HHS Rules of Behavior

(For Use of Technology Resources and Information)

February 12, 2008 

HHS-OCIO-2008-0001.003S

The HHS Rules of Behavior (HHS Rules) provides common rules on the appropriate use of all HHS technology resources and information[1] for Department users, including federal employees, interns and contractors.  The HHS rules work in conjunction with the HHS-OCIO-2006-0001, Policy for Personal Use of Information Technology Resources, dated February 17, 2006, and are issued under the authority of the  HHS-OCIO-2007-0002, Policy for Department-wide Information Security, dated September 25, 2007. Both references may be found at URL: http://www.hhs.gov/ocio/policy/index.html.

All users of Department technology, resources, and, information must read these rules and sign the accompanying acknowledgement form before accessing Department data/information, systems and/or networks.  This acknowledgement must be signed annually, preferably as part of Information Security Awareness Training, to reaffirm knowledge of and agreement to adhere to the HHS rules.  The HHS rules may be presented to the user in writing or electronically, and the user’s acknowledgement may be obtained by written or electronic signature.  Each Operating Division (OPDIV) Chief Information Officer (CIO) shall determine how signatures are to be submitted, retained, and recorded[2]; and may append any necessary information or fields to the signature page.  For electronic signatures, the specific version number of the HHS rules must be retained along with the date, and sufficient identifying information to uniquely link the signer to his or her corresponding information system accounts.  Electronic copies of the signed Signature Page may be retained in lieu of the original.  Each OPDIV CIO shall ensure that information system and information access is prohibited in the absence of a valid, signed HHS rules from each user.

Each HHS OPDIV may require user certification to policies and requirements, more restrictive than the rules prescribed herein, for the protection of OPDIV information and systems.

Furthermore, supplemental rules of behavior may be created for systems which require users to comply with rules beyond those contained in the HHS Rules.  In such cases, users must additionally sign these supplemental rules of behavior prior to receiving access to these systems, and must comply with any ongoing requirements of each individual system to retain access (such as re-acknowledging the system-specific rules by signature each year).  System owners shall document system-specific rules of behavior and any recurring requirement to sign them in the System Security Plan for their systems. Each OPDIV CIO shall implement a process to obtain and retain the signed rules for such systems and shall ensure that user access to their information is prohibited without a signed, system-specific rules and a signed HHS Rules.

National security systems, as defined by the Federal Information Security Management Act (FISMA), must independently or collectively, implement their own system-specific rules.

These HHS Rules apply to both the local and remote use of HHS information (in both electronic and physical forms) and information systems by any individual.

• Information and system use must comply with Department and OPDIV policies and standards, and with applicable laws.
• Use for other than official, assigned duties is subject to the HHS-OCIO-2006-0001, Policy for Personal Use of Information Technology Resources, dated February 17, 2006.
• Unauthorized access to information or information systems is prohibited.
• Users must prevent unauthorized disclosure or modification of sensitive information, including Personally Identifiable Information (PII)[3]. 

Users shall:

• In accordance with OPDIV procedures, immediately report all lost or stolen HHS equipment, known or suspected security incidents, known or suspected information security policy violations or compromises, or suspicious activity. Known or suspected security incidents is inclusive of an actual or potential loss of control or compromise, whether intentional or unintentional, of authenticator, password, or sensitive information, including PII, maintained or in possession of the OPDIV.
• Ensure that software, including downloaded software, is properly licensed, free of malicious code, and authorized before installing and using it on Departmental systems.
• Wear identification badges at all times in federal facilities.
• Log-off or lock systems when leaving them unattended.
• Use provisions for access restrictions and unique identification to information and avoid sharing accounts.
• Complete security awareness training before accessing any HHS/OPDIV system and on an annual basis thereafter.  Also, complete any specialized role-based security or privacy training, as required.  See Memo from HHS CIO: Training of Individuals Developing and Managing Sensitive Systems, dated November 7, 2007.
• Permit only authorized HHS users to use HHS equipment and/or software.
• Secure sensitive information (on paper and in electronic formats) when left unattended.
• Keep sensitive information out of sight when visitors are present.
• Sanitize or destroy electronic media and papers that contain sensitive data when no longer needed, in accordance with HHS records management and sanitization policies, or as otherwise directed by management.
• Only access sensitive information necessary to perform job functions (i.e., need to know).
• Use PII only for the purposes for which it was collected, to include conditions set forth by stated privacy notices and published system of records notices.
• Ensure the accuracy, relevance, timeliness, and completeness of PII, as is reasonably necessary, to assure fairness in making determinations about an individual.

