NIH IT General Rules of Behavior

Introduction

The Rules hold users accountable for their actions and responsible for information security. They apply to local, network, and remote use of HHS/NIH information (in both electronic and physical forms) and information systems by any individual.

I assert my understanding that:

  • Information and system use must comply with HHS and NIH policies and standards, and with applicable laws. Use for other than official, assigned duties is subject to the NIH Policy on Limited Authorized Personal Use of NIH Information Technology Resources.

  • Unauthorized access to information or information systems is prohibited.

  • Users must prevent unauthorized disclosure or modification of sensitive information, including Personally Identifiable Information (PII).

Information is considered sensitive if the loss of confidentiality, integrity, or availability could be expected to have a serious, severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. PII is a subset of sensitive information and is defined as data which can potentially be used to identify, locate, or contact an individual, or potentially reveal the activities, characteristics, or other details about a person.

Important: Two events must be reported to the NIH IT Service Desk within one hour:

  1. A suspected or confirmed loss of PII
  2. Loss of an NIH-issued laptop or BlackBerry (by employees and contractors)

All HHS/NIH laptop computers must be encrypted with approved encryption software (unless there is a waiver). Portable media such as universal serial bus (USB) flash drives must be encrypted if they contain sensitive information, including PII.

In accordance with NIH procedures, I shall:

  • Immediately report:

    • All lost or stolen HHS/NIH equipment to the NIH IT Service Desk, your supervisor and your Information Systems Security Officer (ISSO). As soon as possible, notify law enforcement personnel, the building security office and your IC property manager.

    • Known or suspected security incidents, information security policy violations or compromises, or suspicious activity. (Known or suspected security incidents include actual or potential loss of control or compromise, whether intentional or unintentional, of your login name and password, PII or other sensitive NIH information maintained or in possession of HHS/NIH or information processed by contractors and third parties on behalf of HHS/NIH.)

  • Ensure that software, including downloaded software, is properly licensed, free of malicious code, and authorized before installing and using it on NIH systems.

  • Abstain from loading unapproved software from unauthorized sources on NIH systems or networks. An unauthorized source is any location (e.g., a file store or server to which a device could connect, an Internet site, or an intranet site) or process that HHS/NIH IT security personnel have not permitted for the distribution of software.

  • Wear identification badges at all times in Federal facilities.

  • Log off or lock systems when leaving them unattended.

  • Use the access restrictions and unique identification provisions that protect information, and avoid sharing accounts.

  • Complete security awareness training before accessing any HHS/NIH system and annually thereafter. Complete specialized role-based security, remote access or privacy training as required by NIH policies. See Memo from HHS CIO: Training of Individuals Developing and Managing Sensitive Systems.

  • Permit only authorized HHS/NIH users to use HHS/NIH equipment and/or software.

  • Secure sensitive information (on paper and in electronic formats) when left unattended.

  • Keep sensitive information out of sight when visitors are present.

  • Sanitize or destroy electronic media and papers that contain sensitive data when no longer needed, in accordance with HHS/NIH records management (contact your IC Records Management Officer for questions) and sanitization policy and guidance, or as otherwise directed by management. Hard copies of sensitive data should be destroyed by pulping or shredding.

  • Only access sensitive information necessary to perform job functions (i.e., need to know).

  • Use PII only for the purposes for which it was collected, to include conditions set forth by stated privacy notices and published System of Records Notices. Information systems containing personally identifiable information (e.g., SSN, name, photo, and patient ID number) must be covered by a Privacy Act (PA) System of Records (SOR) Notice and will likely have added security controls you must follow. Contact your IC PA Coordinator for questions.

  • Ensure the accuracy, relevance, timeliness, and completeness of PII, as is reasonably necessary, to assure fairness in making determinations about an individual.

  • Adequately protect any sensitive information entrusted to me.

  • Protect HHS/NIH information assets from unauthorized access, use, modification, destruction, theft, or disclosure and treat such assets in accordance with any information handling policies.

  • Ensure important data is backed up, in particular on a server that is backed up on a regular basis. Secure backups in a manner commensurate with the risk and sensitivity of the data, and destroy them when no longer needed.

  • Encrypt sensitive data if sending via email or fax and during transmission outside of the NIHnet perimeter. PII that is distributed or communicated via email must always be encrypted using FIPS 140-2 compliant encryption, whether the PII is within an attachment or part of the actual message.

  • Include the following disclaimer on the fax cover sheet when sending faxes:

Warning: The attached information may be confidential. It is intended only for the addressee(s) identified above. If you are not the addressee(s), or an employee or agent of the addressee(s), please note that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this fax in error, please destroy the document and notify the sender of the error.

I Shall Not:

  • Violate, direct or encourage others to violate HHS/NIH policies.

  • Circumvent security safeguards, including by violating security policies or procedures or by reconfiguring systems except as authorized (i.e., violating least privilege).

  • Use another person’s account, identity, or password.

  • Remove computers or equipment from NIH premises without proper authorization (obtain a property pass if appropriate).

  • Send or post threatening, harassing, intimidating, or abusive material about others in public or private messages or forums.

  • Exceed authorized access to sensitive information.

  • Store sensitive information in public folders or other insecure physical or electronic storage locations.

  • Share sensitive information, except as authorized and with formal agreements that ensure third parties will adequately protect it.

  • Transport, transfer, email, remotely access, or download sensitive information, inclusive of PII, unless such action is explicitly permitted by the manager or owner of such information and appropriate safeguards are in place per NIH policies concerning sensitive information.

  • Use sensitive information for anything other than the purpose for which it has been authorized.

  • Access information for unauthorized purposes.

  • Use sensitive HHS/NIH data for private gain or to misrepresent myself or HHS/NIH or any other unauthorized purpose.

  • Store sensitive information on portable devices such as laptops, personal digital assistants (PDAs), universal serial bus (USB) drives or on remote/home systems without authorization and appropriate safeguards, as stipulated by the HHS Encryption Standard for Mobile Devices and Portable Media.

  • Knowingly or willingly conceal, remove, mutilate, obliterate, falsify, or destroy information for personal use for self or others. (See 18 U.S.C. 2071)

  • Copy or distribute intellectual property—including music, software, documentation, and other copyrighted materials—without permission or license from the copyright owner.

  • Modify software without management approval.

  • Use a personal email system (e.g., Gmail, Yahoo, Hotmail) to transmit sensitive information.

Actions Prohibited by the NIH Policy on Limited Authorized Personal Use of NIH Information Technology Resources

  • Unethical or illegal conduct.

  • Sending or posting obscene or offensive material in messages or forums.

  • Sending or forwarding chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages.

  • Sending messages supporting political activity restricted under the Hatch Act.

  • Conducting any commercial or “for-profit” activity.

  • Utilizing peer-to-peer software except for secure tools approved in writing by the NIH CIO to meet business or operational needs.

  • Sending, retrieving, viewing, displaying, or printing sexually explicit, suggestive text or images, or other offensive material.

  • Creating and/or operating unapproved Web sites.

  • Incurring more than minimal additional expense, such as using non-trivial amounts of storage space or bandwidth for personal files or photos.

  • Using the Internet or NIH workstation to play games, visit chat rooms, or gamble.

I Shall Ensure Passwords

See the NIH Password Policy for more information.

  • Are complex and contain a minimum of eight alphanumeric characters with at least three of the following: capital letters, lowercase letters, numbers and special characters. Password length and complexity must be consistent with the sensitivity of the information or transactions that they protect or enable.

  • Do not contain words found in a dictionary, names, and personal data (e.g., birth dates, addresses, social security numbers, and phone numbers).

  • Are changed at least every 60 days, immediately in the event of known or suspected compromise, and immediately upon system installation (e.g. default or vendor-supplied passwords).

  • Are not reused until at least 24 other passwords have been used.

  • Are committed to memory, or stored in a secure place. I will not share passwords.

  • I may consider using a Pass Phrase instead of a password—they are generally more secure.
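An added example (not part of the NIH policy text) that checks a candidate password against the rules stated above: minimum length, three of four character classes, no dictionary words or personal data, no reuse within the last 24 passwords, and the 60-day change interval. The word list is a constructed stand-in, and previous passwords are assumed to be kept as SHA-256 fingerprints rather than plaintext.

```python
import hashlib
import re
from datetime import date

# Parameters taken from the password rules on this page.
MIN_LENGTH = 8        # minimum of eight characters
MIN_CLASSES = 3       # at least three of the four character classes
MAX_AGE_DAYS = 60     # changed at least every 60 days
HISTORY_SIZE = 24     # not reused until 24 other passwords have been used
# Constructed stand-in for a real dictionary and name list (assumption, not from the page).
DICTIONARY = {"password", "welcome", "summer", "bethesda"}
CLASS_PATTERNS = {"upper": re.compile(r"[A-Z]"), "lower": re.compile(r"[a-z]"),
                  "digit": re.compile(r"[0-9]"), "special": re.compile(r"[^A-Za-z0-9]")}

def fingerprint(password):
    """Reuse check compares hashes so the history never stores plaintext passwords.
    Unsalted SHA-256 is for illustration; a real history store uses a slow, salted hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def _normalize(text):
    # Drop separators so "04/12/1985" also matches "04121985" inside a password.
    return re.sub(r"[^a-z0-9]", "", text.lower())

def check_password(password, personal_data=(), history=()):
    """Return the list of rule violations; an empty list means the password passes.
    personal_data: the user's names, birth dates, phone numbers, etc.
    history: fingerprints of previous passwords, oldest first."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}
    if len(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if any(word in password.lower() for word in DICTIONARY):
        problems.append("contains a dictionary word")
    normalized = _normalize(password)
    for item in personal_data:
        if _normalize(item) and _normalize(item) in normalized:
            problems.append(f"contains personal data ({item})")
    if fingerprint(password) in list(history)[-HISTORY_SIZE:]:
        problems.append(f"reused within the last {HISTORY_SIZE} passwords")
    return problems

def password_expired(last_changed, today=None):
    """True when the password is due for its 60-day change."""
    today = today or date.today()
    return (today - last_changed).days >= MAX_AGE_DAYS
```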

General Information Management Requirements: Ensure the following protections are properly engaged when accessing sensitive HHS/NIH information—particularly on non-HHS/NIH equipment or equipment housed outside of HHS/NIH facilities.

  • Use antivirus software with the latest updates.

  • On personally-owned systems, use anti-spyware and personal firewalls.

  • For remote access and mobile devices, use a time-out function that requires re-authentication after no more than 30 minutes of inactivity. BlackBerry and similar devices must be protected with a 6-character password. The time-out screen must contain the following text (but can be more specific): “US Government Property. If found, please call 301-496-4357.”

  • Use two-factor authentication for remote access to sensitive information.

  • Adequately control physical access to areas containing sensitive information.

  • Use approved encryption to protect sensitive information stored on portable devices or recordable media, including laptops, thumb drives, and external disks; stored on remote systems; or transmitted or downloaded via e-mail or remote connections. Government data cannot be stored on personally-owned equipment.

  • Adhere to all provisions and agreements related to off-site work.

Note: As part of their annual security awareness training, all NIH staff review and agree to adhere to these Rules by electronically accepting the following statement.

Federal Acknowledgement Statement

I have read the HHS/NIH Rules of Behavior, dated September 27, 2010, and understand and agree to comply with its provisions.

  • I understand that when accessing a U.S. Government information system (which includes: 1) the computer, 2) the computer network, 3) all computers connected to that network, and 4) all devices and storage media attached to that network or to a computer on that network), use of the system is for U.S. Government-authorized use only. By using the information system, I understand and consent to the following:

    • I have no reasonable expectation of privacy regarding any communications or data transiting or stored on the information system, including removable storage media in my possession or work spaces. At any time, and for any lawful Government purpose, the government may monitor, intercept, record, and search and seize any communication or data transiting or stored on the information system or contained in removable storage media.

    • Any communication or data transiting or stored on the information system may be disclosed or used for any lawful Government purpose.

  • I understand that violations of the HHS/NIH Rules or information security policies and standards may lead to disciplinary action, up to and including termination of employment; removal or debarment from work on Federal contracts or projects; and/or revocation of access to Federal information, information systems, and/or facilities and may also include civil and criminal penalties and/or imprisonment.

  • I understand that exceptions to the HHS/NIH Rules must be authorized in advance in writing by the NIH Chief Information Officer or his/her designee.

  • I also understand that violation of laws, such as the Privacy Act of 1974, copyright law, and 18 U.S.C. 2071, which the Rules draw upon, can result in monetary fines and/or criminal charges that may result in imprisonment.