EFTA00152121.pdf

EOUSA Division MEGA4 Automated Litigation Support System Account Request and Approval Form For EOUSA Division Users To be used for DOJ EOUSA Division employees and authorized MEGA4 contractor staff Case/Project Information DJ NUMBER: 2442-0129 CASE NAME: US V. Epstein LEAD EOUSA DIVISION ATTORNEY NAME AND PHONE NUMBER: EOUSA CASE MANAGER NAME AND PHONE NUMBER: iCONECT 1 RELATIVITY LIST OF SPECIFIC CASES/PROJECTS FOR WHICH ACCESS IS REQUIRED: US v. Epstein End User Information: FULL NAME: EOUSA SECTION: POSITION/TITLE: TELEPHONE NUMB R: FBI Special Agent APPROVED BY: Date: SIGNATURE: MEGA4 System Access — EOUSA Page of 8 EFTA00152121  Department of Justice Information Technology (IT) Securi Rules of Behavior (ROB) for General U rs Version 7.0 January 3, 2014 I. Introduction The Rules of Behavior (ROB) for General Users pertain to the use, securi and acceptable level of risk for Department of Justice (DOS) systems. The rules highlight that taking rsonal responsibility for the security of an information system and its data is an essential part of your j b. Asa user of the DOJ Information Technology (IT) data and systems, you are the first line of de nse in support of DOD's IT security. The intent of the ROB is to acknowledge users' receipt and understanding applicable IT security requirements from various Federal and DOJ policies and procedures. Th requirements include, but are not limited to, the Office of Management and Budget (OMB) Circular -130, OMB M-07-16, OMB M-05-08, the Privacy Act of 1974, DOJ Order 2640.2 (series), DOJ Order 740.1 (series), and the DOJ IT Security Standard. Who is covered by these rules? These rules apply to all personnel (government employees and contractors who perform general non- privileged duties on DOJ information systems, access or use DOJ informa on, or provide IT services to DOJ — hereafter referred to as users. All users are required to review an provide signature or electronic verification acknowledging compliance with these rules to their spective Component IT Security representative. Certain authorized personnel may obtain limited exemptions for specific urrences when performing official duties. These individuals must document situations where equipm nt and software limitations listed below prevent mission operations. In addition to this ROB, the user hall also agree to and provide signature or electronic verification acknowledging compliance for he Privileged User ROB. The system Authorizing Official (AO) will issue an exemption if the accep ed risk(s) and justification is documented and appropriate'. What are the penaltiesfor noncompliance? Non-compliance with requirements will be enforced through sanctions co ensurate with the level of infraction. Actions may include a verbal or written warning, temporary su nsion of system access or permanent revocation, reassignment to other duties, or termination, depend ng on the severity of the violation. In addition, activities that lead to or cause disclosure of classifie information may result in criminal prosecution under the U.S. Code, Title 18, Section 798, and other pplicable statutes. Unauthorized browsing or inspection of Federal Taxpayer Information (Int real Revenue Code Sec. 72I3A) is punishable with a fine of up to $1,000 and/or up to one year imp isonment. Unauthorized disclosure of Tax Return information (Internal Revenue Code Sec. 7213) is a felony punishable with a fine of up to $5,000 and up to five years in prison. In addition to these pen ties, any Federal employee convicted under Sec. 7213 or Sec.7213A will be dismissed from employm t. ' For additional information on mobile device exemptions, please refer to die Department Justice Mobile Device and Mobile Application Security Policy Instruction v2 (http://dojnet.doj.gov/jmd/irmfitsecurity/docum nts/FINAL- DOJ_Mobile_Device_and_Application_Security_Policy_Instruction_v2.pdf). MEGA4 System Access — EOUSA Revised Mardi 2014 Page 2 of 8 EFTA00152122  Department of Justice Information Technology (IT) Securi Rules of Behavior (ROB) for General U rs Version 7.0 January 3, 2014 II. User Responsibilities A. General 1. Comply with all Federal laws and Department and Component poll ies and requirements, including DOJ Orders and Standards. Use DOJ information and in rmation systems for lawful, official use, and authorized purposes only. 2. Do not generate, download, store, copy, or transmit offensive or in propriate information in any medium, to include e-mail messages, documents, images, vi eos, and sound files. 