SlideShare uma empresa Scribd logo
1 de 12
Baixar para ler offline
Rules of Behavior
<Information System Name>, <Date>




                               Rules of Behavior




                     <Information System Name>
                                <Vendor Name>
                                    Version 1.0
                                     May 2, 2012
Rules of Behavior
Version 0.1 / Date




                                                        Table of Contents
1.      Overview...........................................................................................................................................................6
2.      Rules of Behavior for Internal Users .................................................................................................................7
3.      Rules of Behavior for External Users ..............................................................................................................10




                                                                                                                                                                 Page 2
Rules of Behavior
Version 0.1 / Date


                         Document Revision History


           Date         Description            Version   Author
           05/02/2012   Document Publication   1.0           FedRAMP Office




                                                                              Page 3
Rules of Behavior
Version 0.1 / Date

ABOUT THIS DOCUMENT
This document has been developed to provide guidance on how to participate in and understand
the FedRAMP program.

Who should use this document?
This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor
Organizations (3PAOs), government contractors working on FedRAMP projects, government
employees working on FedRAMP projects, and any outside organizations that want to make use
of the FedRAMP Contingency Planning process.

How this document is organized
This document is divided into ten sections. Most sections include subsections.

Section 1 describes and overview of the Rules of Behavior.

Section 2 describes recommended Rules of Behavior for internal users.

Section 3 describes recommended Rules of Behavior for external users.

Conventions used in this document
This document uses the following typographical conventions:

Italic
    Italics are used for email addresses, security control assignments parameters, and formal
document names.

Italic blue in a box
    Italic blue text in a blue box indicates instructions to the individual filling out the template.

     Instruction: This is an instruction to the individual filling out of the template.

Bold
  Bold text indicates a parameter or an additional requirement.

Constant width
   Constant width text is used for text that is representative of characters that would show up on
a computer screen.

<Brackets>
Bold blue text in brackets indicates text that should be replaced with user-defined values. Once
the text has been replaced, the brackets should be removed.

Notes
  Notes are found between parallel lines and include additional information that may be helpful


                                                                                                  Page 4
Rules of Behavior
Version 0.1 / Date

to the users of this template.


        Note: This is a note.


Sans Serif
  Sans Serif text is used for tables, table captions, figure captions, and table of contents.

How to contact us
If you have questions about FedRAMP or something in this document, please write to:

        info@fedramp.gov

For more information about the FedRAMP project, please see the website at:

        http://www.fedramp.gov.




                                                                                                Page 5
Rules of Behavior
Version 0.1 / Date

1. OVERVIEW
Rules of Behavior describe security controls associated with user responsibilities and certain
expectations of behavior for following security policies, standards, and procedures. Security
control PL-4 requires Cloud Service Providers to implement Rules of Behavior. It is often the
case that different Rules of Behavior apply to internal and external users. Internal users are
employees of your organizations, including contractors. External users are anyone who has
access to a system that you own that is not one of your employees or contractors. External users
might be customers or partners, or customer prospects that have been issued demo accounts.

CSP employees who have access to the <Information System Name> must sign Internal Rules
of Behavior. If the CSP provisions accounts for customers, including management accounts, it is
the CSP’s responsibility to ensure that whoever the CSP provisions an account to signs an
External Rules of Behavior. If the CSP provisions a management account to an individual
customer, and then that manager in turn provisions subsequent customer accounts, it is the
responsibility of the customer manager to ensure that users that he/she has provisioned sign the
CSP provided Rules of Behavior. Ultimately, whoever provisions the account owns the
responsibility for getting users to sign the Rules of Behavior for the accounts that they have
provisioned.

Rules of Behavior may be signed on paper or electronically at first login. Either way, the
organization must retain artifacts to enable an independent assessor to verify that Rules of
Behavior have been signed for all users.

 Instruction: A sample set of Rules of Behavior have been provided for both Internal Users
 and External Users on the pages that follow. The CSP should modify these sets of rules to
 match the Rules of Behavior that are necessary to secure the system. You do not need to use
 these exact rules per se – they have been provided as examples. Please keep in mind that
 certain rules that apply to internal users may not apply to external users and vice versa.




                                                                                               Page 6
Rules of Behavior
Version 0.1 / Date

2. RULES OF BEHAVIOR FOR INTERNAL USERS
You must comply with copyright and site licenses of proprietary software.

You must process only data that pertains to official business and is authorized to be processed on the
system.

You must report all security incidents or suspected incidents to the IT department.

You must discontinue use of any system resources that show signs of being infected by a virus or other
malware and report the suspected incident.

You must challenge unauthorized personnel that appear in your work area.

You must use only the data for which you have been granted authorization.

You must notify your <Company Name>manager if access to system resources is beyond that which is
required to perform your job.

You must attend computer security awareness and privacy training as requested by <Company Name>.

You must coordinate your user access requirements, and user access parameters, with your <Company
Name>manager.

You must ensure that access to application-specific sensitive data is based on your job function.

You must safeguard resources against waste, loss, abuse, unauthorized users, and misappropriation.

You must ensure that access is assigned based on your <Company Name>manager’s approval.

You must familiarize yourself with any special requirements for accessing, protecting, and utilizing data,
including Privacy Act requirements, copyright requirements, and procurement of sensitive data.

You must ensure electronic official records (including attachments) are printed and stored according to
<Company Name> policy and standards.

