U.S. Equal Employment Opportunity Commission
This Order provides policies, standards, procedures and methods related to EEOC's Information Security Program, as required by the Federal Information Security Management Act of 2002 (FISMA) and Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources. It explains in greater detail EEOC's Information Security Program, which is described in general terms in Appendix C of EEOC Order 370.002, EEOC Security Plan. This Order also serves as a handbook for the implementation of EEOC's Information Security Program and policy.
The protection of EEOC's information and its information technology resources is critical to the performance of its mission. EEOC employees, contractors, contingent workers, and other users of EEOC information and information systems who control and use the Agency's information resources are responsible for the care, custody and protection of those resources.
The primary program elements for implementing EEOC's information security program are: 1) development and update of plans and processes for provision of adequate information security for networks, facilities, and systems or groups of information systems, and 2) development and implementation of appropriate rules of behavior for the users of those networks, facilities, and systems.
The strategic importance of EEOC information requires that the integrity, availability, and confidentiality of sensitive information be protected. While new technologies have helped to make corporate information more accessible to users, the government and industry are faced with many new challenges. Additional safeguards are required to protect the Agency and individuals from the possibility of unauthorized disclosures of information, unauthorized penetration of the Agency's information systems, and from any potential loss or destruction of corporate information and information systems.
FISMA requires that agencies comply with the National Institute of Standards and Technology (NIST) security standards, identify and provide information security protections commensurate with the risk and magnitude of potential harm, ensure that information security is addressed throughout the life cycle of each agency information system, provide plans and procedures to ensure continuity of operations for major information systems, and conduct and report on annual security program reviews.
OMB Circular A-130 requires that agencies implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in major applications and general support systems.
Title VII of the Civil Rights Act of 1964, the Privacy Act of 1974, the Procurement Integrity Act of 1988, and the Confidential Information Protection and Statistical Efficiency Act of 2002 address other requirements to protect Federal information.
The Order is based on the fundamental premise that those who create, control and use information are the ones responsible for its care, custody and protection. The information system security responsibilities of EEOC employees, contractors, contingent workers, and other users of EEOC information and information systems, and the procedures for assigning those responsibilities, are defined below in compliance with FISMA, NIST, and OMB Circular A-130.
(1) Establishing an information security program for EEOC, including related policies and procedures and control techniques as required by FISMA; identifying networks, facilities, and information systems or groups of systems which require planning for provision of adequate security; and providing appropriate information security awareness training for all agency employees, contractors and other users of EEOC information and information systems;
(2) Developing the Agency's information security program related budget, providing overall direction and guidance on implementation of information security, deciding and recommending the level of financial resources and technical support required for information security safeguards, and ensuring the integration of security into the Agency's capital planning and investment control processes;
(3) Overseeing the conduct of security risk assessments and the development and implementation of security plans for the Agency's major information systems, networks and facilities;
(4) Ensuring that information security-related training and technical support are provided to the Office Directors, IT Specialists, Security Points of Contacts (SPOCs), and users of EEOC's major information systems;
(5) Providing feedback regarding oversight of information security-related activities to HQ Offices and to the Office of Field Programs (OFP);
(6) Overseeing the development and issuance of EEOC information security policies and procedures;
(7) Ensuring the development and testing of contingency and continuity of operations plans for major information systems; and
(8) Responding to requests for information from OMB, the General Accounting Office, and Congressional oversight and appropriations committees designated in FISMA, regarding EEOC's compliance with the Paperwork Reduction Act of 1995, OMB Circular A-130, the Federal Information Security Management Act of 2002, and related statutes.
(1) Ensuring the agency's compliance with federal laws, regulations, and policies relating to information privacy;
(2) Participating in all agency information privacy compliance activities and in assessing the impact of technology on the privacy of personal information;
(3) Assuming a central policy-making role in the agency's development and evaluation of legislative, regulatory and other policy proposals that implicate information privacy;
(4) Conducting reviews of agency policies and processes, and taking corrective action as appropriate to ensure the agency has adequate safeguards to prevent the misuse or unauthorized use of, or access to, personally identifiable information (PII);
(5) Ensuring the agency's information privacy policies and procedures are comprehensive and up to date;
(6) Reminding agency employees and contractors of their responsibilities for safeguarding PII, the rules for acquiring and using such information, the penalties for violating these rules, as well as ensuring they receive appropriate training; and
(7) Preparing the Senior Agency Official for Privacy section of EEOC's FISMA annual report to OMB, as well as responding to requests for information as appropriate.
(1) Serving as the Senior Technical Advisor to EEOC management on all areas of Information Security;
(2) Recommending courses of action and policies to senior management that allow EEOC to securely meet its organizational goals;
(3) Monitoring and recording the security performance of EEOC information systems and reporting the status to management and to other government agencies that collect security data, such as US-CERT, as required; and
(4) Assuming responsibilities related to the implementation and oversight of EEOC's Information Security Program, as delegated by the agency CIO.
(1) Assuring that all new employees, as part of their orientation package, receive and sign an acknowledgment of receipt of "Information Security Responsibilities of EEOC System Users" (Appendix A), as well as all other EEOC documents referenced in the "Acknowledgment of Receipt" form at the end of Appendix A;
(2) Ensuring that the personnel management specialists file the employees' signed Acknowledgments in their Official Personnel Files; and
(3) Working with OIT to facilitate the provision of information security training.
(1) Working with OIT and OHR to facilitate, as requested, the provision of information security training to EEOC's field office personnel; and
(2) Monitoring security-related activities in the field offices, in conjunction with OIT.
(1) Designating a Security Point of Contact (SPOC) for each system that they sponsor;
(2) Participating in and reviewing vulnerability and risk assessments for the major information systems which they sponsor, with the assistance of the SPOC and lead support from OIT;
(3) Participating in the development and update of system security plans for major information systems which they sponsor (as described in Paragraph 8 of this Order), with the assistance of the SPOC and lead support from OIT;
(4) Completing, for each major system which they sponsor, a signed statement accepting the residual risk and authorizing continued processing, and providing a copy of the signed statement to the CIO (as described in Paragraph 7 of this Order);
(5) Participating in the development and testing of contingency plans and disaster recovery plans for major information systems which they sponsor (as described in Paragraph 11 of this Order), with the assistance of the SPOC and lead support from OIT;
(6) Working with OIT to identify appropriate on-line training for each SPOC and ensuring that each SPOC successfully completes at least one IT Security related training per fiscal year; and
(7) Ensuring that their office's designated SPOC performs their responsibilities, as outlined in Section 6.k.
(1) Ensuring compliance with agency web site standards for privacy, accessibility, usability, and preservation of government information, as outlined in Sections 207(f)(2) and 208(c) of the E-Government Act of 2002 and OMB Memoranda; and
(2) Assisting in the preparation of relevant sections of the EEOC's FISMA annual report to OMB, as well as responding to requests for information as appropriate.
(1) Designating a single SPOC (typically the office's IT Specialist) for oversight of information security functions within their districts;
(2) Working with the SPOC and OIT to ensure that an adequate security incident response capability exists for major information systems used within their districts;
(3) Ensuring that their district complies with system security plans for major information systems used within their district offices;
(4) Working with OIT to identify appropriate training for each SPOC and ensuring that each SPOC successfully completes at least one IT Security related training per fiscal year; and
(5) Ensuring that the SPOCs perform their responsibilities, as outlined in Section 6.k.
(1) Ensuring that their employees, contractors, contingent workers, and other users of EEOC information and information systems receive appropriate information security training, including both the general orientation to "Information Security Responsibilities of EEOC System Users" (Appendix A) and more specialized training for systems or system components under their direct jurisdiction, as described in Paragraph 10 of this Order;
(2) Informing OIT and the Office of the Chief Financial Officer (OCFO) when a theft or loss of any computer, peripheral device or software package is detected;
(3) Ensuring that all controls recommended by the Agency for compliance with the Federal Manager's Financial Integrity Act, as specified in EEOC Order 195.001, Internal Control Systems, and related supplemental guidance, are in place; and
(4) Ensuring that their employees, contractors, contingent workers, and other users of EEOC information and information systems, as users of EEOC information systems, perform their responsibilities as outlined in Section 6.l. below.
(1) Exercising overall information security oversight for all systems or portions of systems for which they are responsible;
(2) Developing or assisting in the development of security plans, vulnerability, risk, and threat assessments, and other studies with the guidance and assistance of the Office Director and OIT;
(3) Developing and testing contingency/continuity plans as directed by the Office Director and/or OIT;
(4) Reporting to the Office Director and OIT all security incidents that could degrade data or system integrity or compromise the confidentiality of sensitive information;
(5) Ensuring compliance with the system security plans of major information systems for which they are responsible;
(6) Ensuring that appropriate password protection is in place and maintained for all such systems, and that the user-IDs and passwords are deleted or changed when system users separate from the office;
(7) Monitoring anti-virus software deployment within their office's jurisdiction and the successful completion of automated on-line back-ups;
(8) Ensuring that each office within their district employs uninterruptible power supplies (UPS) for information systems when appropriate; and
(9) Monitoring the use of software on the Agency's information systems to enforce legitimate use of government information technology resources.
(1) Following their acknowledged responsibilities as delineated in this Order, and as described in Appendix A, Information Security Responsibilities of EEOC System Users;
(2) Cooperating with EEOC ISOs and SPOCs; and
(3) Complying with any additional rules or policies which guide or restrict the use of EEOC's information systems.
(1) The objectives and requirements of authorizing systems to process are as follows:
(a) Review system security categorizations against FIPS Publication 199 requirements;
(b) Ensure all vulnerabilities have been examined and, if appropriate, ensure that cost-effective measures have been taken to correct them;
(c) Ensure EEOC security requirements are reviewed for major information systems;
(d) Ensure EEOC-implemented safeguards are examined so that they satisfy the security requirements;
(e) Ensure any safeguards that do not satisfy the security requirements are reported to the appropriate office; and
(f) Ensure management approval is obtained to authorize initial or continued operation of major information systems.
(2) Authorizations-of-processing shall include EEOC information security policy, practices and procedures to assure the following:
(a) Periodic vulnerability and risk assessments are completed for each system to ensure appropriate security controls are in place. A single risk assessment may be used to review the security controls for multiple IT systems;
(b) EEOC major information and general support systems are authorized to process;
(c) EEOC employees understand their roles and responsibilities in the authorization process;
(d) Compliance with relevant NIST and FIPS guidance for all associated activities; and
(e) Re-authorization occurs every three years or after there has been a significant change in the system.
(1) OMB Circular A-130, Management of Federal Information Resources.
(2) NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems.
(3) NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
(4) NIST Special Publication 800-39, Managing Information Security Risk.
(5) NIST Special Publication 800-53 (with revisions), Recommended Security Controls for Federal Information Systems.
(6) NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Security to Security Categories.
(7) Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems.
(8) Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems.
(1) The objectives and requirements of each system security plan are as follows:
(a) Ensure EEOC users understand and comply with system rules of behavior;
(b) Ensure appropriate management, technical, and operational controls are in place and tested for the system;
(c) Ensure users have the least possible rights that enable them to carry out their work functions;
(d) Ensure that individuals who are authorized to bypass significant technical and operational controls of the system are appropriately screened commensurate with the risk and magnitude of harm they could cause;
(e) Ensure that the appropriate controls are in place to review user access permissions to assure that privileges are granted on a need-to-know basis;
(f) Ensure an EEOC incident response capability is in place and implemented;
(g) Ensure EEOC contingency and disaster recovery plans exist;
(h) Ensure that cost-effective security products and techniques are appropriately used within the system;
(i) Ensure there are policies and safeguards for system interconnection and information sharing, which are consistent with the rules of the system and in accordance with the guidance of NIST. This includes written management authorization, based on the acceptance of the risk to the system, prior to connecting with other systems.
(2) The system security plan shall include EEOC information security policy, practices and procedures to ensure the following:
(a) Operational, management, and technical controls, security training, and system rules of behavior are implemented and enforced;
(b) An EEOC employee is assigned to ensure that the system has adequate security;
(c) The frequency of security plan reviews and updates aligns with the frequency of the updated risk assessment or security evaluation, which should be commensurate with the acceptable level of risk for the system; and
(d) Security reviews occur at least every three years and partial reviews occur annually for the most major and vulnerable systems.
(1) The PIA objectives and requirements are as follows:
(a) Assess new or substantially altered agency information systems that contain PII to determine the risks of collecting, maintaining and disseminating PII, and evaluate protections for handling PII to mitigate potential privacy risks;
(b) Analyze and describe what information is collected, why it is collected, its intended use, with whom it is shared, what opportunities individuals have to decline to provide information or to consent to particular uses of the information, how individuals grant consent, how the information is secured, and whether a system of records is being created under the Privacy Act; and
(c) Document management, technical, and operational controls to protect PII and to review access to and use of information systems that contain PII.
(1) The objectives and requirements of the IT Security Training Program are as follows:
(a) Ensure employees, contractors, contingent workers, and other users of EEOC information and information systems are aware of the vulnerabilities of and threats to EEOC information systems and the risks associated with the exploited vulnerabilities;
(b) Ensure employees, contractors, contingent workers, and other users of EEOC information and information systems are knowledgeable and skilled in applying EEOC information security policies, practices and procedures;
(c) Ensure new employees, contractors, contingent workers, and other users of EEOC information and information systems attend training as a part of their orientation process; and
(d) Ensure all employees, contractors, contingent workers, and other users of EEOC information and information systems attend refresher and continuing training as the information system environment, security policy, practices, work or job function changes.
(2) The IT Security Training Program shall include EEOC information security policies, practices and procedures to ensure the following:
(a) EEOC information security objectives are met;
(b) Managers and system users are responsible and/or held accountable for their actions;
(c) Proper information accessibility, handling and storage, including information and system access control procedures, are enforced;
(d) Physical and environmental hazard protections exist;
(e) Appropriate response to emergency and disaster situations is executed;
(f) Threats and vulnerabilities to EEOC information resources are identified; and
(g) Other security and privacy related matters are considered.
(1) The objectives and requirements of contingency and disaster recovery plans are as follows:
(a) Ensure that an IT contingency and disaster recovery plan for each major information system, and interconnected system, is prepared;
(b) Ensure that EEOC system users understand the contingency and disaster recovery process;
(c) Ensure that contingency and disaster recovery plans enable the continuing service of all major applications or general support systems, including the interconnections between such systems;
(d) Ensure that contingency and disaster recovery plans are tested periodically (i.e., nondestructive testing) to demonstrate their effectiveness;
(e) Ensure that emergency checklists exist that contain pertinent information (e.g., location of fire extinguishing equipment, alarm activation and deactivation procedures, and evacuation plans); and
(f) Ensure contingency and disaster recovery plans are secured in a safe place, and can be located in the event of an emergency or disaster.
(2) The contingency and disaster recovery planning process shall assure the following:
(a) EEOC information or processing capabilities are protected in a cost-effective manner from loss, misuse, unauthorized access or modification, or system unavailability in the event of an emergency or disaster situation;
(b) Procedures are in place to enable offices responsible for each major information system to obtain planning and testing assistance from OIT from the outset of each new system and throughout its life cycle; and
(c) Appropriate response to emergency and disaster situations is executed.
(1) The objectives and requirements of the incident response capability are as follows:
(a) Ensure EEOC system users recognize and understand the importance of reporting information security incidents;
(b) Ensure EEOC system users are aware of the steps and procedures for reporting information security incidents;
(c) Ensure an incident handling person has been designated and that this person understands his or her role (i.e., determining the significance of the incident, reporting significant incidents to the appropriate individual/office; suggesting patches and fixes);
(d) Ensure other personnel who oversee systems and networks are notified of security incidents; and
(e) Ensure all incidents are documented and analyzed for any trends that might escalate into future significant incidents.
(2) The incident response capability shall include the development and revision of EEOC information security policies, practices and procedures to assure the following:
(a) Security measures (i.e., access controls, anti-virus software, and regular system backups) are in place and implemented to protect against security incidents;
(b) EEOC system users follow appropriate incident reporting procedures;
(c) Strong technical, management, and operational security controls are in place and implemented to protect against future security incidents;
(d) Security incidents are logged for trend analysis; and
(e) Appropriate patches and fixes are implemented immediately and with approval from OIT management.
The Electronic Government Act of 2002, 44 U.S.C. Ch 36, in particular the following Titles:
The Privacy Act of 1974, as amended [5 U.S.C. Section 552a]
Office of Management and Budget (OMB) Circulars:
Homeland Security Presidential Directive (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003
National Institute of Standards and Technology (NIST) Special Publications (SP):
Federal Emergency Management Administration (FEMA), Federal Preparedness Circular (FPC), 65: Federal Executive Branch Continuity of Operations Plan (COOP), as revised June 15, 2004.
Equal Employment Opportunity Commission (EEOC) Orders:
Access Control. Measures that ensure the resources of an information system can be accessed only by authorized users in authorized ways.
Application. The use of information resources (information and information technology) to satisfy a specific set of user requirements.
Asset. Any resource, item or information of value to an organization, which, if compromised in some manner, would result in a loss.
Authorization-of-Processing. A signed statement authorizing the continued processing and accepting any residual risk of a major application or general support system. This procedure is required by OMB Circular A-130.
Automated Information Security Program. A program, required by OMB A-130, to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in major applications and general support systems. The Federal Information Security Management Act (FISMA) also requires such assurance for all major information systems.
Automated Information Systems (AIS). Electronic systems that create, prepare, or manipulate information; includes computers, word processing systems, and other electronic information handling systems, associated equipment and media.
Computer Abuse. A willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service and misappropriation.
Computer Fraud. Computer-related crime, involving deliberate misrepresentation or alteration of data in order to obtain something of value, usually for monetary gain.
Computer Virus. A computer virus is a self-propagating computer program developed specifically to spread copies of itself to as many computers as possible, in order to perform other malicious and unauthorized actions, such as: causing massive destruction of programs and/or data (e.g., formatting a disk); partial destruction (e.g., erasure or modification of part of a disk); and random havoc (e.g., changing data in memory, or changing keystroke values). Computer viruses and related threats are generally referred to as malware.
Contingency Plan. A plan for emergency response, backup procedures, and post-disaster recovery; mostly synonymous with disaster plan, emergency plan and continuity plan.
General Support System. (OMB A-130) An interconnected set of information resources under the same direct management control, which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental information technology center including its operating system and utilities, a tactical radio network, or a shared information processing service organization.
Hardware. The electrical, electronic, optoelectronic and mechanical equipment used for processing data. It consists of cabinets, racks, transistors, wires, glass fibers, motors, etc.
Incident Response Capability. An organizational ability to detect and react quickly and efficiently to disruptions in normal processing caused by malicious technical threats. OMB A-130 mandates agencies to provide this capability, which includes sharing information with other agencies about common vulnerabilities.
Information Security. (FISMA) Protecting information and information systems from unauthorized access, use, disclosure, modification, or destruction in order to provide integrity (which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity), confidentiality (which means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information), and availability (which means ensuring timely and reliable access to and use of information).
Information System. Any equipment or interconnected system of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This includes computers, ancillary equipment, software, firmware and similar procedures, services and related resources as defined by GSA.
Loss. A quantitative measure of harm or deprivation due to a threat acting upon a vulnerable system resource.
Major Application. (OMB A-130) An application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.
Major Information System. (FISMA) Each agency is required by FISMA to develop, maintain, and report on an inventory of major information systems operated by or under the control of such agency. Pending issuance of FISMA guidance by OMB, EEOC has determined that any system identified previously as either a major application or general support system will be considered to be a major information system.
Piracy. Unauthorized copying of software.
Risk. The probability that a particular threat will exploit a particular vulnerability of a system.
Rules. System-specific policy stated as rules of behavior which tell system users what is expected of them and how to actively protect information.
Safeguard. A protective measure designed to reduce the probability of a loss of an asset.
Security Point of Contact (SPOC). Individual with primary responsibility for protecting the information contained in one or more major information systems.
System Sponsor. Within EEOC, the primary organizational element which originates and uses the information stored and processed in a particular application or information system.
Threat. Any circumstance or event with the potential to cause harm to a system in the form of destruction, disclosure, modification of data, or denial of service.
US-CERT. The United States Computer Emergency Readiness Team interacts with federal agencies, industry, the research community, state and local governments and others to disseminate reasoned and actionable cyber security information to the public.
Vulnerability. A weakness in security policy, procedures, personnel, management, administration, hardware, software, physical layout, organization or other factors affecting security that may allow harm to an information processing system.
Appendix A - Information Security Responsibilities of EEOC System Users
Appendix B - Policy on Protecting Information Technology (IT) Security Documents
Appendix C - Table of EEOC Major Information Systems and Sponsoring Offices
Appendix D - Requirement for Screen Warning On Externally Connected Systems
This order supersedes EEOC Order 240.005, EEOC Information Security Program, Change 3, dated May 2008, and prior releases, which will be removed from reference files and destroyed.
It is the responsibility of all EEOC system users to help ensure the security and integrity of the information contained in the Commission's automated and manual records systems. The Office of Management and Budget (OMB) Circular A-130, the Privacy Act of 1974, and the Federal Information Security Management Act of 2002 all define such information, as well as the technology used to maintain it, as a vital Government asset. Those who control or use this information are responsible for its care, custody and protection. All EEOC system users, whether EEOC employees, contractors, contingent workers, or other users of EEOC information and information systems, are expected to be aware of certain legal rules and policies which must be followed for the purpose of safeguarding such information. Violation of these rules may be grounds for disciplinary action up to and including removal.
The confidentiality provisions of Title VII of the Civil Rights Act of 1964 and Title I of the Americans with Disabilities Act prohibit the Commission, its officers and employees from disclosing to the public, prior to the institution of a lawsuit, information involving: (a) any charges filed under those Acts, (b) anything said or done during informal efforts to resolve such charges, (c) any reports that employers are required to file with the Commission under those Acts, and (d) any information obtained by the Commission during the investigation of such charges. Violators can be fined not more than $1,000, imprisoned for not more than one year, or disciplined.
The Privacy Act of 1974 prohibits any disclosure by an agency officer or employee of information from any system of records about individual persons, unless the disclosure is consented to by the individual to whom the record pertains, is covered by an exception, or would be for a routine use, as defined by the Act. Violation is a criminal misdemeanor subject to a fine of not more than $5,000. The same penalty also applies to any agency officer or employee who maintains a system of records (manual or automated) about individual persons without complying with the Privacy Act notice requirements. The Act also makes it possible for individuals who believe that they are the victims of such illegal disclosures, or who believe that such information, even though properly disclosed, was inaccurate, to sue the agency responsible for such disclosures as well as for any harm, embarrassment or inconvenience which might have been caused by the existence of such inaccurate information.
For those working pursuant to the Procurement Integrity Act, the Act prohibits any disclosure of proprietary or source selection information during the conduct of a procurement action that has not been authorized by the head of the agency or the agency contracting officer. The Act provides for civil and criminal penalties, as well as administrative discipline, for violation.
The information resources, including computers and telecommunications equipment, acquired and used by the Agency, are Federal property and are subject to EEOC, OMB, General Services Administration, and Office of Government Ethics regulations on the management and use of Federal property [5 CFR Part 2635 Standards of Ethical Conduct for Employees of the Executive Branch; 41 CFR Ch. 101 - Federal Property Management Regulations]. EEOC has obtained its information technology (IT) equipment for the purpose of performing mission-related work. Any activity which interferes with that purpose violates Federal property regulations. Such activities include using IT equipment for non-governmental commercial business purposes, intentionally spreading computer viruses, the use of Federally funded Internet accounts and services for non-government business, etc. Employees who have not fulfilled their responsibilities under the provisions of these property regulations are subject to administrative disciplinary action.
Federal employees are permitted limited use of government office equipment for personal, non-commercial needs if the use does not interfere with official business and involves minimal additional expense to the Government. This limited personal use of government office equipment should take place during the employee's non-work time. This privilege may be revoked or limited at any time by the employee's supervisor or by other appropriate agency officials.
Agency employees, contractors, contingent workers, and other users of EEOC information and information systems are prohibited from making unauthorized use or duplication of software acquired by the Government for official business, and from using unlicensed software on government equipment, which would violate the Federal copyright statute and expose EEOC to the possibility of lawsuits from software vendors. System users are to install on EEOC computers only commercial software that has been purchased through the government procurement process and has been determined by the Office of Information Technology (OIT) to be compatible with EEOC's standard desktop configuration requirements. Employees are not allowed to install personally owned software on government computers unless a specific, written exemption has been authorized by OIT. Detailed procedures for performing the foregoing responsibilities are contained in the March 2, 1999 memorandum entitled "EEOC Copyrighted Software Policy."
EEOC system users must notify their EEOC supervisor or point of contact of every occurrence of fire, water damage, or other incident which results in damage to information assets. They should be knowledgeable about office fire procedures and where the nearest fire extinguisher is located.
EEOC system users are responsible for ensuring the security of sensitive information and protecting the technology and equipment which supports its information systems as specified in the following:
updated August, 2014
This will acknowledge that I have received and read a copy of:
(PRINT YOUR NAME HERE)
Security analyses and reviews are done at the Equal Employment Opportunity Commission (EEOC) to comply with various Federal statutes and regulations. At the minimum, these include risk assessments, security plans, authorizations to process, and disaster recovery plans. The very nature of such documents reveals details and vulnerabilities that can be exploited for destructive purposes. The result is that all such documents contain sensitive information, as defined by OMB Circular A-130. Therefore, it is necessary to protect the documents appropriately.
IT Security Documents Should Not Be Shared
IT Security Documents should only be given to employees on a "need to know" basis. The documents may be used to maintain the availability, confidentiality and integrity of the data, or to make revisions. Authorized EEOC system users may also hold the plans for safekeeping and reference. IT Security Documents should be closely held by these system users.
IT Security Documents Should Not Leave the Premises
IT Security Documents should stay in the office unless there is an explicit need to remove them. A person working on the documents may bring them to another place to work on them; as soon as the work is completed, they must be returned to the office premises. An exception is recognized for persons tasked with maintaining the completed documents in a place outside of the office. Such documents must be returned to the office as soon as the person tasked with safeguarding them is no longer tasked to do so.
IT Security Documents Should Be Destroyed Properly
When IT Security Documents are obsolete, the documents should be destroyed properly. If the document is a hard paper copy, it should be shredded. If it is on another medium, it should be destroyed according to EEOC's accepted method for destroying secure data on that medium.
Inappropriate Handling of IT Security Documents
If these restrictions are not followed, the deviation, situation or incident will be referred to the Information Security Officer. If it is warranted, such matters will be referred to EEOC management for appropriate action.
| Name of Major Information System | Sponsoring Office |
| --- | --- |
| EEO-1 Survey System | Office of Research, Information and Planning |
| Document Management System | Office of Information Technology |
| Integrated Mission System | Office of Information Technology |
| Momentum Financials (through FY 2011) | Office of the Chief Financial Officer |
| Federal Personnel and Payroll System | Office of Human Resources |
| EEOC Data Network | Office of Information Technology |
On all EEOC systems using any external telecommunications, a Screen Warning, similar to the one shown below, should appear prior to the log-on sequence. Public Law 99-474 (Computer Fraud and Abuse Act) requires that a warning message be displayed, notifying unauthorized users that they have accessed a U.S. Government computer system and unauthorized use can be punished by fines or imprisonment. Although the warning does not prevent unauthorized use of the system, it does allow violators to be punished more easily. Failure to notify an unauthorized user that it is a Government system may make prosecution more difficult, regardless of how much damage is done to the system.
If any EEOC office has implemented an externally connected system which does not have the required screen warning, processing should be suspended until the situation is corrected. OIT should be consulted for assistance in this matter.
All EEOC workstations which access the primary EEOC Network display a warning banner upon initial power-on and every time a user logs in. The word "Welcome" is not used in the warning banner because this may imply that anyone is welcome to access the system. The EEOC warning banner states:
EEOC's Computer Systems Important Notice
This is an Equal Employment Opportunity Commission Computer System. This system is intended to support official government business. Any information on this system is subject to recording, copying, reading, or interception by authorized personnel, including the Office of Inspector General. Use of this system constitutes consent to any such action and acknowledgment that there is no reasonable expectation of privacy with respect to any information or communications on this system.
Unauthorized users may be subject to civil and criminal penalties or administrative action for computer fraud or abuse.
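The following POSIX shell check is an added example and not part of the order or of EEOC's tooling: it audits a pre-login banner file against the Appendix D requirements (shown before log-on, no "Welcome", identifies a Government system, warns of penalties) and verifies that OpenSSH's Banner directive points at such a file. The sshd_config and banner files, their paths, and the non-compliant sample banner are constructed here for illustration.

```shell
#!/bin/sh
# Added example, not part of the EEOC order: audit a pre-login banner against
# the Appendix D requirements. Paths and sample banners are constructed here.

# check_banner_text FILE: 0 if FILE meets the requirements, 1 otherwise.
check_banner_text() {
    f="$1"
    [ -s "$f" ] || { echo "FAIL: $f missing or empty"; return 1; }
    # "Welcome" is forbidden: it may imply that anyone is welcome to log in.
    if grep -qi 'welcome' "$f"; then
        echo "FAIL: $f contains the word Welcome"; return 1
    fi
    # The banner must identify a Government system and warn that
    # unauthorized use can be punished.
    grep -qi 'government' "$f" || { echo "FAIL: $f does not identify a Government system"; return 1; }
    grep -qi 'unauthorized' "$f" || { echo "FAIL: $f does not address unauthorized users"; return 1; }
    grep -qiE 'penalt|fine|imprison' "$f" || { echo "FAIL: $f states no penalty"; return 1; }
    echo "PASS: $f"
}

# check_sshd_banner SSHD_CONFIG: 0 if the OpenSSH "Banner" directive points at
# a compliant file. OpenSSH shows that file before authentication, i.e. prior
# to the log-on sequence as Appendix D requires.
check_sshd_banner() {
    banner=$(awk 'tolower($1) == "banner" { print $2; exit }' "$1")
    if [ -z "$banner" ] || [ "$banner" = "none" ]; then
        echo "FAIL: $1 has no Banner directive"; return 1
    fi
    check_banner_text "$banner"
}

# Constructed samples: one compliant banner (the EEOC notice text), one not.
TMP=$(mktemp -d)
GOOD_BANNER="$TMP/issue.net"
cat > "$GOOD_BANNER" <<'EOF'
This is an Equal Employment Opportunity Commission Computer System.
This system is intended to support official government business.
Unauthorized users may be subject to civil and criminal penalties
or administrative action for computer fraud or abuse.
EOF
BAD_BANNER="$TMP/welcome.txt"
echo "Welcome to the EEOC file server. Please log in." > "$BAD_BANNER"
SSHD_GOOD="$TMP/sshd_config"
printf 'Port 22\nBanner %s\n' "$GOOD_BANNER" > "$SSHD_GOOD"
SSHD_NONE="$TMP/sshd_config.none"
printf 'Port 22\nBanner none\n' > "$SSHD_NONE"
for cfg in "$SSHD_GOOD" "$SSHD_NONE"; do
    check_sshd_banner "$cfg" || true
done
```

On a real host, point check_sshd_banner at /etc/ssh/sshd_config; a workstation's power-on and login banners are configured separately and are not covered by this check.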