Users shall not:

• Direct or encourage others to violate HHS policies.
• Circumvent security safeguards or reconfigure systems except as authorized (i.e., violation of least privilege).
• Use another person’s account, identity, or password.
• Remove computers or equipment.
• Send or post threatening, harassing, intimidating, or abusive material about others in public or private messages or forums.
• Exceed authorized access to sensitive information.
• Store sensitive information in public folders or other insecure physical or electronic storage locations.
• Share sensitive information, except as authorized and with formal agreements that ensure third parties will adequately protect it.         
• Transport, transfer, email, remotely access, or download sensitive information, inclusive of PII, unless such action is explicitly permitted by the manager or owner of such information.
• Store sensitive information on portable devices such as laptops, personal digital assistants (PDA) and universal serial bus (USB) drives or on remote/home systems without authorization or appropriate safeguards, as stipulated by the HHS Encryption Standard for Mobile Devices and Portable Media, dated August 21, 2007.   
• Knowingly or willingly conceal, remove, mutilate, obliterate, falsify, or destroy information for personal use for self or others. (See 18 U.S.C. 2071)
• Copy or distribute intellectual property—including music, software, documentation, and other copyrighted materials—without permission or license from the copyright owner.
• Modify software without management approval.

The following are prohibited on Government systems per the HHS-OCIO-2006-0001, Policy for Personal Use of Information Technology Resources, dated February 17, 2006:

• Sending or posting obscene or offensive material in messages or forums.
• Sending or forwarding chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages.
• Sending messages supporting political activity restricted under the Hatch Act.
• Conducting any commercial or “for-profit” activity.
• Utilizing peer-to-peer software without OPDIV CIO approval.
• Sending, retrieving, viewing, displaying, or printing sexually explicit, suggestive text or images, or other offensive material.
• Operating unapproved web sites.
• Incurring more than minimal additional expense, such as using non-trivial amounts of storage space or bandwidth for personal files or photos.
• Using the Internet or HHS workstation to play games, visit chat rooms, or gamble.

Users shall ensure the following protections are properly engaged, particularly on non-HHS equipment or equipment housed outside of HHS facilities:

• Use antivirus software with the latest updates.
• On personally-owned systems, use of anti-spyware and personal firewalls.
• For remote access and mobile devices, a time-out function that requires re-authentication after no more than 30 minutes of inactivity.
• Adequate control of physical access to areas containing sensitive information.
• Use of approved encryption to protect sensitive information stored on portable devices or recordable media, including laptops, thumb drives, and external disks; stored on remote or home systems; or transmitted or downloaded via e-mail or remote connections.
• Use of two-factor authentication for remote access to sensitive information.

Users shall ensure that passwords:

• Contain a minimum of eight alphanumeric characters and (when supported by the OPDIV environment) at least one uppercase and one lowercase letter, and one number, and one special character.
• Avoid words found in a dictionary, names, and personal data (e.g., birth dates, addresses, social security numbers, and phone numbers).
• Are changed at least every 90 days, immediately in the event of known or suspected compromise, and immediately upon system installation (e.g. default or vendor-supplied passwords).
• Are not reused until at least six other passwords have been used.
• Are committed to memory, or stored in a secure place.

[1] HHS technology resources and information are comprised of technology resources and information under the ownership of both HHS Operating Divisions and directly by the Department.