You must ensure that sensitive, confidential, and proprietary information sent to a fax or printer is
handled in a secure manner, e.g., cover sheet to contain statement that information being faxed is
Confidential and Proprietary, For Company Use Only, etc.

You must ensure that hard copies of Confidential and Proprietary information is destroyed (after it is no
longer needed) commensurate with the sensitivity of the data.

You must ensure that Confidential and Proprietary information is protected against unauthorized access
using encryption, according to <Company Name> standards, when sending it via electronic means
(telecommunications networks, e-mail, and/or facsimile).


                                                                                                        Page 7
Rules of Behavior
Version 0.1 / Date

You must not process U.S. classified national security information on any system at <Company Name>
for any reason.

You must not install <Company Name>unapproved software onto the system. Only <Company
Name>designated personnel are authorized to load software.

You must not add additional hardware or peripheral devices to the system. Only designated personnel
can direct the installation of hardware on the system.

You must not reconfigure hardware or software on any <Company Name> systems, networks, or
interfaces.

You must follow all <Company Name> wireless access policies.

You must not retrieve information for someone who does not have authority to access that information.

You must not remove computer resources from the facility without prior approval. Resources may only
be removed for official use.

You must ensure that web browsers check for a publisher’s certificate revocation.

You must ensure that web browsers check for server certificate revocation.

You must ensure that web browsers check for signatures on downloaded files.

You must ensure that web browsers empty/delete temporary Internet files when the browser is closed.

You must ensure that web browsers use Secure Socket Layer (SSL) version 3.0 (or higher) and Transport
Layer Security (TLS) 1.0 (or higher). SSL and TLS must use a minimum of 128-bit, encryption.

You must ensure that web browsers warn about invalid site certificates.

You must ensure that web browsers warn if the user is changing between secure and non-secure mode.

You must ensure that web browsers warn if forms submittal is being redirected.

You must ensure that web browsers do not allow access to data sources across domains.

You must ensure that web browsers do not allow the navigation of sub-frames across different domains.

You must ensure that web browsers do not allow the submission of non-encrypted critical form data.

You must ensure that your <Company Name>Web browser window is closed before navigating to other
sites/domains.

You must not store customer information on a system that is not owned by <Company Name>.



                                                                                                Page 8
Rules of Behavior
Version 0.1 / Date

You must ensure that sensitive information entered into systems is restricted to team members on a
Need-To-Know basis.

You understand that any person who obtains information from a computer connected to the Internet in
violation of her employer’s computer-use restrictions is in violation of the Computer Fraud and Abuse
Act.



  ACCEPTANCE AND SIGNATURE

  I have read the above Rules of Behavior for Internal Users for<Company Name> systems and
  networks. By my electronic acceptance and/or signature below, I acknowledge and agree that my
  access to all <Company Name> systems and networks is covered by, and subject to, such Rules.
  Further, I acknowledge and accept that any violation by me of these Rules may subject me to civil
  and/or criminal actions and that <Company Name> retains the right, at its sole discretion, to
  terminate, cancel or suspend my access rights to the <Company Name> systems at any time,
  without notice.

  User’s Legal Name: _________________________________ (printed)

  User’s Signature:   _________________________________ (signature)

  Date:               _________________________________



                Comments here:




                                                                                                  Page 9
Rules of Behavior
Version 0.1 / Date

3. RULES OF BEHAVIOR FOR EXTERNAL USERS
You must conduct only authorized business on the system.

Your level of access to systems and networks owned by <Company Name> is limited to ensure your
access is no more than necessary to perform your legitimate tasks or assigned duties. If you believe you
are being granted access that you should not have, you must immediately notify the <Company Name>
Operations Center <phone number>.

You must maintain the confidentiality of your authentication credentials such as your password. Do not
reveal your authentication credentials to anyone; a <Company Name> employee should never ask you
to reveal them.

You must follow proper logon/logoff procedures. You must manually logon to your session; do not store
you password locally on your system or utilize any automated logon capabilities. You must promptly
logoff when session access is no longer needed. If a logoff function is unavailable, you must close your
browser. Never leave your computer unattended while logged into the system.

You must report all security incidents or suspected incidents (e.g., lost passwords, improper or
suspicious acts) related to <Company Name> systems and networks to the <Company Name>
Operations Center <phone number>.

You must not establish any unauthorized interfaces between systems, networks, and applications
owned by <Company Name>.

Your access to systems and networks owned by <Company Name> is governed by, and subject to, all
Federal laws, including, but not limited to, the Privacy Act, 5 U.S.C. 552a, if the applicable <Company
Name> system maintains individual Privacy Act information. Your access to <Company Name> systems
constitutes your consent to the retrieval and disclosure of the information within the scope of your
authorized access, subject to the Privacy Act, and applicable State and Federal laws.

You must safeguard system resources against waste, loss, abuse, unauthorized use or disclosure, and
misappropriation.

You must not process U.S. classified national security information on the system.

You must not browse, search or reveal information hosted by <Company Name> except in accordance
with that which is required to perform your legitimate tasks or assigned duties.

You must not retrieve information, or in any other way disclose information, for someone who does not
have authority to access that information.

You must ensure that Web browsers use Secure Socket Layer (SSL) version 3.0 (or higher) and Transport
Layer Security (TLS) 1.0 (or higher). SSL and TLS must use a minimum of 256-bit, encryption.


                                                                                                   Page 10
Rules of Behavior
Version 0.1 / Date

You must ensure that your web browser is configured to warn about invalid site certificates.

You must ensure that web browsers warn if the user is changing between secure and non-secure mode.

You must ensure that your web browser window used to access systems owned by <Company Name> is
closed before navigating to other sites/domains.

You must ensure that your web browser checks for a publisher’s certificate revocation.

You must ensure that your web browser checks for server certificate revocation.

You must ensure that web browser checks for signatures on downloaded files.

You must ensure that web browser empties/deletes temporary Internet files when the browser is
closed.

By your signature or electronic acceptance (such as by clicking an acceptance button on the screen) you
must agree to these rules.

You understand that any person who obtains information from a computer connected to the Internet in
violation of her employer’s computer-use restrictions is in violation of the Computer Fraud and Abuse
Act.

You agree to contact the <Company Name> Chief Information Security Officer or the <Company Name>
Operations Center <phone number> if you do not understand any of these rules.




                                                                                                Page 11
Rules of Behavior
Version 0.1 / Date



  ACCEPTANCE AND SIGNATURE

  I have read the above Rules of Behavior for External Users of <Company Name> systems and
  networks. By my electronic acceptance and/or signature below, I acknowledge and agree that my
  access to the <Company Name> systems and networks is covered by, and subject to, such Rules.
  Further, I acknowledge and accept that any violation by me of these Rules may subject me to civil
  and/or criminal actions and that <Company Name> retains the right, at its sole discretion, to
  terminate, cancel or suspend my access rights to the <Company Name> systems at any time,
  without notice.

  User’s Legal Name: _________________________________ (printed)

  User’s Signature:   _________________________________ (signature)

  Date:               _________________________________



                Comments Here:




                                                                                                Page 12

Mais conteúdo relacionado

Mais procurados (18)

Microservices
MicroservicesMicroservices
Microservices
 
Ch4
Ch4Ch4
Ch4
 
Ch4-Software Engineering 9
Ch4-Software Engineering 9Ch4-Software Engineering 9
Ch4-Software Engineering 9
 
Ch11-Software Engineering 9
Ch11-Software Engineering 9Ch11-Software Engineering 9
Ch11-Software Engineering 9
 
Ch12-Software Engineering 9
Ch12-Software Engineering 9Ch12-Software Engineering 9
Ch12-Software Engineering 9
 
Software Requirement Specification
Software Requirement SpecificationSoftware Requirement Specification
Software Requirement Specification
 
Engineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacyEngineering Software Products: 7. security and privacy
Engineering Software Products: 7. security and privacy
 
Online auction system srs riport
Online auction system srs  riportOnline auction system srs  riport
Online auction system srs riport
 
Ch20-Software Engineering 9
Ch20-Software Engineering 9Ch20-Software Engineering 9
Ch20-Software Engineering 9
 
Ch20 systems of systems
Ch20 systems of systemsCh20 systems of systems
Ch20 systems of systems
 
Enterprise Broadband Business Appications
Enterprise Broadband Business AppicationsEnterprise Broadband Business Appications
Enterprise Broadband Business Appications
 
Ch10 dependable systems
Ch10 dependable systemsCh10 dependable systems
Ch10 dependable systems
 
Ch12 safety engineering
Ch12 safety engineeringCh12 safety engineering
Ch12 safety engineering
 
Ch13 security engineering
Ch13 security engineeringCh13 security engineering
Ch13 security engineering
 
Ch9 evolution
Ch9 evolutionCh9 evolution
Ch9 evolution
 
Ch18-Software Engineering 9
Ch18-Software Engineering 9Ch18-Software Engineering 9
Ch18-Software Engineering 9
 
Ch14 resilience engineering
Ch14 resilience engineeringCh14 resilience engineering
Ch14 resilience engineering
 
Ch19 systems engineering
Ch19 systems engineeringCh19 systems engineering
Ch19 systems engineering
 

Destaque

Management in healthcare
Management in healthcareManagement in healthcare
Management in healthcareOther Mother
 
Security Assessment Plan (Template)
Security Assessment Plan (Template)Security Assessment Plan (Template)
Security Assessment Plan (Template)GovCloud Network
 
Sample Incident Response Plan
Sample Incident Response PlanSample Incident Response Plan
Sample Incident Response PlanMatthew J McMahon
 
What's New In CompTIA Security+ - Course Technology Computing Conference
What's New In CompTIA Security+ - Course Technology Computing ConferenceWhat's New In CompTIA Security+ - Course Technology Computing Conference
What's New In CompTIA Security+ - Course Technology Computing ConferenceCengage Learning
 
Cloud application architecture with sql azure and windows azure
Cloud application architecture with sql azure and windows azureCloud application architecture with sql azure and windows azure
Cloud application architecture with sql azure and windows azureEduardo Castro
 
Writing a Zoom Introduction
Writing a Zoom IntroductionWriting a Zoom Introduction
Writing a Zoom IntroductionAngela Astuto
 
Creating Email Campaigns that Work: A Focus on Design Elements
Creating Email Campaigns that Work: A Focus on Design ElementsCreating Email Campaigns that Work: A Focus on Design Elements
Creating Email Campaigns that Work: A Focus on Design ElementsEmail on Acid
 
MCH Curricula: Strategies for Developing Materials_Hanold_5.11.11
MCH Curricula: Strategies for Developing Materials_Hanold_5.11.11MCH Curricula: Strategies for Developing Materials_Hanold_5.11.11
MCH Curricula: Strategies for Developing Materials_Hanold_5.11.11CORE Group
 
Natureza Maravilhosa
Natureza MaravilhosaNatureza Maravilhosa
Natureza MaravilhosaAnjovison .
 
Understanding the Essential Nutrition Actions Framework_Jennifer Nielsen_5.5.14
Understanding the Essential Nutrition Actions Framework_Jennifer Nielsen_5.5.14Understanding the Essential Nutrition Actions Framework_Jennifer Nielsen_5.5.14
Understanding the Essential Nutrition Actions Framework_Jennifer Nielsen_5.5.14CORE Group
 
Moje poczatki-w-programie-partnerskim darmowy ebook pdf
Moje poczatki-w-programie-partnerskim darmowy ebook pdfMoje poczatki-w-programie-partnerskim darmowy ebook pdf
Moje poczatki-w-programie-partnerskim darmowy ebook pdfmazur16111
 

Destaque (17)

Management in healthcare
Management in healthcareManagement in healthcare
Management in healthcare
 
Security Assessment Plan (Template)
Security Assessment Plan (Template)Security Assessment Plan (Template)
Security Assessment Plan (Template)
 
Sample Incident Response Plan
Sample Incident Response PlanSample Incident Response Plan
Sample Incident Response Plan
 
What's New In CompTIA Security+ - Course Technology Computing Conference
What's New In CompTIA Security+ - Course Technology Computing ConferenceWhat's New In CompTIA Security+ - Course Technology Computing Conference
What's New In CompTIA Security+ - Course Technology Computing Conference
 
Cloud application architecture with sql azure and windows azure
Cloud application architecture with sql azure and windows azureCloud application architecture with sql azure and windows azure
Cloud application architecture with sql azure and windows azure
 
research paper 2012
research paper 2012research paper 2012
research paper 2012
 
Writing a Zoom Introduction
Writing a Zoom IntroductionWriting a Zoom Introduction
Writing a Zoom Introduction
 
Temario taller 4
Temario taller 4Temario taller 4
Temario taller 4
 
Nice Hawaii
Nice HawaiiNice Hawaii
Nice Hawaii
 
E-Signature in Document Management - Megan Smale
E-Signature in Document Management - Megan SmaleE-Signature in Document Management - Megan Smale
E-Signature in Document Management - Megan Smale
 
Gold, серебро
Gold, сереброGold, серебро
Gold, серебро
 
Creating Email Campaigns that Work: A Focus on Design Elements
Creating Email Campaigns that Work: A Focus on Design ElementsCreating Email Campaigns that Work: A Focus on Design Elements
Creating Email Campaigns that Work: A Focus on Design Elements
 
MCH Curricula: Strategies for Developing Materials_Hanold_5.11.11
MCH Curricula: Strategies for Developing Materials_Hanold_5.11.11MCH Curricula: Strategies for Developing Materials_Hanold_5.11.11
MCH Curricula: Strategies for Developing Materials_Hanold_5.11.11
 
Chistesvarios6
Chistesvarios6Chistesvarios6
Chistesvarios6
 
Natureza Maravilhosa
Natureza MaravilhosaNatureza Maravilhosa
Natureza Maravilhosa
 
Understanding the Essential Nutrition Actions Framework_Jennifer Nielsen_5.5.14
Understanding the Essential Nutrition Actions Framework_Jennifer Nielsen_5.5.14Understanding the Essential Nutrition Actions Framework_Jennifer Nielsen_5.5.14
Understanding the Essential Nutrition Actions Framework_Jennifer Nielsen_5.5.14
 
Moje poczatki-w-programie-partnerskim darmowy ebook pdf
Moje poczatki-w-programie-partnerskim darmowy ebook pdfMoje poczatki-w-programie-partnerskim darmowy ebook pdf
Moje poczatki-w-programie-partnerskim darmowy ebook pdf
 

Semelhante a Rules of Behavior

Acceptable Use Policy
Acceptable Use PolicyAcceptable Use Policy
Acceptable Use PolicyChase Hubbard
 
Consensus Policy Resource CommunityRemote Access Polic
Consensus Policy Resource CommunityRemote Access PolicConsensus Policy Resource CommunityRemote Access Polic
Consensus Policy Resource CommunityRemote Access PolicAlleneMcclendon878
 
Consensus policy resource community remote access polic
Consensus policy resource community remote access policConsensus policy resource community remote access polic
Consensus policy resource community remote access policARIV4
 
Sample Security PoliciesAcceptable_Encryption_Policy.docAccep.docx
Sample Security PoliciesAcceptable_Encryption_Policy.docAccep.docxSample Security PoliciesAcceptable_Encryption_Policy.docAccep.docx
Sample Security PoliciesAcceptable_Encryption_Policy.docAccep.docxtodd331
 
201810003 201750007project report
201810003 201750007project report201810003 201750007project report
201810003 201750007project reportssuser219889
 
Internet usage policy(1)
Internet usage policy(1)Internet usage policy(1)
Internet usage policy(1)scobycakau
 
INTRODUCTION to software engineering requirements specifications
INTRODUCTION to software engineering requirements specificationsINTRODUCTION to software engineering requirements specifications
INTRODUCTION to software engineering requirements specificationskylan2
 
