CHGME PP Computer System User Agreement and Rules of Behavior for the FY 2008 Reconcilation Application Cycle

Printer-friendly Adobe/.pdf Agreement (68 KB)

Date:

Hospital Name:   

Medicare Provider ID Number:

Hospital Address:

City:

State:

User First and Last Name:

Title:

COMPUTER SYSTEM USER AGREEMENT and RULES OF BEHAVIOR:

System-specific Rules of Behavior (RoB) must be created for each HRSA Major Application and General Support System as part of the System Security Plan.  It is the responsibility of each user to know and understand the Rules of Behavior and other security policies.  Being unaware of a policy does not remove culpability if a policy is violated.    At a minimum, all users should comply with the following rules:

1. I am required to comply with HRSA Information System Security Policies regarding the protection of HRSA information systems from misuse, abuse, loss, or unauthorized access or modification.

2. I have completed the required HRSA computer security awareness web training on ____________. The training took me approximately ______________.   ________ Initials

3. I must create and use password(s) consisting of at least eight (8) characters that cannot be easily guessed and that do not contain a word found in any language.  My password must contain letters, numbers, and at least one special character (e.g. @, !, $, %).  I am required to change my password every 60 days or at the interval prescribed for the system.  I must not reuse old passwords.  I understand that HRSA reserves the right to change my password or terminate my access at any time.

4. I must protect my passwords and application user-ID’s (this will be provided to you by the CHGME Database Manager once training is complete). Should I suspect a compromise of my password or application user codes, I must change my password immediately and report the suspected compromise to my supervisor and the CHGME Database Manager (DM) immediately. I will not enter my password or application user code(s) in a file or record maintained in any automated system for the purpose of affecting an "auto login" feature for my convenience, unless the feature has been approved for use by the HRSA Information Security Program Manager. I must not share my user-ID and passwords and I must not write down my password or application user codes.

5. I must logoff any time that I leave my terminal unattended. The system will automatically log the user off after thirty (30) minutes.  I must use a password protected screen saver at any time that I leave my terminal unattended for time periods longer than fifteen (15) minutes. Users must not leave sensitive information in an unsecured location.

6. I am required to notify the system database manager for my system immediately when there is a change in my employment status and/or when my access to the system is no longer required.

7. I will access only those applications for which the system administrator has authorized access. I will use the government website only for approved purposes.

8. I am prohibited from using information acquired from access via a Federal web based system for personal gain.

9. I will not attempt to override technical or management controls (e.g. carrying sensitive data home on a floppy disk without prior approval).

10. I will ensure that my anti-virus software is up to date.

11. I will report all incidents immediately to the CHGME Regional Manager in Rockville who will inform the DM immediately. The DM will then notify the supervisor and call the Help Desk at 301-496-4357.

12. I understand that my actions while on a HRSA system may be monitored.

13. I understand that if I must use Personally Identifiable Information (PII) (for example: social security number, bank records, health records and so on...) then to only use it to the extent necessary to perform my job duties if sensitive or PII data is to be stored or transmitted it must be encrypted using a FIPS 140-2 compliant utility (ex: SecureZip). WinZip may be used if the data is NOT sensitive or does not contain PII.

14. Users are prohibited from using licensed HRSA software for personal use.

15. HRSA policy allows outside entities to access to the HRSA LAN/WAN from a remote location as long as the user has been approved to do so. Users are responsible for updating virus protection software on their systems.

16. If a user violates any of these Rules of Behavior and/or HRSA policies, they may be subject to disciplinary action at the discretion of HRSA management. These actions, depending on the severity of the violation, may include a verbal or written warning, removal of system access, reassignment to other duties, or termination.

I acknowledge and certify, as an Authorized Individual ("User") requiring access to the HRSA information systems that I have read, understand, and agree to adhere to the HRSA IT Rules of Behavior as listed above.