PL-04-727 Rules of Behavior

Rules of Behavior

PL-04-727
Rules of Behavior
Planning
Identify, Protect
Data Classification, Media
LOW, MOD, HIGH
P2
Yes
September 22, 2016

The Rules of Behavior for Use of Agency Information Resources (TTI RoB) provides the rules that govern the appropriate use of all TTI-owned or maintained information resources for Agency users, including employees, contractors, and other system users. The TTI RoB are issued under the authority of the TTI Information Resources Rule.[1] The prior TTI Acceptable Use Policy (TTI AUP) (dated November 7, 2013) is made obsolete by the publication of this updated version.

All new users of Agency information resources must read the TTI RoB and acknowledge the conditions outlined in the RoB through the TAMUS TrainTraq application before accessing Agency data or other information, systems, and/or networks. This acknowledgment must be completed annually thereafter. By acknowledging these conditions users reaffirm their knowledge of, and agreement to adhere to, the TTI RoB.

The TTI RoB cannot account for every possible situation. Therefore, where the TTI RoB does not provide explicit guidance, users must exercise their best judgment to apply the principles set forth in the standards for ethical conduct to guide their actions.[2]

Non-compliance with the TTI RoB may be cause for disciplinary actions. Depending on the severity of the violation and management discretion, consequences may include one or more of the following actions:

  • Suspension of access privileges;
  • Revocation of access to federal information, information systems, and/or facilities;
  • Reprimand;
  • Termination of employment;
  • Removal or disbarment from work on federal contracts or projects;
  • Monetary fines; and/or
  • Criminal charges that may result in imprisonment.

Supplemental rules of behavior may be created for specific information resources[3] that require users to comply with rules beyond those contained in this document. In such cases, users must also sign these supplemental rules of behavior prior to receiving access to these resources and must comply with ongoing requirements of each individual resource to retain access (such as re-acknowledging the resource-specific rules by signature each year). Information resource owners must document any additional resource-specific rules of behavior and any recurring requirement to sign the respective acknowledgment in the security plan for their resources. Each information resource owner must implement a process to obtain and retain the signed rules of behavior for such resources and must ensure that user access to such resource information is prohibited without a signed acknowledgment of resource-specific rules and a signed acknowledgment of the TTI RoB.

National security systems, as defined by the Federal Information Security Management Act (FISMA)[4], must independently or collectively implement their own resource-specific rules.

These TTI RoB apply to local, network, and remote use[5] of Agency information (in both electronic and physical forms) and information resources by any individual.

Users of Agency information and information resources must acknowledge the following statements:

I assert my understanding that:

  • Use of Agency information and information resources must comply with TAMUS policies and regulations, Agency rules, standards, procedures, and controls, and all applicable laws;
  • Use for other than official assigned duties is subject to TAMUS policies regarding use of System resources[6];
  • Unauthorized access to information or information resources is prohibited; and
  • Users must prevent unauthorized disclosure or modification of sensitive information.

I must:

General Security Practices

  • Follow Agency security practices whether working at my primary workplace or remotely;
  • Accept that I will be held accountable for my actions while accessing and using Agency information and information resources;
  • Ensure that I have appropriate authorization to install and use software, including downloaded software on Agency information resources and that before doing so I will ensure that all such software is properly licensed, approved, and free of malicious code;
  • Lock workstations and remove any hardware authentication tokens from computing resources when leaving them unattended;
  • Use only my assigned unique identification and authentication mechanisms to access Agency information resources and facilities;
  • Complete security awareness training (i.e., TAMUS Information Security Awareness Training) before accessing any Agency information resource and on an annual basis thereafter, and complete any specialized role-based security or privacy training that may be assigned to me;
  • Permit only authorized Agency users to use Agency equipment and/or software;
  • Take all necessary precautions to protect Agency information assets[7] (including but not limited to hardware, software, personally identifying information (PII)[8], sensitive personal information (SPI)[9], protected health information (PHI)[10], and state and federal records [media neutral]) from unauthorized access, use, modification, destruction, theft, disclosure, loss, damage, or abuse, and treat such assets in accordance with any information handling policies;
  • Immediately report to the information security office (ISO) all lost or stolen Agency information resources; known or suspected security incidents[11]; known or suspected information security policy violations or compromises; or suspicious activity;
  • Notify the export control officer when I plan to bring Agency-owned equipment on foreign travel;
  • Maintain awareness of risks involved with clicking on e-mail or text message web links; and
  • Only use approved methods for accessing Agency information and information resources.

