The U.S. Equal Employment Opportunity Commission

INFORMATION SECURITY RESPONSIBILITIES OF EEOC SYSTEM USERS

It is the responsibility of all EEOC system users to help ensure the security and integrity of the information contained in the Commission’s automated and manual records systems. The Office of Management and Budget (OMB) Circular A-130, the Privacy Act of 1974, and the Federal Information Security Management Act of 2002 all define such information, as well as the technology used to maintain it, as a vital Government asset. Those who control or use this information are responsible for its care, custody and protection. All EEOC system users, whether EEOC employees, contractors, contingent workers, or other users of EEOC information and information systems, are expected to be aware of certain legal rules and policies which must be followed for the purpose of safeguarding such information. Violation of these rules may be grounds for disciplinary action up to and including removal.

1. Responsibilities Under the Confidentiality Provisions of Laws Enforced by EEOC

The confidentiality provisions of Title VII of the Civil Rights Act of 1964 and Title I of the Americans with Disabilities Act prohibit the Commission, its officers and employees from disclosing to the public, prior to the institution of a lawsuit, information involving: (a) any charges filed under those Acts, (b) anything said or done during informal efforts to resolve such charges, (c) any reports that employers are required to file with the Commission under those Acts, and (d) any information obtained by the Commission during the investigation of such charges. Violators can be fined not more than $1,000, imprisoned for not more than one year, or disciplined.

2. Privacy Act Responsibilities

The Privacy Act of 1974 prohibits any disclosure by an agency officer or employee of information from any system of records about individual persons, unless the disclosure is consented to by the individual to whom the record pertains, is covered by an exception, or would be for a routine use, as defined by the Act. Violation is a criminal misdemeanor subject to a fine of not more than $5,000. The same penalty also applies to any agency officer or employee who maintains a system of records (manual or automated) about individual persons without complying with the Privacy Act notice requirements. The Act also makes it possible for individuals who believe that they are the victims of such illegal disclosures, or who believe that such information, even though properly disclosed, was inaccurate, to sue the agency responsible for such disclosures as well as for any harm, embarrassment or inconvenience which might have been caused by the existence of such inaccurate information.

3. Procurement Integrity Act Responsibilities

For those working pursuant to the Procurement Integrity Act, the Act prohibits any disclosure of proprietary or source selection information during the conduct of a procurement action that is not authorized by the head of the agency or the agency contracting officer. The Act provides for civil and criminal penalties, as well as administrative discipline, for violation.

4. Federal Property Management and Office of Government Ethics Responsibilities

The information resources, including computers and telecommunications equipment, acquired and used by the Agency, are Federal property and are subject to EEOC, OMB, General Services Administration, and Office of Government Ethics regulations on the management and use of Federal property [5 CFR Part 2635 Standards of Ethical Conduct for Employees of the Executive Branch; 41 CFR Ch. 101 - Federal Property Management Regulations]. EEOC has obtained its information technology (IT) equipment for the purpose of performing mission-related work. Any activity which interferes with that purpose violates Federal property regulations. Such activities include using IT equipment for non-governmental commercial business purposes, intentionally spreading computer viruses, the use of Federally funded Internet accounts and services for non-government business, etc. Employees who have not fulfilled their responsibilities under the provisions of these property regulations are subject to administrative disciplinary action.

Federal employees are permitted limited use of government office equipment for personal, non-commercial needs if the use does not interfere with official business and involves minimal additional expense to the Government. This limited personal use of government office equipment should take place during the employee’s non-work time. This privilege may be revoked or limited at any time by the employee’s supervisor or by other appropriate agency officials.

5. Software Licensing Compliance Responsibilities

Agency employees, contractors, contingent workers, and other users of EEOC information and information systems are prohibited from making unauthorized use or duplication of software acquired by the Government for official business, or from using unlicensed software on government equipment, which would violate the Federal Copyright statute and expose EEOC to the possibility of lawsuits from software vendors. System users are to install on EEOC computers only commercial software that has been purchased through the government procurement process and has been determined by the Office of Information Technology (OIT) to be compatible with EEOC’s standard desktop configuration requirements. Employees are not allowed to install personally owned software on government computers unless a specific, written exemption has been authorized by OIT. Detailed procedures for performing the foregoing responsibilities are contained in the March 2, 1999 memorandum entitled “EEOC Copyrighted Software Policy.”