Medical facility network design
Medical facility network designMedical facility network design
Medical facility network designnephtalie
 
software requirements specification template
software requirements specification templatesoftware requirements specification template
software requirements specification templateAzimiddin Rakhmatov
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)MHumaamAl
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxdewhirstichabod
 
Stock Maintenance System-Problem Statement, SRS, ERD, DFD, Structured Chart
Stock Maintenance System-Problem Statement, SRS, ERD, DFD, Structured ChartStock Maintenance System-Problem Statement, SRS, ERD, DFD, Structured Chart
Stock Maintenance System-Problem Statement, SRS, ERD, DFD, Structured Chartgrandhiprasuna
 
Privacy Threshold Analysis
Privacy Threshold AnalysisPrivacy Threshold Analysis
Privacy Threshold AnalysisGovCloud Network
 
Network Security Policies
Network Security PoliciesNetwork Security Policies
Network Security PoliciesAamir Sohail
 
Luis Perez ITS written report
Luis Perez ITS written reportLuis Perez ITS written report
Luis Perez ITS written reportLuis Perez
 
A Project to Automate Inventory Management in a Fast Food, Cas.docx
A Project to Automate Inventory Management in a Fast Food, Cas.docxA Project to Automate Inventory Management in a Fast Food, Cas.docx
A Project to Automate Inventory Management in a Fast Food, Cas.docxransayo
 
Azstec cyber-security-workbook
Azstec cyber-security-workbookAzstec cyber-security-workbook
Azstec cyber-security-workbookYulia Dianova
 

Semelhante a Rules of Behavior (20)

Acceptable Use Policy
Acceptable Use PolicyAcceptable Use Policy
Acceptable Use Policy
 
Consensus Policy Resource CommunityRemote Access Polic
Consensus Policy Resource CommunityRemote Access PolicConsensus Policy Resource CommunityRemote Access Polic
Consensus Policy Resource CommunityRemote Access Polic
 
Consensus policy resource community remote access polic
Consensus policy resource community remote access policConsensus policy resource community remote access polic
Consensus policy resource community remote access polic
 
Sample Security PoliciesAcceptable_Encryption_Policy.docAccep.docx
Sample Security PoliciesAcceptable_Encryption_Policy.docAccep.docxSample Security PoliciesAcceptable_Encryption_Policy.docAccep.docx
Sample Security PoliciesAcceptable_Encryption_Policy.docAccep.docx
 
Ch06 Policy
Ch06 PolicyCh06 Policy
Ch06 Policy
 
201810003 201750007project report
201810003 201750007project report201810003 201750007project report
201810003 201750007project report
 
Internet usage policy(1)
Internet usage policy(1)Internet usage policy(1)
Internet usage policy(1)
 
INTRODUCTION to software engineering requirements specifications
INTRODUCTION to software engineering requirements specificationsINTRODUCTION to software engineering requirements specifications
INTRODUCTION to software engineering requirements specifications
 
Medical facility network design
Medical facility network designMedical facility network design
Medical facility network design
 
software requirements specification template
software requirements specification templatesoftware requirements specification template
software requirements specification template
 
Capstone Finished
Capstone FinishedCapstone Finished
Capstone Finished
 
Cis controls v8_guide (1)
Cis controls v8_guide (1)Cis controls v8_guide (1)
Cis controls v8_guide (1)
 
Businesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docxBusinesses involved in mergers and acquisitions must exercise due di.docx
Businesses involved in mergers and acquisitions must exercise due di.docx
 
Stock Maintenance System-Problem Statement, SRS, ERD, DFD, Structured Chart
Stock Maintenance System-Problem Statement, SRS, ERD, DFD, Structured ChartStock Maintenance System-Problem Statement, SRS, ERD, DFD, Structured Chart
Stock Maintenance System-Problem Statement, SRS, ERD, DFD, Structured Chart
 
Software engg unit 2
Software engg unit 2 Software engg unit 2
Software engg unit 2
 
Privacy Threshold Analysis
Privacy Threshold AnalysisPrivacy Threshold Analysis
Privacy Threshold Analysis
 
Network Security Policies
Network Security PoliciesNetwork Security Policies
Network Security Policies
 
Luis Perez ITS written report
Luis Perez ITS written reportLuis Perez ITS written report
Luis Perez ITS written report
 
A Project to Automate Inventory Management in a Fast Food, Cas.docx
A Project to Automate Inventory Management in a Fast Food, Cas.docxA Project to Automate Inventory Management in a Fast Food, Cas.docx
A Project to Automate Inventory Management in a Fast Food, Cas.docx
 
Azstec cyber-security-workbook
Azstec cyber-security-workbookAzstec cyber-security-workbook
Azstec cyber-security-workbook
 

Mais de GovCloud Network

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmarkGovCloud Network
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for meGovCloud Network
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeGovCloud Network
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in CyberspaceGovCloud Network
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessGovCloud Network
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture   Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture GovCloud Network
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin JacksonGovCloud Network
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition   Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition   Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSAGovCloud Network
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher PageGovCloud Network
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanGovCloud Network
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle  (BCL)  Guide (Draft)DoD Business Capability Lifecycle  (BCL)  Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)GovCloud Network
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefGovCloud Network
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS  - Kevin L. JacksonIntrusion Detection on Public IaaS  - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. JacksonGovCloud Network
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentGovCloud Network
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013GovCloud Network
 
