Produced by Araxis Merge on 3/27/2019 4:03:32 PM Eastern Daylight Time.
# | Location | File | Last Modified |
---|---|---|---|
1 | JLV_CV_CV_2_9_1_0.zip\CV-VAS\web-app\resources | 31167_FY17_VA_Rules_of_behavior.docx | Wed Mar 27 18:56:57 2019 UTC |
2 | JLV_CV_CV_2_9_1_0.zip\CV-VAS\web-app\resources | 31167_FY17_VA_Rules_of_behavior.docx | Wed Mar 27 19:06:38 2019 UTC |
Description | Between Files 1 and 2 | |
---|---|---|
 | Text Blocks | Lines |
Unchanged | 1 | 308 |
Changed | 0 | 0 |
Inserted | 0 | 0 |
Removed | 0 | 0 |
Whitespace | |
---|---|
Character case | Differences in character case are significant |
Line endings | Differences in line endings (CR and LF characters) are ignored |
CR/LF characters | Not shown in the comparison detail |
No regular expressions were active.
1 | APPENDIX A: Department of Veteran Affairs Information Security Rules of Behavior | |
2 | COVERAGE | |
3 | ||
4 | Department of Veterans Affairs (VA) Information Security Rules of Behavior (ROB) provides the specific responsibilities and expected behavior for organizational users and non-organizational users of VA systems and VA information as required by OMB Circular A-130, Appendix III, paragraph 3a(2)(a) and VA Handbook 6500, Managing Information Security Risk: VA Information Security Program. | |
5 | Organizational users are identified as VA employees, contractors, researcher, students, volunteers, and representatives of Federal, state, local or tribal agencies. | |
6 | Non-organizational users are identified as all information system users other than VA users explicitly categorized as organizational users. | |
7 | VA Information Security ROB does not supersede any policies of VA facilities or other agency components that provide higher levels of protection to VA's information or information systems. The VA Information Security ROB provides the minimal rules with which individual users must comply. Authorized users are required to go beyond stated rules using "due diligence" and the highest ethical standards. | |
8 | COMPLIANCE | |
9 | ||
10 | Non-compliance with VA ROB may be cause for disciplinary actions. Depending on the severity of the violation and management discretion, consequences may include restricting access, suspension of access privileges, reprimand, demotion and suspension from work. Theft, conversion, or unauthorized disposal or destruction of Federal property or information may result in criminal sanctions. | |
11 | Unauthorized accessing, uploading, downloading, changing, circumventing, or deleting of information on VA systems; unauthorized modifying VA systems, denying or granting access to VA systems; using VA resources for unauthorized use on VA systems; or otherwise misusing VA systems or resources is strictly prohibited. | |
12 | VA Information Security Rules of Behavior (ROB) does not create any other right or benefit, substantive or procedural, enforceable by law, by a party in litigation with the U.S. Government. | |
13 | ||
14 | ||
15 | ||
16 | ||
17 | ACKNOWLEDGEMENT | |
18 | ||
19 | VA Information Security ROB must be signed before access is provided to VA information systems or VA information. The VA ROB must be signed annually by all users of VA information systems or VA information. This signature indicates agreement to adhere to the VA ROB. Refusal to sign VA Information Security ROB will result in denied access to VA information systems or VA information. Any refusal to sign the VA Information Security ROB may have an adverse impact on employment with VA. | |
20 | The ROB may be signed in hard copy or electronically. If signed using the hard copy method, the user should initial and date each page and provide the information requested under Acknowledgement and Acceptance. For Other Federal Government Agency users, documentation of a signed ROB will be provided to the VA requesting official. | |
21 | INFORMATION SECURITY RULES of BEHAVIOR Access and Use of VA Information Systems | |
22 | I Will: | |
23 | ||
24 | Comply with all federal VA information security, privacy, and records management policies. SOURCE: PM-1 | |
25 | Have NO expectation of privacy in any records that I create or in my activities while accessing or using VA information systems. SOURCE: AC-8 | |
26 | Use only VA-approved devices, systems, software, services, and data which I am authorized to use, including complying with any software licensing or copyright restrictions. SOURCE: AC-6 | |
27 | Follow established procedures for requesting access to any VA computer system and for notifying my VA supervisor or designee when the access is no longer needed. SOURCE: AC-2 | |
28 | Only use my access to VA computer systems and/or records for officially authorized and assigned duties. SOURCE: AC-6 | |
29 | Log out of all information systems at the end of each workday. SOURCE: AC-11 | |
30 | Log off or lock any VA computer or console before walking away. SOURCE: AC-11 | |
31 | Only use other Federal government information systems as expressly authorized by the terms of those systems; personal use is prohibited. SOURCE: AC-20 | |
32 | ||
33 | ||
34 | Only use VA-approved solutions for connecting non-VA-owned systems to VA's network. SOURCE: AC-20 | |
35 | I Will Not: | |
36 | ||
37 | Attempt to probe computer systems to exploit system controls or to obtain unauthorized access to VA sensitive data. SOURCE: AC-6 | |
