These Rules of Behavior (ROB) cover the U.S. Department of Health and Human Services (HHS), Assistant Secretary for Preparedness and Response (ASPR) MedMap Application (MedMap), in accordance with the requirements of the Office of Management and Budget (OMB) Circular A-130, the National Institute of Standards and Technology (NIST) guidance, the HHS information security guidance and policy, and the Office of the Secretary (OS) Certification & Accreditation (C&A) guidance.
This ROB document is modeled after, and is in compliance with, the HHS Information Security Program Policy, Section 4.1.2, December 15, 2004, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Information Technology Systems, Section 4.3, December 1998, and the draft OS Network, Rules of Behavior and Rules of Behavior Procedures, October 31, 2002.
This document is a companion appendix to the MedMap System Security Accreditation Package (SSAP), which contains the MedMap basic system information.
The rules of behavior contained in this document are to be followed by all MedMap users and system administrators. Each individual will be held accountable for their actions on MedMap. Non-compliance with these rules will be disciplined through sanctions commensurate with the level of infraction. Sanctions may range from a verbal or written warning, removal of MedMap access for a specific period of time, or reassignment to other duties, up to termination, depending on the severity of the violation. These ROB are not to be used in place of existing policy. Rather, they are intended to enhance and further define rules specifically for MedMap users and system administrators.
Questions about this document may be directed to the MedMap System Owner (SO).
All MedMap users and system administrators are responsible for:
• Complying with the guidance set forth in this MedMap Rules of Behavior document;
• Signing the ROB Acknowledgement form;
• Maintaining a readily accessible copy of the MedMap ROB and the completed ROB Acknowledgement form, to be made available upon request to the ASPR CISO and/or the HHS Inspector General staff; and
• Providing the original of the completed ROB Acknowledgement form to the MedMap system owner within five business days of receipt of the MedMap ROB.

2.1 System Owner
The MedMap System Owner is responsible for:
• Compiling a list of MedMap users, and distributing a copy of the MedMap ROB to each individual with instructions to return the acknowledgement form;
• Maintaining current acknowledgement signatures for each MedMap user and system administrator;
• Ensuring each MedMap user periodically receives MedMap-appropriate security awareness training;
• Responding to the ASPR Chief Information Security Officer (CISO) and/or the HHS Inspector General (IG) auditing staff to provide documentation of current acknowledgements; and
• Periodically reviewing these MedMap Rules of Behavior to ensure their accuracy and currency.
2.2 System Administrator
The MedMap System Administrator is responsible for:
• Conducting inspections and spot checks to ensure user compliance with the MedMap ROB;
• Only accessing or viewing a user account with the express consent of the user and/or the System Owner; and
• Performing periodic vulnerability analyses to help determine if security controls are adequate.
2.3 Supervisors
Each user’s supervisor is responsible for:
• Signing their user’s acknowledgement form;
• Formally requesting their user’s access privileges, and the degree of access, to MedMap; and
• Officially notifying the MedMap System Owner when the user’s access rights should be terminated or modified.
2.4 Users
The MedMap users are responsible for:
• Protecting their MedMap passwords and the MedMap information to which they have access;
• While logged onto MedMap, never leaving their workstation unattended for long periods without activating screen protection;
• If locked out, notifying the MedMap System Owner for assistance;
• Reporting any unusual or suspicious MedMap activities to the MedMap System Owner;
• Only using another person’s MedMap account or identity when authorized; and
• Ensuring the integrity of MedMap data they create or modify.
3. Expected Behavior
MedMap takes full advantage of the security controls implemented on the OS Network. Individuals accessing MedMap are expected to be familiar with the OS Network’s Rules of Behavior, including email, Internet usage, off-site computing, etc. The sections below deal directly with MedMap.
3.1 System Access Privileges
MedMap access will only be issued to, and used by, authorized individuals. MedMap access is granted based on an official request from an authorizing official. Each MedMap user is given access to MedMap based on a need to perform specific work. Users are to work within the confines of the access allowed and are not to attempt access that has not been authorized.
3.2 Password Guidance
MedMap users are to use passwords of eight (8) characters consisting of a mix of alphabetic, numeric and special characters, with at least one uppercase letter, one lowercase letter, and one number. Users will be expected to change their passwords every 90 days. Users should keep their passwords confidential and not share them with anyone.
3.3 Individual Accountability
Each MedMap user will be held accountable for their actions on MedMap. Care should be taken to ensure the integrity of MedMap data created, accessed, or modified.
Each MedMap user should apply the necessary safeguards to protect MedMap data from unauthorized disclosure, alteration, and/or loss, including the protection of MedMap hard copy documents.
3.4 Protection of Copyright Licenses (Software)
The MedMap System Owner and the MedMap System Administrator comply with the MedMap copyright license requirements. MedMap users and supervisors are also responsible for complying with these requirements.
MedMap software will not be modified without the approval of the MedMap System Owner. MedMap users are not to download MedMap software, or deactivate MedMap security features or controls. Audit logs will be reviewed to determine whether unauthorized activity has been attempted.