Human Resources
Integrated Time and Attendance System
Rules of Behavior

1. Introduction

The following rules of behavior are to be followed by all users (Contractors and HHS Employees) who use any networked or standalone System that supports the mission and functions of the Department of Health and Human Services and any Sub Agency. The rules in Section 4 clearly delineate responsibilities and expectations for all individuals with access to these systems. The rules in Section 5 are additional rules for systems security administrators, systems administrators, and database administrators who have significant access level permissions for processes and data in any of these systems.

Non-compliance with these rules will be addressed through sanctions commensurate with the level of infraction. Actions may range from a verbal or written warning, removal of system access for a specific period of time, reassignment to other duties, or termination, depending on the severity of the violation.

2. Responsibilities

The Director, Human Resources Service is responsible for ensuring an adequate level of protection is afforded to any Human Resource Services systems through appropriate implementations of technical, administrative, and managerial controls. The Director, with the assistance of the PSC Information Systems Security Officer (ISSO) and HRS Information Technology Security Officer (ITSO), develops policies and procedures, ensures the development and presentation of user and contractor awareness sessions, and performs inspections and spot checks to determine that an adequate level of compliance with security requirements exists. The Director is responsible for periodically conducting vulnerability analyses to help determine if security controls are adequate.

3. Other Policies and Procedures

These Rules of Behavior are not to be used in place of existing policy; rather, they are intended to enhance and further define the specific rules each user must follow while accessing and using any HRS System. The rules are consistent with the policy and procedures described in the Department of Health and Human Services (DHHS) Automated Information Systems Security Program Handbook (The AISSP Handbook) and specific IRM policy documents. The AISSP Handbook and the IRM policies contain computer security guidance on a wide range of topics and describe the Automated Information Systems Security Program that establishes policies, procedures, and responsibilities in the area of computer security within the Department.

4. HRS Systems Rules

4.1 To ensure individual accountability of actions performed in any HRS System, users are responsible for understanding and complying with all password use requirements, including the need for adequate (difficult to decipher) passwords that are 8 characters in length and contain at least one number, the necessity for changing passwords at least every 90 days, and the requirement to not share or disclose passwords.

4.2 Users are not allowed to exceed their authorized access limits in any HRS System by changing information or searching databases beyond the responsibilities of their job or by divulging information to anyone not authorized to know that information.

4.3 No inter-connections to other HRS Systems or transfer of HRS Data to other information systems is authorized beyond those established as part of the standard authorized processing requirements of any HRS System.

4.4 No employees having access to any HRS System will disable any encryption established for network, internet and web browser communications.

4.5 No direct dial-in access to any HRS System has been established nor is authorized.

4.6 All personnel, as well as contractors, who are responsible for developing and maintaining any HRS System must comply with all copyright license regulations associated with HRS software. Managers must ensure that government personnel and Contractor personnel understand and comply with license requirements. End users, supervisors, and functional managers are ultimately responsible for this compliance.

4.7 Users should be aware that personal use of information resources is authorized on a limited basis within the provisions of HHS IRM Policy 2000-0003, "HHS IRM Policy for Personal Use of Information Technology Resources," January 8, 2001.

4.8 Users are required to report all instances of actual or potential security violations to their supervisors and to their Information Systems Security Officer.

4.9 Each subscriber organization establishes its own policies for determining which employees may work at home or in other remote workplace locations. Any remote work arrangement should include policies that:

5. Additional Rules for Security and Administration Users

Security and system administration personnel have significant access to processes and data in any HRS System. As such, the System Security Administrators, Systems Administrators, and Database Administrators have added responsibilities to ensure the secure operation of any HRS System. Security and administration personnel are to: