EFTA00152121.pdf

EOUSA Division MEGA4 Automated Litigation Support System Account Request and Approval Form For EOUSA Division Users To be used for DOJ EOUSA Division employees and authorized MEGA4 contractor staff Case/Project Information DJ NUMBER: 2442-0129 CASE NAME: US V. Epstein LEAD EOUSA DIVISION ATTORNEY NAME AND PHONE NUMBER: EOUSA CASE MANAGER NAME AND PHONE NUMBER: iCONECT 1 RELATIVITY LIST OF SPECIFIC CASES/PROJECTS FOR WHICH ACCESS IS REQUIRED: US v. Epstein End User Information: FULL NAME: EOUSA SECTION: POSITION/TITLE: FBI Special Agent TELEPHONE NUMB R: APPROVED BY: Date: SIGNATURE: MEGA4 System Access — EOUSA Page of 8 EFTA00152121 Department of Justice Information Technology (IT) Securi Rules of Behavior (ROB) for General U rs Version 7.0 January 3, 2014 I. Introduction The Rules of Behavior (ROB) for General Users pertain to the use, securi for Department of Justice (DOS) systems. The rules highlight that taking security of an information system and its data is an essential part of your j Information Technology (IT) data and systems, you are the first line of de security. The intent of the ROB is to acknowledge users' receipt and understanding requirements from various Federal and DOJ policies and procedures. Th are not limited to, the Office of Management and Budget (OMB) Circular M-05-08, the Privacy Act of 1974, DOJ Order 2640.2 (series), DOJ Order IT Security Standard. Who is covered by these rules? These rules apply to all personnel (government employees and contractors privileged duties on DOJ information systems, access or use DOJ informa to DOJ — hereafter referred to as users. All users are required to review an electronic verification acknowledging compliance with these rules to their Security representative. Certain authorized personnel may obtain limited exemptions for specific official duties. These individuals must document situations where equipm listed below prevent mission operations. In addition to this ROB, the user provide signature or electronic verification acknowledging compliance for The system Authorizing Official (AO) will issue an exemption if the accep is documented and appropriate'. What are the penalties for noncompliance? Non-compliance with requirements will be enforced through sanctions co infraction. Actions may include a verbal or written warning, temporary su permanent revocation, reassignment to other duties, or termination, depend violation. In addition, activities that lead to or cause disclosure of classifie criminal prosecution under the U.S. Code, Title 18, Section 798, and other Unauthorized browsing or inspection of Federal Taxpayer Information (Int 72I3A) is punishable with a fine of up to $1,000 and/or up to one year imp disclosure of Tax Return information (Internal Revenue Code Sec. 7213) is fine of up to $5,000 and up to five years in prison. In addition to these pen convicted under Sec. 7213 or Sec.7213A will be dismissed from employm ' For additional information on mobile device exemptions, please refer to die Department Application Security Policy Instruction v2 (http://dojnet.doj.gov/jmd/irmfitsecurity/docum nts/FINAL- DOJ_Mobile_Device_and_Application_Security_Policy_Instruction_v2.pdf). and acceptable level of risk rsonal responsibility for the b. Asa user of the DOJ nse in support of DOD's IT applicable IT security requirements include, but -130, OMB M-07-16, OMB 740.1 (series), and the DOJ who perform general non- on, or provide IT services provide signature or spective Component IT urrences when performing nt and software limitations hall also agree to and he Privileged User ROB. ed risk(s) and justification ensurate with the level of nsion of system access or ng on the severity of the information may result in pplicable statutes. real Revenue Code Sec. isonment. Unauthorized a felony punishable with a ties, any Federal employee t. Justice Mobile Device and Mobile MEGA4 System Access — EOUSA Revised Mardi 2014 Page 2 of 8 EFTA00152122 Department of Justice Information Technology (IT) Securi Rules of Behavior (ROB) for General U Version 7.0 January 3, 2014 II. User Responsibilities A. General 1. Comply with all Federal laws and Department and Component poll including DOJ Orders and Standards. Use DOJ information and in official use, and authorized purposes only. 2. Do not generate, download, store, copy, or transmit offensive or in in any medium, to include e-mail messages, documents, images, vi 3. Limit distribution of e-mail to only those with a "need to know." 4. Do not open e-mails from suspicious sources (e.g., people you don normally communicate with) and do not visit untrusted or inapprop authorized). Only download permissible files from known and reli checking procedures prior to file use. 5. Protect and safeguard all DOJ information, including personally i• (P11), commensurate with the sensitivity and value of the data at ris all DOJ information and information systems from unauthorized ac inadvertent modification, disclosure, damage, destruction, loss, the improper sanitization, and improper use. 6. Verify that each computer-readable data extract containing sensitiv within 90 days of origination or that its use is still required. 