3. Limit distribution of e-mail to only those with a "need to know." 4. Do not open e-mails from suspicious sources (e.g., people you don recognize, know, or normally communicate with) and do not visit untrusted or inapprop iate websites (unless authorized). Only download permissible files from known and reli ble sources and use virus- checking procedures prior to file use. 5. Protect and safeguard all DOJ information, including personally i• tifiable information (P11), commensurate with the sensitivity and value of the data at ris Protect and safeguard all DOJ information and information systems from unauthorized ac unauthorized or inadvertent modification, disclosure, damage, destruction, loss, the denial of service, improper sanitization, and improper use. 6. Verify that each computer-readable data extract containing sensitiv Pll data has been erased within 90 days of origination or that its use is still required. 7. Upon discovery of a known or suspected security incident, report incident to your Help Desk, Incident Response Representative, Justice Security Operations Cen r, Security Manager, or Supervisor. 8. Immediately report lost or stolen devices (e.g., laptop, phone, tabl thumb drive) to your Help Desk, Incident Response Representative, Justice Security Operatio s Center, Security Manager, or Supervisor. 9. Encrypt all DOJ Sensitive but Unclassified (SBU) data on authori mobile computers, laptops, tablets, and removable media (e.g., removable hard drives, thumb d Ives, and DVDs) using Department-approved solutions unless a waiver or policy exemptio exists. For classified environments, follow the procedures required for those networks f. data storage and transport. All data is considered sensitive unless designated as non-sensitive the Component Director/Head/Office Head. 10. Read and understand the DOJ security warning banner that appears rior to logging onto the system or mobile device. I I. Screen-lock or log off your computer when leaving the work area, d remove your PIV card, if utilized. Log off when departing for the day. 12. Keep all government-furnished equipment (GFE) mobile devices igned to you in your 2 MEGA4 System Access — EOUSA Page 3 of 8 EFTA00152123  Department of Justice Information Technology (IT) Securi Rules of Behavior (ROB) for General U rs Version 7.0 January 3, 2014 physical presence whenever possible. When it is necessary for you o be away from your GFE, particularly at a non-secure location, secure all your portable elect • nic devices and removable media, preferably out-of-sight (e.g. in a locked container). 13. Do not use Peer-to-Peer (P2P) technology on the Internet, such as S ype, BitTorrent, etc. P2P is forbidden throughout the Department unless the Department's Chie Information Officer (CIO) or designee approves a waiver. 14. Do not auto-forward emails from your DOJ email account to your rsonal email account (e.g., Gmail, Yahoo, Hotmail). 15. Ensure that individuals have the proper clearance, authorization, an need-to-know before providing access to any DOJ information. 16. Consent to monitoring and search of any IT equipment that is brou: into, networked to, or removed from DOJ owned, controlled, or leased facilities consisten with employee and contractor consent obtained through log-on banners and DOJ polici s. 17. Properly mark and label classified and sensitive documents, electro 'c equipment, and media in accordance with the DOJ Security Program Operating Manual (SP M) and DOJ Order 2620.7. 18. Adhere to Separation of Duties principles. Understand conflict of terest in responsibilities, roles, and functions within a system or application (e.g., duties of t System Administrator and Information System Security Officer (ISSO) should not be co fined). 19. Do not change any configurations or settings of the operating syste and security-related software, or circumvent and test the security controls of the system nless authorized. 20. Do not bypass native mobile device operating system controls to ga increased privileges (i.e., jailbreaking or rooting the device). 21. Do not use anonymizer sites on the Internet and bypass the Depart nt security mechanisms designed to protect systems from malicious Internet sites. B. Classified Systems/Information 22. Do not process classified information on an unclassified system unl s authorization is obtained to support a specific job function. 23. Send classified email only on systems authorized for that purpose a d for the highest level of the classified data involved. 24. When in use, operate IT systems only in those areas or facilities ce ified for the highest classification or sensitivity level of the information involved. Whe not in use, store a classified computer, hard drive, removable media, etc. in an approv security container or in a facility approved for open storage. 25. Use classified laptops and similar devices in accordance with the D J Removable Media Requirements for Classified Systems, dated April 25, 2011. 