6. Physical Security Responsibilities

EEOC system users must notify their EEOC supervisor or point of contact of every occurrence of fire, water damage, or other incident which results in damage to information assets. They should be knowledgeable about office fire procedures and where the nearest fire extinguisher is located.

7. Accountability and Control Responsibilities

EEOC system users are responsible for ensuring the security of sensitive information and protecting the technology and equipment which supports its information systems as specified in the following:

  1. IT resources (i.e., hardware, software, information, etc.) are Federal property, and must be protected from unauthorized use or theft. The Office Director and the office’s designated System Security Officer are responsible for defining and establishing the appropriate levels of control needed to safeguard their office’s information systems and IT resources. However, each employee has a personal responsibility to ensure that the information and information resources which they use, manage, and maintain are properly protected and secured. These responsibilities include the proper use of passwords for accessing local and wide area networks, electronic bulletin boards, web pages, and database systems; logging out of unattended information systems; and providing appropriate physical security for information systems in their care.
  2. Supervisors and the System Security Officers must be notified of any suspected incident of a breach or unauthorized disclosure of Agency information or any occurrence (e.g., virus attack, fire, water damage, etc.), which results in damage to an Agency information asset.
  3. EEOC system users must take reasonable steps to prevent the loss of application software programs or data belonging to the EEOC. This includes making regular use of EEOC’s anti-virus software to scan computers for possible viruses and eradicating them when detected. In addition, system users should scan any storage media (diskettes, tape, etc.) for viruses before copying information onto the Agency’s IT resources. This is particularly important for all electronic files downloaded from the Internet and other external electronic bulletin board services.
  4. System users must promptly report any hardware or software malfunctions to the individual responsible for maintenance support.
  5. Any system user responsible for administration of an Agency information system will periodically back up and store, in a secure location, a current copy of application software and copies of system data files. At a minimum, administrators of information systems critical to the accomplishment of the EEOC mission (e.g., charge and litigation information, budget and procurement information, etc.) must create a full backup of all data on a weekly basis, and (in consultation with the Office Director or System Security Officer) should consider making arrangements for off-site storage of the backups.
  6. All electronic media (diskettes, disk drives, CD-ROM disks, tapes, etc.) containing sensitive information must be properly secured to prevent any unauthorized access. When disposing of such media, employees must take steps to ensure that any data stored on the media cannot be recovered or read. System users should consider reformatting, degaussing, or overwriting the media to ensure that the information cannot be retrieved.
  7. System users must take appropriate measures to secure paper reports containing sensitive information and properly dispose of these materials through shredding or other appropriate means.
  8. The authorized movement or transfer of equipment, such as computers (both desktop and laptop/notebook), peripheral devices and software, from a government facility must be controlled. A system user who is responsible for any such movement should obtain a property pass from the designated facilities control official before such items are removed from the office. To protect such equipment, a sign-out log showing specific removal and return dates should be maintained for all laptop or notebook computers that are checked out of the office.
  9. All hardware and software, including data files, storage media, manuals and other documentation should be returned to the supervisor or appropriate property officer when an employee is reassigned, transferred, separated, or terminated.

8. Other EEOC System User Information Security Responsibilities

  1. Exercise reasonable care not to cause a loss of programs or data assigned to or used by another EEOC system user;
  2. Do not tape passwords to desks, walls, or terminals; commit them to memory and do not disclose them;
  3. Exercise reasonable care not to leave terminals or personal computers turned on and unattended in unlocked rooms for long periods of time; use of password-protected screen savers is required;
  4. Take appropriate measures to secure (i.e., protect from unauthorized or illegal disclosure or alteration) and dispose of (i.e., shred) printouts containing sensitive information as defined above;
  5. Follow all of the policies and procedures described in EEOC Order 240.006 (EEOC Internet Policy and Procedures) concerning EEOC system user responsibilities for the use of the Internet, as well as those described in the December 7, 2000 OIT memorandum entitled “Policy on Utilization of EEOC’s Electronic Mail Systems.”

ACKNOWLEDGMENT OF RECEIPT

This will acknowledge that I have received and read a copy of:


_______________________________________
 (PRINT YOUR NAME HERE)


_______________________________________
 SIGNATURE                                   DATE


This page was last modified on April 24, 2007.