7. Upon discovery of a known or suspected security incident, report Incident Response Representative, Justice Security Operations Cen Supervisor. 8. Immediately report lost or stolen devices (e.g., laptop, phone, tabl Desk, Incident Response Representative, Justice Security Operatio or Supervisor. 9. Encrypt all DOJ Sensitive but Unclassified (SBU) data on authori tablets, and removable media (e.g., removable hard drives, thumb d Department-approved solutions unless a waiver or policy exemptio environments, follow the procedures required for those networks f. All data is considered sensitive unless designated as non-sensitive Director/Head/Office Head. 10. Read and understand the DOJ security warning banner that appears system or mobile device. I I. Screen-lock or log off your computer when leaving the work area, utilized. Log off when departing for the day. 12. Keep all government-furnished equipment (GFE) mobile devices 2 rs ies and requirements, rmation systems for lawful, propriate information eos, and sound files. recognize, know, or iate websites (unless ble sources and use virus- tifiable information Protect and safeguard unauthorized or denial of service, Pll data has been erased incident to your Help Desk, r, Security Manager, or thumb drive) to your Help s Center, Security Manager, mobile computers, laptops, Ives, and DVDs) using exists. For classified data storage and transport. the Component rior to logging onto the d remove your PIV card, if igned to you in your MEGA4 System Access — EOUSA Page 3 of 8 EFTA00152123 Department of Justice Information Technology (IT) Securi Rules of Behavior (ROB) for General U Version 7.0 January 3, 2014 rs physical presence whenever possible. When it is necessary for you o be away from your GFE, particularly at a non-secure location, secure all your portable elect • nic devices and removable media, preferably out-of-sight (e.g. in a locked container). 13. Do not use Peer-to-Peer (P2P) technology on the Internet, such as S forbidden throughout the Department unless the Department's Chie Information Officer (CIO) or designee approves a waiver. 14. Do not auto-forward emails from your DOJ email account to your (e.g., Gmail, Yahoo, Hotmail). 15. Ensure that individuals have the proper clearance, authorization, an providing access to any DOJ information. 16. Consent to monitoring and search of any IT equipment that is brou: removed from DOJ owned, controlled, or leased facilities consisten contractor consent obtained through log-on banners and DOJ polici 17. Properly mark and label classified and sensitive documents, electro accordance with the DOJ Security Program Operating Manual (SP 18. Adhere to Separation of Duties principles. Understand conflict of roles, and functions within a system or application (e.g., duties of t and Information System Security Officer (ISSO) should not be co 19. Do not change any configurations or settings of the operating syste software, or circumvent and test the security controls of the system 20. Do not bypass native mobile device operating system controls to ga jailbreaking or rooting the device). 21. Do not use anonymizer sites on the Internet and bypass the Depart designed to protect systems from malicious Internet sites. B. Classified Systems/Information 22. Do not process classified information on an unclassified system unl obtained to support a specific job function. 23. Send classified email only on systems authorized for that purpose a the classified data involved. 24. When in use, operate IT systems only in those areas or facilities ce classification or sensitivity level of the information involved. Whe classified computer, hard drive, removable media, etc. in an approv facility approved for open storage. 25. Use classified laptops and similar devices in accordance with the D Requirements for Classified Systems, dated April 25, 2011. 3 ype, BitTorrent, etc. P2P is rsonal email account need-to-know before into, networked to, or with employee and s. 'c equipment, and media in M) and DOJ Order 2620.7. terest in responsibilities, System Administrator fined). and security-related nless authorized. increased privileges (i.e., nt security mechanisms s authorization is d for the highest level of ified for the highest not in use, store a security container or in a J Removable Media MEGA4 System Access — EOUSA Page 4 of 8 EFTA00152124 Department of Justice Information Technology (IT) Securi Rules of Behavior (ROB) for General U Version 7.0 January 3, 2014 C. Passwords 26. Adhere to at least the minimum password requirements for the syst working. 