Privacy

  • Understand and consent to having no expectation of privacy while accessing Agency computers, networks, or e-mail;
  • Release information to members of the public including individuals or the media only as allowed by the scope of my duties and the law;
  • Refrain from accessing information about individuals unless specifically authorized and required as part of my assigned duties;
  • Use PII, SPI and PHI only for the purposes for which it was collected and consistent with conditions set forth by stated privacy notices such as those provided to individuals at the point of data collection and published System of Records Notices; and
  • Ensure the accuracy, relevance, timeliness, and completeness of PII, as is reasonably necessary and to the extent possible, to assure fairness in making determinations about an individual.

Sensitive Information

  • Treat computer, network and web application account credentials as sensitive personal information (SPI) and refrain from sharing accounts;
  • Secure sensitive information, regardless of media or format, when left unattended;
  • Keep sensitive information out of sight when visitors are present;
  • Sanitize or destroy electronic media and papers that contain sensitive data when no longer needed, in accordance with the TTI Records Management Procedures[12] and sanitization policies, or as otherwise lawfully directed by management;
  • Access sensitive information only when necessary to perform job functions; and
  • Properly protect (e.g., encrypt) Agency sensitive information at all times while stored or in transmission, in accordance with Agency security controls for cryptographic protection.[13]

I must not:

  • Violate, direct, or encourage others to violate TAMUS policies or regulations, or Agency rules or procedures;
  • Circumvent security safeguards, including violating security policies or procedures or reconfiguring systems, except as authorized;
  • Use another person’s account, identity, password/passcode/PIN, or hardware authentication token, or share my password/passcode/PIN;
  • Remove data or equipment from the Agency premises without proper authorization;
  • Use Agency information, information resources, and hardware to send or post threatening, harassing, intimidating, or abusive material about others in public or private messages or forums;
  • Exceed authorized access to sensitive information;
  • Share or disclose sensitive information except as authorized and with formal agreements that ensure third-parties will adequately protect it;
  • Transport, transmit, e-mail, remotely access, or download sensitive information unless such action is explicitly permitted by the owner or custodian of such information and appropriate safeguards are in place per Agency policies concerning sensitive information;
  • Use sensitive information for anything other than the purpose for which it has been authorized;
  • Access information for unauthorized purposes;
  • Use sensitive Agency information for private gain or to misrepresent myself or the Agency, or for any other unauthorized purpose;
  • Store sensitive information in public folders or other insecure physical or electronic storage locations;
  • Knowingly or willingly conceal, remove, mutilate, obliterate, falsify, or destroy information;
  • Copy or distribute intellectual property including music, software, documentation, and other copyrighted materials without written permission or license from the copyright owner;
  • Modify or install software without prior proper approval per Network & Information Systems procedures;
  • Conduct official Agency business or transmit/store sensitive Agency information using non-authorized equipment or services; or
  • Use systems (either Agency issued or non-government systems) without the following protections in place to access sensitive Agency information:
    • Antivirus software with the latest updates;
    • Anti-spyware and personal firewalls;
    • A time-out function that requires re-authentication after no more than 30 minutes of inactivity on remote access; and
    • Approved encryption[14] to protect sensitive information stored on recordable media, including laptops, USB drives, and external disks; or transmitted or downloaded via e-mail or remote connections.

I must refrain from the following activities when using Agency systems, which are prohibited per the TAMUS Policy for Use of System Resources[15]:

  • Unethical or illegal conduct;
  • Sending or posting obscene or offensive material;
  • Sending or forwarding chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages;
  • Sending messages supporting prohibited partisan political activity;
  • Conducting any commercial or for-profit activity;
  • Using peer-to-peer (P2P) software except for secure tools approved in writing by the chief information security officer to meet business or operational needs;
  • Sending, retrieving, viewing, displaying, or printing sexually explicit, suggestive text or images, or other offensive material (other than in the course of academic research);
  • Creating and/or operating unapproved Web sites or services;
  • Allowing personal use of Agency resources to adversely affect Agency systems, services, and co-workers (such as using non-trivial amounts of storage space or bandwidth for personal digital photos, music, or video);
  • Using the Internet or Agency workstation to play games or gamble; and
  • Posting Agency information to external newsgroups, social media and/or other types of third-party website applications, or other public forums without authority, including information which is at odds with Agency missions or positions. This includes any use that could create the perception that the communication was made in my official capacity as a state government employee unless I have previously obtained appropriate Agency approval.