38 | Engage in any activity that is prohibited by VA Directive 6001, Limited Personal Use of Government Office Equipment Including Information Technology. SOURCE: AC-8 | |
39 | Have a VA network connection and a non-VA network connection (including a modem or phone line or wireless network card, etc.) physically connected to any device at the same time unless the dual connection is explicitly authorized. SOURCE: AC-17 (k) | |
40 | Host, set up, administer, or operate any type of Internet server or wireless access point on any VA network unless explicitly authorized by my Information System Owner, local CIO, or designee and approved by my ISO. SOURCE: AC-18 | |
41 | Protection of Computing Resources | |
42 | ||
43 | I Will: | |
44 | ||
45 | Secure mobile devices and portable storage devices (e.g., laptops, Universal Serial Bus (USB) flash drives, smartphones, tablets, personal digital assistants (PDA)). SOURCE: AC-19 | |
46 | I Will Not: | |
47 | ||
48 | Swap or surrender VA hard drives or other storage devices to anyone other than an authorized OI&T employee. SOURCE: MP-4 | |
49 | Attempt to override, circumvent, alter or disable operational, technical, or management security configuration controls unless expressly directed to do so by authorized VA staff. SOURCE: CM-3 | |
50 | Electronic Data Protection | |
51 | ||
52 | I Will: | |
53 | ||
54 | Only use virus protection software, anti-spyware, and firewall/intrusion detection software authorized by VA. SOURCE: SI-3 | |
55 | Safeguard VA mobile devices and portable storage devices containing VA information, at work and remotely, using FIPS 140-2 validated encryption (or its | |
56 | ||
57 | successor) unless it is not technically possible. This includes laptops, flash drives, and other removable storage devices and storage media (e.g., Compact Discs (CD), Digital Video Discs (DVD)). SOURCE: SC-13 | |
58 | Only use devices encrypted with FIPS 140-2 (or its successor) validated encryption. VA owned and approved storage devices/media must use VA's approved configuration and security control requirements. SOURCE: SC-28 | |
59 | Use VA e-mail in the performance of my duties when issued a VA email account. SOURCE: SC-8 | |
60 | Obtain approval prior to public dissemination of VA information via e-mail as appropriate. SOURCE: SC-8 | |
61 | I Will Not: | |
62 | ||
63 | Transmit VA sensitive information via wireless technologies unless the connection uses FIPS 140-2 (or its successor) validated encryption. SOURCE: AC-18 | |
64 | Auto-forward e-mail messages to addresses outside the VA network. SOURCE: SC-8 | |
65 | Download software from the Internet, or other public available sources, offered as free trials, shareware; or other unlicensed software to a VA-owned system. SOURCE: CM-11 | |
66 | Disable or degrade software programs used by VA that install security software updates to VA computer equipment, to computer equipment used to connect to VA information systems, or used to create, store or use VA information. SOURCE: CM-10 | |
67 | Teleworking and Remote Access | |
68 | ||
69 | I Will: | |
70 | ||
71 | Keep government furnished equipment (GFE) and VA information safe, secure, and separated from my personal property and information, regardless of work location. I will protect GFE from theft, loss, destruction, misuse, and emerging threats. SOURCE: AC-17 | |
72 | Obtain approval prior to using remote access capabilities to connect non-GFE equipment to VA's network while within the VA facility. SOURCE: AC-17 | |
73 | Notify my VA supervisor or designee prior to any international travel with a GFE mobile device (e.g. laptop, PDA) and upon return, including potentially issuing a specifically configured device for international travel and/or inspecting the device or reimaging the hard drive upon return. SOURCE: AC-17 | |
74 | ||
75 | ||
76 | Safeguard VA sensitive information, in any format, device, system and/or software in remote locations (e.g., at home and during travel). SOURCE: AC-17 | |
77 | Provide authorized OI&T personnel access to inspect the remote location pursuant to an approved telework agreement that includes access to VA sensitive information. SOURCE: AC-17 | |
78 | Protect information about remote access mechanisms from unauthorized use and disclosure. SOURCE: AC-17 | |
79 | Exercise a higher level of awareness in protecting GFE mobile devices when traveling internationally as laws and individual rights vary by country and threats against Federal employee devices may be heightened. SOURCE: AC-19 | |
80 | I Will Not: | |
81 | ||
82 | Access non-public VA information technology resources from publicly-available IT computers, such as remotely connecting to the internal VA network from computers in a public library. SOURCE: AC-17 | |
83 | Access VA's internal network from any foreign country designated as such unless approved by my VA supervisor, ISO, local CIO, and Information System Owner. SOURCE: AC-17 | |
84 | User Accountability | |
85 | ||
86 | I Will: | |
87 | ||
88 | Complete mandatory security and privacy awareness training within designated time frames, and complete any additional role-based security training required based on my role and responsibilities. SOURCE: AT-3 | |