Tech gate kevin l jackson - 09-21-2013
Tech gate   kevin l jackson - 09-21-2013Tech gate   kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013GovCloud Network
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...GovCloud Network
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)GovCloud Network
 

Mais de GovCloud Network (20)

IaaS Price performance-benchmark
IaaS Price performance-benchmarkIaaS Price performance-benchmark
IaaS Price performance-benchmark
 
Cloud computing training what's right for me
Cloud computing training what's right for meCloud computing training what's right for me
Cloud computing training what's right for me
 
ViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT ChangeViON Corporation: Surviving IT Change
ViON Corporation: Surviving IT Change
 
Staying Safe in Cyberspace
Staying Safe in CyberspaceStaying Safe in Cyberspace
Staying Safe in Cyberspace
 
Vets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate SuccessVets 360 Services - Military Dedication - Corporate Success
Vets 360 Services - Military Dedication - Corporate Success
 
GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014GovCloud Network LLC Overview - June 25, 2014
GovCloud Network LLC Overview - June 25, 2014
 
Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture   Army PEO EIS Cloud Architecture
Army PEO EIS Cloud Architecture
 
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin JacksonICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings   Kevin Jackson
ICH Agile Cloud Session 1-Highlights /Prospective Svc Offerings Kevin Jackson
 
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition   Emile Monette GSAImproving Cybersecurity and Resilience Through Acquisition   Emile Monette GSA
Improving Cybersecurity and Resilience Through Acquisition Emile Monette GSA
 
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
@AgileCLoud_ICH Presentation - 20140521 US Navy OPNAV - Capt Christopher Page
 
Agile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John BrennanAgile Cloud Conference 2 Introduction - John Brennan
Agile Cloud Conference 2 Introduction - John Brennan
 
DoD Business Capability Lifecycle (BCL) Guide (Draft)
DoD Business Capability Lifecycle  (BCL)  Guide (Draft)DoD Business Capability Lifecycle  (BCL)  Guide (Draft)
DoD Business Capability Lifecycle (BCL) Guide (Draft)
 
GovCloud Network Overview Presentation
GovCloud Network Overview PresentationGovCloud Network Overview Presentation
GovCloud Network Overview Presentation
 
PM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing briefPM ISE Information Interoperability Presentation -agile sourcing brief
PM ISE Information Interoperability Presentation -agile sourcing brief
 
Intrusion Detection on Public IaaS - Kevin L. Jackson
Intrusion Detection on Public IaaS  - Kevin L. JacksonIntrusion Detection on Public IaaS  - Kevin L. Jackson
Intrusion Detection on Public IaaS - Kevin L. Jackson
 
A Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African GovernmentA Framework for Cloud Computing Adoption in South African Government
A Framework for Cloud Computing Adoption in South African Government
 
NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013NCOIC GCC OWS-10 presentation 10 7 2013
NCOIC GCC OWS-10 presentation 10 7 2013
 
Tech gate kevin l jackson - 09-21-2013
Tech gate   kevin l jackson - 09-21-2013Tech gate   kevin l jackson - 09-21-2013
Tech gate kevin l jackson - 09-21-2013
 
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...Paving the Way to the Cloud:  Cloud Services Brokerage for Highly Secure, Dem...
Paving the Way to the Cloud: Cloud Services Brokerage for Highly Secure, Dem...
 
Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)Government cloud deployment lessons learned final (4 4 2013)
Government cloud deployment lessons learned final (4 4 2013)
 

Último

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintMahmoud Rabie
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...Aggregage
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopBachir Benyammi
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIUdaiappa Ramachandran
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6DianaGray10
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServiceRenan Moreira de Oliveira
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 

Último (20)

Empowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership BlueprintEmpowering Africa's Next Generation: The AI Leadership Blueprint
Empowering Africa's Next Generation: The AI Leadership Blueprint
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
The Data Metaverse: Unpacking the Roles, Use Cases, and Tech Trends in Data a...
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 
NIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 WorkshopNIST Cybersecurity Framework (CSF) 2.0 Workshop
NIST Cybersecurity Framework (CSF) 2.0 Workshop
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
RAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AIRAG Patterns and Vector Search in Generative AI
RAG Patterns and Vector Search in Generative AI
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer ServicePicPay - GenAI Finance Assistant - ChatGPT for Customer Service
PicPay - GenAI Finance Assistant - ChatGPT for Customer Service
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 