3 MEGA4 System Access — EOUSA Page 4 of 8 EFTA00152124  Department of Justice Information Technology (IT) Securi Rules of Behavior (ROB) for General U rs Version 7.0 January 3, 2014 C. Passwords 26. Adhere to at least the minimum password requirements for the syst m on which you are working. 27. Change the default password upon receipt from system administra r. 28. Do not share account passwords with anyone. 29. Avoid using the same password for multiple accounts. D. Mobile Computing & Remote Access Users 30. Use mobile GFE (e.g., laptop, tablet, smartphone) for official busin ss and authorized uses. Mobile GFE is for use by DOJ personnel only (no spouses or relati es) and shall only connect through an authorized DOJ remote access network when accessing he Internet. 31. Only authorized applications and software for mobile GFE can be wnloaded and installed on DOJ devices, and only from DOJ-authorized sources. 32. The use of Short Message Service (SMS) must be approved by the uthorizing Official. SMS messages are be limited to non-sensitive information. 33. Only install DOJ-provided removable media, including memory an subscriber identity module (SIM) cards, on mobile GFE. 34. Only connect to secure wireless networks where possible and take recautionary measures to prevent the compromise of DOJ data when insecure wireless netw s must be used.2 35. Follow these guidelines unless explicitly authorized by the Autho • ing Official to do otherwise: a. Do not connect non-DOJ mobile devices and/or accessories to D I J networks. This includes mobile phones, tablets, laptops, Bluetooth devices, and other dev ces requiring both wired and wireless communication access. b. Do not enable mobile device tethering via Bluetooth, Universal 'erial Bus (USB), or Wi-Fi hotspots on mobile GFE. c. Do not access non-Government cloud-based services—such as I ropBox and iCloud—from mobile GFE. d. Do not connect mobile GFE to non-DOJ information systems, to include personal computers. E. Virtual Conferencing 36. Hosts and presenters must provide participants with advance noti if the virtual conference session is being recorded. 2 For additional information, please refer to the Department of Justice Secure Use of W. ess Networks FAQ at http://dojnet.doj.gov/jmd/irmlitsecurity/ises_team.php. 4 MEGA4 System Access — EOUSA Page 5 of 8 EFTA00152125  Department of Justice Information Technology (IT) Security Rules of Behavior (ROB) for General U rs Version 7.0 January 3,2014 37. Do not access a virtual conference presentation using an account w elevated privileges. 38. Limit presentation information to only that which is authorized for ssemination. 39. Delete all DOJ information on a provider's web site immediately u n the end of a virtual conference. 40. Do not install any agents or other software designed to enhance or d in virtual conferencing. 41. Employ strong participant authentication mechanisms (i.e., multi-f. tor authentication, a pin, unique login credentials, etc.). 42. Enable logging and archiving to provide auditability of participant d host activity, as well as enable/disable meeting functions (e.g., upload, download, desktop aring). F. Hardware 43. Do not add, modify, or remove hardware, or connect unauthorized ccessories or communications connections to DOJ IT resources unless specifical authorized. 44. Do not access the internal components of the computer, or remove e computer or its hard drive from Dal facilities unless specifically authorized. 45. Wipe all devices prior to reissue. There is no expectation of mainta ning any personal information, data, or applications on these devices. G. Software 46. Do not copy or distribute intellectual property — including music, ftware, documentation, and other copyrighted materials — without permission or license fro the copyright owner. Use DOJ-licensed and authorized software only. 47. Do not install or update any software unless specifically authorized 48. Do not attempt to access any electronic audit trails that may exist o the computer unless specifically authorized. H. Remote Web Access 49. Follow your organization's telework guidelines when working rem rely and/or accessing DOJ information remotely. 50. Ensure the confidentiality of government information when using mote web access (e.g., OWA) from a non-GFE client (public or private). This includes th following: a. When downloading attachments to registered non-GFE private mputers, immediately remove any extraneous attachments, encrypt them locally, or sfer them to an approved encrypted USB drive. b. Delete attachments when finished on registered non-GFE privet computers. c. Do not download attachments on unregistered non-GFE public mputers. 