27. Change the default password upon receipt from system administra 28. Do not share account passwords with anyone. 29. Avoid using the same password for multiple accounts. D. Mobile Computing & Remote Access Users 30. Use mobile GFE (e.g., laptop, tablet, smartphone) for official busin Mobile GFE is for use by DOJ personnel only (no spouses or relati through an authorized DOJ remote access network when accessing 31. Only authorized applications and software for mobile GFE can be DOJ devices, and only from DOJ-authorized sources. 32. The use of Short Message Service (SMS) must be approved by the messages are be limited to non-sensitive information. 33. Only install DOJ-provided removable media, including memory an module (SIM) cards, on mobile GFE. 34. Only connect to secure wireless networks where possible and take prevent the compromise of DOJ data when insecure wireless netw 35. Follow these guidelines unless explicitly authorized by the Autho • otherwise: rs m on which you are r. ss and authorized uses. es) and shall only connect he Internet. wnloaded and installed on uthorizing Official. SMS subscriber identity recautionary measures to s must be used.2 ing Official to do a. Do not connect non-DOJ mobile devices and/or accessories to D I J networks. This includes mobile phones, tablets, laptops, Bluetooth devices, and other dev ces requiring both wired and wireless communication access. b. Do not enable mobile device tethering via Bluetooth, Universal 'erial Bus (USB), or Wi-Fi hotspots on mobile GFE. c. Do not access non-Government cloud-based services—such as I ropBox and iCloud—from mobile GFE. d. Do not connect mobile GFE to non-DOJ information systems, to include personal computers. E. Virtual Conferencing 36. Hosts and presenters must provide participants with advance noti if the virtual conference session is being recorded. 2 For additional information, please refer to the Department of Justice Secure Use of W. ess Networks FAQ at http://dojnet.doj.gov/jmd/irmlitsecurity/ises_team.php. 4 MEGA4 System Access — EOUSA Page 5 of 8 EFTA00152125 Department of Justice Information Technology (IT) Security Rules of Behavior (ROB) for General U Version 7.0 January 3,2014 37. Do not access a virtual conference presentation using an account w 38. Limit presentation information to only that which is authorized for 39. Delete all DOJ information on a provider's web site immediately u conference. 40. Do not install any agents or other software designed to enhance or 41. Employ strong participant authentication mechanisms (i.e., multi-f. a pin, unique login credentials, etc.). 42. Enable logging and archiving to provide auditability of participant enable/disable meeting functions (e.g., upload, download, desktop F. Hardware 43. Do not add, modify, or remove hardware, or connect unauthorized communications connections to DOJ IT resources unless specifical 44. Do not access the internal components of the computer, or remove drive from Dal facilities unless specifically authorized. 45. Wipe all devices prior to reissue. There is no expectation of mainta information, data, or applications on these devices. G. Software 46. Do not copy or distribute intellectual property — including music, and other copyrighted materials — without permission or license fro Use DOJ-licensed and authorized software only. 47. Do not install or update any software unless specifically authorized 48. Do not attempt to access any electronic audit trails that may exist o specifically authorized. H. Remote Web Access 49. Follow your organization's telework guidelines when working rem information remotely. 50. Ensure the confidentiality of government information when using OWA) from a non-GFE client (public or private). This includes th a. When downloading attachments to registered non-GFE private remove any extraneous attachments, encrypt them locally, or encrypted USB drive. b. Delete attachments when finished on registered non-GFE privet c. Do not download attachments on unregistered non-GFE public 5 rs elevated privileges. ssemination. n the end of a virtual d in virtual conferencing. tor authentication, d host activity, as well as aring). ccessories or authorized. e computer or its hard ning any personal ftware, documentation, the copyright owner. the computer unless rely and/or accessing DOJ mote web access (e.g., following: mputers, immediately sfer them to an approved computers. mputers. MEGA4 System Access —EOUSA Page 6 of 8 EFTA00152126 Department