89 | Understand that authorized VA personnel may review my conduct or actions concerning VA information and information systems, and take appropriate action. SOURCE: AU-1 | |
90 | Have my GFE scanned and serviced by VA authorized personnel. This may require me to return it promptly to a VA facility upon demand. SOURCE: MA-2 | |
91 | Permit only those authorized by OI&T to perform maintenance on IT components, including installation or removal of hardware or software. SOURCE: MA-5 | |
92 | Sign specific or unique ROBs as required for access or use of specific VA systems. I may be required to comply with a non-VA entity's ROB to conduct VA business. While using their system, I must comply with their ROB. SOURCE: PL-4 | |
93 | ||
94 | Sensitive Information | |
95 | ||
96 | I Will: | |
97 | ||
98 | Ensure that all printed material containing VA sensitive information is physically secured when not in use (e.g., locked cabinet, locked door). SOURCE: MP-4 | |
99 | Only provide access to sensitive information to those who have a need-to-know for their professional duties, including only posting sensitive information to web-based collaboration tools restricted to those who have a need-to-know and when proper safeguards are in place for sensitive information. SOURCE: UL-2 | |
100 | Recognize that access to certain databases have the potential to cause great risk to VA, its customers and employees due to the number and/or sensitivity of the records being accessed. I will act accordingly to ensure the confidentiality and security of these data commensurate with this increased potential risk. SOURCE: UL-2 | |
101 | Obtain approval from my supervisor to use, process, transport, transmit, download, print or store electronic VA sensitive information remotely (outside of VA owned or managed facilities (e.g., medical centers, community based outpatient clinics (CBOC), or regional offices)). SOURCE: UL-2 | |
102 | Protect VA sensitive information from unauthorized disclosure, use, modification, or destruction, and will use encryption products approved and provided by VA to protect sensitive data. SOURCE: SC-13 | |
103 | Transmit individually identifiable information via fax only when no other reasonable means exist, and when someone is at the machine to receive the transmission or the receiving machine is in a secure location. SOURCE: SC-8 | |
104 | Encrypt email, including attachments, which contain VA sensitive information. SOURCE: SC-8 | |
105 | Protect SPI aggregated in lists, databases, or logbooks, and will include only the minimum necessary SPI to perform a legitimate business function. SOURCE: SC-28 | |
106 | Ensure fax transmissions are sent to the appropriate destination. This includes double checking the fax number, confirming delivery, using a fax cover sheet with the required notification message included. SOURCE: SC-8 | |
107 | I Will Not: | |
108 | ||
109 | Disclose information relating to the diagnosis or treatment of drug abuse, alcoholism or alcohol abuse, HIV, or sickle cell anemia without appropriate legal authority. I understand unauthorized disclosure of this information may have a | |
110 | ||
111 | serious adverse effect on agency operations, agency assets, or individuals. SOURCE: IP-1 | |
112 | Allow VA sensitive information to reside on non-VA systems or devices unless specifically designated and authorized in advance by my VA supervisor, ISO, and Information System Owner, local CIO, or designee. SOURCE: AC-20 | |
113 | Make any unauthorized disclosure of any VA sensitive information through any means of communication including, but not limited to, e-mail, instant messaging, online chat, and web bulletin boards or logs. SOURCE: SC-8 | |
114 | Encrypt email that does not include VA sensitive information or any email excluded from the encryption requirement. SOURCE: SC-8 | |
115 | Identification and Authentication | |
116 | ||
117 | I Will: | |
118 | ||
119 | Use passwords that meet the VA minimum requirements. SOURCE: IA-5 (1) | |
120 | Protect my passwords; verify codes, tokens, and credentials from unauthorized use and disclosure. SOURCE: IA-5 (h) | |
121 | I Will Not: | |
122 | ||
123 | Store my passwords or verify codes in any file on any IT system, unless that file has been encrypted using FIPS 140-2 (or its successor) validated encryption, and I am the only person who can decrypt the file. SOURCE: IA-5 (1) (c) | |
124 | Hardcode credentials into scripts or programs. SOURCE: IA-5 (1) (c) | |
125 | ||
126 | Incident Reporting | |
127 | ||
128 | I Will: | |
129 | ||
130 | Report suspected or identified information security incidents including anti-virus, antispyware, firewall or intrusion detection software errors, or significant alert messages (security and privacy) to my VA supervisor or designee immediately upon suspicion. SOURCE: IR-6 | |
131 | ||
132 | ACKNOWLEDGEMENT AND ACCEPTANCE | |
133 | ||
134 | I acknowledge that I have received a copy of VA information Security Rules of Behavior. | |
135 | I understand, accept and agree to comply with all terms and conditions of VA Information Security Rules of Behavior. | |
136 | ||
137 | ||
138 | ||
139 | ||
140 | ||
141 | ||
142 | ||
143 | ||
144 | ||
145 | Print or type your full name Signature Date | |
146 | ||
147 | ||
148 | ||
149 | ||
150 | ||
151 | ||
152 | ||
153 | ||
154 | Office Phone Position Title |