United States Department of Health and Human Services

Office of the Assistant Secretary for Administration and Management

Program Support Center


Human Resources

Integrated Time and Attendance System

Rules of Behavior

1. Introduction

The following rules of behavior are to be followed by all users (Contractors and HHS Employees) that use any networked or standalone System that supports the mission and functions of the Dept. of Health and Human Services and any Sub Agency. The rules in Section 4 clearly delineate responsibilities and expectations for all individuals with access to these systems. The rules in Section 5 are additional rules for systems security administrators, systems administrators, and database administrators who have significant access level permissions for processes and data in any of these systems.

Non-compliance with these rules will result in sanctions commensurate with the level of infraction. Actions may range from a verbal or written warning to removal of system access for a specific period of time, reassignment to other duties, or termination, depending on the severity of the violation.

2. Responsibilities

The Director, Human Resources Service is responsible for ensuring an adequate level of protection is afforded to any Human Resource Services systems through appropriate implementations of technical, administrative, and managerial controls. The Director, with the assistance of the PSC Information Systems Security Officer (ISSO) and HRS Information Technology Security Officer (ITSO), develops policies and procedures, ensures the development and presentation of user and contractor awareness sessions, and performs inspections and spot checks to determine that an adequate level of compliance with security requirements exists. The Director is responsible for periodically conducting vulnerability analyses to help determine if security controls are adequate.

3. Other Policies and Procedures

These Rules of Behavior are not to be used in place of existing policy; rather, they are intended to enhance and further define the specific rules each user must follow while accessing and using any HRS System. The rules are consistent with the policy and procedures described in the Department of Health and Human Services (DHHS) Automated Information Systems Security Program Handbook (The AISSP Handbook) and specific IRM policy documents. The AISSP Handbook and the IRM policies contain computer security guidance on a wide range of topics and describe the Automated Information Systems Security Program that establishes policies, procedures, and responsibilities in the area of computer security within the Department.

4. HRS Systems Rules

4.1 To ensure individual accountability of actions performed in any HRS System, users are responsible for understanding and complying with all password use requirements, including the need for adequate (difficult to decipher) passwords that are 8 characters in length and contain at least one number, the necessity for changing passwords at least every 90 days, and the requirement to not share or disclose passwords.

4.2 Users are not allowed to exceed their authorized access limits in any HRS System by changing information or searching databases beyond the responsibilities of their job or by divulging information to anyone not authorized to know that information.

4.3 No inter-connections to other HRS Systems or transfer of HRS Data to other information systems is authorized beyond those established as part of the standard authorized processing requirements of any HRS System.

4.4 No employees having access to any HRS System will disable any encryption established for network, internet and web browser communications.

4.5 No direct dial-in access to any HRS System has been established nor is authorized.

4.6 All personnel, as well as contractors, who are responsible for developing and maintaining any HRS System must comply with all copyright license regulations associated with HRS software. Managers must ensure that government personnel and Contractor personnel understand and comply with license requirements. End users, supervisors, and functional managers are ultimately responsible for this compliance.

4.7 Users should be aware that personal use of information resources is authorized on a limited basis within the provisions of HHS IRM Policy 2000-0003, "HHS IRM Policy for Personal Use of Information Technology Resources," January 8, 2001.

4.8 Users are required to report all instances of actual or potential security violations to their supervisors and to their Information Systems Security Officer.

4.9 Each subscriber organization establishes its own policies for determining which employees may work at home or in other remote workplace locations. Any remote work arrangement should include policies that:

  • Are in writing.
  • Provide authentication of the remote user through the use of ID and password or other acceptable technical means.
  • Develop a management/employee agreement that, at a minimum, outlines the work to be performed and the security safeguards and procedures the employee is expected to follow.
  • Ensure adequate storage of files, removal and non-recovery of temporary files created in processing sensitive data, virus protection, intrusion detection, and physical security for government equipment and sensitive data.
  • Establish mechanisms to back up data created and/or stored at alternate work locations.

5. Additional Rules for Security and Administration Users

Security and system administration personnel have significant access to processes and data in any HRS System. As such, the System Security Administrators, Systems Administrators, and Database Administrators have added responsibilities to ensure the secure operation of any HRS System.

Security and administration personnel are to:

  • Advise the system owner on matters concerning information technology security.
  • Assist the system owner in developing security plans, risk assessments, and supporting documentation for the certification and accreditation process.
  • Ensure that any changes to any HRS System that affect contingency and disaster recovery plans are conveyed to the person responsible for maintaining continuity of operations plans for HRS Systems.
  • Ensure that adequate physical and administrative safeguards are operational within their areas of responsibility and that access to information and data is restricted to authorized personnel on a need to know basis.
  • Verify that users have received appropriate security training before allowing access to any HRS System.
  • Implement applicable security access procedures and mechanisms, incorporate appropriate levels of system auditing, and review audit logs.
  • Document and investigate known or suspected security incidents or violations and report them to the ISSO, ITSO, and systems owner.


Last revised: April 16, 2004

 