of Justice Information Technology (IT) Security Rules of Behavior (ROB) for General U Version 7.0 January 3, 2014 51. Do not print emails in public areas and with public non-GFE printe non-GFE private printers at home. Users will be held responsible Government information through negligence or a willful act. 52. Maintain a reasonable security posture (i.e., updated antivirus, local software patch levels) on registered non-GFE private computers u I. Traveling Users 53. The Component Mobile Computing Operatiobs Manager, or equiv: or an equivalent authorized SOC in advance, if you intend to travel DOJ laptop that will accompany you during any portion of travel w location(s) of travel. For travel to countries designated as high-risk use of mobile devices must be approved by the Dal CISO prior to processed via email to both the DOJ 1TSS Director and the DOJ I 54. Minimize the information on your IT system to what is required to mission while travelling and destroy copies of sensitive data when 55. Shut down IT devices when not in use or no longer needed. If the I the associated network capability, turn off/disable the network/wire 56. Assume all communications (including cellular services) are being on travel in a foreign country. 57. Keep your remote access token separate from the laptop/tablet (pre possible. J. Personally Identifiable Information 58. Safeguard against breaches of information involving P11, which re be used alone or combined with other information that can distingui identity—such as a name, social security number, biometric record birth, mother's maiden name, etc. 59. Report all breaches of information involving P11 to JSOC through y procedures. rs Users may print with r the compromise of firewall, updated OS and for remote access. ent, shall notify the JSOC, o a foreign country with a the intended dates and unter-intelligence, the avel. Requests are S Deputy Director.3 rform a particular longer needed. device is needed but not ss network functionality.4 tercepted and read when rably on you) when to information that can h or trace an individual's the date and place of ur Component's standard For additional information on foreign travel requirements, please refer to the Foreign Tr • -I Laptop Use and Foreign Travel Laptop Use Waiver Request forms (http://dojnet.doj.gov/jmdfinn/itsecurityfjsoc-cyber-de nse.php). For additional information on the use of mobile devices during foreign travel, please refer to the Mobile ice and Mobile Application Security Policy Instruction (http://dojnet.doj.govimdfirm/itsecurity/documents/FINAL- DOJMobile_Deviceand_Application_Security_Policy_Instruction_v2.pdf). 4 For additional information, please refer to the Department of Justice Secure Use of Wirel ss Networks FAQ at hftp://dojnet.doj.gov/jmcVinn/itsecurity/ises_team.php. 6 MEGA4 System Access — EOUSA Page 7 of 8 EFTA00152127 Department of Justice Information Technology (IT) Security Rules of Behavior (ROB) for General U Version 7.0 January 3, 2014 60. Access, maintain, store, or transmit Pll that you are given explicit a you meet required security controls.s 61. Disclose P1I in accordance with appropriate legal authorities and th 62. Dispose of and retain records in accordance with applicable record Archives and Records Administration guidelines and Department P 63. Do not perform unauthorized querying, review, inspection, or disc) Information! (See Internal Revenue Code Sec. 7213 and 7213A at http:/Iwww. irs.gov/irm/part 11/irm 11-003-001 .htmllid0e 176) rs thorization to and ensure Privacy Act of 1974. hedules, National licies.6 sure of Federal Taxpayer I acknowledge receipt and understand my responsibilities as identified ve. Additionally, this acknowledgment accepts my responsibility to ensure the protection of P11 at I may handle. I will comply with the DOJ IT Security ROB for General Users, Version 7.0, ed January 3, 2014. hq Date Component and Sub-Compo Note: Statement of acknowledgement may be made by signature if the R reviewed in hard copy or by email/electronic acknowledgement if reviewe required to review and provide their signature or electronic verification with these rules. Users with privileged accesses and permissions shall a for Privileged Users. If you have questions related to this ROB, please c Security Manager, or Supervisor. The Department has the right, reserved or otherwise, to update the ROB to with all applicable laws, regulations, and DOJ Standards. Updates to the through the Department's ISES Team Lead and Component Training Coo 7 ent for General Users is online. All users are knowledging compliance o agree to and sign the ROB tact your Help Desk, nsure it remains compliant OB will be communicated inators. MEGA4 System Access — EOUSA Page 8 of 8 EFTA00152128