retrievable by name and/or other unique personal identifier) on a GLNPO system without approval of the GLNPO System Owner AND proper preannouncement of the SOR via a System Of Records Notice (SORN) published in the Federal Register (please consult the Agency Privacy officer and CIO policy CIO 2151-P-03.1 for assistance). Users shall protect controlled unclassified information (CUI) in accordance with EPA directives. Within EPA, CUI categories include Personally Identifiable Information (PII) and Sensitive Personally Identifiable Information (SPII).

Personally Identifiable Information (PII). Per OMB M-06-19 (July 12, 2006), "the term Personally Identifiable Information means any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history, and criminal or employment history and information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual."

Sensitive Personally Identifiable Information (SPII). SPII is a subset of PII, which, if lost, compromised or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience or unfairness to an individual. At EPA, SPII is defined as social security numbers or comparable identification numbers, financial information associated with individuals and medical information associated with individuals. SPII requires additional levels of security controls (see EPA Information Security – Privacy Procedures).

The Privacy Act protects personal information collected for entry into a system of records and information that is contained in a Privacy Act System of Records.

To protect PII, users shall comply with the CIO 2151.0 Privacy Policy:

  • Ensure that PII retrieved by an individual’s name or other personal identifier is maintained in an authorized system of records for which a Privacy Act SORN has been published in the Federal Register.
  • If Sensitive PII is being collected ensure you have the legal authority to do so and ensure a SORN was published before the system became active describing the information.
  • PII in electronic form should only be accessed via EPA-authorized computing resources such as EPA provided desktop and laptop computers If SPII must be emailed, ensure it is within an encrypted attachment using EPA authorized encryption standards and the password provided separately (e.g., by phone, another email, or in person).
  • PII data-at-rest on EPA-authorized removable storage media (USB flash drives, external disk drives, etc.), desktop/laptop computer hard drives (or solid-state equivalents thereof) shall be encrypted using EPA authorized encryption standards1.
  • Use authentication information protection and where possible, automatically lock out after 15 minutes (or less) of user inactivity all mobile computing resources on which PII is stored.
  • Identify files, extracts or outputs that contain PII and delete those that no longer serve a business purpose.
  • Disseminate PII only to those EPA employees who have a “need to know” to perform their official duties, not a “want to know.”
  • Maintain PII in a manner that will ensure no inadvertent or unauthorized disclosures occur:
  • Do not leave in open view of others; o Use an opaque envelope when transmitting through the mail;
  • Secure paper records in a locked file drawer and electronic records in a password protected or restricted access file; and
  • Do not place or store PII on a shared network drive unless access controls are enforced.
  • Ensure disposition complies with EPA records disposition schedules.
  • Dispose of PII using sensitive waste disposal methods.

Users shall not:

  • Remove electronic EPA data (including PII) from EPA controlled spaces unless it is appropriately protected, utilizing EPA authorized and provided cryptographic methods.
  • Use personal computing resources for processing, transmitting, or storing PII pertaining to EPA official business.
  • Email or otherwise transmit PII outside of EPA’s infrastructure, except when authorized and necessary to conduct official agency business. Emailing PII within EPA’s local area network (LAN) or wide area network (WAN) is acceptable, including to and from all mobile devices that interact within EPA’s email system. Emailing PII to personal email accounts (e.g., Gmail, Hotmail, Yahoo, etc.) is prohibited.
  • Leave SPII in hard copy unattended and unsecured
2.5 Use of Software

Users shall abide by CIO 2104.1 Software Management and Piracy Policy, Executive Order 13103 and U.S. copyright laws when using EPA systems, and shall not acquire, install, reproduce, distribute, or transmit computer software in violation of these and other applicable directives and the applicable software license.
 

2.6 Information Technology Incident Reporting

Users must be vigilant for questionable activities or behavior that may indicate that an information security incident is in progress. Users must report actual and suspected incidents immediately to the GLNPO SIO or at accounthelp@glnpo.net. Examples of incidents include:

Social engineering efforts

  • Intelligence gathering email or phone calls (e.g., unknown persons soliciting personal or information system information).
  • Requests for user identification and authentication information.
  • Unexpected computer activity
  • Automatic installation of unknown software.
  • Constant disk activity.

Intruders

  • Computer use in EPA facilities by unknown or unidentified individuals.
  • Losses or compromises of PII.
  • Losses or compromise of confidential business Information (CBI) or trade secrets.

Situations involving the improper handling or storage of PII must be reported immediately to the GLNPO SIO.

User Accountability

Unauthorized use of a user account or a computing resource can result in criminal penalties under Section 1030, Title 18, of the United States Code. Users will be held accountable for their access and use of EPA computing resources. Users shall:

  • Have no expectation of privacy while using any EPA computing resource.
  • Read and understand warning banners and end-user licensing agreements.

 

3 Definitions
  • Access – means “Ability to make use of any information system (IS) resource. Further, Access means ability and means to communicate with or otherwise interact with a system, to use system resources to handle information, to gain knowledge of the information the system contains, or to control system components and functions.”
  • Availability – ensuring timely and reliable access to and use of information.
  • Confidentiality – preserving restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.
  • Information Security – the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
  • Information System – a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
  • Information Technology (IT) – any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by an agency. For purposes of the preceding sentence, equipment is used by an agency if the equipment is used by the Agency directly or is used by a contractor under a contract with the Agency that (i) requires the use of such equipment or (ii) requires the use, to a significant extent, of such equipment in the performance of a service or the furnishing of a product. The term Information Technology includes computers, ancillary equipment, software, firmware, and similar procedures, services (including support services), and related resources.
  • Integrity – guarding against improper modification or destruction of information, including ensuring information nonrepudiation and authenticity.
  • Organization – a federal agency or, as appropriate, any of its operational elements.
  • Need-to-know – means a determination within the executive branch in accordance with directives issued pursuant to this policy or procedure that a prospective recipient requires access to specific classified information in order to perform or assist in a lawful and authorized governmental function.
  • Signature (of an individual) – a mark or sign made by an individual to signify knowledge, approval, acceptance, or obligation (can be accomplished manually, sometimes referred to as a “wet signature,” or electronically).
  • User – individual or (system) process authorized to access an information system.
  • Written (or in writing) – means to officially document the action or decision, either manually or electronically, and includes a signature.

 

 

4 APPENDIX: ACRONYMS & ABBREVIATIONS

AO

Authorizing Official

CIO

Chief Information Officer

CSIRC

Computer Security Incident Response Center

CUI

Controlled Unclassed Information

EPA

Environmental Protection Agency

GFE

Government Furnished Equipment

GLNPO

Great Lakes National Program Office

GLRI

Great Lakes Restoration Initiative

ID

Identification

ISO

Information Security Officer

ISSO

Information System Security officer

IT

Information Technology

LAN

Local Area Network

NRoB

National Rules of Behavior

OMB

Office of Management and Budget

P2P

Peer-to-Peer

PII

Personally Identifiable information

RoB

Rules of Behavior

SOR

System of Records

SORN

System of Records Notice

SPII

Sensitive personally Identifiable Information

WAN

Wide Area Network.