TTI Rules of Behavior Addendum for Privileged Access User Accounts

The TTI Rules of Behavior for Privileged Access User Accounts is an addendum to the TTI Rules of Behavior for Use of Information Resources (TTI RoB) and provides common rules on the appropriate use of all TTI information resources for all Agency Privileged Access Users,[16] including Agency employees, interns, and contractors. Privileged Access User account roles have elevated privileges above those in place for general user accounts regardless of account scope (e.g., both local and domain administrator accounts). Potential compromise of Privileged Access User accounts carries a risk of substantial damage and therefore Privileged Access User accounts require additional safeguards.

All users of Privileged Access User accounts for Agency information resources must read these standards and sign the accompanying acknowledgment form in addition to the TTI RoB before accessing Agency information, information resources, and/or networks in a privileged access role. The same signature acknowledgment process followed for the TTI RoB applies to the Privileged Access User accounts. Each division must maintain a list of Privileged Access User accounts.

I understand that as a Privileged Access User, I must:

  • Protect all Privileged Access User account passwords/passcodes/hardware authentication tokens;
  • Comply with all system/network administrator responsibilities in accordance with NIS procedures;
  • Use my Privileged Access User account(s) for official administrative actions only;
  • Notify system owners immediately when privileged access is no longer required; and
  • Complete any specialized role-based security or privacy training as required before receiving privileged system access.

I understand that as a Privileged Access User, I must not:

  • Share Privileged Access User account(s) or password(s)/passcode(s)/hardware authentication tokens;
  • Install, modify, or remove any system hardware or software without system owner written approval;
  • Remove or destroy system audit, security, event, or any other log data;
  • Acquire, possess, trade, or use hardware or software tools that could be employed to evaluate, compromise, or bypass information resource security controls;
  • Introduce unauthorized code, Trojan horse programs, malicious code, or viruses into Agency information resources or networks;
  • Knowingly write, code, compile, store, transmit, or transfer malicious software code, to include viruses, logic bombs, worms, and macro viruses;
  • Use Privileged Access User account(s) for day-to-day communications;
  • Elevate the privileges of any user without prior approval from the system owner;
  • Use privileged access to circumvent Agency policies or security controls;
  • Use a Privileged Access User account for Web access; or
  • Modify security settings on system hardware or software without the approval of a system administrator and/or a system owner.

__________

[1] TTI Rule 29.01.99.I1, Information Resources.

[2] TAMUS Policy 07.01, Ethics.

[3] Texas Government Code §2054.003(7) defines an “information resource” as: “the procedures, equipment, and software that are employed, designed, built, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information, and associated personnel including consultants and contractors.”

[4] Refer to Title 44 US Code §3542(b)(2)(A) for the definition of “national security systems.”

[5] Refer to the glossary of National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations for definitions of local, network, and remote access.

[6] TAMUS Policy 33.04, Use of System Resources.

[7] Agency information assets are defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of TTI. Definition is adapted from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Revision 1, Guide for Conducting Risk Assessments.

[8] Refer to Texas Business and Commerce Code §521.002(a)(1) for the definition of “personal identifying information.”

[9] Refer to Texas Business and Commerce Code §521.002(a)(2) for the definition of “sensitive personal information.”

[10] Refer to Title 45 Code of Federal Regulations §160.103 for the definition of “protected health information.”

[11] Known or suspected security incidents involve the actual or potential loss of control or compromise, whether intentional or unintentional, of authenticator, password, or sensitive information maintained by or in the possession of TTI or information processed by contractors and third-parties on behalf of TTI.

[12] TTI Records Management Procedures.

[13] Agency Information Security Control SC-13-727, Cryptographic Protection.

[14] Agency Information Security Control SC-13-727, Cryptographic Protection.

[15] TAMUS Policy 33.04, Use of System Resources.

[16] Per National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, privileged roles include, for example, key management, network and system administration, database administration, and Web administration.

Improper use of information or assets occurs inside an information processing facility.
The organization:
  a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
  b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
  c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and
  d. Requires individuals who have signed a previous version of the rules of behavior to read and resign when the rules of behavior are revised/updated.
Personnel sign an acceptable usage policy and procedure.
The state organization defines scope, behavior, and practices; compliance monitoring pertaining to users of information resources.
Obtain security planning policy; procedures addressing rules of behavior for information system users; NIST Special Publication 800-18; rules of behavior; other relevant documents or records and ascertain if:
  (i) the organization establishes a set of rules that describe user responsibilities and expected behavior with regard to information and information system usage.
  (ii) the organization makes the rules available to all information system users.
  (iii) the rules of behavior for organizational personnel are consistent with NIST Special Publication 800-18.
  (iv) the organization receives a signed acknowledgement from users indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to the information system and its resident information.