User Accountability
I Will:
• Complete mandatory security and privacy awareness training within designated time frames, and complete any additional role-based security training required based on my role and responsibilities. SOURCE: AT-3
• I Understand that authorized VA personnel may review my conduct or actions concerning VA information and information systems, and take appropriate action. SOURCE: AU-1
• Have my GFE scanned and serviced by VA authorized personnel. This may require me to return it promptly to a VA facility upon demand. SOURCE: MA-2
• Permit only those authorized by OI&T to perform maintenance on IT components, including installation or removal of hardware or software. SOURCE: MA-5
• Sign specific or unique ROBs as required for access or use of specific VA systems. I may be required to comply with a non-VA entity's ROB to conduct VA business. While using their system, I must comply with their ROB. SOURCE: PL-4
Sensitive Information
I Will:
• Ensure that all printed material containing VA sensitive information is physically secured when not in use (e.g., locked cabinet, locked door). SOURCE: MP-4
• Only provide access to sensitive information to those who have a need-to-know for their professional duties, including only posting sensitive information to web-based collaboration tools restricted to those who have a need-to-know and when proper safeguards are in place for sensitive information. SOURCE: UL-2
• Recognize that access to certain databases has the potential to cause great risk to VA, its customers and employees due to the number and/or sensitivity of the records being accessed. I will act accordingly to ensure the confidentiality and security of these data commensurate with this increased potential risk. SOURCE: UL-2
• Obtain approval from my supervisor to use, process, transport, transmit, download, print or store electronic VA sensitive information remotely (outside of VA owned or managed facilities (e.g., medical centers, community based outpatient clinics (CBOC), or regional offices)). SOURCE: UL-2
• Protect VA sensitive information from unauthorized disclosure, use, modification, or destruction, and will use encryption products approved and provided by VA to protect sensitive data. SOURCE: SC-13
• Transmit individually identifiable information via fax only when no other reasonable means exist, and when someone is at the machine to receive the transmission or the receiving machine is in a secure location. SOURCE: SC-8
• Encrypt email, including attachments, which contain VA sensitive information. I will not encrypt email that does not include VA sensitive information or any email excluded from the encryption requirement. SOURCE: SC-8
• Protect Sensitive Personal Information (SPI) aggregated in lists, databases, or logbooks, and will include only the minimum necessary SPI to perform a legitimate business function. SOURCE: SC-28