5 MEGA4 System Access —EOUSA Page 6 of 8 EFTA00152126  Department of Justice Information Technology (IT) Security Rules of Behavior (ROB) for General U rs Version 7.0 January 3, 2014 51. Do not print emails in public areas and with public non-GFE printe Users may print with non-GFE private printers at home. Users will be held responsible r the compromise of Government information through negligence or a willful act. 52. Maintain a reasonable security posture (i.e., updated antivirus, local firewall, updated OS and software patch levels) on registered non-GFE private computers u for remote access. I. Traveling Users 53. The Component Mobile Computing Operatiobs Manager, or equiv: ent, shall notify the JSOC, or an equivalent authorized SOC in advance, if you intend to travel o a foreign country with a DOJ laptop that will accompany you during any portion of travel w the intended dates and location(s) of travel. For travel to countries designated as high-risk unter-intelligence, the use of mobile devices must be approved by the Dal CISO prior to avel. Requests are processed via email to both the DOJ 1TSS Director and the DOJ I S Deputy Director.3 54. Minimize the information on your IT system to what is required to rform a particular mission while travelling and destroy copies of sensitive data when longer needed. 55. Shut down IT devices when not in use or no longer needed. If the I device is needed but not the associated network capability, turn off/disable the network/wire ss network functionality.4 56. Assume all communications (including cellular services) are being tercepted and read when on travel in a foreign country. 57. Keep your remote access token separate from the laptop/tablet (pre rably on you) when possible. J. Personally Identifiable Information 58. Safeguard against breaches of information involving P11, which re to information that can be used alone or combined with other information that can distingui h or trace an individual's identity—such as a name, social security number, biometric record the date and place of birth, mother's maiden name, etc. 59. Report all breaches of information involving P11 to JSOC through y ur Component's standard procedures. For additional information on foreign travel requirements, please refer to the Foreign Tr • -ILaptop Use and Foreign Travel Laptop Use Waiver Request forms (http://dojnet.doj.gov/jmdfinn/itsecurityfjsoc-cyber-de nse.php). For additional information on the use ofmobile devices during foreign travel, please refer to the Mobile ice andMobile Application Security Policy Instruction (http://dojnet.doj.govimdfirm/itsecurity/documents/FINAL- DOJMobile_Deviceand_Application_Security_Policy_Instruction_v2.pdf). 4 For additional information, please refer to the Department of Justice Secure Use of Wirel ss Networks FAQ at hftp://dojnet.doj.gov/jmcVinn/itsecurity/ises_team.php. 6 MEGA4 System Access — EOUSA Page 7 of 8 EFTA00152127  Department of Justice Information Technology (IT) Security Rules of Behavior (ROB) for General U rs Version 7.0 January 3, 2014 60. Access, maintain, store, or transmit Pll that you are given explicit a thorization to and ensure you meet required security controls.s 61. Disclose P1I in accordance with appropriate legal authorities and th Privacy Act of 1974. 62. Dispose of and retain records in accordance with applicable record hedules, National Archives and Records Administration guidelines and Department P licies.6 63. Do not perform unauthorized querying, review, inspection, or disc) sure of Federal Taxpayer Information! (See Internal Revenue Code Sec. 7213 and 7213A at http:/Iwww.irs.gov/irm/part11/irm 11-003-001.htmllid0e176) I acknowledge receipt and understand my responsibilities as identified ve. Additionally, this acknowledgment accepts my responsibility to ensure the protection of P11 at I may handle. I will comply with the DOJ IT Security ROB for General Users, Version 7.0, ed January 3, 2014. hq Date Component and Sub-Compo ent Note: Statement ofacknowledgement may be made by signature if the R for General Users is reviewed in hard copy or by email/electronic acknowledgement if reviewe online. All users are required to review andprovide their signature or electronic verification knowledging compliance with these rules. Users with privileged accesses andpermissions shall a o agree to and sign the ROB for Privileged Users. Ifyou have questions related to this ROB, please c tact your Help Desk, Security Manager, or Supervisor. The Department has the right, reserved or otherwise, to update the ROB to nsure it remains compliant with all applicable laws, regulations, andDOJStandards. Updates to the OB will be communicated through the Department's ISES Team Leadand Component Training Coo inators. 7 MEGA4 System Access — EOUSA Page 8 of 8 EFTA00152128