Rules of Behavior

  • 1. Rules of Behavior <Information System Name>, <Date> Rules of Behavior <Information System Name> <Vendor Name> Version 1.0 May 2, 2012
  • 2. Rules of Behavior Version 0.1 / Date Table of Contents 1. Overview...........................................................................................................................................................6 2. Rules of Behavior for Internal Users .................................................................................................................7 3. Rules of Behavior for External Users ..............................................................................................................10 Page 2
  • 3. Rules of Behavior Version 0.1 / Date Document Revision History Date Description Version Author 05/02/2012 Document Publication 1.0 FedRAMP Office Page 3
  • 4. Rules of Behavior Version 0.1 / Date ABOUT THIS DOCUMENT This document has been developed to provide guidance on how to participate in and understand the FedRAMP program. Who should use this document? This document is intended to be used by Cloud Service Providers (CSPs), Third Party Assessor Organizations (3PAOs), government contractors working on FedRAMP projects, government employees working on FedRAMP projects, and any outside organizations that want to make use of the FedRAMP Contingency Planning process. How this document is organized This document is divided into ten sections. Most sections include subsections. Section 1 describes and overview of the Rules of Behavior. Section 2 describes recommended Rules of Behavior for internal users. Section 3 describes recommended Rules of Behavior for external users. Conventions used in this document This document uses the following typographical conventions: Italic Italics are used for email addresses, security control assignments parameters, and formal document names. Italic blue in a box Italic blue text in a blue box indicates instructions to the individual filling out the template. Instruction: This is an instruction to the individual filling out of the template. Bold Bold text indicates a parameter or an additional requirement. Constant width Constant width text is used for text that is representative of characters that would show up on a computer screen. <Brackets> Bold blue text in brackets indicates text that should be replaced with user-defined values. Once the text has been replaced, the brackets should be removed. Notes Notes are found between parallel lines and include additional information that may be helpful Page 4
  • 5. Rules of Behavior Version 0.1 / Date to the users of this template. Note: This is a note. Sans Serif Sans Serif text is used for tables, table captions, figure captions, and table of contents. How to contact us If you have questions about FedRAMP or something in this document, please write to: info@fedramp.gov For more information about the FedRAMP project, please see the website at: http://www.fedramp.gov. Page 5
  • 6. Rules of Behavior Version 0.1 / Date 1. OVERVIEW Rules of Behavior describe security controls associated with user responsibilities and certain expectations of behavior for following security policies, standards, and procedures. Security control PL-4 requires Cloud Service Providers to implement Rules of Behavior. It is often the case that different Rules of Behavior apply to internal and external users. Internal users are employees of your organizations, including contractors. External users are anyone who has access to a system that you own that is not one of your employees or contractors. External users might be customers or partners, or customer prospects that have been issued demo accounts. CSP employees who have access to the <Information System Name> must sign Internal Rules of Behavior. If the CSP provisions accounts for customers, including management accounts, it is the CSP’s responsibility to ensure that whoever the CSP provisions an account to signs an External Rules of Behavior. If the CSP provisions a management account to an individual customer, and then that manager in turn provisions subsequent customer accounts, it is the responsibility of the customer manager to ensure that users that he/she has provisioned sign the CSP provided Rules of Behavior. Ultimately, whoever provisions the account owns the responsibility for getting users to sign the Rules of Behavior for the accounts that they have provisioned. Rules of Behavior may be signed on paper or electronically at first login. Either way, the organization must retain artifacts to enable an independent assessor to verify that Rules of Behavior have been signed for all users. Instruction: A sample set of Rules of Behavior have been provided for both Internal Users and External Users on the pages that follow. The CSP should modify these sets of rules to match the Rules of Behavior that are necessary to secure the system. You do not need to use these exact rules per se – they have been provided as examples. Please keep in mind that certain rules that apply to internal users may not apply to external users and vice versa. Page 6
  • 7. Rules of Behavior Version 0.1 / Date 2. RULES OF BEHAVIOR FOR INTERNAL USERS You must comply with copyright and site licenses of proprietary software. You must process only data that pertains to official business and is authorized to be processed on the system. You must report all security incidents or suspected incidents to the IT department. You must discontinue use of any system resources that show signs of being infected by a virus or other malware and report the suspected incident. You must challenge unauthorized personnel that appear in your work area. You must use only the data for which you have been granted authorization. You must notify your <Company Name>manager if access to system resources is beyond that which is required to perform your job. You must attend computer security awareness and privacy training as requested by <Company Name>. You must coordinate your user access requirements, and user access parameters, with your <Company Name>manager. You must ensure that access to application-specific sensitive data is based on your job function. You must safeguard resources against waste, loss, abuse, unauthorized users, and misappropriation. You must ensure that access is assigned based on your <Company Name>manager’s approval. You must familiarize yourself with any special requirements for accessing, protecting, and utilizing data, including Privacy Act requirements, copyright requirements, and procurement of sensitive data. You must ensure electronic official records (including attachments) are printed and stored according to <Company Name> policy and standards. You must ensure that sensitive, confidential, and proprietary information sent to a fax or printer is handled in a secure manner, e.g., cover sheet to contain statement that information being faxed is Confidential and Proprietary, For Company Use Only, etc. You must ensure that hard copies of Confidential and Proprietary information is destroyed (after it is no longer needed) commensurate with the sensitivity of the data. You must ensure that Confidential and Proprietary information is protected against unauthorized access using encryption, according to <Company Name> standards, when sending it via electronic means (telecommunications networks, e-mail, and/or facsimile). Page 7
  • 8. Rules of Behavior Version 0.1 / Date You must not process U.S. classified national security information on any system at <Company Name> for any reason. You must not install <Company Name>unapproved software onto the system. Only <Company Name>designated personnel are authorized to load software. You must not add additional hardware or peripheral devices to the system. Only designated personnel can direct the installation of hardware on the system. You must not reconfigure hardware or software on any <Company Name> systems, networks, or interfaces. You must follow all <Company Name> wireless access policies. You must not retrieve information for someone who does not have authority to access that information. You must not remove computer resources from the facility without prior approval. Resources may only be removed for official use. You must ensure that web browsers check for a publisher’s certificate revocation. You must ensure that web browsers check for server certificate revocation. You must ensure that web browsers check for signatures on downloaded files. You must ensure that web browsers empty/delete temporary Internet files when the browser is closed. You must ensure that web browsers use Secure Socket Layer (SSL) version 3.0 (or higher) and Transport Layer Security (TLS) 1.0 (or higher). SSL and TLS must use a minimum of 128-bit, encryption. You must ensure that web browsers warn about invalid site certificates. You must ensure that web browsers warn if the user is changing between secure and non-secure mode. You must ensure that web browsers warn if forms submittal is being redirected. You must ensure that web browsers do not allow access to data sources across domains. You must ensure that web browsers do not allow the navigation of sub-frames across different domains. You must ensure that web browsers do not allow the submission of non-encrypted critical form data. You must ensure that your <Company Name>Web browser window is closed before navigating to other sites/domains. You must not store customer information on a system that is not owned by <Company Name>. Page 8
  • 9. Rules of Behavior Version 0.1 / Date You must ensure that sensitive information entered into systems is restricted to team members on a Need-To-Know basis. You understand that any person who obtains information from a computer connected to the Internet in violation of her employer’s computer-use restrictions is in violation of the Computer Fraud and Abuse Act. ACCEPTANCE AND SIGNATURE I have read the above Rules of Behavior for Internal Users for<Company Name> systems and networks. By my electronic acceptance and/or signature below, I acknowledge and agree that my access to all <Company Name> systems and networks is covered by, and subject to, such Rules. Further, I acknowledge and accept that any violation by me of these Rules may subject me to civil and/or criminal actions and that <Company Name> retains the right, at its sole discretion, to terminate, cancel or suspend my access rights to the <Company Name> systems at any time, without notice. User’s Legal Name: _________________________________ (printed) User’s Signature: _________________________________ (signature) Date: _________________________________ Comments here: Page 9
  • 10. Rules of Behavior Version 0.1 / Date 3. RULES OF BEHAVIOR FOR EXTERNAL USERS You must conduct only authorized business on the system. Your level of access to systems and networks owned by <Company Name> is limited to ensure your access is no more than necessary to perform your legitimate tasks or assigned duties. If you believe you are being granted access that you should not have, you must immediately notify the <Company Name> Operations Center <phone number>. You must maintain the confidentiality of your authentication credentials such as your password. Do not reveal your authentication credentials to anyone; a <Company Name> employee should never ask you to reveal them. You must follow proper logon/logoff procedures. You must manually logon to your session; do not store you password locally on your system or utilize any automated logon capabilities. You must promptly logoff when session access is no longer needed. If a logoff function is unavailable, you must close your browser. Never leave your computer unattended while logged into the system. You must report all security incidents or suspected incidents (e.g., lost passwords, improper or suspicious acts) related to <Company Name> systems and networks to the <Company Name> Operations Center <phone number>. You must not establish any unauthorized interfaces between systems, networks, and applications owned by <Company Name>. Your access to systems and networks owned by <Company Name> is governed by, and subject to, all Federal laws, including, but not limited to, the Privacy Act, 5 U.S.C. 552a, if the applicable <Company Name> system maintains individual Privacy Act information. Your access to <Company Name> systems constitutes your consent to the retrieval and disclosure of the information within the scope of your authorized access, subject to the Privacy Act, and applicable State and Federal laws. You must safeguard system resources against waste, loss, abuse, unauthorized use or disclosure, and misappropriation. You must not process U.S. classified national security information on the system. You must not browse, search or reveal information hosted by <Company Name> except in accordance with that which is required to perform your legitimate tasks or assigned duties. You must not retrieve information, or in any other way disclose information, for someone who does not have authority to access that information. You must ensure that Web browsers use Secure Socket Layer (SSL) version 3.0 (or higher) and Transport Layer Security (TLS) 1.0 (or higher). SSL and TLS must use a minimum of 256-bit, encryption. Page 10
  • 11. Rules of Behavior Version 0.1 / Date You must ensure that your web browser is configured to warn about invalid site certificates. You must ensure that web browsers warn if the user is changing between secure and non-secure mode. You must ensure that your web browser window used to access systems owned by <Company Name> is closed before navigating to other sites/domains. You must ensure that your web browser checks for a publisher’s certificate revocation. You must ensure that your web browser checks for server certificate revocation. You must ensure that web browser checks for signatures on downloaded files. You must ensure that web browser empties/deletes temporary Internet files when the browser is closed. By your signature or electronic acceptance (such as by clicking an acceptance button on the screen) you must agree to these rules. You understand that any person who obtains information from a computer connected to the Internet in violation of her employer’s computer-use restrictions is in violation of the Computer Fraud and Abuse Act. You agree to contact the <Company Name> Chief Information Security Officer or the <Company Name> Operations Center <phone number> if you do not understand any of these rules. Page 11
  • 12. Rules of Behavior Version 0.1 / Date ACCEPTANCE AND SIGNATURE I have read the above Rules of Behavior for External Users of <Company Name> systems and networks. By my electronic acceptance and/or signature below, I acknowledge and agree that my access to the <Company Name> systems and networks is covered by, and subject to, such Rules. Further, I acknowledge and accept that any violation by me of these Rules may subject me to civil and/or criminal actions and that <Company Name> retains the right, at its sole discretion, to terminate, cancel or suspend my access rights to the <Company Name> systems at any time, without notice. User’s Legal Name: _________________________________ (printed) User’s Signature: _________________________________ (signature) Date: _________________________________ Comments Here: Page 12